Some months ago, I proudly earned my Global Information Assurance Certification (GIAC) in network intrusion detection from the Bethesda, Md.-based SANS Institute Inc. I was impressed by the technical depth of the course and by the difficulty of the evaluation process.
I’m confident that any potential hires with this certification know one end of a TCP packet from the other. But whether they would ever get to use that knowledge in a commercial environment is a different question. The certification process goes much technically deeper than any security professional ever needs to in our environment.
That depth comes with a price, in terms of breadth. To cover network intrusion-detection systems in such detail means that host-based detection systems and other subjects are skimmed over. I recently completed my Certified Information Systems Security Personnel (CISSP) exam and found that it has gone to the opposite extreme, sacrificing much-needed depth for breadth. So are such certifications worth it? Perhaps, but not for the reasons you read about in the marketing literature.
The Claims vs. the Reality
The SANS Institute has data showing that people with a GIAC earn 12 per cent more than staffers without the qualification. This is a cute statistic, but one with questionable meaning: Better-funded companies are more likely to send their employees for GIAC certification and are more likely to pay them better. Professionals with the certification are generally more senior and experienced than noncertified staff. This doesn’t prove that the GIAC raises your income.
I’d like to see statistics on the salary levels of staffers who fail their GIAC test, but I know I won’t anytime soon. (If you’ve ever offered a higher salary to new hires based on their certifications, I’d love to hear about it in the Security Manager’s Journal forum.)
Despite the inflated salary claims, the SANS courses offer good training. We have sent staffers to courses and they have enjoyed themselves and improved their technical knowledge.
However, a review of job postings will show that the GIAC isn’t well known. I found 2,990 security job listings, of which seven mentioned GIAC and 11 mentioned SANS. A qualification requested for 0.6 per cent of jobs isn’t going to set the world on fire.
There is one certification that does a little better. The CISSP was mentioned in 75 job descriptions, or 2.5 per cent of the jobs. That’s better, but it’s still not great. A more interesting statistic is that more than 70 per cent of the jobs that required a GIAC also required the CISSP.
Friends told me of recruitment agents who refused to put their r