March 27, 2008
An interview with Kevin McLaughlin, Director of Information Security and Adjunct Instructor at the University of Cincinnati
- Kevin, what attracted you to the Internet Security field?
Believe it or not, my journey to this field started in 1969 when I was enthralled with the TV show 1 Adam 12; I was 8 years old when I decided to go into law enforcement. I was able to meet that life goal by joining the US Army as an MP when I was 18 years old. After a fun career as an MP, MPI and then Special Agent, my wife encouraged me to try the civilian world. While I was in the service I received my BS in MIS and became very interested in technology. After I got out of the service I became a Police Officer in Kissimmee, Florida, a Computer Science teacher at a middle school, a director at the Astronaut's Memorial Foundation at KSC, a private business owner and then an IT manager at Procter & Gamble.
- Now that is what I call a rich background, but somehow you heard the computer security music?
Because of my law enforcement background I was always aware that the computer systems I managed had to be secure. My last IT assignment at P&G was with their Information Security team; this was 14 years since my last law enforcement work and it brought back to me loud and clear where my passion area was. I am so passionate about information security that when my next IT assignment came up at P&G (they do 3-4 year rotational assignments for IT managers) and they would not allow me to stay in the InfoSec field, I made the decision to leave P&G (something basically unheard of in the Cincinnati area) in order to remain in the infosec field. This led me to my current Director of InfoSec position here at UC.
- Can you share how the decision was made for you to obtain GIAC Certifications and the value of such certification?
I have always been a strong believer that professionals should show a level of expertise in their given profession that is more focused than formal education tends to be. At P&G the IT community was not encouraged to get certifications, as the P&G mantra was "you are a P&Gr for life"; that is even what they told you during the recruiting process day visits. Then one day P&G management decided to outsource most of IT to HP and our Senior VP came in and said "you probably want to consider getting two or three certifications in your field of expertise so that you can show the rest of the world you know what you are doing". That made it pretty clear that outside of P&G certifications were important. So, even though I got to stay with P&G during the HP outsourcing deal, I decided that I had to make myself marketable just in case a similar situation came up in the future.
- This is a very good point; sometimes people wait until there is uncertainty in their job situation to get certifications or write papers and get published. The world can happen fast; it can be too late before you know it. So how did you start down the certification path?
My first certification attempt came after attending the SANS boot camp taught by Dr. Cole in Orlando, Florida 3 or 4 years ago. Eric's camp was so informative and knowledge-packed that I had no problem passing my CISSP exam. This course made me a strong believer in the SANS mission and the quality of SANS programs. When I took the Director spot at UC I decided that even though I had an MS in Computer Science, that really didn't say "This guy knows how to be an Information Security Leader", so after my first year at UC (UC was a startup InfoSec operation, so you can imagine how busy I was in year 1) I remembered the knowledge I received at my first SANS course and decided that I needed the same level of knowledge in regards to InfoSec leadership. The obvious choice was the SANS GIAC-GSLC. I took Stephen Northcutt's class, Management 512: Security Leadership Essentials, and learned a bunch; I was actually so happy with the classroom knowledge transfer that I almost "blew off" the exam. I sat and thought about it though and came to the same conclusion I tell my UC undergraduate students: "your BS/BA is good to have but it isn't enough, you have to show you are knowledgeable in your chosen profession and the way to do that is by getting a couple of industry-leading certifications like SANS and CISSP." I like to use this analogy: I had a BS degree when I became a Cop in Florida but still had to go through the academy and pass in order to be licensed; firefighters, civil engineers, teachers and accountants all have to do the same thing — they have a degree but still need to get "certified" in their specific field before they can work in it. InfoSec should be no different.
- Many people are wondering if a Security Certification really makes a difference, do you feel this has helped your career?
