Information Security: Comparing the CISSP and GSEC Certifications
By Daniel Miessler on August 29th, 2007: Tagged as Career | Certification | Infosec | Security
I’ve had some discussions about how the GIAC GSEC credential compares to the CISSP in terms of difficulty and respectability. Here is one such discussion from a forum I frequent:
The main reason the CISSP is more respected is because of the standards the ISC2 has established, such as proving the identification of the applicant, verifying they meet the experience requirements, and the way the exam is hosted.
That definitely earns the exam some respect, to be sure, but keep in mind that the first-time pass rate is over 70%.
I would give you this analogy: The CISSP is like taking the SATs. You walk into a room with just a pencil and take a 6-hour, 250-question exam that many times has more than one right answer, but you have to draw on your experience to determine which one is “more right.” The GSEC is like creating and turning in an essay and taking an open-book test.
OK, let me put it this way: which of those two scenarios do you think represents reality in the infosec world? Cramming facts and regurgitating them via #2 pencil, or dealing with harder, more technical questions with access to any book and any search engine you want?
It’s the latter.
That’s what problem-solving is — you have Google, you have the textbooks, you have anything you want. That doesn’t make complex problems easy, it just makes them possible. That’s how the real world works.
Put it this way, I’d be willing to bet that 50% of all CISSPs don’t know what netcat is. What does that say about their infosec skills? What percentage of GSEC holders know what it is? Probably 99%.
I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.
More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge - not for testing whether or not you’d be qualified to actually do anything. Don’t get me wrong, if you are going to do one first, or only one of the two, I’d say get the CISSP. It’s more recognized and more respected than any other cert out there. All I am saying is that you shouldn’t confuse this with its difficulty. Almost nobody knows anything about the GSE certification either, but the two PhDs that have it said it was harder to get than their degrees.
I think after you have both you may see it more the way I do. I’d hire a GSEC holder to do some security on a network with significantly less reservation, whereas a CISSP holder would have to go through the same sorts of checks that someone with nothing more than a 4-year degree would. Just because they can study and take themselves seriously doesn’t mean they know or love their discipline.



Taking this article and your previous on infosec certs, I’d be interested to see a difficulty comparison with non-security certs such as Cisco’s CCNA.
This will be very beneficial for those just entering the security field.
Comment by Saul Lethbridge — 8/29/2007 @ 11:26 am
CCNA is far easier than either of the two I mentioned. It’s a completely entry-level cert that could take a person who’s decent with networking less than a week to study for.
The CISSP and GSEC need a whole lot more than that unless you go to the courses/bootcamps specifically designed to prepare you.
Comment by Daniel Miessler — 8/29/2007 @ 11:28 am
I thought you might come back with that.
The difficulty of the CCNA has increased greatly since 2003, whereas before this it was quite easy.
Did you get your CCNA recently?
Comment by Saul Lethbridge — 8/29/2007 @ 12:03 pm
Anyone else care to compare the difficulty of GSEC/CISSP with a recent CCNA exam?
Comment by Saul Lethbridge — 8/29/2007 @ 12:10 pm
[...] Miessler has posted a pretty good breakdown of the differences between the GSEC cert and the CISSP cert. He is [...]
Pingback by An Information Security Place » Blog Archive » Miessler views GSEC cert with more favor than CISSP — 8/30/2007 @ 8:22 pm
I fully agree that CISSP should not be a measure of hands-on info-security knowledge. I also met CISSPs who can’t name services running on port 21, 22, 53, 443, etc. Before testing for CISSP (passed successfully after one (1) day of studying) I already had certifications such as CCSA, CCSE, CCNA, ICE, … and over 10 years of network security experience. Passing CISM and CISA exams was very easy, as well. BTW, I got my CCNA in 1999 after 4-day training and it wasn’t that difficult although I would not compare it with CISSP which is much more complex and requires broader knowledge (CCNA is not a security cert. after all …). When interviewing potential consultants or employees for info-sec projects or positions, I am being significantly more skeptical towards hiring CISSP or CISA vs. GSEC or other GIAC certs.
Comment by Alex — 8/31/2007 @ 3:47 am
[...] do agree with DMiessler and Mckeay: “I’ve met CISSPs who can’t configure a home network — no joke. Again, I [...]
