Wednesday, December 26, 2012

The Value of Branding and Simplicity to Certifications

At the risk of stirring the cyber pot (item 3, specifically) I wanted to post a response to a great mailing list thread I've been following. A reader asked about the value of the CISSP certification. Within the context of the mailing list, several responders cited their thoughts on SANS certifications. Many mentioned why the CISSP tends to be so popular. I'd like to share my thoughts here.

In my opinion, the primary reason the CISSP is so successful is that it is easy to understand it, which facilitates marketing it. It is exceptionally easy for a recruiter to search LinkedIn profiles, other databases, or resumes for the term "CISSP." If you encounter a person with the CISSP, you basically know what the person had to do to get the certification.

Before continuing, answer this quick question: what are the following? 1) SSCP, 2) CAP, 3) CSSLP?

Let me guess -- you didn't recognize any of them, and neither did I?

Now, let me see if you recognize any of the following: 1) GGSC-0400, 2) GNET, 3) GAWN-C, 4) GBLC, 5) GCIM?

I believe you didn't recognize any of those either.

How about these? 1) GISP, 2) GLEG, 3) GCIH, 4) GAWN?

I'm guessing some of you might recognize GCIH as the SANS "GIAC Certified Incident Handler," which actually doesn't have much to do with "incident handling." That's a topic for another day, but it does show GCIH benefits from decent branding.

You've probably figured out that the last two lists of acronyms were SANS certifications. The first of those was a selection of a few of the retired SANS certifications. There are 26 of those.

The second list was a selection from the list of 24 active SANS certifications.

What about the first list, starting with "SSCP?" Those are other certifications offered by ISC2. They're utterly forgettable. Had I not visited the ISC2 Web site, I would never have known they existed.

Now, one could argue that the brand "SANS" is as recognizable, or even more recognizable, than the brand "CISSP."

The problem is that a person's resume could list "SANS" as a course he or she attended, without noting if a certain achievement (i.e., certification) was achieved. "SANS" is also a poor search term because the diversity of the SANS ecosystem means you could be dealing with a legal person, or a reverse engineer, or a UNIX system administrator.

What is the answer for SANS, if the CISSP will likely continue to out-market it? I recommend adopting the model used by Cisco. If you hear a person has a CCIE, that means something -- you immediately think of deep knowledge, several levels of work, and grueling hands-on testing over two days in a controlled environment.

The genius of Cisco's approach is that they have "tracks" for the CCIE, e.g. Data Center, Routing and Switching, etc. Those aren't the brands though; that stays with CCIE.

The Cisco approach isn't perfect, because you can't simply search resumes for "CCIE" intending to get a CCIE in security. You might find a CCIE in routing and switching, or wireless. However, if you find a CCIE, you get a sense of the level of seniority and ability to operate in a stressful environment (at least as far as a test can simulate).

SANS has tried something like the CCIE with their "GIAC Security Expert (GSE)." The GSE is similar to the CCIE in many respects, including horribly tough hands-on labs, but unfortunately hardly anyone knows about it. It is really difficult to reach that level in SANS certification. However, because only 63 people hold it, there's no real market for them.

By the way, I smell a branding failure when SANS certifications like GSE, GCIH, and so on all have a "G," which references another acronym -- "GIAC," for "Global Information Assurance Certification." That doesn't even include the term "SANS," which is the stronger brand. GIAC originally meant "Global Incident Analysis Center," but that's another story.

In brief, I think SANS could increase the branding value of their certifications if they retired the existing acronyms and names, incorporated "SANS" into a new naming scheme, and concentrated on the "level" approach seen at Cisco. Focus on Entry-Level, Associate, Professional, and Expert as Cisco does, and develop programs to accelerate the adoption of the Expert level among its constituency as Cisco did with CCIEs.

Rebranding would cause lots of SANS folk plenty of heartache, but I think integrating "SANS" into the new level-oriented structure would more than compensate for the initial transition costs. Ultimately the system would be stronger for everyone.

What do you think?

