Poll: Hardest InfoSec Cert

"Hardest" is a relative term.

Why does it matter to you what InfoSec cert is the "hardest"?

To me the hardest InfoSec cert is CEH because I struggled to associate my name with their crap.

Why does he want to know? I'm guessing content for CertBase.

dbailey007

Hi iBrokeIT. Definitely agree that it is relative, which is what makes it interesting to me. Obviously the difficulty of a cert is certainly something to consider when choosing one. If you don't have a lot of free time or experience, the most challenging cert is probably not the best choice. Also, I tend to think that difficulty is related to respect or credibility of the cert. If you can pass it by reading a ****, then it probably isn't that good a measure of competency.

I also wanted to write a blog post on the topic so I'd really love some feedback!

Probably the GSE since there only 200(ish?) and require mutiple GIAC certs.

iBrokeIT wrote: »

Probably the GSE since there only 200(ish?) and require mutiple GIAC certs.

Also one of the most expensive certifications as well. When you consider the requirements are 2 gold level and 1 Silver level SANS cert, your talking about a 20 to 30 grand investment.

TechGromit wrote: »

the requirements are 2 gold level and 1 Silver level SANS certain

I think you need to reread the requirements because that isn't the only pre-requisite path to qualify for the GSE.

GIAC Information Security Expert | GSE Certification

Please be more careful about posting stuff you aren't familiar with and haven't double checked.

TechGromit wrote: »

... your talking about a 20 to 30 grand investment.

If you go the work study and/or gold paper route you can stay under the $20k mark. Again, paying straight retail isn't the only path.

636-555-3226

cyberguypr wrote: »

To me the hardest InfoSec cert is CEH because I struggled to associate my name with their crap.

Seconded. About a quarter of the way through my first and last EC-Council cert studies I debated whether I wanted to claim knowledge of this garbage on my LinkedIn profile. I eventually figured most people don't know jack about EC-Council quality so it wouldn't hurt to have and just bagged the studies and took the exam cold, nearly acing it. I still encourage everybody I know to avoid EC-Council like the plague unless they want the CEH for the resume.

iBrokeIT wrote: »

I think you need to reread the requirements because that isn't the only pre-requisite path to qualify for the GSE.

Please be more careful about posting stuff you aren't familiar with and haven't double checked.

GIAC Information Security Expert | GSE Certification

GSE pre-requisite list (including substitution options):

GSEC, GCIH, GCIA with two gold
GSEC, GCIH, GCIA with one gold and one substitute
GSEC, GCIH, GCIA with no gold and two substitutes
GCWN, GCUX, GCIH, GCIA with one gold
GCWN, GCUX, GCIH, GCIA with no gold and one substitute

So if you take three SANS classes at $5,600, pay $675 for the exams and pay $400 each to turn two of them gold (plus the research papers), you get $19,625. Two gold and 1 silver, that's what I said. The GSE exam is $399 and the lab $2,100, that adds up to $22,124 minimum. Without golds, the cost goes up to $33,874

If you lucky your could pick up a facilitator gig or two to reduce the cost, but there no assurance they will pick you. I guess in theory you could challenge all 3 exams, flip two to gold and only pay $6,299 total for your GSE.

TechGromit wrote: »

When you consider the requirements are 2 gold level and 1 Silver level SANS certain

TechGromit wrote: »

There's not? Guess you over looked this page.

GIAC Information Security Expert | GSE Certification

GSE pre-requisite list (including substitution options):
GSEC, GCIH, GCIA with two gold

GSEC, GCIH, GCIA with one gold and one substitute

GSEC, GCIH, GCIA with no gold and two substitutes

GCWN, GCUX, GCIH, GCIA with one gold

GCWN, GCUX, GCIH, GCIA with no gold and one substitute

So if you take three SANS classes at $5,600, pay $675 for the exams and pay $400 to turn two of them gold, you get $19.625. The GSE exam is $399 and the lab $2,100, that adds up to $22,124 minimum.

I think you are confusing yourself. In your first post you say "two gold level and 1 silver" when clearly that isn't the only path.

Again, if you did work study x5 @ $1100 and the $399 + $2100 GSE attempt that would be $7999 which by my math is below the $20k you cited.

