CISSP, GSEC, or a little hands on
Friday, September 07, 2007 | SHA-1
There is nothing like feeling like you are late to the game (4th quarter, up by 20 -- put in Shaw), but I had to chime in on the recent blog cage fight between CISSP'ers and GSEC'ers. Having the painful distinction of passing the CISSP on two occasions (more on that later) and being the fourth person to complete the GSEC (#13, but they started counting at 10), I have a little history on which to build my soap box.
The differences between the two certifications, and the impact they can (and likely will) have on a security professional's career, are significant:
When I was doing IT contract work for the Navy in Charleston, I stumbled upon a relatively new organization: SANS. At the time, I had little functional knowledge of security, and their GSEC track seemed like a great introduction to "usable" information security. The sub-sections included OS security (Unix/Windows), encryption, and the use of specific tools (l0phtcrack). The lessons were at times rough around the edges, but I felt like my interest was piqued, which was what I needed to make a career change. I am embarrassed to reread my paper, but it is a good reminder of where I was in IT. When my GSEC finally expired, I didn't realize it, nor did I worry about it. The GSEC to me is more of a point-in-time achievement. It was a tool that helped me learn and explore the field. I approached the GCIH in much the same way. FINAL THOUGHT: If you are interested in information security, getting started in the field, or have a job-related need to interface with infosec staff, the GSEC is a well-rounded certification that touches on numerous practical elements of information security.
Fast forward 2+ years and I am now pulling shifts for a managed security provider. I decided that while being hands on was something I enjoyed, my interest in management was equally strong. It was at this time that I decided to pursue the CISSP. I knew that very little of what I would learn would be applicable to my current job, but I also knew that most hiring managers valued the certification. I decided to skip the boot camps and simply use a study guide. I opted for Shon Harris' CISSP All-in-One Exam Guide. A month later, I was certified. I won't go into the specifics of the test, as that is an entirely different discussion. What surprised me the most was the difficulty I had (and continue to have) in obtaining the required number of CPE credits. The perfect storm of time with the family, time in the office, and a severely limited training budget resulted in an insurmountable deficit of credits. I realize that there are many ways in which to earn CPEs, but none of them seemed to fit my life's mold. After three years, I ultimately found it easier to retake the exam. I wouldn't wish that upon anyone, so I committed myself to keeping up with the required CPEs this time around. Well, I am happy to say that after the first year of my new three-year cycle, I have zero credits. Something has to change, and I doubt it will be our company's training budget or the amount of free time I have. Any suggestions? FINAL THOUGHT: The CISSP is virtually a must-have for information security managers and above. The certification won't help you implement technical controls to improve your environment's security, but it will likely extend the boundaries of your security thinking.
So what does an infosec professional do to actually learn ways to improve the security of their infrastructure? I recommend vendor specific training, LOTS of reading (books, blogs, documentation), and late nights in the office or home lab. A couple thousand dollars spent on hardware, software, and/or books can do what no certification will -- give you the skills to excel in your field.
Side Note:
I have talked with many colleagues who are insulted when asked if they have, or would obtain, the CISSP. The feeling is that it is not a worthwhile reflection of their technical abilities. My question to anyone who feels this way is: does any one element of your resume reflect all of your abilities? Your college degree(s)? Your clearance? The answer is obviously no. So why not enhance your marketability?

When I first got my CISSP I was worried about CPEs also. I'm 8 months into the year and already have 42 credits. ISC2 has made it easier. Things such as listening to security podcasts, attending vendor talks (free), reading and reviewing security books, and even some association memberships and participation will qualify.
Thanks Andy. Associations sound like a great low impact alternative. Sounds like they may even give credit for attending the NoVa BUG and NoVa Sec group meetings. I don't think I want to be the guy who has passed it three times :)