
| Subject: | [CISSP-D] Re: CISSP, is it respected? |
|---|---|
| Date: | Mon, 7 Mar 2005 13:11:44 -0800 |
Date sent: Mon, 7 Mar 2005 11:55:27 -0800
From: Larry Gadallah <lgadallah@gmail.com>

> I remain very interested in knowing the practical, real-world differences between the CISSP and GIAC certifications.

As has been said before, when you compare the CISSP and GIAC, you are comparing apples and oranges. I have frequently told people that if you want a job tomorrow, get a SANS cert. If you want to still have a job in ten years, get the CISSP. The SANS certs are specific to a given product or technology. The CISSP deals with the whole of infosec.

Some historical perspective. I remember the first calls for questions to include on an exam that (eventually) became the CISSP. At that time, there were all kinds of people who were selling themselves as security experts. Some were, and many weren't. At the same time, many people who legitimately were expert in one or another field of security only knew about their particular area, and it was frequently an exercise in frustration to watch an attempted dialogue between people who were expert in their own fields, but didn't understand the other.

The idea behind the CISSP was that you would have a single standard that would be able to state the minimum requirements for somebody to say that they understood security. (Minimum, I should remind those who see the CISSP as an elitist designation.) The certification should also ensure that anyone who held it would be able to have a minimum foundation of background so that any two holders would quickly be able to establish a common ground and establish a dialogue.

That is the rationale behind the CISSP. And, in large measure, it has fulfilled its purpose. It is not, and should not be, the only security cert in town. It isn't the elite. It isn't a tech cert. It's a basis for minimum background and communications.

> There has been plenty of discussion about the inherent conflict of interest of the certifying bodies (ISC2 and SANS), but I'm more interested in finding out how the marketplace views and values these certifications, with the understanding that an individual with a certification and nothing else is not much of an asset to any organization, as has been noted earlier.

SANS certs are very often required for specific jobs or products. The CISA is a must if you want to be taken seriously as an infosec auditor. The CISSP is becoming more widely known. It is certainly not alone on job postings, but shows up most frequently. (Sometimes even on jobs that are not security specific, but might touch on the area. I've seen a number of IT director level job postings that want it.) It is starting to show up after author names on book jackets.

Is the CISSP respected? Yes. Universally? No. Broadly? It's getting there ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
A person reveals his character by nothing so clearly as the joke he resents. - G. C. Lichtenberg
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade