JoJoCal19 California Kid Mod Posts: 2,828
I am curious about the ROI of the SANS GIAC certs. I would like to hear thoughts about the ROI of them in general, related to the cost per cert, and compared with other security certs like CISSP, CISM and CISA.

At almost $5000 for training and exam fee, I want to know what kind of impact that these certs can have on job prospects, and specifically compared to CISSP, CISM and CISA. Right now I'm working on CISSP and will take the CISM next June. I'm wondering if trying for some of the GIAC certs would be worth the investment after that. I do understand that the GIAC certs are more for actual hands-on, real in-depth knowledge of knowing how to do things compared to the other certs.
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework


  • ptilsen Member Posts: 2,835
    Most people who get GIAC certs get it paid by their employers, from what I've seen. For the most part, I haven't seen evidence that there's really very good RoI from doing them out-of-pocket.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • cyberguypr Senior Member Mod Posts: 6,915
    Don't forget that you can do their training and certs for $850 a piece if you use their Work/Study program. Right now I am sitting in the classroom for SEC 505 in Chicago as a facilitator. Another TE member is also here as a facilitator. I will post about my experience once the event is over.
  • YFZblu Member Posts: 1,462
    Checking in from SEC401 :) Agree with the above, the $850 Work Study program is a great alternative.
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 12,020
    Realize that there is certification ROI from the perspective both of the business training/certifying its employees and the ROI experienced by the certified individuals themselves.

    From a business perspective, SANS training and GIAC certification has enormous ROI. A business can spend $50K sending its security people to SANS training and can immediately benefit from the knowledge gained to fix security problems that could have caused many times that amount of monetary losses for the business.

    From the perspective of the certified individual, it depends on who is paying for the training and certification. If everything is paid for by the employer, SANS/GIAC is the best InfoSec-related IT certification investment you can make after the CISSP (assuming your certification goal is InfoSec employment). You are getting highly useful knowledge for virtually free.

    If the certification candidate is paying for the training/certification him/herself, the probability of having an immediate positive ROI is much less because of the personal expense. (Realize that SANS/GIAC prices are targeted at businesses and not individuals.) The ROI may only be perceived as positive if the training/certification nets the self-paid candidate the job s/he really wanted.

    Some may argue that a better ROI is gained by skipping the SANS training and challenging a GIAC exam directly. I don't agree with this because of the excellent information provided during SANS training. Someone who challenged and passed a GIAC cert may be perceived to be lacking in essential knowledge because they skipped the SANS training. It's odd to realize that having the GIAC paper doesn't mean you also have the SANS training.
  • docrice Member Posts: 1,706
    I'm probably one of the few folks around here who did the majority of his SANS training (and corresponding GIAC certifications) on his own dime. Personally, I found it enriching enough that the ROI was worth it. However, this probably might not be the case for most people. Private industry doesn't seem to recognize GIAC certifications by name as much as military. That said, the number of private industry orgs who have dedicated infosec teams that post job listings mentioning GIAC certs seems to be increasing.

    In summary, there are two ways to look at ROI - 1) your ability to catch HR's / recruiters' eyes due to resume splash and get your foot in the door for an interview, and 2) personal knowledge and fulfillment. For me it was the latter. The hit to my pocketbook was painful for sure and it was a hefty financial sacrifice, but I think in my current position it has been very, very helpful and I'd be a lot more ignorant on how I go about my job if I hadn't taken the courses.

    Also keep in mind that I don't think my certs mattered when it came to my current employment as I was recruited by former co-workers rather than reached out to blindly.

    I agree that while challenging GIAC exams can be a way to attain the alphabet soup next to your name, the real value is in getting the training. SANS updates their material quite often to keep up with the changes in the field (I'd guess once or twice a year) and that in itself merits the relatively high price tag. Now that said, most other in-class training that I've seen hovers near the same price range.

    It still seems the CISSP is the coveted gold prize when it comes to infosec certs, although many will argue as to its worth beyond an HR keyword match in resume scans. But if you're looking to get into the infosec field, it would seem like the logical first choice in ROI. I don't hold the CISSP, but I'm probably more of an exception than the rule.
  • JoJoCal19 California Kid Mod Posts: 2,828
    Thanks for all the input. I do know about the work/study program and that would be the way I would go if I could fit it into whatever my schedule is at the time, or else I'd be going with OnDemand which is the more expensive route. I'm thinking that I will wait until the need arises to get the very in-depth technical knowledge and experience the SANS certs provide. As it stands now I'm trying to track more on the InfoSec management side (why my bachelor's is in business admin and I want my MBA). There are some SANS certs that are oriented for that so I will probably look at those ones.
  • wmcglass Member Posts: 13
    I agree with everything said thus far. You can add me to the ranks of people that have had their SANS training and GIAC certifications paid for by their employer. The SANS courses are by far the most relevant, directly applicable, content-rich training courses I've ever taken. All of the instructors I have had are actively working in the field in which they teach, so they are very sharp. As you go through a SANS course, you'll find yourself creating a bullet list of "Things to do when I get back to the office". That's how applicable it is, and it provides for immediate ROI to your employer.

