Why sre SANS certifications so undervalued?

I have my GSEC and I am getting my GCIH soon and my CISM soon. For some reason the CISSP which I don’t think is that impressive is way more valuable than the SANS stuff. Also my CRISC is too and the CISM will be. The crazy thing is i feel like the SANS stuff made me a better security analyst. The other certs did not. Something needs to be done to change the industry so that companies understand the CISSP is not as valuable as the GSEC for example. Hands on and practical vs high level question and answers seems like a no brainer to me. Feel free to agree or disagree.

Find more posts tagged with

Comments

mactex

Concur. Although I am biased; I think GIAC certs are more valued by actual security practitioners. CISSP and the ISACA certs tend to be more management oriented, and are more often requested by HR and management that may not fully understand the technical aspects of the role they are hiring for. I have no data to back up my claims; just my feels.

chrisone

ISC2 = Executives/ Management
ISACA = Executives/Management
SANS = Security Engineers, Hackers, Analysts, Executives/Management, etc.

ISC2 and ISACA have the edge when it comes to Executives and Management. Sans has the edge for technical hands on techniques, but does cater to executives and management as well.

Ask yourself who gets paid more in any job industry? Executives or engineers(I should have said "staff/employees")?

LionelTeo

you would be right if it is 8 years ago where security management would value a lot more than actual technical skills. However, as adversaries is getting more advance in their attack vectors, companies are really pegging higher value for important technical role. If a hiring manager is still looking at a cissp to hire for a technical role, that is a good indication of a company you should glad your not gonna work for.

GIAC certs does have a little poor ROI unless your going for challenge or company is paying for it. That does not mean the ROI is bad. Its the ROI for information security field in general that starts out generally low, but its gonna offer a really high exponential growth as you get better and gain more experience.

scasc

The post above pretty much nails it on the head. In my experience if you want to go down the GRC/Management Route ISACA is the way forward. If you want to be an engineer/techie then SANS is the best. There is this persona that by having the CISSP you automatically can do most security jobs which isn’t entirely true. The CISSP has been so water downed in recent years that most people have one - however tell that to HR/people writing job specs!

I was interested at one point myself with SANS management curriculum but that soon when due to cost and fact that nobody asks for it - though you can argue you pick up invaluable knowledge nevertheless.

gespenstern

1) CISSP has been around for longer
2) Was marketed heavier
3) Doesn't have a "dilution" problem (majority of recruiters don't know what means what in GIAC world -- it's just too many)
4) Actually a rather good "umbrella" cert that covers pretty much everything security

Now, what choices do I have as a player in the field?

1) Swim against the flow and waste time proving to each and every recruiter/employer I meet on my way that GIAC is better than (=boil the ocean).
2) Swim with the flow and just get yet another cert.

There's only one choice here that would be wise.

CyberCop123

Same reason why CEH is so "valuable" - it's a lack of understanding by recruiters and HR about what it means.

E.g. CEH - Certified Ethical Hacker. To your Mum or Dad that sounds really impressive. You're certified and trained to hack. Amazing.

CISSP: Certified Information Systems Security Professional .... brilliant. They are a security professional and certified too.

Just fancy words. The same as someone being "executive" or "senior engineer". Often it's just word play.

I'm deep into my CISSP studies. I'm learning tons but believe the majority isn't that helpful.

scasc

CISSP has been around for a long time so has built up that reputation. Many companies I know wouldn’t sponsor for SANS due to cost - but you actually learn something tangible here.

CyberCop123

scasc wrote: »

CISSP has been around for a long time so has built up that reputation. Many companies I know wouldn’t sponsor for SANS due to cost - but you actually learn something tangible here.

Impressive set of certifications and qualifications you've got there.

Out of interest, which would you say was:

1) hardest
2) most worthwhile
3) least worthwhile

NetworkNewb

A week long course where you have an open book test about what was covered to get the certification... I found the GCIH exam fairly easy personally. (Come on, open book!)

That said, I loved the course and would love to do more courses if my employer would ever pay for them. CISSP is insanely broad. While SANS courses are good for specific areas where you need that knowledge for your current job. Much more real world things you might be working on and be able to put to use right away.

They serve their own and different purposes imo.

scasc

CyberCop123 wrote: »

Impressive set of certifications and qualifications you've got there.

Out of interest, which would you say was:

1) hardest
2) most worthwhile
3) least worthwhile

Many thanks for the compliment

1. Hardest was SANS GSNA - really need to know your technical auditing stuff - something not taught by CISA (more process/methodology focused, however CISA much more relevant for auditing in enterprises today because that is how its done). Also AWS CSA - Really to need understand the environment.
2. Most Worthwhile - From a Resume perspective AWS, CISSP, CISA, CISM, TOGAF - All have helped with obtaining roles.
3. Least Worthwhile - CHFI, CCISO, CEH

LonerVamp

I'll play devil's advocate here for just a hot minute.

Lots of companies don't necessarily need (or maybe more accurately want) a highly technical person. Just someone who knows enough to give the correct guidance to technical people who do the work. This is often a CISSP-type level. Just like pulling in a consultant or getting an IT health check/audit from a third party.

There's lots of things to do with security in business that have very little hands-on technical work, like advice, design. Security can almost be like a partially technical therapist (the psychological or physical kind).

