The SANS Institute is eliminating the lengthy practicals required for GIAC certifications, saying the long hours...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
required for completion are discouraging qualified applicants. But some current GIAC holders fear watered-down criteria will in turn dilute the value of their hard-earned certifications.
"I really fail to see how this will improve the practice of security throughout the network-connected world and better gauge the mastery of skills as [SANS claims]. To me it will simply produce more people who do not have the proper skills, and it will water down the value of the SANS GIAC certifications as a whole," said Clement Dupuis, president and chief learning officer for CCCure Enterprise Security and Training.
SANS' director of training and certification issued a statement explaining the planned move, which goes into effect after April 15. "The lengthy practical exercises blocked more than 80% of
According to the SANS announcement, more than 20,000 people who started the certification process were unable to complete it because they were not able to carve out the time when they returned to work to complete the 30 to 200 hours required for the practical. As an example, SANS cited a top FBI cyberexpert who completed the training but was unable to complete the practical because of a large volume of cases when he returned to work.
"Additionally, GIAC will be simplifying the recertification process," SANS said.
However, some who hold GIAC certs aren't thrilled with the changes.
"The truth is that [SANS] wishes to show a larger number of people being certified while cutting cost in the process," said Dupuis, who holds the Global Incident Analysis Centre Certified Intrusion Analyst and the Global Incident Analysis Centre Certified Firewall Analyst certifications. He's also served SANS since its beginnings as a grader, courseware developer, instructor and advisory board member. "It is sad to see an organization gauge its success on the number of people who have completed their certifications. For me, this is not a valid metric at all."
Even those who didn't manage to complete the practical have mixed feelings.
"I am one of the 80% who did not complete the GIAC practical in the allotted time," said one poster to the CCCure.org reader's forum. "Rather than blame SANS, the requirements or the fact my mother
GIAC certifications range from security essentials to forensics, from hacker techniques to intrusion detection, from firewalls to auditing, and from security foundations to security leadership. SANS said more than 7,700 security professionals have earned GIAC certifications.
"The purpose of a certification is to give employees and employers criteria to know if they could do the job -- not create an elite [group]," said Alan Paller, SANS's director of research. "We changed the cert so that more qualified people who have the skills will be able to demonstrate them."
Historically, SANS has said three unique elements set its GIAC certifications apart from others:
- Focus on measuring mastery of technical skills essential to the effective practice of security, rather than general security knowledge;
- Constant updating to reflect changing threat patterns; and
- Requiring applicants to complete a series of practical exercises that often spanned many months.
Now SANS plans to substitute scenario-based examinations for the practical assignment element of the certification process.
"The written practical was one of the key differentiators from the other certifications that are available in the market," Dupuis said. "They would allow the student to show mastery of the subject and allow potential employers to take a look at what one can do as far as applying the knowledge learned toward a specific real life application.
"On top of all this, the practicals were feeding the SANS Reading Room which has become a key site for the community when doing research on security topics," Dupuis added. "It will definitively be missed by all."
Other board members were sorry to see the demise of the practical, but believe it was for the best.
"While the practical was a great learning tool, it did indeed lose its objectivity," according to a note to Paller from an unnamed member of the IDS board. "I am saddened at
SANS tried to allay fears for those earning certs under the older system. "Although the new testing program will maintain very high standards, SANS will provide a special designation for those GIAC holders who completed the practical exercises, so that their singular accomplishment will continue to be recognized by their employers and the community," the company said in its announcement.
Practicals will be accepted through April 15 and fully graded according to the pre-established standards. Students passing the practical will earn the original GIAC certification and have their practical posted on the Web site. Other information on the termination of practicals is available on the GIAC Web site.