Pingback by Information Security Awareness & howtos » Which Security Certification Should I Get? — 8/31/2007 @ 8:19 am
Saul,
I’ve heard that the CCNA has changed significantly since I took it in 2003 (more hands-on, allowing you to actually type in commands for a router), but I’m sure the differences between it and the CISSP are the same. Aside from the content, of course, the types of questions on the CCNA are simple knowledge-based “Type the command needed to enter the configuration of the router” sorts of questions. Whereas the CISSP is comprehensive and requires you to choose the “best” answer out of four.
From a content perspective there really is no comparison. Cisco does not have an equivalent to the CISSP that I could find. The CISSP covers so much ground at a high “management” level. Until you get to CCIE, Cisco certs are each pretty specialized to a small area of networking. CCNA is a broad look at the basics of routing (a relatively small slice that can gauge subnetting skills and what commands you know while in a typical switch or router). CISSP is a broad look at everything in information security (so broad that it says nothing about technical skill).
All I know about the GSEC is that it’s SANS, it’s expensive and it’s open book.
Comment by rob — 8/31/2007 @ 9:45 am
originally posted at http://infosecplace.com:
The GSEC sounds interesting, but I’d definitely go for CISSP first because more employers are looking for it.
@Monster looking for CEH: http://jobsearch.monster.com/Search.aspx?q=CEH&cy=us&brd=1&re=0&jsnonreg=1&pg=1
@Monster looking for GSEC (45 pages - many also looking for CISSP) http://jobsearch.monster.com/Search.aspx?q=GSEC&sid=%2D1&cnme=&rad=20&cy=us&brd=1&re=&JSNONREG=1
@monster looking for CISSP (1680 pages) http://jobsearch.monster.com/Search.aspx?q=CISSP&cy=us&brd=1&re=0&jsnonreg=1&pg=1
@Monster looking for Security+ (5000 pages!!.. but doesn’t pay as good) http://jobsearch.monster.com/Search.aspx?q=Security%2B&cy=us&brd=1&re=0&jsnonreg=1&pg=1
Comment by elamb — 8/31/2007 @ 9:58 am
No, No, NO!
You missed the point of the CISSP and the GSEC both. If I have a leaky faucet, I hire a plumber. If I have a bad circuit breaker, I hire an electrician. Just because my plumber can screw in a light bulb doesn’t make me want to trust him with my electrical problems. Just because my electrician can flush a toilet doesn’t mean I want him to fix a faucet.
Just because CISSP & GSEC have the word ’security’ in the name of the certification doesn’t mean one can replace the other in their job or function.
CISSPs are business decision makers about technology. GSECs are technologists that implement.
If you can’t understand the difference you should not be choosing either. If you can understand the difference, you would never replace one with the other.
Comment by Dean — 9/1/2007 @ 10:57 am
For someone that doesn’t have the CISSP, the author claims to know an awful lot about how “easy” it is. I heard the same claim from someone in the Computer Forensics community. The CISSP is far more difficult than the GSEC is. The GSEC is a lower-level cert and not even on the same playing field, as shown with the DoD 8570.1 M. The GSEC only qualifies for Technical II while the CISSP qualifies for Technical I, II, III and Management I, II, III.
“More than I can a test that has a 70% first-time-pass rate…” Really? Where is your proof? I know for a fact that this is not the case in the sector I work in. There are many security credentials out there, some better than the others. The CISSP does not cover everything, but it covers more than the GSEC.
Comment by Infosecwriter — 9/1/2007 @ 1:42 pm
What gave you the idea that I don’t have a CISSP? I have it, the CISA, the GCIA, and the GSEC as well.
Comment by Daniel Miessler — 9/1/2007 @ 3:13 pm
I always enjoy discussions like this. They show the ad hominem attacks on both sides of the same coin. As a CISSP, CISA, GCFA, G7799, I have forgotten more about security than most know. Neither is superior to the other. They both have their strengths and weaknesses. I could describe some of the critical weaknesses of the GIAC program in the same way I could with the ISC2 program. In both instances, descriptions would add no value and also compromise the TOS of both exam processes. The real issue for each and danger for each is how quickly technology changes, but the elements of good security remain the same. I still state 90% of good IT Sec is common sense. GSEC focuses on the latest technology, but not always on best logical practice. CISSP focuses on best practice and logic but not always the latest technology. If I were wanting to hire a FW engineer, I would want to know whether they can manage the ruleset for the named firewalls, be it an outdated Gauntlet or the latest rev of Checkpoint or Juniper. But what do I know. I have forgotten it already.