/devil

DatabaseHead

Everyone of our security positions either ask for or prefer the C|EH. It most certainly has some value.

datacomboss

In my organization HR is only responsible for organizational job requirements. Hiring department managers are responsible for the technical requirements for the job, so it's a lot of time the CISO's and ISO's who are listing CISSP and CEH as requirements.

TechGuru80

OmniMan wrote: »

1. I have my GSEC and I am getting my GCIH soon and my CISM soon. For some reason the CISSP which I don’t think is that impressive is way more valuable than the SANS stuff. Also my CRISC is too and the CISM will be.

2. The crazy thing is i feel like the SANS stuff made me a better security analyst. The other certs did not.

3. Something needs to be done to change the industry so that companies understand the CISSP is not as valuable as the GSEC for example.

1. The CISM and CISSP are used in similar roles, which generally are management or senior level. CRISC also falls into this category as risk management USUALLY isn't handled/decided at the operational level...it is a management level strategy.

2. No kidding? SANS certifications are meant for analysts...the CISSP is meant for management...so I would say you basically answered your own complaint.

3. Nothing needs to be done except you shouldn't compare requirements for a management level job to that of an analyst. The CISSP does have value at the management level where a broad understanding is required...technical certifications have value at the analyst level...not all roles are created equal for what they need.

scasc

@Lonervamp
@Techguru80

Couple of very valid points. Depends what side of the fence you are on and what you want to get out of the courses.

Randy_Randerson

I don't think they are undervalued at all. But as others have stated, it is all about what the person is going to be doing in a specific role. When I'm posting for technical jobs, I have GIAC certs listed right alongside those from other certifying boards. When I am posting for management level positions, those are going to lean towards management certs like CISM/CISSP etc. Go look at your CISO/CSO of your company. Let me know what their background is. I am willing to bet there is very little technical skills involved. In fact, they probably have their MBA and their skillset is right around business/risk management. That is what management is about. Managing the team to conduct work on behalf of the company. They don't need to have GPEN or GCIH because they are not going to be working that stuff. They are going to be leading the team that does it.

CISSP sadly is not going to go away. I get the disdain for it in the community (especially Infosec), but it is probably one of the most worthwhile certs to get if you're already in study mode. Just get it over with.

TechGromit

The entrance bar is set much lower for CISSP holders, anyone with 5 years experience, who buys a book, studies enough and has $699 can get a CISSP. For any GIAC, it's almost triple that cost to challenge the exam, and over 6 grand for the course and exam. Also the CISSP was released in 1992, while GIAC certifications came out in 1999, you also had to write a research paper in addition to passing the exam until 2005. About 120k professional hold the CISSP certification, GIAC is less the 90k for all of types of certifications.

In short, while GIAC Certifications are better in my opinion, the much high cost to obtain one will continue to limit the number of professionals that have one. Which in turn make it a less well known certification.

JGS

Do you think the perception/interest in GIAC certifications will change in the next 5 to 10 years?

JDMurray

While you can still send a security team to SAN training for $100K and, after they return to work, are able to find and fix a potential of $1M in security issues in your enterprise, there will be continued interest in SANS training and GIAC certs.

UnixGuy

CISSP ==> Pure marketing, I see no value in it, whatsoever. I've seen extremely incompetent people with this cert (both in technical & management capacity).

But if you can't beat them, join them. Just get a CISSP. Do what @gespenstern suggested.

UnixGuy

NetworkNewb wrote: »

A week long course where you have an open book test about what was covered to get the certification... I found the GCIH exam fairly easy personally. (Come on, open book!)

.

Because GCIH is actually easy and entry level-ish. SANS courses 600+ or GCFA will really challenge you. People fail GCFA with open book

NetworkNewb

I'm glad to hear other ones are harder. The only other cert that I have taken that was open book I found ridiculous too (CCSK). Certs should not be open book imo... I get it is more "real world" since you have access to materials in the real world. But think certs should be a test of your current knowledge on a subject, not a test on if you can look up information quickly.

Clm

I have no Sans certs i want to get a few but the cost is the biggest draw back.

I dont think Sans are necessarily undervalue i just think most hiring managers put CISSP,CISM and others over Sans becuase more people have them.

yoba222

SANS is high quality, expensive training that happens to have an exam and a certification.

UnixGuy

NetworkNewb wrote: »

I'm glad to hear other ones are harder. The only other cert that I have taken that was open book I found ridiculous too (CCSK). Certs should not be open book imo... I get it is more "real world" since you have access to materials in the real world. But think certs should be a test of your current knowledge on a subject, not a test on if you can look up information quickly.

GCFA there are just too many windows artefacts, file names, locations, directories, registry , etc, there is no point memorising them so the open book is handy

E Double U

NetworkNewb wrote: »

Certs should not be open book imo... I get it is more "real world" since you have access to materials in the real world. But think certs should be a test of your current knowledge on a subject, not a test on if you can look up information quickly.

One can argue that no multiple choice exam truly tests your mastery of the subject.

NetworkNewb

Very true!

chrisone

Excuse my ignorance but the GPEN exam you don't actually pentest anything during the exam? .......

cyberguypr

GIAC exams are not hands-on, for now.

markmorow

I had several questions on the GCIA that were lab based.