Why Certify: Don Murdoch

December 3, 2004

This is the tenth in a series where I am trying to pin down what the true effect of a given certification is. If you hold a GIAC or other information security certification and are willing to be interviewed by email, send a note to stephen@sans.org

Stephen Northcutt - The SANS Institute

I understand you hold a number of computer security certifications including several GIAC certifications, some from Microsoft, and ISC2's CISSP. Would you be willing to share how much effort it took you to acquire each certification and the benefits, or lack thereof, of each one?

I have been pursuing IT certification since 1997. Back then I was a UNIX web developer working for a government contractor, building office automation applications for the US Navy. It seemed that Microsoft was poised to be a market leader, so earning an MCSE on NT4 seemed to be a worthy endeavor. I raced with a colleague for four months (he now works directly for Cisco with his CCIE), and he beat me by two weeks. We set up home lab networks and worked almost every free minute we had to earn our MCSEs. Over the next several years I earned a CCNA, an MCSD and an MCSE / Windows 2000. There was little pay incentive, and with tens of thousands of people getting an MCSE there seemed to be little incentive to continue down that road. In mid 2000 a colleague explained what the CISSP was all about, and since I wanted to move on in my career that seemed a natural fit. Three months of 20+ hours a week of study and one tiring all-day test later I had earned the CISSP - and I felt about the only practical skill I could apply was writing Business Continuity and Disaster Recovery plans. My wife called me "CrISSPy" during this period of our marriage. I learned no "hard skills", although I did have a pretty thorough foundation in Information Security concepts, practices and disciplines.

SANS and GIAC provided a much needed avenue to learn, apply, and prove that I had hard information assurance skills - intrusion analysis, incident handling, operating system protection, etc. I enrolled in the Mary Washington Graduate Certificate in Information Security program, which was the best value for my dollar, and almost two years later I have five GIAC certifications (GCIA, GCIH, GCUX, GCWN, GSEC) and am about to finish number six - GCFW. I have spent between 120 and 200 hours on most of the practicals, as I needed to write at the graduate school level for Mary Washington. GCFA is next, and if I have time GCNA.

Can you share how the decision was made for you to obtain GIAC Certification in the field of Information Security?

Simple - no one else in the field offers what SANS and GIAC offer. No one offers a certification process where you have to prove, through writing a substantive paper, that you know the body of knowledge in which you are going to be certified. With the proliferation of "brain dump" websites and websites offering "real test questions for 29.95", GIAC stands head and shoulders above the crowd. Also, as I mentioned in the first question - passing the CISSP exam doesn't demonstrate that you have any day to day practitioner skills in the field.

What do you think the future for Security Certifications will look like, say three years from now, will they be more, or less important than they are today?

I think that the only certifications that will be viable are ones that make an effort to protect the integrity of the certification. For instance, there are a variety of websites that offer test questions that are almost the same as the real vendor test - for many vendors, not just Microsoft. This has led to the term "Paper X", where X is the vendor's acronym. The ISC2 program will be viable, as they make a concerted effort to protect the exam. The GIAC program, with its written practical component, will forever maintain its extremely high value and credibility - no one else offers a way for someone who is certified to show it.

Did you take any additional Computer Security Certifications or will you attempt the GSE Certification?

I was very fortunate to get a seat in the SANS Forensics track recently at no cost, and I am working on that certification now (Dec 2004). This track has proven to be extremely valuable as I deal with malware on almost a weekly basis. The forensics course and the Reverse Engineering malware course will be very helpful in preparing for the GSE as there is a component where you are supposed to analyze an unknown binary. Also, the advanced auditing track was very helpful as it served to remind and reinforce much of what I had learned in the various other tracks.

Specifically on the GSE - maybe, some day, after I have Local Mentored the five tracks that the GSE has as prerequisites. Local Mentoring serves to reinforce the course materials and make everything solidify in my head - I don't think I will be attempting the GSE anytime soon.

Are there any plans to require new hires to have or obtain Information Security Certifications as a condition for employment?

Since I work for a University we really can't put this as a hard and fast requirement - it would limit the applicant pool. However, we do consider GIAC certification and SANS training as being highly valuable and desired. I am seeing more and more companies list SANS and GIAC in job placement ads lately.

What are your plans for personal development in the future? Where do you think you'll be in two years...five years?

I am currently working on an MBA in Information Systems. Once I finish that I hope to advance where I am, or find a position as a CISO / CTO in industry. The MBA, the certs, and my industry experience should be a major factor in landing the right job at the right IT compensation.

Many people are wondering if a Security Certification really makes a difference, do you feel this has helped your career?

An emphatic yes. If it hadn't been for three SANS courses and their corresponding GIAC certifications - Intrusion Analysis, Incident Handling, and Forensics - I would not be able to effectively handle the type of malcode we see at our University. These three courses have proven themselves worth every penny time and time again as our group deals with incidents on the campus network.

Does the GIAC certification help you respond to threats better, faster or more efficiently?

An even more emphatic yes than the last question. First - since I understand the Incident Handling process I face these situations knowing that there is a solid framework that I can follow when dealing with a virus "outbreak", and that they will eventually come to an end. Second, I can insert myself into the process at the place that makes the most sense - doing network analysis to figure out where the infected computers are, visiting infected computers and retrieving malcode, or functioning as the central point for these incidents. Whatever is needed based on the situation - I am equipped. Third, we often have people who don't know what to do, and I can help direct them so the entire group can better respond to the situation.

Do you feel professional certifications help your company's overall direction and bottom line?

I think so. It helps to know that if we apply structure to system and network security we can best devote time, energy, and dollars to the right place in the network based on the value and importance of the assets we are trying to protect.

One of the interesting positions I am in now is that there are so many opportunities at the University to provide more system and network security that it is often very hard to figure out what is the best place to spend time and energy, since I have been exposed to so many topics as I worked through nine SANS courses over the last two years. I just keep looking for places to provide security and defense in depth, and keep on going.

One of the "high impact" things I am going to do to help the bottom line is to take some of the Forensics material, distill it down to about an hour, and teach our 30+ front line support staff how to use the Windows Forensics Toolchest (www.foolmoon.net). This one initiative should go a long way to helping arm field staff with tools to better secure campus computers and deal with malcode. Once that's in place we are going to build a web site where our staff can drop off malcode so we can send it off to our Antivirus vendor - with some skills I recently learned from the SANS LAMP course.

You mentioned Local Mentoring earlier - can you expand on that?

Sure. The SANS Local Mentor program is a great way to get SANS education without traveling to a conference. You take a course over an 11 or 12 week period, usually meeting one evening a week for about 2 hours with someone who has taken the course and done well in the exams. This is a great way for knowledge transfer, confidence building, establishing a network of colleagues, and most importantly (to me) - almost one-on-one advice in helping to do the practical assignment.

Leading an LMP is a great way to reinforce the skills that you learn as you teach them to people, and help them through the course materials. It is also very professionally satisfying.

Thanks again,
Don Murdoch