    Now, is it $5K worth of value? It can be hard to quantitate. I've saved my employer thousands of dollars in professional services expenses because of the training. If you can in-source some type of service or task that the company is currently paying a third-party to support, it will pay off for them many, many times over, and that's a great way to sell it.

    With that said, I don't know if I would pay out-of-pocket for the courses or not. If I were looking to get into a specific field like, say, penetration testing, I might pay out-of-pocket for the GPEN or GWAPT cert just to land that job or get my foot in the door. I believe, without a doubt, that it will pay off in the long run, but it might be several years before you see that payback, monetarily speaking.

    Keep in mind that GIAC certs have to be renewed, too. It costs, currently, $399 every four years for most certs. That's the most expensive renewal cost that I know of.

    The work/study program is definitely the way to go if you can.
  • docrice Member Posts: 1,706
    GIAC recently revised the certification renewal program:
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 12,020
    The GIAC's Certification Maintenance Units (CMU) are the same concept as the (ISC)2's Continuing Professional Education (CPE) credits. This is all needed to conform to certification standardization under ISO/IEC 27024. It's simply more options for us cert holders to stay current in our certifications. :)
  • iamlearning Member Posts: 8
    Guys, don't you think GIAC should have options similar to Cisco Recertification Policies?

    Once we give any higher level exams or any exam related to our certification our previous certifications get renewed automatically. :)

    What do you feel guys? :)
  • cyberguypr Senior Member Mod Posts: 6,915
    GIAC experts may correct me if I'm wrong, but I don't think GIAC certs are hierarchical like CCENT > CCNA > CCNP. From what I've seen GIAC certs are specialized across many areas.
  • YFZblu Member Posts: 1,462
    I agree with cyberguypr.
  • iamlearning Member Posts: 8
    Well, I was talking in terms of levels, as seen below:

    GIAC Certification Categories

    Once we give level 3 then level 4 -- At that point of time as soon as we give level 4 level 3 should automatically get renewed.
    Similarly for level 5 exams all below levels should be recertified.

    I hope you get my point :)
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 12,020
    With regards to certification renewal, GIAC must obey the requirements of ISO/IEC 27024.

    The GIAC Certification Renewal FAQ states:

    Can I use or attempt a different certification and use it for CMUs toward my renewal?
    No, other certifications do not qualify for CMUs.
  • timrvt Member Posts: 28
    This is the response I received on my GSEC renewal using my GISP training:
    Mgt414 qualifies for 36 CMUs toward your GSEC certification renewal. You may register, pay, and submit your CMU information and documentation online through your account prior to your certification expiration date. Once logged in, click Certification History. You should see a link to Renew Now.
    After your registration and payment are received, follow the same steps through your account. You should see a link to Submit CMUs. Please include a copy of your Mgt414 Certificate of Completion as a .zip file with your submission. You should have a copy of your Certificate under 'My Orders' of your account.

    Please let me know if I can be of further assistance.

    Beth Corcoran
  • wmcglass Member Posts: 13
    As others have stated, you cannot renew an intermediate GIAC certification by obtaining or renewing an advanced one, and you cannot renew an advanced certification by obtaining or renewing an expert one. However, as 'timrvt' stated, you do get CMUs for completing the SANS courses. Note the difference between completing a course and getting or renewing a certification; there is a distinction there. Not all courses offer the same number of CMUs.

    For example, if you challenge a certification, you take the exam, and you pass, you do not qualify for any CMUs.

    In another example, if you take a SANS course that qualifies you for CMUs, and you complete the course, you will receive the CMUs, regardless of whether you've completed the related GIAC certification or not.

    All this information is out there on the SANS and GIAC sites, although I did use to blend the lines between SANS and GIAC a lot, which got me really confused in the beginning. Once you understand that there is a distinction between GIAC and SANS, I think it's easier to grasp the concepts.

    There is one exception to this rule that hasn't been mentioned yet, and that's the GIAC GSE certification. You can renew all current and future GIAC certifications by obtaining the GIAC GSE. You can keep all your GIAC certifications current by attempting and passing the GIAC GSE written exam every four years.