Are GIAC certifications well recognized outside US?

Actually, I started writing about this topic as an answer to a comment, but it turned out to be a good point to explore and encourage discussion here as a blog post (thanks, David!).

I believe the best short answer to the title's question is, unfortunately, NO. They are not widespread outside the US, but this should definitely not be a key factor in deciding whether or not to attempt a GIAC certification exam.

At least in the places I have worked (Brazil, the Netherlands, Germany), it is almost impossible to mention the word GIAC without having to explain it in more detail, that is, without tying it back to the SANS Institute, the conferences, the lab trainings and everything related to it. That should not be taken as the only reason why I believe they are not recognized; it is just one example to support my opinion. I started playing with GIAC challenges a while ago, but it seems their popularity has not changed much since then.

However, this does not seem to be the case in the US, as one can infer from the post title, where there is an increasing number of projects, especially those related to government agencies and the military, that list SANS and GIAC resources as the foundation for their staff training and certification.

SANS does not seem to put as much effort into marketing as (ISC)² does. I am not saying they need to, but maybe that is why their certifications are not known among a large number of people, including infosec professionals and HR teams. The way (ISC)² handles the certification business is really remarkable. I am glad to be an invited SME for one of their certifications (SSCP) and can confirm how seriously the exam item development and review workshops are taken.

Nevertheless, I dare say that most infosec players, including consulting firms, labs/teams and vendors (not HR, but CSOs and technical teams), are aware of GIAC/SANS as a big name in infosec certification and training, and that is why those certifications stand out, especially for technical roles. In my opinion (and I am not a SANS instructor or anything of the sort), one thing seems very clear: SANS offers the best enterprise-level infosec training tracks, especially the hands-on, very technically oriented ones.

Given that the trainings are in-depth, lab-based and a week long, most people will not be able to turn the knowledge obtained in class into a GIAC certification right away, since they need some extra time to digest it; this is in contrast to other programs where you are prepared for the exam during the training itself. I believe this is one point SANS could approach better, although that is hard to say without deeper involvement. Still, it should definitely be taken into account.

Also, the costs should not be ignored. Besides the high difficulty level involved, a single GIAC exam costs US$999, which is far too much for professionals to pay out of their own pockets in most cases. That means applying for such exams is very unlikely without some form of sponsorship. I am not arguing whether or not it is worth investing that money, but it is quite a large amount for a single exam.

If you search for "information security certification" on Google, the first pages will barely mention GIAC, but they will mention CISSP, CISA, CISM and also CEH (OMG!). And this is probably what a lot of HR teams will do if they do not get enough input from the security role description. A couple of things are at play here, ranging from poor SEO/marketing by SANS to a lack of interest from security leaders when describing a role profile.

There is a recent GIAC vs. CISSP discussion on a well-known blog where branding is also considered; I recommend reading it if you want to go deeper into this topic. The GIAC portal also hosts a good article on the advantages of getting certified, which is worth reading. And lastly, if you have not noticed, the header image I used for this post is the first hit from a Google image search for the word GIAC. The image that actually represents the certification program we are talking about here is found below.