My rant upon finding out about SANS upcharging for additional CISSP content...

I've been raking myself over the coals to find the best option for a training vendor in which to get the best bang for my buck related to a CISSP boot camp. I have basically been looking at Training Camp, Secure Ninja, SANS and ISI. I have both found and been provided positive feedback regarding all of the options. I have been inclined towards SANS based on their reputation - but frankly am getting no support from them in any respect. Other vendors have had sales reps, conversant in their offering, who were able to answer detailed questions and provide quotes and even "deal sweeteners" directly over the phone. With SANS I'm getting nothing but "check out our website for details.

So my rant is after finding out today that, not only is the SANS training the most expensive of the group, by a lot, that also extra content that I'd understood was included (On Demand bundle) is actually an "up charge" - bringing the total cost of the class (not including travel, accommodations, or testing vouchers - all things that other vendors were willing to toss in) to $5344!

Anyhow, this is my rant, posted on another forum. I'm shocked at what SANS is up charging for premium content when everyone else seems to be offering something that is bundled in.

Thanks Colin - your feedback echoes pretty much that which I've already received through other sources - individuals, very happy with SANS training - but also no exposure to the competing offerings to distinguish between the two. (Which makes logical sense - how many people would take 2 CISSP prep courses?)

Your mentioning of the On Demand bundle was both extremely helpful and even more discouraging. (I was unaware of the bundle until you mentioned it) After reading your message I checked the SANS website and received a bit of a shock. Without the on-demand bundle, the course tuition is already $4615 - about a thousand more than the price of other offerings. Adding the On Demand brings the total to a whopping $5244! This is up to 2k OVER quotes I've received from other vendors - which in some cases, beyond providing 6 days worth of courseware/instructor delivery, PLUS bundled premium content that they DON'T upcharge for, also include hotel accommodations or testing vouchers. I realize that not all courses are created equal - but I've also been focused on what seem to be the 4 most "tried and true" CISSP prep class vendors - and all have comparable positive feedback regarding the same body of (let's be honest here) non-technical content.

My budget for the whole shebang (including accommodations and later exam fee) is $5k. This is not set in stone, however I have to fight for the extra cost. I have really nothing to offer of substance to my management to legitimize a request to pay (much) more to go to SANS over any of the other 3 offerings out there - which as mentioned get relatively good reviews in their own right. I'm still without the ammo I need to sell SANS over the other offerings and feel I'm fighting the battle on my own, without support from SANS, all the while not even sold myself. I can't even use the angle that I'm taking a class taught by "the guy who wrote the book" as Eric Conrad is only teaching one more time on the east coast this year - in late December.

I work in the health care market and we actually have our expenditures scrutinized (unlike Government and military spending) and I'm starting to wonder if SANS is more interested in that market as I don't see how most in private/commercial organizations can absorb the cost difference based on the inarticulable "we're better just because we're better" marketing by SANS.

I apologize if this seems to be an anti SANS rant - it’s actually the opposite. I'm really very disappointed that absent something I can use to differentiate the SANS product, there is simply no way I'm going to be able to attend. Frankly the upcharge for the online content is probably the nail in the coffin. I can't believe that the most expensive CISSP prep course already is upcharging as well. I have attended many, many training classes, over a host of technical products, and technologies over the years. I've been self-studying for the CISSP for about 4 months now and have worked in INFOSEC as an engineer, analyst and team lead for 15 years across government, military, service provide, and health care environments. I cannot imagine what SANS offers that is that much better than other sources out there and SANS is not doing much to fill in the gaps.

Thanks again for your input.

Find more posts tagged with

Comments

E Double U

cledford3 wrote: »

have worked in INFOSEC as an engineer, analyst and team lead for 15 years across government, military, service provide, and health care environments.

Please skip the boot camp.

Tongy

I'd go on a boot camp if I wasn't paying... Otherwise, I'd buy some books and study.

The CISSP cert would far more than pay for itself despite this cost though!

