SANS Ends Practical Requirement for Certifications

I just learned that SANS, an organization whose conferences I attended fairly regularly five years ago, has terminated the practical requirement for all of its GIAC (Global Information Assurance Certification) programs.

GIAC was originally the Global Incident Analysis Center, a Web site to disseminate information on Y2K rollover threats. From a February 2000 archive of the site:

GIAC began December 21, 1999 as a service to support Y2K watchstanders all over the world, watching for cyber attacks and Y2K problems. We've come a long way since then, but the orignial pages are archived here.

I was an original incident handler and had some of my work posted. I also taught the IDS track several times, until I decided their material was too out-of-date and irrelevant to IDS practitioners. I was tired of scrapping SANS material on stage (aside from some of Judy Novak's TCP/IP slides and Marty Roesch's Snort tutorial) and teaching what students really needed to know.

SANS turned the Global Incident Analysis Center into the Global Information Assurance Certification when they realized they had created a powerful GIAC brand.

The SANS announcement states the following:

"Starting immediately, all new students will be authorized to the exam only GIAC Certification.

The forces that drove us to this change are numerous, but the single most important is the need to move to more modular, adaptable, courseware and certificates and certifications to stay abreast of the current threat. Additionally the marketplace has voted with its feet in favor of exam based certifications.

No practicals or drafts will be accepted after April 15th, 2005."

My take on this statement, and my conversations with SANS faculty, leads me to believe that grading practicals simply became too onerous for the SANS staff. Their margins are higher when they can automate the certification process.

This next statement is disappointing:

"We will issue a new logo design for all future 'exam only' certifications so that there will be less chance of confusion between 'exam only' and the more prestigious, original, practical oriented certifications."

In other words, SANS has admitted to devaluing its certification -- the new 'exam only' certifications are not as 'prestigious' as the original.

SANS has now created a market where holders of the "original" certification are more highly valued than those that follow.

SANS will also no longer be able to offer practical assignments to the community. Although the original practicals will remain online, that source of knowledge will dry up. This is doubly unfortunate as SANS practicals were one of the best aspects of the certification from the perspective of other security students.

While I believe that viable exam-only certifications exist (like the CCNA, CCNP, etc.), I fear SANS has removed a feature of their certification that made it unique and valuable.