Security Musings

Musings on Certifications

Collected musings on information security certifications.


GIAC Status Report October 2007


By Stephen Northcutt
As the Global Information Assurance Certification series enters its eighth year of operations and tenth year of development, I have been asked to update an article I wrote several years ago about GIAC. If someone told me in 1998 that one day I would run one of the most advanced technical security certification programs in the world, I would have laughed in their face. I had been given the offer several times, but flatly refused it because it sounded like a whole lot of work.

What changed my mind was an employee who had an impressive résumé that listed a lot of intrusion detection experience. When that employee was asked to install IDS Real Secure, one of the easiest intrusion detection systems to use, it became obvious that he could not do it, and I knew something was very wrong: Résumés cannot be trusted to prove that a potential employee meets a minimum standard.

About a month later, another incident finally convinced me to become involved in creating a certification for security professionals. At the time, I had management responsibilities and approved training for myself and three employees at a conference in Monterey, Calif. On the second day of the conference, I looked around for them, and they were nowhere to be found. They had gone sea kayaking. When you consider the cost of training, which also includes the cost of travel, hotel and per diem, the employer had invested about $5,000 to send each employee to training. Something else was wrong: Employers could invest in training, but had no guarantee that they were getting any return on those investments in their employees.

Certification as part of training is one way for employers to ensure that they are getting their money's worth.


I started bothering my colleagues in the industry, asking what they thought a security professional needed to know. After six weeks or so, the list grew to several thousand items, and the best assessment was that a class that could prepare someone for this role would last at least six weeks. A large number of people could see the importance of this project for the information security industry and cooperated to complete it. Creating this list would have been impossible without their help. The security community worked together to move forward and formed a strategy to prepare the list. The essentials of security were defined using two population groups: technical professionals and managers, especially those who subscribed to the CIO Institute Bulletin. Finally, the first two courses in certifications, SANS Security Essentials and Intrusion Detection Tracking Certification, were ready.

The End Result: SANS and GIAC

As a result of the cooperation of the community and in response to the need to validate the skills of security professionals, the SANS Institute established the Global Information Assurance Certification (GIAC) program in 1999. The purpose of GIAC is to provide assurance that certified individuals hold the appropriate levels of knowledge and skill necessary to practice in key areas of information security. In 2002, SANS' Security Essentials was certified as 100 percent compliant with the National Security Telecommunications and Information Systems Security Instruction's (NSTISSI) 4013 training standards.

SANS training and GIAC certifications address a range of skill sets, including entry-level Information Security Officer and broad-based Security Essentials, as well as advanced subject areas like Basic and Advanced Audit, Intrusion Detection, Firewalls and Perimeter Protection, Hacker Techniques, Windows Security, UNIX Operating System Security and Wireless and Forensics. GIAC is unique in measuring specific skill knowledge areas, instead of general-purpose security knowledge.

The first GIAC professionals were certified in February 2000, and just under 1,000 candidates were certified in the program's first year alone. As of March 2002, SANS had certified more than 3,000 individuals, and there are currently more than 18,000 certified professionals.

Distinctive Issues for the GIAC Certification


There are four major distinctions that demonstrate the quality of the GIAC family of certifications:

  • GIAC never grandfathered anyone into the program.
  • GIAC requires recertification.
  • Each student receives a unique certification exam.
  • GIAC uses a meritocracy-based advisory board.

These distinctions give GIAC its unique personality.

Many of the leading security and audit certifications have selected to certify a number of people who have never taken the certification exam. This is known as "grandfathering." It's an understandable choice because it takes a great deal of input to create a certification. Grandfathering is a way to reward the people who helped create the program by awarding them certification. However, because this practice might mean that someone who is certified does not meet the minimum standards, GIAC did not choose that path.

Information technology in general, and security in particular, are changing rapidly. Most certifications do a decent job of demonstrating that candidates meet a minimum standard. However, what about one year, two years or 10 years later? Many security certification programs accept continuing education credits as evidence of continuing knowledge growth. SANS GIAC did not feel that it could rely on continuing education credits in good conscience because it is not a general certification, but subject-matter-based. For example, if you have a firewalls certification, it is not clear that continuing education for forensics will keep your firewalls knowledge intact. GIAC certifications expire after four years, after which students must review the information and retake the exams in order to retain certification. The www.giac.org Web site serves as a link to both GIAC certification information and the latest in information security research.

GIAC security certification creates a unique exam for each student. One of the significant problems in running a modern certification stems from students remembering or copying questions from exams and then selling them to test preparation sites. A question bank of more than 30,000 items based on every skill or knowledge element that GIAC tests helps minimize cheating. Also, GIAC courses are updated multiple times per year. This requires a lot of effort to keep exam questions synchronized to the course. One of GIAC's rules is that every question must be taken from the course material. In fact, questions are tracked by the page in the course. Therefore, all testing is done in batches. All the students of a class are added into a group. There is a matching bank of questions for their courseware, and the exams are generated randomly.

When a student scores over 90 on their exam, they are invited to join the GIAC Advisory Board. We use the advisory board as a sounding board to consider changes to our policies and procedures before submitting these changes to the GIAC Board of Directors. In addition, the board serves as a professional reference for its members when they have a technical question. These discussions are so lively we run them on a parallel mailing list to the one we use for GIAC business. Finally, we have adopted a "promotion from within" strategy for the next generation of instructors. Students that score well on their exams are invited to teach within our Mentor and StaySharp programs with a goal of becoming conference instructors in the future.

Dynamic Changes in 2008

GIAC has been selected by the US Department of Defense as an approved certification for a number of their 8570 requirements.[1] This required the program to achieve ISO/ANSI certification, which has been good for GIAC overall: it forced us to document processes and to implement quality control. I can say without reservation that you are wasting your money if you select a certification program that is not ISO approved. In addition, we have begun operations with a postgraduate college offering a Master of Information Science in Information Security.[2] GIAC serves as the testing engine for the college. As we approach accreditation from Middle States, we believe having our testing processes certified will be a major benefit.


1) http://www.giac.org/certifications/dod8570.php
2) http://ww.sans.edu