CISSP versus SANS GSEC: how do they compare? A common question.
They are both excellent programs with significant overlap as well as some significant differences. I can’t tell you if getting the CISSP or GSEC will be useful to you personally, although you are bound to learn something in the process.
Neither the CISSP nor the GSEC is an entry-level certification. Even if you have years of information security experience, it's a broad enough field that you can’t just waltz in and pass the exam for either of these; you will need to learn or at least review some material in order to pass either exam.
Sometimes the CISSP is referred to as the “gold standard” of infosec certifications, but it’s not necessarily the best choice for everyone.
The GSEC is the second best-known security certification, although it is rapidly increasing in prominence. CISSP has been around longer than GSEC, which accounts for much of this.
The GSEC material is practically oriented, whereas the CISSP is much more managerially and theoretically oriented than GSEC. Although most people agree that CISSP has some obscure and bizarre material in it (“Orange Book” material, Bell-LaPadula, NIACAP, etc.), most of the material in both programs is very useful.
The GSEC training from SANS (the only source of GSEC training I know of) has 10 hours of hands-on training, whereas most CISSP programs have none. There is more emphasis on learning “how to do things” as compared to “knowing things” in GSEC, and hands-on knowledge is tested by the GSEC exam.
CISSP requires five years of experience in security, some of which may be waived for various reasons such as formal education, whereas GSEC has no such requirement.
CISSP certification is a paper and pencil test scheduled periodically at locations worldwide, and you may need to drive or fly a long distance depending on where you live. It’s a 250 question multiple choice exam which lasts six hours. Very few of the questions are straightforward, and you are typically choosing the “best” answer from several correct ones or the “least bad” one from incorrect ones. No one likes taking the CISSP exam, and the people who leave after only 3 or so hours usually have given up. A few weeks after you take the test you’ll find out if you passed or failed.
The GSEC exam is “real world” in that it’s open book. You need to take one proctored exam on a computer, for example at a KRYTERION testing center, which consists of 180 multiple choice questions with a 5 hour time limit. You immediately find out if you’ve passed or failed.
SANS GSEC training is developed and run by The SANS Institute, which is essentially the GSEC people. CISSP training is available from many sources, including The International Information Systems Security Certification Consortium, better known as (ISC)², the CISSP people. This is very confusing because the (ISC)² certification entity is nonprofit, but (ISC)² training is a different, for-profit company.
Both CISSP and SANS GSEC training are long and involved. The SANS GSEC training is six days and five nights. CISSP programs tend to be 5+ days long as well. Usually additional study is required before taking the exams. Note that the training is optional: you can take the exams without attending training.
The CISSP material and exam don’t change very often and don’t attempt to be cutting edge. It’s more like college or grad school course material. The GSEC material and exam are far more dynamic and are updated more frequently.
The CISSP is good for 3 years and requires an annual maintenance fee, as well as continuing professional education (CPE) credits for renewal. The GSEC is valid for 4 years, after which you need to retake the examination to recertify.
CISSP: More theoretical and managerial
GSEC: More hands on and practically oriented
Both are great programs.