636-555-3226

SANS costs what SANS costs. It's like paying the Apple tax for an Apple product. SANS is one of the biggest & best names in the game and they can charge pretty much whatever they want to because, well, nobody else really does what they do. Competition would be good, but there are only a handful of other organizations than even try to compete with SANS and even then they only compete in one or two specific areas.

docrice

Security is still a niche specialization, and it tends to come with specialization pricing. Also consider that the whole "cybersecurity" thing is very hot at the moment and lots of people are diving into it. There are other security training vendors out there, but no one has the diversity across the various domains like SANS. While I wouldn't rely exclusively on SANS for security training, I tend to go back to them time after time.

For CISSP-related training, it would seem that you could do just fine by reading the books out there rather than going through a training course. I took a CISSP bootcamp from Global Knowledge a long time ago and found it pretty dull to sit through (in regards to the material rather than the instructor). Maybe live, in-person instruction would help more in that sense, but OnDemand content (if purchased in addition to a in-person instruction offering) has always been an extra.

Or you could simply do the OnDemand and go through the course at home and use the virtual mentor if you need to ask questions. You could also look at the WorkStudy program for a much less expensive option.

JDMurray

I've said this before: The target demographic for customers purchasing SANS courses and GIAC certifications are businesses and not individuals. The $5000+ per person training/certification is a bargain for any business when the trained individuals will return to work and be able to fix ten times that cost in potential security problems.

An individual spending money on any certification has no guarantee of acquiring or keeping employment. Therefore, sticking with the cert vendors whose prices do target individuals (e.g., CompTIA, Microsoft, Cisco) is the best thing to do until you are hired by a business willing to pay for the much more expensive training.

cledford3

JDMurray wrote: »

I've said this before: The target demographic for customers purchasing SANS courses and GIAC certifications are businesses and not individuals. The $5000+ per person training/certification is a bargain for any business when the trained individuals will return to work and be able to fix ten times that cost in potential security problems.
QUOTE]

As a dedicated member of my organization it is a professional obligation on my part to be a good steward of our finances. My employer IS paying for my course fee, but SANS excessively overcharging for content that can be had elsewhere, with really no distinguishable differentiator (even when directly asked) is not a bargain.

beads

If it helps explain things at all. The long running joke about SANS is indeed many are Harvard MBAs. No joke, no kidding.

- b/eads

nk_vn

JDMurray wrote: »

I've said this before: The target demographic for customers purchasing SANS courses and GIAC certifications are businesses and not individuals.

sticking with the cert vendors whose prices do target individuals (e.g., CompTIA, Microsoft, Cisco) is the best thing to do until you are hired by a business willing to pay for the much more expensive training.

I wish the employers (and their HRs) had the same understanding on the topic. The actual market situation is somewhat different. We all know that an individual who sticks with the mentioned target demographics of the training/certifications is likely to experience the phenomenon of employers taking advantage of a labour market that is over-saturated with qualified individuals. I keep seeing employers that require CISSP/GIAC for entry-level, low-experience, technical positions. People have no choice but to stick their necks out, fork out the cash and supply what the market demands. Nobody will get a job by explaining on the interview that the employer requires the wrong cert for the wrong position.

Danielm7

nk_vn wrote: »

I wish the employers (and their HRs) had the same understanding on the topic. The actual market situation is somewhat different. We all know that an individual who sticks with the mentioned target demographics of the training/certifications is likely to experience the phenomenon of employers taking advantage of a labour market that is over-saturated with qualified individuals. I keep seeing employers that require CISSP/GIAC for entry-level, low-experience, technical positions. People have no choice but to stick their necks out, fork out the cash and supply what the market demands. Nobody will get a job by explaining on the interview that the employer requires the wrong cert for the wrong position.

Today I found a Jr Sec Analyst position that required CCNA+MCSE, 2-3 years of infosec experience and 7+ in IT. In the "desired but not required" area they had CCNP, CCIE, CSSA, CISSP, GCIA, etc. I was dumbfounded.

nk_vn

Danielm7 wrote: »

Today I found a Jr Sec Analyst position that required CCNA+MCSE, 2-3 years of infosec experience and 7+ in IT. In the "desired but not required" area they had CCNP, CCIE, CSSA, CISSP, GCIA, etc. I was dumbfounded.

This actually means "We will call it a Jr and put low requirements to justify the low-end salary, but at the end we will hire the candidate with the biggest alphabet soup of certs who is desperate enough to work for pittance"

beads

@nk_vn

That's why I've read current administrative assistant resumes with the CISSP, PMP and CCNP or other higher end certs.

