Security Laboratory

Sec Lab - Security Heroes

The SANS Security Heroes project aims to introduce you to people who have made a difference in information security. We believe there are a lot of people contributing to make security work, and we want to introduce you to them.

Peter Giannoulis, Security Hero

March 19th, 2008
By Stephen Northcutt


Peter Giannoulis certainly qualifies as a security hero! He has written articles for SC & Information Security Magazine, has been a real workhorse for SANS and GIAC, and now, as you will see, he is working on his own signature approach to sharing security information. He is a truly busy guy, a contributor to the SANS Security Laboratory, and we certainly thank him for his time.

Peter, were you born wanting to be a security guy, or did you drift into the field somehow?

How I got into information security was really an accident. I had just acquired a systems administrator position at a security consulting firm. My employment obligations were to maintain Windows/UNIX servers for the sales staff and technical consultants at a value-added reseller (VAR) of information security products in Toronto, Ontario, Canada. After a whole 3 months of systems administration I felt it was time for a change. I really didn’t enjoy systems administration duties and even considered changing careers at the time. I approached the President of the company with regard to my feelings and, to my surprise, he asked me if I wanted to join the group of technical consultants.


Nothing quite like being given a challenging response, so what happened?


I really didn’t know what to expect, but I agreed to the position anyway. That happened to be on a Friday. I was asked to go out to the local book store, pick up a copy of Building Internet Firewalls, published by O’Reilly, and read it through that weekend. It just so happened that I was scheduled to perform my first firewall implementation with a senior consultant on Monday. Typically, I don’t agree with the method of throwing somebody into the fire, but everything turned out well and I’m still doing the same thing nearly a decade later.


Nice, so how did you build your skills?

Over the past decade I have spent countless hours reading books, earning certifications, learning from my mistakes – believe me, there have been a ton – and doing it all over again. It really has been a crazy ride, but I have enjoyed it nonetheless. I have acquired a few dozen security-related certifications, some have expired, others were for products that have now been discontinued, but the first non-vendor security certification I acquired was GSEC back in 2000. I remember learning about SANS & GIAC from a mentor of mine who pointed me in that direction because I was tired of product-related certifications. After receiving my GSEC certification it was my ultimate career goal to become a SANS instructor. I believed it was the thing to strive for if you wanted to be somebody in the information security space. Now I’m sure I gained some knowledge over the last 10 years, although sometimes I don’t feel any smarter, but here I am teaching for SANS, writing for SANS, and assisting in promoting the SANS machine.


And we are glad to have you, so how did The Academy (www.theacademy.ca) come into being?


At the end of 2007 I had the idea to create a website that could assist organizations in achieving a more secure environment by learning how to properly install, configure, and troubleshoot their security infrastructure. I didn't want to launch a typical forum-based website. These websites definitely serve a purpose, but there are plenty of individuals who have done this already. There simply was no point in re-hashing the concept.


So you started looking for your niche, eh? They say that is the rule of innovation, what did you decide?


I've been an information security consultant for a decade and had the opportunity to work with so many different products and technologies. I got to thinking - there has to be a way that I could share this experience with organizations on a global level. Although things differ in life, there's one thing I know for sure - most organizations, be it education, government or healthcare, implement a security technology or product from the same bag as the next organization.

I spent a few more days pondering the idea for the website and decided on presenting ideas in video format. I then realized the amount of work that would go into maintaining such an endeavor. This had to be a global effort and there was no way it would survive without assistance from other users as well as vendors. I pinged Adam Winnington, Andrew Hay, and Jason Ingram, ran the idea by them, and hoped for the best. They jumped at the chance to work on the project and within two months we had a functioning website with over 50 videos presenting technologies such as IPS, firewalls and anti-spam.


Fantastic Peter, I think we may even have a video or two up there. So tell me, where does the name The Academy come from?

I went searching for available domain names which included keywords such as security, videos and education, but they were all registered by other individuals. Adam Winnington, who owned www.theacademy.ca for many years, offered it to the project and it certainly didn’t hurt since it fit with what we were trying to accomplish.


Fantastic, and if you had one security message to tell our readers, what would that message be - what is the most important thing to keep in mind from a security perspective?

Get involved with the global security community! It’s the only way to stay ahead of the game from both a defensive and career perspective. The fight to keep information secure will never be won if you go at it alone.

I know you do a lot of consulting, what are the three most common mistakes organizations make?

I find it shocking after all these years that some organizations continue to make the same mistakes. Organizations continue to throw technology at everything without really assessing the situation and digging out the root cause. Spending money on technology certainly has its place, but it doesn’t always solve the problem.

Having overworked and underpaid technical staff has been a growing problem in the information technology space. Organizations that overwork their IT staff without reward have high turnover rates or disgruntled employees. This doesn’t benefit the employee or the organization. Things will get better, but organizations need to realize that the IT department is a business enabler and not a cost center. Security budgets need to be realigned to include more funding for security training, but not just product training. Vendor-neutral security training is a necessity in order to combat the speed with which attacks have manifested over the last few years.

Thanks for sharing that Peter. Back to The Academy, where do you see it being in about a year from now?

We recently launched the website, but already have a large registered user base and the vendors we have spoken to are excited to be involved with the project. In a year I would like to see tremendous growth from a community perspective. We have some interesting initiatives in place to ensure that everybody continues to stay involved. It’s going to be a busy year!