Why Certify: Andrew Hay

July 2, 2006


What prompted you to contact Does Certification Really Matter?

I really enjoyed the interview with Peter Giannoulis, a good friend of mine, and would like the opportunity to contribute my thoughts as well. I'm also a big proponent of certifications as a way to validate one's experience and knowledge.

How long have you been in the industry?

I have over 9 years of experience in IT and am a frequent reference point for colleagues seeking information on 'the next certification'. I am also a technical trainer and solutions architect for Q1 Labs Inc and CEO of my own security consulting company, Koteas Corporation.

What certifications do you have?

I currently hold the following certifications:

  • Check Point Certified Security Administrator (CCSA)
  • Check Point Certified Security Expert (CCSE)
  • Check Point Certified Security Expert Plus (CCSE+)
  • Check Point Certified Security Expert NGX (CCSE-NGX)
  • Cisco Certified Network Associate (CCNA)
  • CompTIA Security+ (Security+)
  • Red Hat Certified Technician (RHCT)
  • Red Hat Certified Engineer (RHCE)

I've completed part 1 of the GIAC Intrusion Analyst (GCIA) and will complete part 2 by July 17th.

Wow, that is quite a list. Which one did you take first and why?

My first certification was the Check Point Certified Security Administrator (CCSA). When I worked at Nokia Enterprise Solutions there were certain pre-requisite competencies to move from a contractor into a full-time position. I worked quite hard during my first year to achieve not only the CCSA but also the CCSE, CCNA, and Security+ to differentiate myself from the other contractors looking to get hired full time. Within 8 months of my start date (and my new bag of certifications) I was hired on full time at Nokia.

Did it change your professional life in any way?

Definitely. While working at Nokia I found myself wanting to learn and experience more of what was going on in the industry. I decided, with two colleagues, to start a security consulting firm to assist government and enterprise customers during off-hours. The response was incredible and we landed several large customers that required work on an 'as needed' basis. Each customer was incredibly impressed with the technical competencies and related certifications that we held.

If you were advising someone just getting into Audit or Information Security, what would you recommend in terms of training and certification?

"Security" isn't solely about having security knowledge. If you don't understand the basics, such as TCP/IP, routing, switching, or how operating systems work, then you won't be very successful in the industry. I would highly recommend some foundational certification tracks like the CCNA, Security+, SSCP, GSEC, etc. Ultimately, I find that the desired role dictates the training required (i.e. security manager vs. firewall administrator).

What about someone with ten years of experience that wants to jump-start their career?

The first thing I would suggest is to pick up a book. Not everyone in this industry has the money or the time to attend formal training and everyone can, and should, make time to read every now and then. The books listed on the SANS Recommended Reading list are some of the best out there and you should take advantage of other people's knowledge and experience.

For an experienced person in our industry, is a certification or series of certifications more important than a master's degree?

I think it really depends on the person doing the hiring. I find that the "Baby Boomer" generation puts far too much emphasis on the importance of a 'degree'. I have been eliminated from certain competitions in the past simply because I did not hold a degree, regardless of how qualified I was. I think that certifications are starting to gain the recognition they deserve in the industry just as managers are starting to see the importance of validating one's competencies.