Mike7

636-555-3226 wrote: »

I still encourage everybody I know to avoid EC-Council like the plague unless they want the CEH for the resume.

CEH helps get your resume through HR filter and a few colleges accept EC Council certifications as credits.
Other than that, I prefer to associate my name with (ISC)2 and ISACA certs.

iBrokeIT wrote: »

Again, if you did work study x5 @ $1100 and the $399 + $2100 GSE attempt that would be $7999 which by my math is below the $20k you cited.

Is it cheaper to go the Work Story route? Absolutely, but you could apply for every work study opportunity for years and never get selected. You need to be a little bit lucky to get work study gigs. I guess if you knew someone like a instructor that recommended you could get selected, but where would you meet an instructor without ever attending a SANS conference? Meet them at another security conference and make friends? Your route relieves heavily on luck, my route doesn't.

NetworkNewb

TechGromit wrote: »

where would you meet an instructor without ever attending a SANS conference? Meet them at another security conference and make friends?

I'm getting a recommendation from an instructor for a work study later this year because a co-worker at my current job used to work with the instructor at a previous company...

aka I know a person who knows a person

NetworkNewb wrote: »

I'm getting a recommendation from an instructor for a work study later this year because a co-worker at my current job used to work with the instructor at a previous company... aka I know a person who knows a person

Not everyone is so lucky.

I went out drinking with two instructors on the 5th day of a SANS training conference, but be hesitant to hit them up for a recommendation.

SaSkiller

"If you can pass it by reading a ****, then it probably isn't that good a measure of competency."

That is a foolish statement. Just because a candidate is capable of dumping a cert does not mean that the cert has no value, and that no candidate with it can be considered competent.

There are **** available for almost every cert out there. And there are a lot of qualified, competent individuals. People want certs to be a black and white area where you can guarantee competence. It just doesn't work that way yet.

BlackBeret

SaSkiller wrote: »

"If you can pass it by reading a ****, then it probably isn't that good a measure of competency."

That is a foolish statement. Just because a candidate is capable of dumping a cert does not mean that the cert has no value, and that no candidate with it can be considered competent.

There are **** available for almost every cert out there. And there are a lot of qualified, competent individuals. People want certs to be a black and white area where you can guarantee competence. It just doesn't work that way yet.

I agree with what you're saying and since there's a **** available for almost every cert you really have to look at the candidates closely, what they've done work wise, how they perform in the interview labs, etc. However, given a stack of resumes for a Linux related position the people with RHCSA are going on top of the people with Linux+ because of the amount of candidates we've seen with Linux+ and no actual Linux abilities. I think dbailey is just trying to factor that concept in with the difficulty rating, and he's not wrong about it unfortunately.

BlackBeret

The most difficult exams I have taken -
1. GCIA - It's very technical and even with a lot of preparation and being open-book you still have to be able to work through the given problems. It's very deep technically speaking.
1.5. CISSP - The breadth of knowledge required is extreme. It's the opposite of GCIA, you have to learn a little about a LOT of topics, it doesn't go near as in depth technically. I rank it just under GCIA because it's not as technical, even though you need to learn more topics you don't really have to be any type of expert in a particular topic. This is also why I approve of their extreme endorsing policies, they want to make sure you are in expert in a few of the topics and still have an understanding of all of the other areas.

gespenstern

I'm about to start my OSCP in next few months and one hypothesis that I wanted to test by accomplishing this is that the exam's complexity is seriously exaggerated. What could be hard here after all. There's a limited variety of penetration and post-penetration techniques that you are supposed to learn and lab and then just apply what you've learned.

I'd vote for recent MS exams, they are pretty hard. If you look at TE forums you'll notice that there's just too many folks who attempt exams such as 70-410 or 70-412 multiple times and fail.

Sheiko37

gespenstern wrote: »

I'm about to start my OSCP in next few months and one hypothesis that I wanted to test by accomplishing this is that the exam's complexity is seriously exaggerated. There's a limited variety of penetration and post-penetration techniques that you are supposed to learn and lab and then just apply what you've learned.

You make it sound like they just give you a simple list of what to learn.