13 comments:

DaveD_PDX said...

Why would we in the professional community have any incentive to support SANS? Sure ISC2 and ISACA et al are also interested in increasing market share and profit from their certifications. But at least they are nonprofit and have significant industry oversight. In contrast, SANS is a private company that uses their "certifications" primarily as a mechanism to sell high cost training. Sure they do a good job of providing opportunities for practitioners to get something of value and participate in training.

But, in my opinion, we'd be better off, as a community, relying on SANS as a provider of training, and having professional certifications exist in a more independent ecosystem without the profit motive of training associated with it.

Anonymous said...

I hold many SANS/GIAC certs and I agree totally with you. None of my certs is widely known by people. By those who took it or those who are familiar with SANS yes, but by the wide majority no. So I had/have to take more well known but lower quality certs because employers are more familiar with them than with SANS certs.

Rich Graves said...

Branding and marketing for whom?

CISSP is marketed to job-seekers and HR recruiters.

SANS is marketed to security and HR professional development people.

They're in different businesses. Nobody goes to (ISC)2 to learn about security. I got my CISSP because it was listed as a job requirement. I became GSE #54 for two very different reasons: personal satisfaction, and because it's one requirement for the MSISE degree. As big a deal as it was, I don't expect GSE to open any career doors (though MSISE might).

GIAC and STI are quasi-independent orgs for business reasons. I don't see that GIAC really needs a stronger brand.

STI, the SANS grad school, will become VERY interesting to watch in roughly one year, when they become accredited. (ISC)2 has no such aspiration.

JDMurray said...

Many certifications are not recognized because of too little marketing effort by their vendor to promote them. For example, the SSCP is intended for people newly out of college with only a year of InfoSec experience. This is a difficult demographic to accurately target with marketing campaigns that promote the value of obtaining the SSCP cert. Hiring managers must also be targeted and convinced of the cert's value so they will place "SSCP" in their job requisitions.

In my experience, public IT certification web sites, such as TechExams.Net, and IT certification study material providers, have done as much to promote--or detract from--IT certifications as certification vendors themselves. Google searches for certifications such as "CCNA passed", "CISSP worth it", and "GSEC exam" bear this out.

Anonymous said...

If the perceived value of a certification is not related to the required knowledge and skills to obtain it but to how it's branded, and I'm afraid you're making this case, there is a problem with how people understand the value of certifications.

Anonymous said...

@Rich - What is your source for STI accreditation? They've been a candidate since 2010, but I don't see a reference for 'roughly one year.'

http://www.sans.edu/about/authorization

Stephen Northcutt said...

Richard, it is nice to read something other than the fiscal cliff :) And I apologize, but can't comment on the STI accreditation timeline.

I also agree with many of your points. Many a sleepless night I have wondered what the world would look like today if we only offered GSEC, GCIH, GPEN, GCFA and GSE. But, I can't turn back the clock, so let's look ahead.

I *think* the GSE will prove to be more of an industry force. Your point about so few is valid, but it works two ways; for some strange reason it has always had brand, even when there were only two successful candidates. Neither of us can know, but we are certainly seeing an increase in the slope of the curve. Maybe bet a beer and mark our Google calendars for end of 2014 or some such.

One thing that works against us brand wise, but helps me sleep at night, is that the separation of church and state (instruction and certification) is getting better and better. When we first applied for ANSI certification of GIAC, we had to rely on a Chinese wall argument. Today, they are separate corporations, with separate missions and separate business unit managers where they both have autonomy.

Nuff said, I am going to go back to staring at the cliff :)

@heywiz said...

My take in 3:
1. - The SANS cert structure could use some work.
SANS certs could be stronger and reduce confusion by having classes work towards a common cert. Cisco, for example, has multiple classes/tests you can take to attain certs (note, none of the classes/tests have their own individual cert, it doesn't muddy the water). So, have multiple classes work towards a cert.