Absolutely. My entire staff is certified, and part of my hiring agreement requires new hires to commit to getting certified in InfoSec within 6 months of hire. My forensic examiner is SANS forensic certified and this provides him with the credibility necessary to testify in court and to network effectively with the local law enforcement community. Further, I want to be sure that when I talk to one of my staff we share a common vocabulary; threat, vulnerability, risk, incident, et cetera are terms that mean the same thing to each of us. Effective team communication is difficult enough — a common vocabulary simply helps us communicate more effectively. It is also a plus for me to know that each of my ISOs has the same foundational knowledge of InfoSec domains and concepts. Further, I teach my InfoSec students that if they want to know if certification is important, simply do the Monster.com test — type in the certification (CISSP, GIAC, etc.) and see how many hits you get for available jobs. Doing this shows them that many employers require a degree + certification for even entry-level InfoSec positions. Just as certifications provide me with a level of confidence in what my team members know, they provide prospective employers with the same confidence level.
- Does the GIAC certification help you respond to threats better, faster or more efficiently?
Yes, it does. It gives me a good knowledge base to launch OS and application scans from, and to establish proper policies, processes and Enterprise Security Architecture. It also provided me with the knowledge to establish InfoSec priorities and to assign those tasks effectively to my team members. My forensic guy makes use of the skills and knowledge gained from SANS GIAC-GCFS (? the forensics one) on a daily basis to conduct effective investigative analysis.
- Do you feel these certifications have helped your company's overall direction and bottom line?
Absolutely. Knowing how to establish a Defense in Depth or Layered Defense architecture is critical to the protection of our regulated or PII data. While you can get some of this knowledge just by doing the work, you really don't know what you don't know. You have to take the time to sit in a class and get the whole picture (like the one you show in your course) or else you will have exploitable holes throughout your security architecture. I guess it could be debatable that taking the class is sufficient and you don't really need to get certified, but certification forces you to intensively study the material and really learn it. You can take a class and get some knowledge, but studying the material enough to get certified really reinforces the key learnings.
- Did you take any additional Security Certifications or will you attempt the GSE Certification?
I will take additional SANS courses but have decided not to pursue additional certifications, as I already have CISM, CISSP, GIAC-GSLC, PMP, and ITIL Manager. My next step is to obtain my doctorate in Information Assurance. I will continue to force my staff members to obtain at least two security certifications.
- Are there any plans to require new hires to have or obtain Security Certifications as a condition for employment?
Yes, they have 6 months to get certified. Currently I am making them get either the CISSP certification or the GIAC forensic certification, depending on their job assignments.
- What are your plans for personal development in the future? Where do you think you'll be two years... five years?
I will finish out my career at this level (CISO) but would like to move from Higher Education back to the Corporate world. I may get into consulting when my youngest son moves out of the house. I am currently working on my PhD in the field of Information Assurance so I also envision expanding the number of InfoSec courses I teach. Throughout all of this I plan on keeping my certifications current. Honestly, I hope that SANS decides to expand into a Doctorate or PhD program in 3-4 years and hires me to set it up and run it!
- What is the best way to keep a certification current?
I believe that once you get certified, the best way to keep your knowledge current and to make it a lifelong commitment is to have a CPE program and not a re-test. It is difficult to justify giving staff members large blocks of time out of the office (again) for them to study for their re-test and then also provide them with the time to take the exam (again). I would prefer to have them attend a SANS course one time a year and have hours from those courses count towards certification renewal.
- Certifications get a bad rap sometimes for being "book" certifications with no real world experience. How do you feel about that?
Well, in most cases I would rather have someone who has some knowledge of the field than someone with no knowledge or deep knowledge in just one area. The issue with IT resources who have the experience and not the certification is that oftentimes their experience is very focused on one or two IT areas (I'm the Firewall expert or I'm the IDS/IPS expert) and on one or two pieces of vendor-specific hardware. Certifications make these folks expand their horizons and see more of the big infosec picture. This is a good thing. I like to use the example that attorneys have to pass the state bar exam, and that is an example of someone being a "book" certified individual. The bar covers a breadth of law that some of the very specialized attorneys don't have real-world experience in. They still have to pass the bar and show that they are fundamentally solid in their knowledge of law. Certifications, even book ones, require an individual to obtain knowledge in their field, and even if they forget 90% of what they had to learn they still come out 10% ahead. Book certifications also provide, if nothing else, the common vocabulary I discussed in an earlier response, and this leads to more effective team communication.