What's really a shame is that the hiring managers will likely find a candidate with these credentials.

If nothing else they make me giggle.

- b/eads

UnixGuy

SANS prices are ridiculous. I found eLearnSecurity to be a good reasonable alternative.

Don't pay a penny for CISSP training. Just read the book.

guy9

Like mentioned and as I am sure you already know, you can self study and pass the CISSP or take a bootcamp that is along the lines of your budget. Nobody knows how you studied for the CISSP exam when you pass it, nobody really cares how you studied for it. So where/if you take a bootcamp means little. You complain about SANS training, that is fine. Just know that SANS isn't seeding out weekly emails begging for your $. They do sent out emails about specials and the next event and this and that but most of it finds its way in my trash, only because when I am ready to attend another training I won't need an invite. People "complain" about the price of SANS training, to me a cert that starts with a G sticks out on a resume, a signature block, or a frame in an office. I am not going to say a broad statement like the "security field" this and that. But, in the Security Field where I have worked/currently work having a G cert separated you from everyone else and peoples face looked like

. I personally paid out of my pocket to attend the training, I wouldn't suggest it nor have I told that many people. I also paid out of my pocket to attend a CEH bootcamp. 5k is a lot of money (to some), but I call it an investment towards the future. I have lost more money in the stock market! The other separation between CISSP (or any other cert) and a G cert is that you know the guy/gal didn't buy a braid-d-ump to pass. That in itself gives me a higher respect for other certified individuals.

I actually took the CEH bootcamp at one of your listed training facilities (like mentioned paid out the pocket). Honestly, like i mentioned a few weeks ago I have little respect for "bootcamps" after my experience. I am not going to BS you, "some" of them in some way shape fashion or form give you the answers. How do you think they have that 90% pass rate? Yes, I know I seen the SANS CISSP training with a high pass rate as well and I am a hypocrite.

SaSkiller

cledford3 wrote: »

JDMurray wrote: »

I've said this before: The target demographic for customers purchasing SANS courses and GIAC certifications are businesses and not individuals. The $5000+ per person training/certification is a bargain for any business when the trained individuals will return to work and be able to fix ten times that cost in potential security problems.
QUOTE]

As a dedicated member of my organization it is a professional obligation on my part to be a good steward of our finances. My employer IS paying for my course fee, but SANS excessively overcharging for content that can be had elsewhere, with really no distinguishable differentiator (even when directly asked) is not a bargain.

Here is the issue I have with that. It is a bargain for a company to pay one or two people for a few certs. I have found out recently they don't like it so much when they need to certify a whole team of security professionals. And there is the additional issue that they have no alternative for certain material, and there is no discount for taking one form of training vice another (live courses vs online). Eventually I think the tide will turn and SANS will be in a world of trouble. They have good material, but one price for all is not sustainable. Maybe for the DoD for now, but with DoD pulling back for the 8570 re-certification costs, I don't think it will be too long until DoD starts to rethink utilizing SANS for their cyber corps unless they are getting a steep discount.

JDMurray

There is a clear separation between "SANS training" and "GIAC certification." One can take SANS training without testing for GIAC certification and vice versa. If you don't need the training, but do need the certification, that option is open to everyone and it is the much more inexpensive route to go.

justjen

Although I may be swimming against the tide, I also have paid for most of my training and for all of my certifications - with an emphasis on training (not being particularly interested in a bowl of alphabet soup). One employer did pay for a couple SANS courses, but not any certs, regardless of vendor. I chose to pay out-of-pocket for other SANS training and for all of my certs - because I wanted them. (And yes, I have other certs not listed in my profile.)

I have never regretted the money I spent on SANS. However, I always think carefully about my goals, before deciding how I can best meet my objectives. My next course (already registered, not yet started) is not a SANS course, because SANS did not offer the educational opportunity I was looking for. YMMV.

LionelTeo

I never paid for any SANS course despite what I have. SANS course are for big organization who emphasize on training, some big companies out there even have the budget to set up a training consultation team that specifically looks into training option for employees, imagine what is 5k to companies like these given the amount of money pour into such a team!

I would highly recommend you to self study for CISSP, a lot of people did it that way and pass. Save the 5k, any training is not going to give you return on investment as good as any self study out there.