From: Scott C. Sanchez, CISSP (scott@gungadin.com)
Date: Tue Jan 08 2002 - 11:08:22 CST


    First: I love SANS and always have- I think they are really good for the
    industry and do a great job even if they and ISC(2)/ISSA/CSI/whoever can't
    always agree- that's life and that's business. (Since I'm the moderator,
    any responses about sans-bashing will be sent to /dev/null. :))

    Second: Let's relate our profession to the accounting profession for a
    second, this often helps people put this into perspective. I think of the
    CISSP like the CPA (certified public accountant) and the GIAC like a
    'certificate in tax preparation' (CITP). If all you need is someone to
    file your tax return, you may feel perfectly fine selecting someone who has
    a certificate in tax preparation (if all you need is a firewall admin, you
    might look for someone with GIAC). If you need someone to advise you, help
    you troubleshoot and plan complicated financial issues AND file your taxes,
    you would likely look to hire a CPA (if you need a Chief Security Officer,
    you'd likely look for a CISSP).

    The CPA exam is structured much like the CISSP where you need to know a bit
    about a very wide range of issues (domains). Choosing someone with CPA
    (or CISSP) after their name does not mean that they are a good accountant
    (or security professional)- all it means is that they know as much as the
    next CPA/CISSP when it comes to their profession and subject
    matter. Choosing someone with a CITP (or GIAC) after their name may very
    well mean that they are good at tax prep (or whatever their GIAC cert is
    in), but it does not show or prove in any way that they have a wide range
    of abilities or knowledge. The fact of the matter is that with
    CPA/CISSP/CITP/GIAC after your name you may still be terrible at what you
    do, even if you have proven that you "know" the subject matter at
    hand. Experience helps, references help and being honest with the people
    you work for and with helps.

    Read the above two paragraphs twice if you need to. I get asked this
    question a lot and relating it to something else seems to help people make
    a decision on which way to go. If you are not US-based or have no idea
    what a CPA is, you're on your own :)

    Hope this helps,
    -Scott

    At 11:20 AM 1/8/2002 -0500, Jeffrey.Stebelton@fund.bisys.com wrote:

    >I'd be interested in the same information. I've been doing security
    >exclusively since April of 2000 and have a long ways to go before I meet
    >the ISC(2)'s four year minimum experience qualifier which goes into effect
    >January 2003. I'm considering dropping the study mode for the SSCP\CISSP
    >track and devoting my attentions to the SANS GIAC certs, which sound more
    >realistic to me anyway (depth in one subject you can use instead of breadth
    >on every subject with no real-world applicability). If there are more
    >materials on the SSCP besides the study guide put out by ISC(2), I'd
    >probably still consider the SSCP test this year, but there is seemingly
    >little material on it since it is a test that is supposed to cater to
    >system and network admins who also must wear the security administrator
    >hat. Anyone taken the SSCP test? If so, what study materials were
    >beneficial to you? Would anyone recommend the SSCP over taking the GIAC
    >certs?
    >
    >Jeff Stebelton
    >Network Security Administrator
    >BISYS Fund Services
    >614-470-8249
    >
    >
    >Scott Root <sroot@newsletterholdings.com>
    >To: cisspstudy@securityfocus.com
    >cc:
    >Subject: SSCP
    >01/08/2002 10:29 AM
    >
    >Has anyone taken the SSCP exam? If so, would you
    >comment on whether or not the CISSP Prep Guide
    >could be used to prepare one for the SSCP? I have
    >been in I.T. 4 years now, 3 of them as a System
    >Manager. I was going to attempt the CISSP later this
    >year but feel that I have not had a solid 3 years
    >experience in security. As a result, I've decided to
    >take the SSCP first. Unfortunately, I'm unable to find
    >any study resources specifically for the SSCP. So,
    >will the CISSP study guides from the relevant
    >domains properly prepare one for the SSCP?
    >
    >Scott.