GSEC vs Security+

LoganFlook
8 min read · Jan 12, 2021

I think the two most popular certifications talked about for those first wanting to break into the security field might be the GIAC Security Essentials Certification (GSEC) and the CompTIA Security+ certification. I also believe this is for good reason. GIAC certifications remain some of the most sought-after certifications by employers, and the CompTIA Security+ is on virtually every entry-level job posting. In fact, both of these fall in the top six certifications identified on cyberseek.org:

https://www.cyberseek.org/heatmap.html

I am fortunate to hold both these certifications and would like to give my thoughts, as well as my recommendations to aspiring security professionals. As always, these are my opinions and should 100% be followed up with research on your own. I would also like to point out a major disclaimer. I became Security+ certified in 2017 and at that time took the now-retired 401 exam. I became GSEC certified in 2020 and took their most recent (as of writing this post) exam version. Because of this my perspective on Security+ is mostly from memory and I recommend having discussions with more recently certified individuals. However, I do think I understand enough about their current material and examination to give some feedback. But do take that into consideration.

CompTIA Security+

Taking and passing Security+ was required during my technical training when I first enlisted into the military. I still remember the late-night study sessions with other junior enlisted memorizing ports, quizzing on protocols, and rewarding ourselves with Pop-Tarts and Monster when we were correct… don’t judge me, we were bored and stupid. We studied for the SY0-401 version of the exam which was retired in October of 2017. Back then the best resources were, and from what I hear still are, the Mike Meyers book and CBT Nuggets online training video series.

Security+ really is directed towards individuals with little-to-no experience with IT security. It requires students to understand the fundamental aspects of what security is, and how to utilize it in the real world. It required me to memorize many different ports, most between 1–1024 as those are the most common, and their normal protocol(s). Now this might seem rudimentary and not very applicable to those already in the field, but remember this is for people with no experience. I won’t say that being able to spout off random ports and protocols is a daily requirement in my workplace, but I guarantee you I owe it to Security+ when I see ports 22, 25, 443, 123, 161, 445, 3389 and instantly know what is most likely running on those ports.

Moving past that, Security+ students also learn things like fundamental cryptography, symmetric and asymmetric encryption, and PKI infrastructure. Networking skills are built from overviews of networking hardware, topologies, and troubleshooting. This is followed by more business-focused topics like risk management, disaster recovery planning, business continuity plans, and so on. These are all necessary knowledge points to build upon for security professionals. Many of these I did not know going into the course.

In my schoolhouse we had about a month to get through the Security+ material. We were given books for self-study four weeks before the exam and then came back together for a two-week-long bootcamp-style course. The SY0-401 exam was a 90-minute, multiple-choice exam, which I still believe is the case for the SY0-601 version. Although they said there were “performance based questions”, I found that the most I had to do was drag-and-drop a couple security devices on a map. Additionally, CompTIA sometimes gets a bad rep for ‘gotcha’ questions, but I don’t remember more than one or two. I scored a 777; I still think I should have gone to the casino afterwards but I decided not to.

I think by the end of the course I had sunk the better part of 10–20 hours of my own into the Security+ materials, plus the two-week bootcamp. Mike Meyers’ book was probably enough to pass the exam on its own but CBT Nuggets was my favorite. CBT Nuggets always kept the videos short, sweet, and entertaining. I ended up using Mike Meyers as the meat of my studies, and CBT Nuggets as a more relaxed watch-and-listen resource.

Now, I did not pay for Security+ other than the training materials. The exam was provided by the schoolhouse. However, currently the exam is going for $370 USD. It is my opinion that $370 is well worth the investment for those who have little-to-no experience. CompTIA Security+ covers the baseline knowledge that all security professionals should have before building upon any skillset. Being able to, at the very least, understand security concepts and go from there is a great start. And Security+ is definitely a good resume baseline.

GIAC Security Essentials (GSEC)

If Security+ is made for individuals with no experience then GSEC is made for individuals with no experience and a lot of free time.

As an undergraduate student at SANS Technology Institute, GSEC was my second mandatory course. GSEC consists of six different books for well over 1,600 pages of material, and/or 40 hours of on-demand videos. Each book covers specific areas of knowledge; there is networking essentials, defense-in-depth, vulnerability management, data security (cryptography), Windows security, and Linux/Mac security. The course syllabus is massive and way too much to get into in just one blog post, but I will try to give brief summaries.

