Why Certify: Brian Stafford

June 25, 2004

This is the ninth in a series where I am trying to pin down what the true effect of a given certification is. If you hold a GIAC or other information security certification and are willing to be interviewed by email, send a note to

Stephen Northcutt - The SANS Institute
I understand you hold a number of computer security certifications including GCFW and CISSP. Would you be willing to share how much effort it took you to acquire each certification and the benefits, or lack thereof for each one?

Yes, I spent a lot of weekend time on both certifications, usually 4 hours on Saturdays for about 6 months on the GCFW. I did the same for the CISSP but needed less time, 3 months. I'm not sure if this is average or not, but I was religious about dedicating that time. Towards the end I took some practice tests. I did not find either one of them easy. The CISSP had a larger volume of material subjects but was not as detailed. Also, the CISSP does not have the practical assignment. I also held a CCSE and a CCNA and had worked in the field for a number of years, so I did have many of the basics up front.

Can you share how the decision was made for you to obtain GIAC Certification in the field of Information Security?

I was determined that some sort of baseline would need to exist so that the field of Information Security would carry its weight. I determined that SANS and ISC2 were the main sources of this baseline standardization. I had experience in situations where people had good technical backgrounds but were not security conscious. Also, many others had no technical background but saw the trends in IS and pursued it without understanding basic things like TCP/IP, Networking Infrastructure and Perimeter management. I believe and still hope that, in the future, a baseline certification will be a real indicator to employers about where we come from.

What do you think the future for Security Certifications will look like, say three years from now, will they be more, or less important than they are today?

I can't say for certain; I certainly hope they will be more important and become a standard in hiring practices. The trends I see are three-fold. Small businesses can't afford to hire dedicated Security practitioners; they use the VARs. Big Corporations are maintaining good numbers of us. The government seems to be using contractors and employees with Security Clearance, which is difficult to get and very costly. I think there will be pressure on all of these sources to prove that personnel know the field of IS. Therefore, I think it most likely that people like myself, and all of the other thousands pursuing Certifications, will ensure that these baselines are met.

Did you take any additional Computer Security Certifications or will you attempt the GSE Certification?

I was driven towards the CISSP after achieving the GCFW for a few well-placed reasons. Many of the other professionals in my group held the CISSP and respected it very much. All of the talk surrounded that particular Certification. I felt that the SANS certification was much more detailed and proved much more about my skills than the CISSP, but I think that somehow the marketing of the SANS organization failed a bit. I don't want to be too critical since both organizations serve us all well and may, in fact, complement each other. I am left wondering if the difference is seen as one being operational in nature (SANS), while the other is Managerial in nature (ISC2). I also suggest that SANS should ask for an annual subscription as ISC2 does. At last count, I think it was $75 per year.

Are there any plans to require new hires to have or obtain Information Security Certifications as a condition for employment?

Not that I am aware of. I suggest that this be the case.

What are your plans for personal development in the future? Where do you think you'll be two years... five years?

I hope to remain in the field and to perpetuate the notion wherever possible that these certifications are not hobbies, but are, in fact, baselines just like the baseline standards we impose on our Security environments. Imagine how dangerous it is to set up a bunch of high level policies and comply with all of the recent legislation just to hire people who don't know how to architect and maintain them. In any Resume, much of the material is based around embellishing experience and making as much out of things as possible. Certifications are certainly proof of the time, energy, ambition and material covered. My idea is to begin to associate the Certification with Baseline Requirements, which is more understandable to many business models of Risk Assessment. We can then involve Personnel Departments by reference to total Risk Assessment and thereby involve Certifications as Baselines.

