March 18, 2003
1. What attracted you to the Information Security field in the first place?
In 1988 I joined the United States Army Signal Corps and began my career in Information Security. I got involved with a new technology called MSE, or Mobile Subscriber Equipment. I became fascinated by the intricate network design that encompassed multiple layers of defense and encryption to ensure a secure network for the units we supported. The more I learned about this system and its potential uses in the military, the more passionate I became about networking and security.
I joined the Army with every intention of using the G.I. Bill to further my education. I left the Army in 1992 to attend college at Michigan State University. I was a Telecommunication major with a focus on Information Technology and Services Management. It was while pursuing my degree that I learned about various network operating systems and their strengths and weaknesses. I had the unique opportunity to work as a PC/Network Support Specialist for the university while pursuing my degree. I feel that it was this experience combined with my military background that put me in position to pursue an information security career in the private sector.
2. Darrin, many people are wondering if a Security Certification really makes a difference, do you feel they have helped your career?
I pursued the GSEC certification because I realized that I had many gaps in my knowledge. I knew that I had specific skills in the areas of firewalls, networking and encryption but lacked some fundamental knowledge in the areas of policy, incident handling, intrusion detection and operating systems in general.
Although I had been working in the Infosec field for many years, by that point I was interested in applying for a job posting that called for a GIAC certification. I had just finished the GSEC so I applied and was ultimately hired. Do I owe it all to the GSEC? No, but it did get my foot in the door.
3. Did you take an additional Security Certifications?
I took the GSNA because I was hired into an auditing team and the GSEC was the cert that got me the interview in the first place. I was in charge of hiring an auditor when I arrived at my new position and I ended up interviewing 50-60 candidates via phone to include CISSP's, GSEC, CISA's, etc. I brought 5 in for one on one interviews and wound up hiring an auditor with her GSEC and CISA certification. I spoke with MANY candidates that were "pursuing GIAC" which, upon asking some pointed questions, really just meant they didn't follow it through to the end. Achieving the GSEC, or any other GIAC certification speaks volumes about a person's willingness to tackle large projects and a certain thirst for knowledge. By having access to their posted practical and exam scores, I was able to get an idea of the person's ability even before the initial phone interview. In the end, I ended up hiring the candidate that had both her GSEC and CISA certification.
4. Well that makes sense, right because a CISA, an ISACA credential, is audit specific while CISSP and GSEC for that matter is general. But a CISA is not all that technical, what do you think the ideal mix would be?
I realized quickly after getting hired that while I had the technical proficiency to conduct an audit, I really had no idea what an audit entailed. The GSNA really helped point me in the right direction. The auditor with the GSEC and CISA certification that I hired attended GSNA training at NS2002 on my recommendation and found the course extremely valuable. She is in the process of completing her practical and hopes to be taking her exam(s) in the next few weeks.
I felt that the GSNA course material did an outstanding job in driving home the point that there are many ways to approach an audit. It had been my experience that many auditors focus solely on their checklist without trying to understand the technology being audited. The GSNA did a great job in illustrating the idea that it is okay to look beyond the checklist and that there is value in taking the time to learn some fundamental knowledge such as Unix commands and/or the various open-source tools available to aid in making the audit a success.
5. Are there any plans to require Security Certifications as a condition for new hires?
We are going to require that all of our security team members (admin and infrastructure) go through at least the GSEC and hopefully some advanced classes. We had one engineer go through my local mentor program and it was very well received. I will be conducting another local mentor session later this month and we have 4 people from my company schedule to attend. The feedback from everyone at my company that has been involved with the SANS/GIAC education has been extremely positive. Our team member's feel more confident about performing their duties and management can see a genuine return on investment. It's a win-win situation for everyone involved.
6. What are your plans for personal development in the future? It appears that your certifications opened the doors to two different positions? Where do you think you'll be two years... five years?
In addition to my GIAC certifications helping me obtain positions of greater responsibility, I have been able to further develop my professional skills by getting involved with the GSEC and GSNA Advisory boards. Knowing that my practical and exam scores will be posted for anyone to see is a wonderful motivator and really pushed me to want to do well. I was invited to join the GSEC Advisory Board because of my exam score and, earning honors on my GSNA practical opened the door to be a member of the GSNA board.
I have also become an Authorized Grader for the GSEC certification and I hope to become more involved with this aspect of GIAC in the next couple of years. I think it's important for people to know that GIAC encourages everyone to be actively involved with the development of the curriculum and further evolution of the certification program.
I am currently pursuing my GCIA certification with my ultimate goal being the GSE certification. To me, the GSE represents the pinnacle of an information security career. I plan on completing the prerequisite requirements in the next two years. I realize this is a lofty goal but I really feel it is within my reach. Once I obtain the necessary certifications, I will apply for the opportunity to pursue the final stages of the GSE.
I have also found that I truly enjoy being involved with the GSEC Local Mentor Program. I am getting ready to start my second session here in Grand Rapids. I'd like to get more involved with the education side of information security and hope to continue to pursue this opportunity with future LMP courses. In addition, I have worked on the Security Essentials book as well as the Linux Step-By-Step Guide.
My long-term goal is to go into consulting on a full-time basis or maybe even become an Instructor with the SANS Institute.