Information Security: Comparing the CISSP and GSEC Certifications


I’ve had some discussions about how the GIAC GSEC credential compares to the CISSP in terms of difficulty and respectability. Here is one such discussion from a forum I frequent:

The main reason the CISSP is more respected is because of the standards the ISC2 has established, such as proving the identification of the applicant, verifying they meet the experience requirements, and the way the exam is hosted.

That definitely earns the exam some respect, to be sure, but keep in mind that the first time pass rate is over 70%.

I would give you this analogy: The CISSP is like taking the SATs. You walk into a room with just a pencil and take a 6hr, 250 question exam that many of the times has more than 1 right answer, but you have to draw on your experience to determine which one is “more right.” The GSEC is like creating and turning in an essay and taking an open book test.

Ok, let me put it this way, which of those two scenarios do you think represents reality in the infosec world? Cramming facts and regurgitating them via #2 pencil, or dealing with harder, more technical questions with access to any book and any search engine you want?

It’s the latter.

That’s what problem-solving is — you have Google, you have the text books, you have anything you want. That doesn’t make complex problems easy, it just makes them possible. That’s how the real world works.

Put it this way, I’d be willing to bet that 50% of all CISSPs don’t know what netcat is. What does that say about their infosec skills? What percentage of GSEC holders know what it is? Probably 99%.

Don’t confuse world-wide acceptance with proof of superiority. CISSP is standard, it requires experience, and it’s got a good, broad base of questions, but it’s the kind of test people cram for, pass, and then forget the material it was made up of. That’s not a good measure of a dedicated, technical infosec professional; it’s more a measure of someone who takes their career seriously and knows how to study.

I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.

More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge – not for testing whether or not you’d be qualified to actually do anything.

Don’t get me wrong, if you are going to do one first, or only one of the two, I’d say get the CISSP. It’s more recognized and more respected than any other cert out there. All I am saying is that you shouldn’t confuse this with its difficulty. Almost nobody knows anything about the GSE certification either, but the two PhDs that have it said it was harder to get than their degrees.

I think after you have both you may see it more the way I do. I’d hire a GSEC holder to do some security on a network with significantly less reservation, whereas a CISSP-holder would have to go through the same sorts of checks that someone with nothing more than a 4-year degree would. Just because they can study and take themselves seriously doesn’t mean they know or love their discipline.
