The information security certification landscape has become a confusing alphabet soup of competing credentials.
A few of the early certifications, like the CISSP from (ISC)2, have become synonymous with information security professionals both inside and outside of the industry. Many in the industry question the value of certifications, both because they hold InfoSec professionals to high expectations and because they have encountered certified individuals who underperform. Certifications are often overemphasized: they cannot replace individual experience and are not an accurate measurement of individual performance. Their value is much clearer when they are viewed as an educational tool, like a college degree.
Global Information Assurance Certification (GIAC) has launched yet another information security certification, called the GIAC Critical Controls Certification (GCCC), into this already crowded marketplace. This tip will review this new certification -- specifically, what it focuses on, how it matches up with other popular InfoSec certs like CISSP and CISA/CISM, and who, if anyone, should consider pursuing it.
Understanding the certification
The GCCC is not a replacement for either the CISSP or the CompTIA Advanced Security Practitioner (CASP), both of which cover a wide range of information security topics. It focuses instead on the 20 Critical Security Controls as defined by the SANS Institute. This concentration on critical controls and risk management alone may seem elementary to seasoned security professionals, but they are not the target audience of the GCCC.
Breach notifications in recent years have repeatedly reminded us that organizations are not implementing basic security controls. This is often because the organization's management does not understand the controls and does not prioritize information security concerns. GIAC's GCCC is a suitable vehicle for educating the organization on the importance of these basic security controls. Everyone in the IT organization, from the CIO to the system administrator, could benefit from learning these basic information security concepts. The biggest improvements in information security are usually attained by driving cultural change, which is where the GCCC could really shine.
About the exam
The testing requirements are fairly minimal: the candidate must answer 75 questions within a three-hour time limit. This is obviously not a thorough examination targeting experienced information security professionals. However, it may be the right length for the intended audience, and it could get them more involved in their organization's information security program. A CIO will not have the time to study for or sit the CISSP exam, but may be able to squeeze in the GCCC.
The 20 critical controls defined by SANS are well thought out and could be mapped to just about any security framework or compliance requirement. Organizations that are looking at NIST SP 800-53 or ISO 27000 series certifications could use the GCCC as preliminary education before starting one of these more involved frameworks. Organizations that must comply with HIPAA, PCI DSS or the Gramm-Leach-Bliley Act will find that these controls can be readily translated to satisfy their compliance requirements. Note that the GCCC is individual education, not an assessment of the organization: mapping the controls to a framework still requires implementing them and producing evidence for an auditor.
The world of information security certification has exploded as industry demand for more qualified information security professionals has risen. There is a lot of debate about the value of these certifications, and even the most popular have come under fire in the past few years. It is true that certifications are not a good tool for measuring a candidate's capabilities, but they can be effective when used as educational tools. This is where the new GCCC certification could see success, if it is adopted by those in the organization outside of information security. The GIAC GCCC could be used to help build a culture of security through education. That culture could offer much more value than certifications that focus only on assessing the skills of information security professionals.
About the author:
Joseph Granneman is SearchSecurity's resident expert on information security management. He has more than 20 years of technology experience, primarily focused in healthcare information technology. He is an active independent author and presenter in the healthcare information technology and information security fields. He is frequently consulted by the media and interviewed about various healthcare information technology and security topics. He has focused on compliance and information security in cloud environments for the past decade, with many different implementations in the medical and financial services industries.