[unisog] Certification for Security Administrators

eward {Elaine N. Ward} eward at forum.utexas.edu
Mon Dec 24 18:00:07 GMT 2001

Thank you for sending your opinions to the question I asked last fall (!)
about CISSP certification. Please excuse the delay in compiling the
summary--I can hardly believe it's been so long.

You sent a total of 12 responses.

About two thirds said that CISSP offered a very broad overview. The
consensus was that the CISSP certification was more helpful in management and
policy roles than practical application.  Some comments were:

1.	Good certification, widely respected:  sort of a standard. Covers 10
domains very broadly.  By itself won't make you a competent system
administrator or architect.
2.	Likely the "best of breed."
3.	Premier certification for individuals dealing with security policy.
4.	Best for management role.
5.	Broad and shallow.  Doesn't test practical security knowledge.

While CISSP is expensive, the costs can be reduced. One person wrote:

" . . . I sat in on a self-study review course for the CISSP in which 2/3 of
those who participated and took the exam passed.  It was sponsored by our
local ISSA chapter.  A great deal of the material used in that course is
available the website at cccure.org.  In addition to the isc2's 2 weeks on
the CBK, offers a 3 day course for ~$1500.  One of their instructors said it
had a greater than 80% pass rate. . . . "

Six suggested GIAC was better for training specific areas in a particular
environment--even though GIAC/SANS was not mentioned in my original query.  

Those who strongly preferred GIAC said:

1.	GIAC requires real configuration knowledge.  To understand and
evaluate new technologies, learn how they can be used more safely, manage
new deployments and policy development, get GIAC.
2.	SANS certifications are targeted to hands-on, day to day tasks. 
3.	GIAC is a much better option--you can train more specifically in
areas of concentration.

One respondent sent supporting documentation from a salary perspective.  The
original report was published by SANS, but based on facts gathered in an
independent survey:  

Salary Survey Shows How Much Security Certifications Pay

In a survey of 29,400 workers in over 1,850 private and public sector
employers, security certifications were found to be growing the most
rapidly (out of 135 skills and certifications) in improving the pay of
those who hold the certifications, with five GIAC certifications leading
the way:
GCUX (GIAC Certified UNIX Administrator)
GCIA (GIAC Certified Intrusion Analyst)
GSNA (GIAC Certified System and Network Auditor)
GCIH (GIAC Certified Incident Handler and Hacker Tools Expert)
GCFW (GIAC Certified Firewall Analyst)

The quarterly Foote Survey -- largest in the IT industry -- found extra
pay for security certifications grew to 8.3% of base pay up from only
6.8% in the same quarter last year.

The Foote Survey which covers nearly all popular certification programs
and IT skills area is widely used by human resource departments to set
salaries.  More information is available at

And finally, one of you reminded us that:

Tests alone don't mean you've mastered the subject material.  Not a
substitute for hands on experience.  Lots of idiots have advanced degrees.

Thanks again for your interesting and helpful observations.  

Happy holidays,


Elaine N. Ward
ACITS IT Security and Policy Officer
The University of Texas at Austin
(512) 475-9482 

-------Original Message-----
From: eward {Elaine N. Ward} [mailto:eward at forum.utexas.edu]
Sent: Wednesday, September 26, 2001 11:39 AM
To: unisog at sans.org
Subject: [unisog] Certification for Security Administrators.

Our office is investigating professional certification programs for the
system security analyst in our office.  We are looking into CISSP, which
though somewhat pricey, seems to offer a lot.   We'd appreciate your sharing
your opinions, experiences, or other alternatives you believe are worth
investigating.  Please respond to eward at forum.utexas.edu.  I'll be glad to
summarize responses for the list.

Thanks for your help,


Elaine N. Ward
ITS  Policy Officer
Information Security Office
The University of Texas at Austin
(512) 475-9482 