Networking essentials is pretty straightforward. This book covers hardware, software, topologies, subnetting, and ports/protocols. I would say that this book covered all of the networking topics in Security+ plus another 20%. It did not require much memorization, but it did expect you to remember the differences between Telnet, SSH, FTP, SFTP, SSL, and more.

Defense-in-depth would most closely align with the business side of the house that Security+ hit, and then some. This mainly focused on topics such as disaster recovery, business continuity, redundancy, etc. However, where it surpasses Security+ is in the nitty-gritty about exactly how defense-in-depth is implemented, how you should approach protecting a business from a high overview, and what security measures upper-level management focuses on.

Vulnerability Management explained topics not covered in SY0-401; I am unaware whether these topics are covered in the more recent Security+ materials. This was the book that got into penetration testing, incident response, web application security, and purple teaming. Although no one could walk away from this book directly into a specialized field, it at least exposed students to these topics.

Data Security (cryptography) was, in my opinion, the most beefy book. This really was Security+ cryptography on steroids. GSEC was not satisfied with a student knowing what the Diffie-Hellman key exchange was. No no, you need to be able to explain the exchange, and in detail. Along with that came other topics like in-depth analysis of different algorithms, how they are (or should be) implemented, and in what circumstances. I must admit I struggled the most in this book.

Books five and six covered Windows, Linux, and Mac security. These books focused on actual tools used to protect, harden, and manage systems. By this point in the material there was not much theory; it was hands-on material revolving around the labs.

Speaking of labs, through every book there were many different labs. Most labs were used to simply give students a hands-on-keyboard experience with a tool or technique shown in the book. Normally these took less than 15 minutes to complete and were nice, but definitely not mandatory to pass the exam. But, high-quality labs nonetheless. By the end of everything I probably put in 60–70 hours of study time.

The GSEC exam is a five-hour, 180-question, multiple-choice exam that must be proctored either at a testing center or through ProctorU. My exam took just over three and a half hours; I scored a 92. I will also say the questions were very well written and took a good understanding of the material to think through. It was not “explain X algorithm”; it was “which algorithm works in X scenario.”

In all of GSEC’s great material, high-quality labs, and above-average exam questions, GSEC falls because of one crucial detail. The price.

Right now SEC401 (the training material for GSEC) is a whopping $7,020 USD, and that doesn’t even come with a test voucher. If you want that it’s another $799 USD. Almost $8,000 USD for one single certification. That within its own right should end this discussion for almost everyone. I am very lucky that the GI Bill recognized SANS TI as an approved school and so my studies are covered in full. But unfortunately that is not the case for most.

So which one should I go for?

Well, Security+, obviously. I could not, and would not, ever look at an aspiring security professional and say “oh you know what you should do? Go pay almost eight grand for this one certification.”

Look, if we were to compare the material apples to apples, with a blindfold on asking “which one is better”, GSEC takes the cake hands-down. But we can’t just ask which is better. SANS courses, and their accompanying GIAC certifications, are made for people whose employers or scholarships foot the bill. I won’t say that’s a bad thing. In fact I do think SANS courses are some of the highest grade training I have ever had and are definitely worth four-digit price points. But almost five digits? I’m sorry but no. The saying “you get what you paid for” is a true statement and if you pay top-dollar for SANS you do in fact receive top-dollar training. Their training is incredibly up-to-date and their instructors are fantastic. But there has to be a point where you start to experience diminishing returns in your investment. I don’t know exactly where that would be in terms of SANS/GIAC but it is definitely before $8,000.

At the end of the day if you are lucky enough to have the resources to attend SEC401 and take GSEC then go, it is well worth it. But if you can’t, please don’t feel like you are missing out on a mandatory certification. A much more obtainable Security+ is a great first start in your career. I will continue to recommend that those who are eager to learn seriously consider CompTIA Security+ as their “get your feet wet” certification in the security realm. But always remember, it is not about the certification, it is about the knowledge. I love my Sec+ and GSEC certifications because I’m partly a narcissist, but I know the actual value comes from the knowledge rather than the piece of paper.