I've actually been in interviews with a panel that included technical employees with SANS certs to see if I wasn't blowing smoke. Interestingly, they read the certs I had and asked questions about other unrelated certs and subject matter. When I responded "I haven't studied that" they said "You have the cert though". Even they were confused.

2. - Not everyone needs an uber cert.
Not to backtrack on my previous comment, but I do understand individual certs. Congratulations, you've devoted considerable braincells to having a basic efficiency at reverse engineering and you passed GREM. Awesome. If I were a manager, I really wouldn't want you working towards something unrelated after that if we truly need reversing capability in our org. Stay in that specialty.

3. - The bigger issue is that the hiring process is flawed.
Not every infosec position needs a cert. A cert doesn't show proficiency, only initiative (much like a degree). Experience matters. If you have to advertise a job that you feel requires a cert, pick the correct one please. Have a technical person review the resumes. Somehow we need to convey that to HR and the hiring mannequins/managers.

It's nauseating to see every infosec position require CISSP when it's not needed the majority of times. The last position I spoke with a hiring manager on advertised for "incident response often acting as lead, most advance defense methods/implementation, bad actor/threat intelligence and attack remediation, mentoring handlers, packet analysis, etc...". My question: "Hey, is this a new spot opening on our team? I know someone that could help." Their response: "Oh no, this is a policy job. Have they written policy before? Do they have their CISSP?"

jbmoore said...

Richard,

I agree with your take that (ISC)2 markets the CISSP certification well. I got my current job because of a dual CISSP and RHCE certification. My SANS certifications got me a few interviews but no jobs. While recruiters aren't the brightest bunch, they really don't know what SANS is or what its certifications signify. This is a shame since one of the best certifications SANS offers is the GCFA. In terms of practical IT Security knowledge, SANS beats (ISC)2 hands down. This is not to say that SANS courses can't be improved. They borrow a lot of material from open source projects such as The Honeynet Project, and some of it is dated. Generally, the CISSP should be required of managers and SANS certifications should be required of techies, but for now, the CISSP is required for both groups.

John

Anonymous said...

SANS is a business that offers absurdly expensive "training" where the chief benefit is providing access to their course material, which you can take into the exam with you (along with mountains of other reference material and notes).

(ISC)2 is a non-profit that offers an extremely lengthy and relatively challenging closed book exam, but the exam does not earn you certification. What earns you certification is years of experience.

Now let's compare re-certification/certification maintenance. (ISC)2 requires a great deal of continuing education to maintain their certifications whereas SANS requires only that you pay them another $4,000+ to extend your SANS certs for another 4 years ad infinitum.

Don't get me wrong, I found value in my exposure to SANS training. But, that SANS training was delivered in a classroom of 175 students with 1 instructor over 6 eight hour sessions. Assuming each student paid an average of $4,000, that means SANS is charging about $14,500 per hour of training. Since they seized opportunity early, recruited a bunch of the best known "early adopter" white hats as instructors, and put together fairly good training, they are apparently able to demand such high rates. But they have essentially 0 competitors, and that's something I'd like to see change.

SANS training requires intensive effort on the part of the student to derive value from those few days of incredibly expensive training, and much is lost no matter how attentive the student is. The CISSP demonstrates much more than test taking ability, such as a dedication to the profession and ongoing education. Not to mention 4 years of full time involvement in information security, usually in the form of employment.

I find SANS somewhat dubious as an organization, given their absurd rates, lack of competitors, and short courses. The CISSP remains the gold standard in InfoSec certifications and is likely to retain that title well into the future.

Anonymous said...

Wow, I don't have time to refute each point in the previous post by "anonymous", but please, anyone who doesn't know better, just take it with a pinch of salt! Almost every single sentence is bending or breaking the truth ..

Kebra IT Solutions said...

@Richard - the reason the "CCIE" model works so well is because there is a monetary gain to be had by the Cisco partner hiring the "CCIE" professional. Cisco requires that a partner company have x amount of CCIE's on staff in order to get discounts on equipment purchases. With the GIAC certs being vendor neutral, SANS does not have the leverage to force a company to hire GIAC cert holders.