What value your security certification?
Pundit laments GIAC shake-up
Comment: It was with great dismay that I read of the recent changes to the GIAC certifications. There is now no longer a requirement to write a practical portion to the GIAC, which has recently become purely exam-based. This practical portion requirement was, until now, the one distinguishing feature that separated the GIAC certifications from all the others. To earn this certification one had to, in no uncertain terms, prove in a written format his mastery of the subject matter. The reasoning given by Steven Northcutt, the director of training for SANS' GIAC, as to why they dropped the practical requirement has been widely dismissed by many current GIAC holders, including myself. The GIAC's prominence and value were largely due to the highly technical nature of its various certifications. Without a practical portion to the certification, however, it now becomes just one more among so many others.
This brings to mind a similar problem among certifications that first occurred some years ago. Let's consider the devaluation of the MCSE certification for a moment. For some time the MCSE held value among those in the IT world - that is, until the "boot camps" appeared, which pretty much guaranteed the attendee his MCSE within one week regardless of any practical knowledge that he may have garnered during this time. Thus, the MCSE certification soon lost a lot of its value in the eyes of many - and in particular, in the eyes of employers who were left to deal with having hired new employees who often could simply not function in their complex corporate environments. This phenomenon coined a term that is still in wide use today, that of the "paper MCSE", or more generally, the "paper certification". These terms refer to one who has crammed for an exam and has good memorization skills, but may or may not have any real practical ability. A great number of people thought at the time that this "boot camp" type of training was just a money grab by some IT vendors. However, I will reserve my opinion on that.
With these two examples in mind, one has to wonder about the value of certification for the security industry. Is the certification process a self-serving one that exists for the benefit of educators to make money, instead of imparting knowledge? I regret to say that many believe so. However, the reality is that most people don't have a choice anymore, as so many employers demand various certifications before even giving one the opportunity for an interview. Prospective employers now look at the well-known certifications as the bare minimum of accepted competency, or as the piece of paper that gets one in the door for an opportunity to prove his knowledge in other ways. Like it or not, certification is a requirement nowadays. This now leaves one with the prospect of choosing which certification provides the best opportunity, and the best value.
Arguably the most widely recognized certification out there today is the CISSP. From a network security perspective, the CISSP is still considered the premier certification. What many people don't realize, though, is that the CISSP is generally regarded as a management-level certification, and is much less technical than the GIAC certifications. However, you can't really go wrong with getting the CISSP, assuming that you meet the prerequisites, such as the required work experience in the security industry. One of the other notable features of this certification is the standard of ethics to which it binds all CISSP holders. In a nutshell, for your training and certification dollars, the CISSP may be your best bet overall. It's still not very easy to attain for many people, and this fact keeps the certification elevated at a high level. Not only that, but unlike the recent changes in the GIAC, the CISSP has remained pretty stable over the years.
What about the vendor-specific certifications? This is an avenue that should be explored as well. Before making a decision on which certification to pursue, one must determine what his job focus will be over the next few years. In other words, there would be no reason for a Windows system administrator to get the RHCE, for example, even if there truly is a security component to that certification. After you have taken stock of your goals, you must then focus your aim at a specific certification.
Let's look at the RHCE certification in more detail, though, for there are many who maintain Linux servers. Is this certification worthwhile? For many security people looking to understand Linux better, the answer would be a resounding yes. The RHCE seems to be the last remaining cert that makes you demonstrate your skills via a practical, hands-on portion. Unlike the "paper certification" syndrome mentioned above, the practical segment of the RHCE makes it stand out for all the right reasons. A prospective employer will know that you can actually do the hands-on work once you have earned this certification.
A second example where you cannot go wrong with vendor certifications is the CCNA. Routers are key to every corporate network today, and Cisco is still the reigning king of the router world. Unlike the CISSP, there are no prerequisites to obtaining the CCNA. You simply study hard, plunk down your money, and take the test at your local test center. If network security is your mainstay, however, and you have been upset about the recent downgrading of the GIAC certification, then the lack of a practical portion to the CCNA unfortunately puts it in the same league. In that case you should contemplate the CCSP - which is still an excellent technical certification.
With these various certification options in mind, and with our discussion of practical portions vs. purely exam-based certifications, we have come full circle. What makes a certification worthwhile is ultimately what it means to you, your knowledge, and your career. Having gone through many of these certifications myself, I truly believe you must have a practical portion for the certification to be effective. It is simply too easy to cram for an exam and then have the infamous brain dump, without having really learned anything. This type of exam-based certification really displays little concrete evidence to an employer - and once again, it does little more for your career than to get you in the door.
Remember, it is always best to have a certification that will unequivocally show your knowledge in a practical setting. Anything else leaves your skills open to question. I myself hold two GIAC certifications, and must now lament the fact that, in light of recent changes, they are no longer as valuable as before. When looking for a new security certification to pursue, choose wisely and look beyond that piece of paper you'll get in the end.
Don Parker, GCIA, GCIH, specializes in intrusion detection and incident handling. In addition to writing about network security, he enjoys a role as guest speaker at various security conferences.