
GIAC/SANS Certification Changes?

venom600 wonders: "SANS and GIAC have recently changed their certification requirements, no longer requiring a practical assignment be completed in order to be certified. This has created some discussion around the value of their certifications moving forward. In addition, SANS recently asked current certified individuals (in an email) to provide quotes about the value of their certifications for an upcoming brochure. Since the requirements have changed, the value of the certification has changed as well, making any quotes an unfair assessment of value. This brings me to my question: What IT security certifications are left (if any) that actually provide value to you?"

  • CISSP (Score:3, Informative)

    by n8y ( 554960 ) on Monday April 04, 2005 @04:43PM (#12137498) Homepage
    My CISSP [isc2.org]...while not a good indication of technical skill, still seems to provide the ooohs and aaahs necessary from management and customers to be worthwhile. Although I have met plenty of CISSPs who wouldn't know any of the 10 domains from a hole in the ground...it seems to be the "cert du jour" to have. My $0.02 ...from the real world.
    • Re:CISSP (Score:3, Insightful)

      by Mattcelt ( 454751 )
      I have to second this... The CISSP is becoming the de facto certification for infosec folks to have. I think a large part of the perceived value is the time requirement (3+ years and a B.S./B.A. or 4+ years) for hands-on security work before you can even apply for the certification.

      I always thought of the GIAC as the gold standard for security, but when getting a complete credential set costs tens of thousands of dollars just to take the classes, it seems a little extreme compared to the CISSP, which can
  • None. (Score:2, Insightful)

    by CDarklock ( 869868 )
    When hiring, I'm not really impressed by certifications. To me, a certification means you stopped working long enough to play games with an authority figure -- usually in the hopes of getting more money -- and that authority figure may or may not have given you a rigorous testing to determine your eligibility for the certification. It's not just the certification that matters, it's where you got it.

    Essentially, I judge applicants based on how I perceive their level of talent during the interview. I'm more
    • So. You are the least fallible instrument in the arsenal? :-)

      Can I hire you? (insert more grins here)

      • Re:None. (Score:2, Interesting)

        by CDarklock ( 869868 )
        > You are the least fallible
        > instrument in the arsenal?

        Well, I don't know that I'd put it THAT way. ;)

        I know some very bright people who just don't get along well with testing environments. These people are simply never going to be certified as anything, but it takes about five minutes of conversation to figure out that they really do know their stuff.

        On the other hand, I also know a few people with stacks of certifications that... well, let's just say I wouldn't hire them, or recommend that anyon
    • Re:None. (Score:3, Interesting)

      by jessecurry ( 820286 )
      I'd love if more bosses were like this. It seems that often times an extremely bright, competent, and talented prospect will get passed over for someone who has a certification.
      The last degree that I completed was for a computer graphics and design program and I found that without any certifications I was able to troubleshoot and repair the lab computers that the "IT Specialist/MIS Department" was just going to reclone or send in for replacement.
      Solid problem solving skills seem to be something that quite
    • Re:None. (Score:3, Insightful)

      by hdparm ( 575302 )
      Trouble with this is that most jobs these days are advertised through agencies, exclusively. To get the interview alone, you need at least a few acronyms after your name.

      However, not all IT certifications should be treated the same - to acquire some of them you must practically prove your expertise and that alone gives a better indication of the person's suitability for a particular job. Therefore this (GIAC/SANS decision) can't be a good thing.

    • To me, a certification means you stopped working long enough to play games with an authority figure -- usually in the hopes of getting more money

      Perhaps I'm misreading you, but it seems like you may almost have some bias against people with certs. There's plenty of people out there who have certs because their management sent them off for the training/certification, so it's not always a plot to get cash.

      that authority figure may or may not have given you a rigorous testing to determine your
      • > it seems like you may almost have
        > some bias against people with certs.

        A bit. A bit. Just a bit.

