Friday, 19 August 2011

The Security Certification Jungle

Holding (amongst others) the following industry certifications, GSE, CISSP (ISSAP & ISSMP, and a book author), CISA, CISM, CCE, GNSA, G7799, GWAS, GCFA, GLEG, GSEC, GREM, GPCI, MCSE and GSPA (a few Cisco ones and many more), I like to think that I have some idea concerning IT Security certifications.

In a world of unconstrained growth in certifications and a lucrative business model for those who do it right, it is no surprise that Information Technology certificates have become as common as sand on the beach. Yet the real secret to this industry, as with any other built on a foundation of trust, is the choice of which certification one selects. The reason for this is that the right mix of certifications can be an immense boost for your career.

I have been tasked with writing an article on this topic as I am uniquely positioned to do so. I have a personal goal to complete all of the GIAC certifications this year and have certifications from most of the major vendors in IT. My insanity is collecting knowledge and in this quest I can say that GIAC is the leading vendor-neutral digital forensic and security certification. GIAC has changed much over the years and in my 15 years collecting SANS training and the associated GIAC certifications I have experienced and seen these changes.

The vast majority of certification bodies and vendors fail to adequately guard and maintain the value of the certification they offer; SANS and GIAC are not in this league. As a member of the ethics council for GIAC, a voluntary position, and through a long association with the people in SANS, I have seen the efforts that go into upholding the integrity of the tests. Many vendor certifications have become paper tiger certificates, with brain-dump sites giving access to actual exam questions.

The position of these vendors is that this is discouraged, but where GIAC is involved, the level of effort in protecting the integrity of their exams is truly amazing. I have seen fake brain dumps for GIAC material, but any person using these will fail; they rarely even mention the material that is actually in the exams. The result is a certification that aligns with the knowledge in the SANS courseware and which offers the most in-depth and comprehensive security training and certification bar none. GIAC demonstrates a commitment to its certifications through marketing, publicity and an adherence to the integrity of the program that means these will hold value not just now, but for the long term.

GIAC offers a means for people to corroborate their skills and knowledge by becoming certified with a qualification that actually demonstrates their knowledge. This covers a comprehensive range of areas related to information security and takes a vendor-neutral approach, with over 30 individual certifications from entry level to expert. Even when a certification is focused on a particular vendor (such as the GCWN), they approach the subject in a "warts and all" manner that offers insight into the issues faced in a real production environment.

For this reason, GIAC certifications have immense value. The majority of companies I have been involved with (and, over the last couple of decades in audit and incident response, this is a large number) rate highly those IT professionals who proactively seek the opportunity to expand their skills and expertise. I can say that one of the finest methods available for these professionals to demonstrate their commitment to their career is through the completion of industry-recognized certifications that demonstrate a technical capability.

The format of the GIAC exams is again in flux with the introduction of a new test methodology. While this is a change, it is one for the better. It is a move towards testing proficiency in assigned tasks and away from rote learning. GIAC was good here before, but this new format aligns the skills being certified to the needs of enterprise in a way that has not been achieved before below the level of an expert, hands-on certification (such as Cisco's CCNE or the GSE).

Like all aspects of life, certifications come under the economic law of diminishing returns. That is, the more one achieves, the less value one gains from achieving more. When you get a GSE certification, you have something that can be used to demonstrate hands-on ability, as you have been tested in a long, grueling process to confirm you can do what you profess. This has value to employers who are willing to pay for skills that can directly benefit them.

At present, the level of awareness of the GIAC GSE exam is limited, but those who have knowledge of this certification hold it in high esteem and are willing to pay a premium for professionals with it. Of course, there is not a great level of economic value in attempting to gain all the certifications as I am doing, but one needs to have a goal and something to achieve.

The great benefit of the GIAC certifications comes from a combination of a technical focus that is second to none coupled with a series of focused certification paths. To gain the maximum value from this, you should choose a sub-field such as Audit, Security Management or Forensics within the wider field of information security and focus on this. That is, aim to be the best security auditor, pen tester, forensic analyst or whatever other desired field you want to take. By focusing on a selected roadmap, you have the complete set of skills needed in one place to achieve that through GIAC. Other vendor certifications will help as well, but for a technical focus, you cannot look past GIAC.

