At the risk of stirring the cyber pot (item 3, specifically) I wanted to post a response to a great mailing list thread I've been following. A reader asked about the value of the CISSP certification. Within the context of the mailing list, several responders cited their thoughts on SANS certifications. Many mentioned why the CISSP tends to be so popular. I'd like to share my thoughts here.
In my opinion, the primary reason the CISSP is so successful is that it is easy to understand, which facilitates marketing it. It is exceptionally easy for a recruiter to search LinkedIn profiles, other databases, or resumes for the term "CISSP." If you encounter a person with the CISSP, you basically know what the person had to do to get the certification.
Before continuing, answer this quick question: what are the following? 1) SSCP, 2) CAP, 3) CSSLP?
Let me guess -- you didn't recognize any of them, just as I didn't?
Now, let me see if you recognize any of the following? 1) GGSC-0400, 2) GNET, 3) GAWN-C, 4) GBLC, 5) GCIM?
I believe you didn't recognize any of those either.
How about? 1) GISP, 2) GLEG, 3) GCIH, 4) GAWN?
I'm guessing some of you might recognize GCIH as the SANS "GIAC Certified Incident Handler," which actually doesn't have much to do with "incident handling." That's a topic for another day, but it does show GCIH benefits from decent branding.
You've probably figured out that the last two lists of acronyms were SANS certifications. The first of those two lists was a selection of a few of the retired SANS certifications. There are 26 of those.
The second list was a selection from the list of 24 active SANS certifications.
What about the first list, starting with "SSCP?" Those are other certifications offered by ISC2. They're utterly forgettable. Had I not visited the ISC2 Web site, I would never have known they existed.
Now, one could argue that the brand "SANS" is as recognizable, or even more recognizable, than the brand "CISSP."
The problem is that a person's resume could list "SANS" as a course he or she attended, without noting if a certain achievement (i.e., certification) was achieved. "SANS" is also a poor search term because the diversity of the SANS ecosystem means you could be dealing with a legal person, or a reverse engineer, or a UNIX system administrator.
What is the answer for SANS, if the CISSP will likely continue to out-market it? I recommend adopting the model used by Cisco. If you hear a person has a CCIE, that means something -- you immediately think of deep knowledge, several levels of work, and grueling hands-on testing over two days in a controlled environment.
The genius of Cisco's approach is that they have "tracks" for the CCIE, e.g. Data Center, Routing and Switching, etc. Those aren't the brands though; that stays with CCIE.
The Cisco approach isn't perfect, because you can't simply search resumes for "CCIE" intending to get a CCIE in security. You might find a CCIE in routing and switching, or wireless. However, if one finds a CCIE, you get a sense of the level of seniority and ability to operate in a stressful environment (at least as far as a test can simulate).
SANS has tried something like the CCIE with their "GIAC Security Expert (GSE)." The GSE is similar to the CCIE in many respects, including horribly tough hands-on labs, but unfortunately hardly anyone knows about it. It is really difficult to reach that level in SANS certification. However, because only 63 people hold it, there's no real market for them.
By the way, I smell a branding failure when SANS certifications like GSE, GCIH, and so on all have a "G," which references another acronym -- "GIAC," for "Global Information Assurance Certification." That doesn't even include the term "SANS," which is the stronger brand. GIAC originally meant "Global Incident Analysis Center," but that's another story.
In brief, I think SANS could increase the branding value of their certifications if they retired the existing acronyms and names, incorporated "SANS" into a new naming scheme, and concentrated on a "level" approach seen with Cisco. Focus on Entry-Level, Associate, Professional, and Expert as Cisco does, and develop programs to accelerate the adoption of the Expert level among its constituency as Cisco did with CCIEs.
Rebranding would cause lots of SANS folk plenty of heartache, but I think integrating "SANS" into the new level-oriented structure would more than compensate for the initial transition costs. Ultimately the system would be stronger for everyone.
What do you think?