OctalDump

iBrokeIT wrote: »

I think you are confusing yourself. In your first post you say "two gold level and 1 silver" when clearly that isn't the only path.

Again, if you did work study x5 @ $1100 and the $399 + $2100 GSE attempt that would be $7999 which by my math is below the $20k you cited.

Has anyone done it that way? Given that the 5 you can take are from a limited pool, it looks like it would be challenging to achieve 5 work studies, maybe even harder than the GSE

I think a 20k figure is probably reasonable, given that you'd probably have a bunch of other costs on top of the actual courses and exams (travel, accommodation, practice times, more books, lab etc). I think a similar figure has been given as a starting place for CCIE.

Not to mention the opportunity cost if you are earning a good amount of money.

Although I expect most people doing the GSE are either writing it off as business expense, or having a good part paid for by their employer.

It is in an interesting position, though, since as a non-vendor certification there won't be the same incentives for businesses to get their staff certified.

OctalDump wrote: »

Has anyone done it that way?

You might be able to pick up one or two work studies, but five, that's wishful thinking. You can do online training to minimize travel/accommodation costs, that's why I didn't include it in my estimates. If I were to add up training and travel costs, I'm up to over 16k for two GIAC certs (assuming I pass the GCIH). Fortunately my company has picked up the entire tab so far, if the current trend holds, it will cost over 40k for me to obtain a GSE.

OctalDump wrote: »

Not to mention the opportunity cost if you are earning a good amount of money.

Really don't know if the cost for the GSE is worth the investment. I've seen very few jobs that just specific a GSE, usually most job postings will happy to accept a few GIAC certs. You also have to remember that only 150 people ever had a GSE and around 140 are still current, that's an extremely limited talent pool.

I met a guy at my last work study that skewed every single work study statistic. In 2015 he did 5 courses through the program. He quit his job for health matters and after everything went back to normal he decided to live off savings for a while and just do work study. He's local to the NoVa area so he had a lot of events he could do. After a the first few I'm sure the SANS peeps knew him on a first name basis.

cyberguypr wrote: »

After a the first few I'm sure the SANS peeps knew him on a first name basis.

That's exactly how it goes with some of the people I met at Security West. A few of them said they have a good rapport with the work study coordinator and send email to that person before sending in their app. A few of them were on their 6th or 7th work study.

You still have to consider even with work study, unless your employers picks up the tab, airfare, accommodations, meals are at least $2,000, add that to the cost of work study, it's 3,000+. If your lucky the SANS training event will be held local to you, but from what I understand, they prefer you stay onsite so your at there beckon call. I'm sure I could get my employer to pay for the work study after I get the certification for the class, but I'm not so sure they would be willing to pay for other costs, especially if I they already paid for training / travel once that year for me. The training budget isn't bottomless.

Good point. I completely neglected to mention that this guy lived in his car while doing all of those Work Study sessions. I can't do that. Respect.

cyberguypr wrote: »

After a the first few I'm sure the SANS peeps knew him on a first name basis.

So they knew him by name...and smell?

Seven days is a long time to be living out of a car, I guess he washed up in the restrooms each morning with cold water.

Does anyone know if they needed someone for work study, would they allow you to work one course and give you the materials for another? I'm sure they prefer to have someone that does work study take the same course as they facilitate, but if they were hard pressed to find someone fill a slot, are they flexible?

gespenstern

TechGromit wrote: »

So they knew him by name...and smell? Seven days is a long time to be living out of a car, I guess he washed up in the restrooms each morning with cold water.

There's a trick to deal with it. You find a nearby gym that allows one-timers and go there to "exercise", but instead you just go straight to a shower room.

OctalDump

gespenstern wrote: »

There's a trick to deal with it. You find a nearby gym that allows one-timers and go there to "exercise", but instead you just go straight to a shower room.

Yet another valuable tip this site has given me.

chanakyajupudi

This discussion went about being a SANS / Work Study discussion. I have been able to get into 5 over the last 3 years. I am sure it is not as easy as it was a few years ago. I got docked my On Demand subscription because I was not wearing the dress code the 5th time.

I hear the competition is very high and in some countries SANS are not direct. They have a company that manages that for them which makes it even harder because that company sends in their employees / consultants to do the work study.