I've heard many suggestions about how Microsoft can improve its certifications, but the suggestion I hear most often calls for the company to start measuring a candidate's ability to apply what he or she knows in real-word situations. But having candidates demonstrate that they can install OSs, add new users, configure desktops, or perform any of the hundreds of other tasks that network administrators perform regularly wouldn't be easy. Cisco requires that candidates for its advanced certifications attend specially equipped labs and demonstrate that they can configure and troubleshoot several complex sample routers, switches, and firewalls. However, this kind of hands-on testing wouldn't scale well to the MCSE program, which draws thousands of candidates per year.
The Global Information Assurance Certification's (GIAC's) Security Engineer certification takes an interesting alternative approach to validating a candidate's understanding of security best practices. The certification, called a "practical," consists of a research paper (probably not too different from the papers you wrote in college) plus exams. For the paper, you choose a topic, perform research, and write five pages that attempt to improve the collective understanding of some facet of security. Your paper can address an exploit or a
vulnerability, examine a particular protocol, explain how to accomplish a task, or explore a legal issue—so you should be able to find a topic that interests both you and the community at large.
What's unusual about this process is that GIAC must approve your topic and you must submit your paper for grading before you can take any exams. You have 10 weeks to write the paper and prepare for exams, and you forfeit your certification fees if you miss the deadline. For those with jobs and family commitments, the time limit might present the most significant obstacle to earning the certification. My plan is to take care of as many of my other responsibilities as I can before I start the certification process so that I can try to work without disruptions when I need to.
The paper and the short time frame will likely discourage all but the most dedicated. If these requirements don't scare off the casual certification seeker, the cost of the process probably will. Certification—without any training—costs $475 for two exams and the evaluation and grading of the paper. If you plan to use training to help you prepare for the exams, my best estimate is that the Security Engineer certification will cost three times what the MCSE costs. With such barriers, we probably won't see a flood of GIAC-certified professionals on the market, as we have with MCSEs. As a result, the GIAC will carry greater respect and hold greater value in the long term.
In my next column, we'll discuss the requirement that all GIAC candidates renew their certifications regularly—another way that the GIAC certification differs from other certifications. Until then, visit the GIAC Web site and look over the papers that past candidates have written to get an idea of what's in store for you if you pursue the certification.