CISSP versus SANS GSEC-- how do they compare? A common question.
They are both excellent programs with significant overlap as well as some significant differences. I can’t tell you if getting the CISSP or GSEC will be useful to you personally, although you are bound to learn something in the process.
Neither the CISSP nor the GSEC are entry-level certifications. Even if you have years of information security experience, it's a broad enough field that you can’t just waltz in and pass the exam for either of these; you will need to learn or at least review some material in order to pass either exam.
The CISSP is the best-known security certification; it’s referred to as the “gold standard” of infosec certifications, but it’s not necessarily the best choice for everyone.
The GSEC is the second best-known security certification, although it is rapidly increasing in prominence. CISSP has been around longer than GSEC, which accounts for much of this.
The GSEC material is practically oriented, whereas the CISSP is much more managerially and theoretically oriented. Although most people agree that CISSP has some obscure and bizarre material in it (“Orange Book” material, Bell-LaPadula, NIACAP, etc.), most of the material in both programs is very useful.
The GSEC training from SANS (the only source of GSEC training I know of) has 10 hours of hands-on training, whereas most CISSP programs have none. In GSEC there is more emphasis on learning “how to do things” as compared to “knowing things”, and hands-on knowledge is tested by the GSEC exam.
CISSP requires five years of experience in security, some of which may be waived for various reasons such as formal education, whereas GSEC has no such requirement.
CISSP certification is a paper-and-pencil test scheduled periodically at locations worldwide, and you may need to drive or fly a long distance depending on where you live. It’s a 250-question multiple-choice exam which lasts six hours. Very few of the questions are straightforward; you are typically choosing the “best” answer from several correct ones or the “least bad” one from incorrect ones. No one likes taking the CISSP exam, and the people who leave after only 3 or so hours usually have given up. A few weeks after you take the test you’ll find out if you passed or failed.
The GSEC exam is “real world” in that it’s open book. You need to take one proctored exam on a computer, for example at a KRYTERION testing center, which consists of 180 multiple-choice questions with a 5-hour time limit. You immediately find out if you’ve passed or failed.
SANS GSEC training is developed and run by The SANS Institute, which is essentially the GSEC people. CISSP training is available from many sources, including The International Information Systems Security Certification Consortium, better known as (ISC)², the CISSP people. This is very confusing because the (ISC)² certification entity is nonprofit, but (ISC)² training is a different, for-profit company.
Both CISSP and SANS GSEC training are long and involved. The SANS GSEC training is six days and five nights. CISSP programs tend to be 5+ days long as well. Usually additional study is required before taking the exams. Note that the training is optional: you can take the exams without attending training.
The CISSP material and exam don’t change very often and don’t attempt to be cutting edge. It’s more like college or grad school course material. The GSEC material and exam are far more dynamic and updated more frequently.
The CISSP is good for 3 years and requires an annual maintenance fee, as well as professional education (CPE) credits for renewal. The GSEC is valid for 4 years after which you need to retake the examination to recertify.
CISSP: More theoretical and managerial
GSEC: More hands on and practically oriented
Both are great programs.