Slashdot Mirror


GIAC/SANS Certification Changes?

venom600 wonders: "SANS and GIAC have recently changed their certification requirements, no longer requiring a practical assignment be completed in order to be certified. This has created some discussion around the value of their certifications moving forward. In addition, SANS recently asked current certified individuals (in an email) to provide quotes about the value of their certifications for an upcoming brochure. Since the requirements have changed, the value of the certification has changed as well, making any quotes an unfair assessment of value. This brings me to my question: What IT security certifications are left (if any) that actually provide value to you?"

9 of 27 comments

  1. CISSP by n8y · · Score: 3, Informative

    My CISSP...while not a good indication of technical skill, still seems to provide the ooohs and aaahs necessary from management and customers to be worthwhile. Although I have met plenty of CISSPs who wouldn't know any of the 10 domains from a hole in the ground...it seems to be the "cert du jour" to have. My $0.02 ...from the real world.

    1. Re:CISSP by Mattcelt · · Score: 2, Insightful

      I have to second this... The CISSP is becoming the de facto certification for infosec folks to have. I think a large part of the perceived value is the time requirement (3+ years and a B.S./B.A. or 4+ years) for hands-on security work before you can even apply for the certification.

      I always thought of the GIAC as the gold standard for security, but when getting a complete credential set costs tens of thousands of dollars just to take the classes, it seems a little extreme compared to the CISSP, which can be done in a single course (or if you're brave, just by taking the test).

      I also think the practical part was a good thing for the GIAC, and something the CISSP could benefit from. There are too many people out there with "book smarts" and no practical knowledge, and they dilute the certification and its value to those of us who really know the ins and outs of the subject matter.

  2. None. by CDarklock · · Score: 2, Insightful

    When hiring, I'm not really impressed by certifications. To me, a certification means you stopped working long enough to play games with an authority figure -- usually in the hopes of getting more money -- and that authority figure may or may not have given you a rigorous testing to determine your eligibility for the certification. It's not just the certification that matters, it's where you got it.

    Essentially, I judge applicants based on how I perceive their level of talent during the interview. I'm more interested in the flavor of a resume than I am in the experience and skills listed on it; I can *get* you experience and skills, but I can't get you talent -- let alone the basic ability to "fit in" at my company.

    --
    Microsoft cheerleader, blue flag waving, you got a problem with that?
    1. Re:None. by jessecurry · · Score: 2, Interesting

      I'd love if more bosses were like this. It seems that often times an extremely bright, competent, and talented prospect will get passed over for someone who has a certification.
      The last degree that I completed was for a computer graphics and design program and I found that without any certifications I was able to troubleshoot and repair the lab computers that the "IT Specialist/MIS Department" was just going to reclone or send in for replacement.
      Solid problem solving skills seem to be something that quite a few certified technicians seem to lack these days.

      --
      Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
    2. Re:None. by hdparm · · Score: 2, Insightful
      Trouble with this is that most jobs these days are advertised through agencies, exclusively. To get the interview alone, you need at least a few acronyms after your name.

      However, not all IT certifications should be treated the same - to acquire some of them you must practically prove your expertise and that alone gives better indication of the person's suitability for a particular job. Therefore this (GIAC/SANS decision) can't be a good thing.

    3. Re:None. by CDarklock · · Score: 2, Interesting

      > You are the least fallible
      > instrument in the arsenal?

      Well, I don't know that I'd put it THAT way. ;)

      I know some very bright people who just don't get along well with testing environments. These people are simply never going to be certified as anything, but it takes about five minutes of conversation to figure out that they really do know their stuff.

      On the other hand, I also know a few people with stacks of certifications that... well, let's just say I wouldn't hire them, or recommend that anyone else hire them either. Again, it takes about five minutes of conversation to figure this out.

      So I consider that five minutes of conversation to be the real dividing line. I'm lucky enough to get reasonable numbers of resumes, so I can usually afford to go through them all by hand and bring in over half of the applicants for an interview. If my company ever gets to the point that this isn't really an option, I'll have to reexamine my methodology.

      --
      Microsoft cheerleader, blue flag waving, you got a problem with that?
  3. CISSP - GIAC by Jeremiah+Cornelius · · Score: 2, Funny
    CISSP
    Set the bar. "You must be this tall to ride the Giant Dipper".

    GIAC
    Demonstrated application. "Your stuff could be safe with me."

    A Harvard MBA doesn't translate into a tier-1 CEO. There are no guarantees. But CISSP and GIAC are decent evaluation tools for assessing candidates and associates.

    Security+ shows someone is looking in the right direction.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  4. Certs by dacoto · · Score: 2, Interesting

    I rank real world experience and self-taught knowledge 100 times higher than certs or degrees from some big name school or college.

    Real world exp. is the real certification in my book, show me someone who has been up for 72 hours working on a team or alone to fix a server or network issue who resolves the issue. That individual or team that tackles problems like that will get a job working with me before anyone who has a degree or cert.

    Self-taught knowledge shows me that the person took on the challenge of learning on their own and did not require someone to hold their hand and teach them stuff from a book that is so far off the day to day path that it's a waste of a good tree.

    Don't get me wrong, I applaud anyone who has successfully completed any certs or degrees, it takes a lot of time and effort to do that. I just don't feel that the weight that seems to be put on them is justified.

    My 2 pennies, now all the folks with degrees and certs can assault me. :)

    --
    Open Source, Open Formats, Open Doors, Open Your Mind "Break On Through to the Other Side" The Doors
  5. No more certs for me... by itwerx · · Score: 2, Interesting

    ...or tic-tacs for that matter. :)

    But seriously.
    I used to have a good half-dozen certifications active at any given time ("real" ones, not just the generic A+ crap). But after a while I began to notice that people were much more impressed by what I'd done in the real world and I slowly started letting them lapse. The last one expired about four years ago and to be quite honest I don't think a single customer has noticed or cared. And it sure saves me a lot of time and hassle!
    But then again I suppose it depends on your background. If you're fresh out of college then they would be a Very Good Thing to have for at least some number of years.