
What value your security certification?

Pundit laments GIAC shake-up


Comment It was with great dismay that I read of the recent changes to the GIAC certifications. There is no longer a requirement to write a practical portion for the GIAC, which has recently become purely exam-based. This practical requirement was, until now, the one distinguishing feature that separated the GIAC certifications from all the others. To earn this certification one had to, in no uncertain terms, prove in a written format his mastery of the subject matter. The reasoning given by Steven Northcutt, the director of training for SANS' GIAC, as to why they dropped the practical requirement has been widely dismissed by many current GIAC holders, including myself. The GIAC's prominence and value was largely due to the highly technical nature of its various certifications. Without a practical portion to the certification, however, it now becomes just one among so many others.

This brings to mind a similar problem among certifications that first occurred some years ago. Let's consider the devaluation of the MCSE certification for a moment. For some time the MCSE held value among those in the IT world - that is, until the "boot camps" appeared, which pretty much guaranteed the attendee his MCSE within one week regardless of any practical knowledge that he may have garnered during this time. Thus, the MCSE certification soon lost a lot of its value in the eyes of many - and in particular, in the eyes of employers who were left to deal with having hired new employees who often could simply not function in their complex corporate environments. This phenomenon coined a term that is still in wide use today, that of the "paper MCSE", or more generally, the "paper certification". These terms refer to one who has crammed for an exam and had good memorization skills, but may or may not have any real practical ability. A great number of people thought at the time that this "boot camp" type of training was just a money grab by some IT vendors. However, I will reserve my opinion on that.

With these two examples in mind, one has to wonder about the value of certification for the security industry. Is the certification process a self-serving one that exists for the benefit of educators to make money, instead of imparting knowledge? I regret to say that many believe so. However, the reality is that most people don't have a choice anymore, as so many employers demand various certifications before even giving one the opportunity for an interview. Prospective employers now look at the well-known certifications as the bare minimum of accepted competency, or as the piece of paper that gets one in the door for an opportunity to prove his knowledge in other ways. Like it or not, certification is a requirement nowadays. This now leaves one with the prospect of choosing which certification provides the best opportunity, and the best value.

Arguably the most widely recognized certification out there today is the CISSP. From a network security perspective, the CISSP is still considered the premier certification. What many people don't realize, though, is that the CISSP is generally regarded as a management-level certification, and is much less technical than the GIAC certifications. However, you can't really go wrong with getting the CISSP, assuming that you meet the prerequisites, such as the required work experience in the security industry. One of the other notable features of this certification is the code of ethics to which it binds all CISSP holders. In a nutshell, for your training and certification dollars, the CISSP may be your best bet overall. It's still not very easy to attain for many people, and this fact keeps the certification elevated at a high level. Not only that, but unlike the recent changes in the GIAC, the CISSP has remained pretty stable over the years.

What about the vendor-specific certifications? This is an avenue that should be explored as well. Before making a decision on which certification to pursue, one must determine what his job focus will be over the next few years. In other words, there would be no reason for a Windows system administrator to get the RHCE, for example, even if there truly is a security component to that certification. After you have taken stock of your goals, you must then focus your aim at a specific certification.

Let's look at the RHCE certification in more detail, though, for there are many who maintain Linux servers. Is this certification worthwhile? For many security people looking to understand Linux better, the answer would be a resounding yes. The RHCE seems to be the last remaining cert that makes you demonstrate your skills via a practical, hands-on portion. Unlike the "paper certification" syndrome mentioned above, the practical segment of the RHCE makes it stand out for all the right reasons. A prospective employer will know that you can actually do the hands-on work once you have earned this certification.

A second example where you cannot go wrong with vendor certifications is the CCNA. Routers are key to every corporate network today, and Cisco is still the reigning king of the router world. Unlike the CISSP, there are no prerequisites to obtaining the CCNA. You simply study hard, plunk down your money, and take the test at your local test center. If network security is your mainstay, however, and you have been upset about the recent downgrading of the GIAC certification, then the lack of a practical portion to the CCNA unfortunately puts it in the same league. In that case you should contemplate the CCSP, which is still an excellent technical certification.

With these various certification options in mind, and with our discussion of practical portions vs. purely exam-based certifications, we have come full circle. What makes a certification worthwhile is ultimately what it means to you, your knowledge, and your career. Having gone through many of these certifications myself, I truly believe you must have a practical portion for the certification to be effective. It is simply too easy to cram for an exam and then have the infamous brain dump, without having really learned anything. This type of exam-based certification really displays little concrete evidence to an employer - and once again, it does little more for your career than to get you in the door.

Remember, it is always best to have a certification that will unequivocally show your knowledge in a practical setting. Anything else leaves your skills open to question. I myself hold two GIAC certifications, and must now lament the fact that, in light of recent changes, they are no longer as valuable as before. When looking for a new security certification to pursue, choose wisely and look beyond that piece of paper you'll get in the end.

Copyright © 2004, SecurityFocus

Don Parker, GCIA GCIH, specializes in intrusion detection and incident handling. In addition to writing about network security he enjoys a role as guest speaker for various security conferences.
