Monday, March 14, 2005

SANS Ends Practical Requirement for Certifications

I just learned that SANS, an organization whose conferences I attended fairly regularly five years ago, has terminated the practical requirement for all of its GIAC (Global Information Assurance Certification) programs.

GIAC was originally the Global Incident Analysis Center, a Web site to disseminate information on Y2K rollover threats. From a February 2000 archive of the site:

GIAC began December 21, 1999 as a service to support Y2K watchstanders all over the world, watching for cyber attacks and Y2K problems. We've come a long way since then, but the original pages are archived here.

I was an original incident handler and had some of my work posted. I also taught the IDS track several times, until I decided their material was too out-of-date and irrelevant to IDS practitioners. I was tired of scrapping SANS material on stage (aside from some of Judy Novak's TCP/IP slides and Marty Roesch's Snort tutorial) and teaching what students really needed to know.

SANS turned the Global Incident Analysis Center into the Global Information Assurance Certification when they realized they had created a powerful GIAC brand.

The SANS announcement states the following:

"Starting immediately, all new students will be authorized to the exam only GIAC Certification.

The forces that drove us to this change are numerous, but the single most important is the need to move to more modular, adaptable, courseware and certificates and certifications to stay abreast of the current threat. Additionally the marketplace has voted with its feet in favor of exam based certifications.

No practicals or drafts will be accepted after April 15th, 2005."

My take on this statement, and my conversations with SANS faculty, lead me to believe that grading practicals simply became too onerous for the SANS staff. Their margins are higher when they can automate the certification process.

This next statement is disappointing:

"We will issue a new logo design for all future 'exam only' certifications so that there will be less chance of confusion between 'exam only' and the more prestigious, original, practical oriented certifications."

In other words, SANS has admitted to devaluing its certification -- the new 'exam only' certifications are not as 'prestigious' as the original.

SANS has now created a market where holders of the "original" certification are more highly valued than those that follow.

SANS will also no longer be able to offer practical assignments to the community. Although the original practicals will remain online, that source of knowledge will dry up. This is doubly unfortunate as SANS practicals were one of the best aspects of the certification from the perspective of other security students.

While I believe that viable exam-only certifications exist (like the CCNA, CCNP, etc.), I fear SANS has removed a feature of their certification that made it unique and valuable.

11 comments:

Anonymous said...

Three simple letters: NKC

Bammkkkk

Richard Bejtlich said...

I seem to remember this same NKC holder helping to teach SANS in San Antonio...? :)

Anonymous said...

Well, this kind of sucks. I have signed up for the online training some time ago and it won't start until late April early March. On one hand, I have to admit I am sort of happy I can get the cert without the time investment of writing the paper. With how limited my spare time is this was going to be tough for me to push through, but I had committed to doing it. I think I would have learned a lot from the effort, and I am sad to learn that my money I have spent won't go to as good of a Cert as it would have otherwise. Be nice if I got some money back or something at least. Free iPod?

Anonymous said...


Glad to see your response Richard.


I responded to their email as soon as I received it last night and expressed my dismay at their decision. I received a response this evening which frankly, didn't impress me.

The practicals did set the GIAC apart from other certs. It also clearly gives the CISSP a big advantage over the GIAC, as if it didn't already in the eyes of the world.

The biggest problem to me, as you noted, is the enormous resource the practicals provide to the community at large.

Thanks again for your blog, Richard.

George

Anonymous said...

Very disappointing development. Richard, I was lucky enough to have taken the Intrusion detection class from you in San Antonio. I learned a great deal in that class, however I learned even more by doing the practical. Eliminating the practical may be a good financial move by SANS, but it will be bad for the students.

--Mike

Don Parker said...

Well when I received this mass email I was to say the least pissed off. To be told that one of the reasons they dropped the practical was because some FBI Expert couldn't find the time to write is truly pathetic. This smacks of a money grab to just certify more. It has vastly devalued the two GIAC certs I hold. I cannot adequately express my disappointment here. I know a good deal of the SANS faculty as well and quite a few of them are not in the least impressed with this.

Anonymous said...

This is quite troubling. I was actually planning on taking the Incident Handler certification this year. One of the major reasons I wanted this particular certification is that it sets itself off by requiring something more than just passing a test. Hands on experience is a great way to display the grasping of knowledge, and they've hurt themselves by making this change. As you so aptly pointed out, they've admitted as much about degrading their certification when referring to the original as "more prestigious".