        Seriously, it's not the certification I have trouble with; it's the sort of person who waves it around. I think a certification is the sort of thing you pull out when you need it, not something you stick at the end of your name for brownie points.

        Unfortunately, that's what you have to do for a lot of employers, and there's no way for the applicant to know I'm actually put off by certifications... so I'
  • Easy... (Score:1, Funny)

    by Anonymous Coward
    MCSEs are making all the money these days :p
  • by Jeremiah Cornelius ( 137 ) on Monday April 04, 2005 @04:48PM (#12137562) Homepage Journal
    CISSP
    Set the bar. "You must be this tall to ride the Giant Dipper".

    GIAC
    Demonstrated application. "Your stuff could be safe with me."

    A Harvard MBA doesn't translate into a tier-1 CEO. There are no guarantees. But CISSP and GIAC are decent evaluation tools for assessing candidates and associates.

    Security+ shows someone is looking in the right direction.

  • has an informative article outlining the value of several of the IT security certifications. Read it here [theregister.co.uk]
  • Certs (Score:2, Interesting)

    by dacoto ( 770892 )
    I rank real world experience and self-taught knowledge 100 times higher than certs or degrees from some big name school or college.

    Real world exp. is the real certification in my book, show me someone who has been up for 72 hours working on a team or alone to fix a server or network issue who resolves the issue. That individual or team that tackles problems like that will get a job working with me before anyone who has a degree or cert.

    Self-taught knowledge shows me that the person took on the challenge of
  • "SANS recently asked current certified individuals (in an email) to provide quotes about the value of their certifications for an upcoming brochure. Since the requirements have changed, the value of the certification has changed as well, making any quotes an unfair assessment of value"

    This is rather underhand unless they make it perfectly open that the degree has changed in this way, to use a crude example it's like using a rave review of crunchynut cornflakes to describe cornflakes (my imagination is ap

  • by itwerx ( 165526 ) on Monday April 04, 2005 @05:09PM (#12137820) Homepage
    ...or tic-tacs for that matter. :)

    But seriously.
    I used to have a good half-dozen certifications active at any given time ("real" ones, not just the generic A+ crap). But after awhile I began to notice that people were much more impressed by what I'd done in the real world and I slowly started letting them lapse. The last one expired about four years ago and to be quite honest I don't think a single customer has noticed or cared. And it sure saves me a lot of time and hassle!
    But then again I suppose it depends on your background. If you're fresh out of college then they would be a Very Good Thing to have for at least some number of years.
  • ...certifications are utterly useless. Especially in security, where anything that's been around long enough to train wannabe teachers, print course texts, get the courses promoted, persuade the PHBs to send people to get trained, have the people trained and THEN have them re-trained because so many failed the exam the first two or three times, is certainly old enough for Black Hat websites to have published exploits that circumvent the techniques taught.

    Most janitors get paid for picking up paper. How com

    • where anything that's been around long enough ... is certainly old enough for Black Hat websites to have published exploits that circumvent the techniques taught.

      That's why you teach the skills to analyze and find the latest blackhat stuff, not how to find specific attacks. If you know how to look at packets at the hex level and know how to write your own snort (or IDS of choice) rules, then you have the skills to cope with the new threats that emerge.
  • I took the SANS [sans.org] security boot camp when they first started. I found it valuable and very well done. A solid week of good, well presented, stuff that you won't find anywhere else.

    However, even though I passed all the exams needed for GIAC [giac.org] certification, the follow on requirement to submit papers simply did not fit my work schedule. As the only system administrator for a small startup, I simply did not have time to write papers. So, the requirement they appear to be dropping was the requirement that blocke
    • You basically just described the difference between a Bachelor degree and an advanced degree like a Master or Doctorate.

      See how far taking graduate level classes at a decent University gets you if you don't do the dissertation. [Hint: It won't get you an advanced degree.]

      They could just make an Apprentice, Journeyman and Master certificate if they wanted, with the Apprentice not needing to publish. Instead they are caving.

      -Charles
