First of all, GIAC is the certification arm of SANS. By itself, it is not a certification. GIAC would best be compared to (ISC)2, the organization that maintains the CISSP. So it's not possible to do a true comparison of an organization (GIAC) to a cert (CISSP). When I am asked questions in writing, it can be difficult to figure out exactly what knowledge the reader is truly looking to gain without the give and take of a conversation. Therefore, in an attempt to decipher a question that many of you have asked, I'll throw out some interesting tidbits (but trust me, I'll eventually get to an answer).
In order to attain one of the many GIAC certifications, you have to attend a SANS event. This can be costly -- not only for the event itself but also for the travel, since they don't have an event in every major city. Although they have international events, not every event offers every class. If you can make it to one of their events, their training is top notch, and (to use a baseball analogy) their instructors go through a "farm system"-like process to get to the show. So you are almost guaranteed a major league course if you attend one of their larger events. I have a lot of respect for Northcutt, Paller, Sachs, Skoudis and the gang at SANS. But as well respected as the training may be, their certs, unfortunately, are nowhere near as well known outside of IT circles (i.e. HR Directors and consulting clients) as the CISSP.
The CISSP credential is offered by a number of training companies, some officially recognized by (ISC)2 and many not. So you have to be really careful not only about what company you use for your training, but also about who is doing the actual classroom instruction. So go with a known name like The Training Camp. If you're not careful, it can be a big roll of the dice, but if you attain what many consider the gold standard of security credentials, you will have a more recognizable credential even by those outside of the IT community.
Then there's the consideration that you may not have it in your budget to attend classroom training. Although I find boot camp-style courses to be beneficial, I also understand the commitments of time and money they require. This leaves us with the self-study method. If you decide this method is the one for you, there are plenty of CISSP materials out there, but very few for GIAC certs.
Now, let's look at the question itself. Which certification is more beneficial for a security consultant? When I see "beneficial for a consultant," I think money. So taking all of those tidbits into account -- wider availability, a more accessible self-study option and a highly recognizable certification -- I'd have to give the edge to CISSP.
This was first published in November 2006