May 21, 2004
This is the sixth in a series where I am trying to pin down what the true effect of a given certification is. If you hold a GIAC or other information security certification and are willing to be interviewed by email, send a note to email@example.com.
Stephen Northcutt - The SANS Institute
1. What attracted you to the Internet Security field?
The biggest thing that got me attracted to this field was the mindset of the attacker. Why do they do what they do? More importantly, how do they do what they do?
2. Can you share how the decision was made for you to obtain GIAC Certifications and the value of such certification?
While working at a consulting company back in 1998, I began my career in information security. I was gaining experience every day and had many product-based certifications already, but I wanted to find a certification that would assist me in learning more on the topic of information security as a whole. I began researching online for security courses that were non-vendor specific that would portray me more as a security professional than an application specialist. I found a few, and after performing my research and speaking with many colleagues, the SANS Institute's GSEC course was the most attractive. The value of GIAC certification has been enormous in some ways. I have worked as a consultant for the last five years and many high-level customers, such as financial institutions and government agencies, respect the GIAC certification. I have also worked with the SANS Institute for the last three years as a GSEC grader, as well as participated in the GSEC LMP program. This has also helped the organization I work for gain the advantage over other consulting organizations simply because the SANS Institute has gained a great reputation for employing some of the best security professionals in the world, and I am involved with their efforts.
3. Many people are wondering if a Security Certification really makes a difference. Do you feel this has helped your career?
Security certification, whether vendor based or not, definitely helps your career. It all depends on where you are employed. If you are working for a reseller organization that benefits from product certifications, they are going to ask you to become certified in specific products. In this case, the more certifications, the more stable your job. With regard to GIAC certification, it has helped my career in different ways. Many of the higher end organizations, such as financial institutions and government agencies, demand a higher standard in certification than the typical product certifications. This is where non-vendor based certifications like GIAC and the CISSP play a bigger role.
4. Does the GIAC certification help you respond to threats better, faster or more efficiently?
Definitely. As I have mentioned many times before, the SANS Institute employs some of the best security professionals in the world. Who better to write and teach a course?
5. Do you feel these certifications have helped your company's overall direction and bottom line?
I believe GIAC certifications have assisted at some level. Many of our customers are impressed that we employ GIAC certified professionals. This definitely helps raise the bar.
6. Did you take any additional Security Certifications or will you attempt the GSE Certification?
I have spent the last five years trying to obtain as many security certifications as possible. Some are product based, which needed to be completed and some are not, which I take for personal growth. I have taken many of the level two courses that GIAC offers, but have not had the time to complete the practical assignment that is required to gain certification. Currently, I hold the GSEC, CISSP, CCSA, CCSE, CCSE+, CCSI, CCNA, INFOSEC, CCSP, & MCSE certifications.
As for the GSE...not anytime soon. I would love to achieve such a certification, and I totally believe that I can, but the GSE is a very demanding certification that I cannot fully dedicate myself to at this time.
7. Are there any plans to require new hires to have or obtain Security Certifications as a condition for employment?
If there were two candidates with the same experience and one had certifications and the other did not, I would think that the candidate with certifications would get the job.
However, certifications are not a must at first. If the right attitude and experience are there, the certifications will follow.
8. What are your plans for personal development in the future? Where do you think you'll be two years... five years?
That's a coin toss right now. I am thinking of taking an online Masters of Science in Information Security course, which will lead me to a PhD in the same area. I'm thinking this will take a little over five years. I would also like to make additional time to work on the GIAC certifications. We'll see where time will lead me.