Why Certify: Leonard Ong

Why Certify:

March 29, 2005

This is the tenth in a series where I am trying to pin down what the true effect of a given certification is. If you hold a GIAC or other information security certification and are willing to be interviewed by email, send a note to stephen@sans.org

Stephen Northcutt - The SANS Institute

1. What attracted you to the Internet Security field?
It was really a natural evolution of interest combined with opportunities that came along. Just before Internet connectivity became available, I started to setup BBS, and then developed interests in Linux operating system. Once I fairly developed a good knowledge on Linux, I started to get involved with networking to setup DNS, Mail, Web servers. I found out later that networking was my real interest. Cisco ICND (CCNA) course was an eye-opener to networking knowledge, and within 6 weeks, I managed to achieve CCNP with specializations and CCDP. The networking and system administration skills had introduced me to network security area. My current employer first had hired me to support their IP security platform, hence firewalls and VPN soon became my daily work. The more involved I am with the field, the more I found it relevant to my interest. At later stage, I had the opportunity to be part of network security team for the company. Once you are good at something in IT, you have to be able to secure them. Without a good knowledge of a platform, you would not be able to secure it.

2. Can you share how the decision was made for you to obtain GIAC Certifications and the value of such certification?
Being in Asia, I have never heard about SANS or GIAC prior to 2003. On March 2003, SANS held their second conference in Singapore and I took part in Track 3 - Intrusion Analyst. During the six-day course, I was really impressed with the quality of the course and its instructor. Furthermore, there was only two out of twenty-something people in the class attempted GCIA, and only one succeeded. The fact made quite impression on GIAC certification, that it was not average security certification out there in the market. It needs hard-work and proof that you have mastered the knowledge. The course was quite expensive for our standard, and I have my manager to thank for approving me to go. Later, he approved me to go for Track 4 - Incident handling in Tokyo around Mach 2004, and SANS CDI East in Washington, D.C. for Track 8 - Forensic Analyst on December 2004.

The certification is really valuable to show your skill set in a particular area of Information Security field. The practical assignments are publicly published and anyone could look at our own work. It also strongly encouraged me to review the course material several times while working on practical and preparing for the examinations. Repeated courseware reviews and putting the knowledge into practical assignment enforced the learning experience and preserving the knowledge. Another significant value is having the chance to meet and network with peers in the industry. They share the same passion in Information security and have a high level of skill sets. The GCIA class alumni two years ago still have discussions going on from time to time on current topics.

3. SANS and GIAC are not as well known in Singapore and Asia and I know many people from that area must be wondering if a Security Certification really makes a difference, do you feel this has helped your career?
It has yet helped my career in tangible benefits; it empowers me to do my work better. The certifications provide a framework to master a specific area body of knowledge in information security. They make a difference, as I'm benchmarked towards the certifications' standard. It will all depends on the company culture, whether they value certifications in performance evaluation. Recruitment industry has been lagging to recognize security certifications, for example, print advertisement started to use CISSP as preferred candidates and even less CISA. I have seen one or two ads where GSEC would be an advantage, and nothing else on other GIAC certifications. Once GIAC certifications have more recognition both from recruitment industry, HR people and line managers, it may help with certified professionals' career.

4. Does the GIAC certification help you respond to threats better, faster or more efficiently?
Definitely and I could not stress this enough. The advanced traffic analysis skill from Track 3 has helped me to troubleshoot complex network issues so many times. It is very handy as well when responding to incidents and to discover the cause of anomalies in the network. Track 4 taught me the framework for incident handling and introduced me to hacker's techniques that I may encounter. Forensic Analyst track enabled me to do forensics better than before. Lastly, Auditing wireless network course has been a great help when designing and auditing wireless network. Each time I took a SANS training and GIAC certification, it equipped me with valuable skills and knowledge enabling me to work better and faster. The certification also help to close any gaps in the subject, so I always learn new things and feel better prepared.

5. Honestly, do you believe the cert will continue to be respected after the change with the practical? Where do you see GIAC in two years?
Yes, I strongly believe the GIAC certification will still be well respected after practical termination. There is a very good reason behind this. GIAC certifications are based from high-quality SANS training, and it is the leader in information security training. The breadth and depth of a subject prepares candidates to shorten the steep learning curves and equip them for real-world scenarios. Although the practical is no longer a requirement, the examinations will be a scenario-based and become more difficult than ever. Hence, I believe that passing the scenario-based examinations will equally show candidates' expertise. The value of SANS Training and GIAC certifications also in their high-quality courses and instructors, so certification is only one success factor of many.

In two years time, I would see more recognition for GIAC from information security professionals, organizations looking for high-quality InfoSec professional, and recruitment industry. It is also very possible that GIAC will offer more tracks and expand areas to be offered and contribute to securing Internet by educating InfoSec professionals.

6. Did you take any additional Security Certifications or will you attempt the GSE Certification?
I will attempt GSE after achieving five GIAC certifications required. There is still a challenge on getting SANS courses in South East Asia, as there has no been a SANS conference in the last two years. So I may have to travel to US, Australia or Japan to participate in one. I fully understand the constraint, and that's exactly I initiated Local Mentor Program in Singapore to help people get access to SANS trainings and GIAC Certifications. I'm teaching in Local Mentor Program for track 4 (Incident Handling) now, and if SANS would ask me to run another LMP, It could be either Track 4 or Track 8 (Forensic Analyst).

Before knowing SANS/GIAC, I have quite a number of certifications including security ones e.g. Cisco CCSP, Check Point CCSE+ and CCMSE, Nokia Security Administrator, (ISC)2 CISSP with ISSMP and ISSAP concentrations, ISACA CISM and CISA. Later on, I am certified in GIAC GCIH, GCFA, GAWN, and soon from other tracks. I was fortunate to be the first certified on GAWN. I do hope there are opportunities for me to participate in other SANS conferences and complete the five certifications required.

7. Are there any plans to require new hires to have or obtain Security Certifications as a condition for employment?
Not that I am aware of at this moment.

8. What are three things that you feel are crucial for Singapore to adopt as core information security principles to compete in the global marketplace over the next two years?
  1. Establish Information security communities
    Security communities will provide support and medium for Information Security professionals. They will bring together professionals in the area and increase the level of quality and recognition. There are already a few communities established in Singapore and has a number of SIGs. I would see more will happens from the synergy of these professionals within the communities.
  2. Educate Information security professionals
    Most spending on IT budgets is not for people development. I strongly believe that the investment on sending people to courses will help the company eventually by various ways. For example, a well trained InfoSec professional may be able to select a suitable product/services suited to his/her environment and minimize a risk in a project due to ineffective solutions. The professional could also help in securing infrastructure, respond faster to incidents and minimize any losses from incidents. Therefore, it is important to bring high-quality Information Security training to Singapore and the region.
  3. Multi-national synergy and co-operations.
    The scope of Information security co-operation should not be limited to a specific country, but rather cross national borders. A good cooperation between countries in a region could bring benefits to each country rather than doing it by themselves. The professionals from this region would then be in a better position to compete in global marketplace.