If there is an area in which GIAC could do better, it is in the promotion of its higher level certifications. GIAC has two levels of accreditation for most of the certifications it offers. These are the Silver (requiring an exam) and the Gold (with the requirement of a peer reviewed paper also being added). In addition, the three platinum level certifications are the ideal means of demonstrating a true depth of information security knowledge, yet they are hardly known outside the information security community and are rarely considered as a goal in themselves.

The requirement of a peer reviewed paper to achieve a Gold level certification may seem unnecessary to many technical people, but it both adds weight to the student's ability in the field and demonstrates that they have the capability to communicate their findings. The point here is that you can be the best Pen Tester in the world, but if you cannot report your findings to management in a coherent manner, you may as well not be doing the job. Gold level certifications also stand as college credit. A Masters program offered by the SANS Institute is based on the completion of several Gold level certifications from GIAC. Stressing the path to postgraduate qualifications would seem a logical end that needs more attention.

I completely agree with the quote from, "The Master's degree programs provide a comprehensive array of courses that allows students to gain technical mastery of technologies and processes that set apart the leading security practitioners in the field."

As far as a certification path goes, a series of certifications that are both in demand and which demonstrate technical ability is great. When you also consider that these can be used as credit towards a Masters degree, you have a set of certifications that go a long way to starting or enhancing your career.

In my career, both my staff and I are heavily involved with forensic and incident response work. GIAC adds enormous value here. It is common to have opposing "experts" offering reports in court. When you see some of the common mistakes that these uncertified people make again and again, you start to see the reason for learning a common methodology. On top of that, GIAC certifications need to be renewed, and the material is continually updated and aligned with the SANS courseware (which is updated with current technical trends and knowledge).

In my career, and having to present in court, the value of GIAC's quality control and depth is beyond question and reproach. Having a vendor certification (such as EnCE) in forensics does not hurt, but these do not teach the fundamentals and focus on using the particular product. Personally, I would rather hire a forensic analyst with no experience on a product (let alone a vendor certification) and a GIAC forensic certificate. It is easy to teach the product to a person who has the fundamentals, but it is not always easy to teach a person with product knowledge the why of what they need to do. The same applies to all aspects of security: knowing why and having a wide range of in-depth technical skills wins hands down over any particular vendor certification.

John Bambenek, one of the GIAC exam developers and a GIAC certificate holder, has noted:

"By shifting from recall questions to analysis/application questions, it requires the students to apply what they have learned instead of merely memorizing the text."
The changes mentioned earlier in this article to the GIAC exam format will only further enhance the value of the certification to employers. Of course, holding a certification that is in demand is a means to become a sought-after professional. As also noted, the GIAC Gold format allows you to have a published paper to your name. This is both a means of marketing yourself, with well-read papers getting your name out to others, and a demonstration of your ability to communicate your findings and knowledge.

Chalmer Lowe, also GIAC certified and another exam developer, stated:

"Most of us don't run into problems where we work that are simply "recall" problems...most problems we run into involve some level of analysis and then some level of knowledge application. The format for the new SANS questions models what we experience in real life...a problem exists, the student needs to analyze the facts, determine the possible solutions and then apply the correct solution. The ability to answer these questions correctly in the test will be a good indicator of the student's ability to perform similarly in their work environment."

The new GIAC exam format will increase the chances of being able to identify those professionals with a high level of understanding and not just good recall. Application of knowledge and skills is crucial to employers, and the leadership taken by GIAC will make them the preeminent certification for years to come.

As Chalmer further held, "when a student sits down for a GIAC exam, they are expected to be able to analyze problems and apply their knowledge, not simply recall random facts".

Achieving GIAC certification provides an abundant array of benefits. These include improved career prospects and superior earning power. Specialization in information technology will only continue in this coming decade, and GIAC certification is a way for professionals with advanced skills and up-to-date knowledge to show that they have what it takes to succeed. Not only does it provide a sense of personal accomplishment, but GIAC's range of certifications is an ideal means to increase your opportunities for career advancement.

Having technical skills and being able to demonstrate these will get you so far, but if you really want to be head-hunted, you need to demonstrate your ability. Doing a GIAC Gold paper, or even going for the GSE and the GIAC-based Masters degree, is a great way to fast-track your career.

1 comment:

suarez said...

Good article. I welcome discussion in my forum; I've created a thread at

This is a new forum I've created this morning so I would appreciate any interested IT Security professionals and hobbyists to join and help spread the word.