-Jeff

Richard Bejtlich said...

A friend forwarded the original email sent from SANS describing the change:

> From: The SANS Institute sans@sans.org
> Date: March 13, 2005 9:34:29 PM EST
> To: Security Professional
> Subject: Significant changes in GIAC
>
> Hello,
>
> If you are receiving this note, our records show you now hold or
> have held a GIAC certification. I write to share with you some big
> changes coming in the GIAC program that we believe will allow us to
> meet the overarching goal of GIAC - to improve the practice of
> security throughout the network-connected world.
>
> GIAC has differed from other certifications because of two main
> elements: (1) its focus on measuring mastery of technical skills
> essential to the effective practice of security and (2) its requirement
> that people prove those skills through a practical exercise.
>
> The first of these elements is critical to the success of the mission;
> the second is standing in the way. More than 20,000 people who have
> started the certification process were unable to complete it because
> they were not able to carve out the time when they returned to work to
> complete the 30 to 200 hours required for the practical. Here's one
> example: one of the top FBI cyber experts completed the training (and
> told us how extraordinarily valuable it was) but when he returned to
> work, four new cases came in to the office and he couldn't carve out
> the time to finish the practical. There are thousands and thousands
> of other people who have great skills and knowledge but for whom the
> time required to finish the practical was too much
>
> You might be saying to yourself, "I was able to do it, so you should
> make everyone do it." We agree except that the world is moving to
> test-based certifications and the value of your GIAC certification
> will not continue to grow unless we eliminate barriers that block 80%
> of the candidates.
>
> We believe that we can upgrade the testing process, through
> scenario-based testing, while we terminate the need for a practical
> assignment to complete GIAC certification. On balance the program
> will have more value because it touches more people. We will issue
> a new logo design for all future "exam only" certifications so
> that there will be less chance of confusion between "exam only" and
> the more prestigious, original, practical oriented certifications.
> All practicals already submitted will still be graded and returned
> to students with feedback from the grading team.
>
> Starting immediately, all new students will be authorized to the exam
> only GIAC Certification.
>
> The principal force that drove us to this change is the one I discussed
> above: we can not accomplish the mission of improving security broadly
> without the change. But there are others. One big one is the immediate
> need to move to more modular, adaptable, courseware and certificates
> and certifications to stay abreast of the current threat.
>
> We will move rapidly to deploy the state of the art in exam delivery
> including scenario based testing, additional psychometrics, and
> skills assessment.
>
> Additionally, we intend to simplify the recertification process and
> upgrade its testing to require the same exams for recertification
> that are being used for new certification at the time you recertify.
>
> Any feedback concerning these changes can be emailed to
> PracticalTermination@giac.org. A new FAQ to answer a wide variety
> of questions you may have is available at
> http://www.giac.org/overview/faq.php#practical.
>
> I want to thank all the advisory board members and graders and the
> GIAC staff that made the practical system possible. I will be in
> touch via a second note to outline future opportunities. There are
> a number of exciting new projects underway and there is a place at
> the table for everyone who wants to be part of the team.
>
> Respectfully yours,
>
> Stephen Northcutt - Director of Training and Certification
> The SANS Institute
> 808.823.1375 (f) 808.823.1374
>
>

Anonymous said...

posted by LonerVamp

This is certainly disappointing, even to me, a fairly new professional still shopping around for certs to chase.

1) I loved the wealth of information that new and established practitioners provided in those practicals. I loved reading them, and it gives many, many people a taste of writing, in an industry that should encourage writing and the goal of being published.

2) The practicals set the GIAC certs apart from the rest in a good way. The practicals help demonstrate that someone knows a subject, and also offer up a deliverable that makes the cert a discussion topic. "Just curious, what have you done for your practicals?" It makes the cert challenging and rewarding, and greatly increases the prestige. Take away the practicals, and the cert diminishes in stature. I've known people who have gone through CCNA certifications and passed...yet they cannot demonstrate even simple concepts. Similarly with the MCSE/MCP trees. That is nothing against those two certs, but it does illustrate that an exam-based cert is not more prestigious.

