SANS drops hands-on portion of GIAC certifications

By making it easier to earn certain security credentials, some wonder if theirs will lose value in the workforce.

The SANS Institute is eliminating the lengthy practicals required for GIAC certifications, saying the long hours required for completion are discouraging qualified applicants. But some current GIAC holders fear watered-down criteria will in turn dilute the value of their hard-earned certifications.

"I really fail to see how this will improve the practice of security throughout the network-connected world and better gauge the mastery of skills as [SANS claims]. To me it will simply produce more people who do not have the proper skills, and it will water down the value of the SANS GIAC certifications as a whole," said Clement Dupuis, president and chief learning officer for CCCure Enterprise Security and Training.

SANS' director of training and certification issued a statement explaining the planned move, which goes into effect after April 15. "The lengthy practical exercises blocked more than 80% of certification candidates from ever taking the examinations," Stephen Northcutt said. "We did an extraordinary job of skills development but the lengthy practical exercise process made the second goal unreachable for many skilled professionals."

According to the SANS announcement, more than 20,000 people who started the certification process were unable to complete it because they were not able to carve out the time when they returned to work to complete the 30 to 200 hours required for the practical. As an example, SANS cited a top FBI cyberexpert who completed the training but was unable to complete the practical because of a large volume of cases when he returned to work.

"Additionally, GIAC will be simplifying the recertification process," SANS said.

However, some who hold GIAC certs aren't thrilled with the changes.

"The truth is that [SANS] wishes to show a larger number of people being certified while cutting cost in the process," said Dupuis, who holds the Global Incident Analysis Centre Certified Intrusion Analyst and the Global Incident Analysis Centre Certified Firewall Analyst certifications. He's also served SANS since its beginnings as a grader, courseware developer, instructor and advisory board member. "It is sad to see an organization gauge its success on the number of people who have completed their certifications. For me, this is not a valid metric at all."

Even those who didn't manage to complete the practical have mixed feelings.

"I am one of the 80% who did not complete the GIAC practical in the allotted time," said one poster to the reader's forum. "Rather than blame SANS, the requirements or the fact my mother passed away during that time, I blamed myself for putting it off. The GIAC cert was desirable because it required discipline to achieve … devaluing the cert is not my preferred method of dealing with it. However, I believe we should give [SANS] time to show us what good may come from this change."

GIAC certifications range from security essentials to forensics, from hacker techniques to intrusion detection, from firewalls to auditing, and from security foundations to security leadership. SANS said more than 7,700 security professionals have earned GIAC certifications.

"The purpose of a certification is to give employees and employers criteria to know if they could do the job -- not create an elite [group]," said Alan Paller, SANS's director of research. "We changed the cert so that more qualified people who have the skills will be able to demonstrate them."

Historically, SANS has said three unique elements set its GIAC certifications apart from others:

  • Focus on measuring mastery of technical skills essential to the effective practice of security, rather than general security knowledge;
  • Constant updating to reflect changing threat patterns; and
  • Requiring applicants to complete a series of practical exercises that often spanned many months.

Now SANS plans to substitute scenario-based examinations for the practical assignment element of the certification process.

"The written practical was one of the key differentiators from the other certifications that are available in the market," Dupuis said. "They would allow the student to show mastery of the subject and allow potential employers to take a look at what one can do as far as applying the knowledge learned toward a specific real life application.

"On top of all this, the practicals were feeding the SANS Reading Room which has become a key site for the community when doing research on security topics," Dupuis added. "It will definitively be missed by all."

Other board members were sorry to see the demise of the practical, but believe it was for the best.

"While the practical was a great learning tool, it did indeed lose its objectivity," according to a note to Paller from an unnamed member of the IDS board. "I am saddened at its loss as I feel the graders were in large part the reason for its failure. The bar kept being raised and raised, and no matter how hard some of us tried, [we couldn't] keep a reasonable level of expectation in the minds of the other graders. I believe your efforts to change the GIAC exams are good and necessary so that SANS and GIAC both live on and prosper."

SANS tried to allay fears for those earning certs under the older system. "Although the new testing program will maintain very high standards, SANS will provide a special designation for those GIAC holders who completed the practical exercises, so that their singular accomplishment will continue to be recognized by their employers and the community," the company said in its announcement.

Practicals will be accepted through April 15 and fully graded according to the pre-established standards. Students passing the practical will earn the original GIAC certification and have their practical posted on the Web site. Other information on the termination of practicals is available on the GIAC Web site.
