April 28, 2003
I know a lot of people have similar stories, but I had been in the Information Technology field for about three years when I was first exposed to the password cracking tool L0phtCrack. I was an inexperienced network administrator and the small perspective that I had on information systems was turned upside down when I saw how easily L0phtCrack defeated the security of our environment. After studying L0pht and other security related tools and websites, I quickly realized that many of those involved in the Internet Security field were, in the classical sense, hackers -- people that picked apart and studied protocols, applications and technologies to get a sense of what works, and what doesn't. This fascinated me and I've been working at becoming one of those people ever since.
In my first security job, I was fortunate to work for a manager who had already been to SANS training and who insisted on sending all of the employees that he could to SANS training. The training I received there made me realize that the security expertise that I admired in the "giants" of the industry was somewhat accessible. I used both of my practicals as an opportunity to build a deeper understanding of systems and networks. For me, this was the greatest benefit of the GIAC certification, it forced me to take time to thoroughly understand how systems and networking worked. In my case, I have had very little formal training in the IT field and I used this as an opportunity to do what I consider a graduate level "self-study" in IT security.
I know that it has helped my career. Let's just put it this way... It's one thing to go into a job interview and tell them about the experience and the certifications you have. It's another thing to backup your experience and the certifications you have with your 20+ page paper that is posted publicly on the GIAC website. It gives the term "paper certification" a new, positive connotation.
Absolutely. Because the GIAC certification encouraged me to better my skills much more than a traditional certification I'm able to respond to threats better, faster and more efficiently. I'm more technically proficient. The GIAC certifications require more than studying questions and brain dumps to prepare for an exam, the practical part of the certification encourages deeper analysis of security systems and architecture. The completion of a GIAC practical is a very satisfying thing, you put a lot of work into it and consequently your knowledgebase grows in a way that is much more permanent than the more traditional IT certifications. In my opinion, the whole boot-camp, cram for the exam, brain-dump mentality of some of the more traditional technical certifications completely misses the point. This sort of thing becomes more about adding letters after your name and less about taking the time to understand the technology and systems you work with on a day-to-day basis.
Yes, again because I've improved technically, my company is much less reliant upon the expertise of others. I'm better at evaluating products and technologies, this improves my company's bottom line because the technology we invest in has been adequately screened and evaluated. In this way, we get a lot more bang for our buck because there are far less "surprises" with the security products that we do purchase.
I'm planning on attempting the CISSP in June. Although I would love to eventually be in a position to attempt the GSE Certification, I have a lot of professional growth to do before I would be ready for that certification.
Seriously, I don't know. I just plan on continuing to better my technical skills and other things will fall into place.