3) The practicals themselves help promote community with the assumption of sharing information and the posting of the practicals on a central site.

4) It is insulting that people who were able to attain their certs with practicals get a certain distinction. Why do you give certain people distinction and not allow other people to achieve it? This is very extreme, but this makes me think about race and discrimination based on something you cannot physically achieve (black becoming white, being able to achieve a cert with a practical).

5) SANS does want to make their certs worthwhile, but making them more accessible to the masses and increasing the overall number of recipients does not accomplish this. Stephen Northcutt, in his message about the change, states that barriers block 80% of applicants. Let's say of those 80%, 50% would have passed. Let's also say that of all applicants who meet these barriers, 50% of them pass. That means that for every 100 applicants, previously only 10 would pass. Now, 10+40 would pass. That's a 400% increase in your user base. Yes, you will have more of your certs out there, but because there are more, they will be worth less.

6) I disagree with the logic of Stephen Northcutt. He states that one of the main reasons for the elimination of the practicals was due to the barriers the practicals create, namely the time it takes to do the practical. By that logic, we should not be requiring or promoting special week-long SANS bootcamps. We should not be requiring extraordinary studying. We should not be requiring applicants to take time out of their day to attend the exam.

7) Mr. Northcutt also points out that the overarching goal of GIAC is to "improve the practice of security throughout the network-connected world." This change itself does nothing to further this power statement; in fact, it lessens it, based on the points made above. Security is not something you can just test and nod your head "yes" you know it; security is not a state, it is a process. It is something ongoing that requires more than just being able to answer questions on a test. It is this dangerous mindset that a test will prove that individuals make better security professionals, that really scares me. A company will look at a GIAC certificate-holder and hire them thinking they have demonstrated abilities, but if they don't, then you've cheated the company, the individual, and the industry by souring the opinion of the cert and the abilities of all people in the industry. All just to get this in the hands of more people?

I think the reasons Stephen gives did not create this change; the change created the need to formulate the arguments. I think the reasons probably lie in the overhead of grading practicals and probably the pressure to not get swept under the rug of other certs that everyone is achieving. They want to not lose that "80%" who don't make it past the "barriers" to competing certs. People want shortcuts, they want quickness, they want achievability; they want tests. I think that's a dangerous way to promote and certify a professional, and encourage them to measure success.

Maybe SANS is just being economical. A company has a market base, but we have to admit they need to increase the market base because everyone that attends conferences and takes exams are that many fewer people who may need to do it next year. If a company needs to continue growing revenues, it needs to diversify or grow its market base. SANS is growing its market base.

I think this decision probably means I will pursue my CISSP in April when I become officially eligible. If SANS just wants a test, then CISSP becomes more important to me because it "proves" experience of 4 years or more.

Anonymous said...

To be fair, maybe we should all wait to see the caliber of the new GIAC tests before we make judgements. As someone who holds both GCIA and GCFA certifications, I know exactly how tough the practical assignments can be, but the tests themselves are NOT EASY. To be able to complete the average SANS exam is quite a task: one or two 90 question exams each within 2.5 hours that require a good grasp of hex math, IP addressing, and many other in-depth technical subjects. As a security professional and a SANS affiliate, I would still have a great deal of respect for anyone able to pass a SANS exam (or two, for the more challenging certs). If SANS replaces the practical with a "scenario-based exam", the end result will be an exercise of the candidate's ability to think on their feet in a limited amount of time. Considering the fact that it is easy to have someone else write a practical *for you*, maybe a battery of exams is even harder. And if this makes SANS certs more obtainable, so what? Since the real acid test of Information Security is in the field (and not the classroom), a practical isn't really much more than a take-home exam....

As far as economical arguments are concerned, don't forget that certification only costs $200 - $400 per cert...it is the week-long training that costs $2000-$4000.

I think SANS is trying to make the certification more accessible to security professionals that aren't necessarily uber-gurus.

Richard Bejtlich said...

SANS is devaluing its own new certification standards with this statement:

"We will issue a new logo design for all future 'exam only' certifications so that there will be less chance of confusion between 'exam only' and the more prestigious, original, practical oriented certifications."

I think a certification can be tough and respected without a practical -- but not if the certifying body tells candidates their 'exam only certification' is not as 'prestigious' as the original.