First of all, GIAC is the certification arm of SANS. By itself, it is not a certification. GIAC would best be compared to (ISC)2, the organization that maintains the CISSP. So it's not possible to do a true comparison of an organization (GIAC) to a cert (CISSP). When I am asked questions in writing, it can be difficult to figure out exactly what knowledge the reader is truly looking to gain without the give and take of a conversation. Therefore, in an attempt to decipher a question that many of you have asked, I'll throw out some interesting tidbits (but trust me, I'll eventually get to an answer).
In order to attain one of the many GIAC certifications, you have to attend a SANS event. This can be costly -- not only for the event itself but also for the travel, since they don't have an event in every major city. Although they have international events, not every event offers every class. If you can make it to one of their events, their training is top notch, and (to use a baseball analogy) their instructors go through a "farm system"-like process to get to the show. So you are almost guaranteed a major league course if you attend one of their larger events. I have a lot of respect for Northcutt, Paller, Sachs, Skoudis and the gang at SANS. But as well respected as the training may be, their certs, unfortunately, are nowhere near as well known outside of IT circles (i.e. HR Directors and consulting clients) as the CISSP.
CISSP training is offered by a number of training companies, some officially recognized by (ISC)2 and many not. So you have to be careful not only about which company you use for your training but also about who is doing the actual classroom instruction. Go with a known name like The Training Camp. If you're not careful, it can be a big roll of the dice, but if you attain what many consider the gold standard of security credentials, you will have a credential that is recognizable even to those outside of the IT community.
Then there's the consideration that you may not have it in your budget to attend classroom training. Although I find boot camp-style courses to be beneficial, I also understand the commitments of time and money they require. This leaves us with the self-study method. If you decide this method is the one for you, there are plenty of CISSP materials out there, but very few for GIAC certs.
Now, let's look at the question itself. Which certification is more beneficial for a security consultant? When I see "beneficial for a consultant," I think money. So taking all of those tidbits into account -- wider availability, a more accessible self-study option and a highly recognizable certification -- I'd have to give the edge to CISSP.
This was first published in November 2006