ES: My first job out of college was at Bellcore, the company that did research for the Baby Bells. After cutting my teeth working on Operator Services and Payphones, I moved into the security group. Our team focused on two areas: telephone network security and data communications security. As the Internet started growing in the mid-1990’s, I jumped into that side of the team. What a great ride it’s been since then!
TB: If you had to choose one book for someone to get started in Information Security, what book would you recommend?
ES: There are lots of good books out there. Not to be too biased, but I wrote my Counter Hack book so that it would help new people develop the technical skills necessary to jumpstart their careers as information security professionals.
TB: Do you feel that certification has value in the job market? If so, which certification would you recommend first?
ES: Certification is definitely important. Otherwise, as an employer, how can you be sure someone has the skills you are looking for? The hiring process is already complex and costly, so an employer cannot test each applicant’s skills. In a sense, they outsource this to certification organizations.
Of course, to be valuable, the certification has to have some teeth to it. That is, to receive the certification, individuals must have demonstrated real-world technical skills.
My favorite certification is GIAC. I am biased, in that I write materials for GIAC and present for SANS. That said, the GIAC certification really makes people work to get and maintain their certification, giving it value. GIAC-certified people have to take an exam, as well as write a research paper (called a practical) to help improve the state of information security across the community. Some of these papers are tremendous! Check out www.giac.org to see how valuable some of these practical papers are.
TB: What are your thoughts regarding the University of Calgary course where students will create new viruses as a part of learning to combat them?
ES: I’m kind of uncomfortable with the concept. There are already enough malware specimens out there right now for us to analyze. You can certainly create some solid protective software based on the stuff in the wild, without writing new malware. Encouraging people to develop new attacks, exploits, and malware sends the wrong message, in my opinion.