Enjoy the world, it will be different a nanosecond from now
SD Dietz
Comment by sd dietz — 9/1/2007 @ 5:36 pm
What gives me the idea you don’t have it? Simple… Miessler is not in (ISC)2’s certification database. This tells me you don’t have it: https://www.isc2.org/cgi-bin/cert_verification.cgi. If you have a CISSP, you need to fix the issue with (ISC)2. Posting your certification number for others to verify your claims would also be appropriate since you’re not in the database.
I’ve seen your name on SANS for the GSEC and am awaiting confirmation from ISACA on the CISA.
Comment by Infosecwriter — 9/2/2007 @ 1:04 pm
Dear “Infosecwriter”, you can find someone in the (ISC)2 registry only if they gave permission for their personal information to be published. That does not mean that Daniel is not a CISSP, and I really don’t think he is under any obligation to prove his membership to YOU. Your obsession with checking his certifications only shows that you are just not getting it! Experience, skills and the ability to perform logical reasoning are much more important than any certification.
Comment by Alex — 9/3/2007 @ 2:58 pm
[...] have been taking a bit of flak regarding my post comparing the CISSP to the GSEC. It’s been interpreted as negative towards the CISSP, which I suppose is fair to some degree. [...]
Pingback by dmiessler.com | More Refined Thoughts on the CISSP — 9/3/2007 @ 6:56 pm
[...] interest (and some amusement) that I was following the recent comments between Daniel Miessler (original post and followup) and Marty McKeay (here and here) in regards to the comparisons/differences between [...]
Pingback by JeffBolden.net » Security Certs: Oh How I Love/Loath Thee… — 9/7/2007 @ 6:14 am
[...] Information Security: Comparing the CISSP and GSEC certifications [...]
Pingback by Network Security Blog » Network Security Podcast, Episode 75 — 1/5/2008 @ 9:32 pm
Infosecwriter, drop the agenda. The simple fact is that (whether or not he has it… who cares) many people have said the same thing… just Google CISSP and GSec. I have been in the industry for more than seven years now… the CISSP exam took me less than 1.5 hours, including double-checking my answers and work. It is a fairly simple exam… I learned nothing in the bootcamp (and made everyone save the teacher angry because I knew all of the answers and he and I kept going into in-depth discussions).
The CISSP is a weak exam because it is non-technical and covers many topics, but few things. No depth. What little depth it attempts to provide is generally wrong, though. For example, my exam had a question concerning buffer overflows and how to “prevent” them. The only somewhat correct answer is to check the range and offset, but even that’s not right. In all of the domains, excluding BC and DR, the CISSP has very little information, depth, or knowledge.
Also, just to weigh in on the CCNA thing (I agree it’s completely different), I took the CCNA 1/2/3/4 route through Cisco’s Networking Academy, which taught me a wealth of information that I retain today and has helped me through my college studies, work, and my research. CISSP has done nothing for me. In my case, I got the CCNA through a respectable means, rather than simply passing the exam, and I learned the most; I didn’t learn anything in the CISSP bootcamp and had no issues with ANY of the CISSP exam questions (save 2 that made no sense… the English was completely messed up).
My ultimate point is that certifications should mean nothing to you… it’s the knowledge. Anyone can pass an exam (I know CISSPs who couldn’t tell you the difference between a router, switch, lvl4 switch, lvl3 switch, hub, repeater, and bridge…. I know CCNAs who couldn’t either). I recommend that you take classes, go to University (and apply yourself), and participate in research. Certifications and certificates are pointless and don’t help you grow… when companies figure this out, we’ll see a dramatic shift in work quality and fewer losers in our fields (I do application PT, Web-based application PT, network PT, OS PT, and vulnerability assessments for a living).
Comment by DO — 1/21/2008 @ 8:50 pm
The Department of Defense and others are now training their security officers with the GSEC bootcamps instead of the CISSP. That should be a strong indication that the industry is starting to put the GSEC ahead of the CISSP. Besides, the GSEC must be taken every 4 years, where the CISSP is a lifelong certification. What I have noticed is that many CISSP “professionals” know very little about a lot. Whereas someone who has the GSEC knows a lot about a lot. Looking at recent job postings you can even see things like “CISSP or Security+ required.” The CISSP is losing ground to Security+, GSEC, CCNA and others, which it should!
Comment by Bee — 6/23/2008 @ 5:08 am