Management Laboratory

Management Laboratory

Leadership Lab: Management Competencies

Other Related Articles in Leadership Lab: Management Competencies

Varied Paths Taken to Information Security Competency

Stephen Northcutt, Editor

This is research into how about 50 people got their start in information security and how they became competent in the field.

Version 1.1

Note, if you would like to share your story with Stephen Northcutt, you can write him at

I got my start in security after being a system administrator. I took all of the Microsoft MCSE classes back when Windows 2000 was released. I liked attending those classes from a standpoint of learning something new, but received little that I could take back to work and apply.

I took my first SANS course after being in security for 3 years; SEC 401. I am amazed at how much I learned. I was instantly hooked on SANS and have taken may full courses. I am confident that by applying the techniques from SANS courses has been the key to my success. Realizing how much I do not know and intentionally working on that list has also helped.

After getting laid off from my unsatisfying job in architecture when the economy soured - this was in early 2009 - I fell into a job as sidekick for a one-man outfit that handled IT for businesses and home users in my small town (8,000 people). I had always been a computerphile and naturally gravitated toward the default IT person everywhere I worked, but I had never considered IT as a profession. It was a good match. 40% of the business was assisting home users with problems, and probably 75% of that was trying to clean up after malware (of course). The cat and mouse game involved with locating the badness and trying to clean the machine without resorting to wiping it proved to be both frustrating and exhilarating. I became determined to learn more and eventually put myself through Security Essentials via the Work Study program. That experience was such an eye-opener, especially in relation to the IT culture of my extremely small town, and I found myself completely hooked. I'm now certified as a GSEC, GCIH, CCNA, (getting toward a) MCITP, and CSSA. I moved away from my small town for a job in corporate-land in the Chicago area. I'm long on enthusiasm and book knowledge, but I obviously still need more experience. I did very well on the GCIH for example, but I have yet to have permission to actually go through a formal incident response process, or craft an IR policy, etc. I have to squeeze security in around the edges of my otherwise systems administrator/network engineer job. So I'd say that I'm still working toward "fully competent". If I can possibly figure out how to both fund it and find the time, I am determined to pursue a masters through STI.

I was working at the campus book store. One of my co-workers was a seminary student. His background was 20-odd year Navy and he was an early CISSP. He'd apparently trained the guy who trained Shon Harris. Anyway, I digress.... Needless to say, Tim took my interest in security and pointed it in the right direction. I was ready for a job change and he talked me into ordering Harris' CISSP study guide. I began reading and had just finished the first chapter when the CIO called and asked me to apply for the security role.

During the interview, the CIO asked me to define security and I used Harris' definition and the CIA triad. That got me in the door (low standards and all). Everyone else thought that security was simply locking down Windows.

At that point, I worked for Ops and the networking team believed in security, but the rest of IT was iffy. IT trained me (several SANS certs, CISSP, etc). I began putting into practice the offensive skills and used them to encourage improvements. That earned me credibility and the ability to influence IT decisions.

Though I now have a non-Security title (Service Desk Manager), I consult for IT and am actively working to improve IT security from the SD side.

So short answer: friend guided me into security; people in/around IT vouched for me (without my knowledge); and IT trained me.

I worked for 9 years at a regional hospital doing network and server/systems administration. With involvement in firewall management, Active Directory, intranet development, endpoint security, (immature) incident response and pretty much anything else between the keyboard and the Internet. The experience provided a very broad foundational knowledge of IT and interoperability. From there I applied for an entry level security architect position, as I was always interested in the security elements of IT and saw it as a a field of great opportunity 5 years ago. Since starting that position it wasn't until I completed my GCIH training/certification that I really felt like I was starting to "get" security, and I've only grown since then with hard work, long days, attentiveness to current trends in research, technology and exploitation, and a lot of lab work learning the ins and outs of the various elements of network and host security.

I was one of two network admins at a company that processed banks. We were the backend datacenter for everything at the banks. At that point, I was informally responsible for security. When the decision was made to implement internet banking, I approached management and told them that without some security training, I wasn’t comfortable beginning that project. They asked me to research training opportunities and let them know what I wanted. My research led me to see that a GSEC class and certification would be a good start. They agreed, and thus began my journey with SANS. In the weeks before my class, I purchased ‘Hacking Exposed’ and studied it so that I wouldn’t be going into the class ‘cold’. That was great preparation for the class, and the training was excellent. They subsequently also sent me to training for the GCIH certification as well. The company has been bought, and I’m now a Sr. Security Analyst with that company.

I became a project coordinator for a former employer’s PCI Compliance activities after working in a System Administration role for a number of years. I noticed one of the QSAs had his CISSP and CISA designations. As a result, I decided to obtain both certifications. After that, I realized I still had a lot to learn. It wasn’t until I started taking SANS courses that I truly felt competent in the role. I am currently an STI student.

I was introduced to Infosec when I help start a small shell account service provider back in the late '90s, which introduced me to end user based and individual server based security principles. I moved from there to working for a regional ISP and network design company and gained experience dealing with multi-server and network security, site and physical security, PCI/banking security, application layer security, firewalls, VPNs, different types of authentication and identification models, data security models (DAC, RBAC, MAC). The company spun off a Network Operations Center and Network monitoring service provider with multi-national clients. As a network engineer and developer, I was tasked with developing and deploying a remotely managed layer 2 VPN monitoring appliance network which bridged multiple customers networks into our monitoring network at L2. This introduced me to OPsec principles, integrating different firewalls, accreditation, validation and acceptance testing, pentesting (from both sides), PKI, key, and certificate management, event correlation, etc. Now at an electric public utility for 6+ years I'm dealing with SCADA and infrastructure control system security, vulnerability assessments, DHS/NERC/FERC/WECC mandates, multiple site implementation of multiple security architectures, security awareness, forensics, incident handling, etc.

I don't know that I would consider myself 'fully competent', since with every event I encounter or class I attend I realize how much I still don't know and how many people there are that are much more competent than I.

I brushed up against security early in my career while working as a system administrator for a local university's CS department, but I wouldn't say I working in security. I moved to a system administration and part time development position at a local telco and this position gradually changed to full time web development where we had our first serious incident involving a customer site. At this point, the company paid for me to take the SANS GCIH remotely (initial request for travel was denied and SANS generously agreed to move this to online access), but I still wouldn't say I was working in security. However, my interest was noted and they began to throw secure development work my way in the form of web single sign-on projects. A position opened up in a side branch of Application Architecture, but this was cut from the vine and transplanted in the Chief Security Office and called Security Architecture. As our department began making in roads into the project governance process and sitting on architecture reviews, I would say this is when I began to become competent. The process of communicating requirements, collaborating on solutions, and reviewing the work of others has broadened my understanding. I cannot call myself an incident handler, as I've never done the job only the certification. But that certification has, if anything, emphasized the need for the Preparation phase which is where I'm applying myself today.

I was our company’s Director of Application Development for many years. I had a strong interest in security and was involved in responding to all security questionnaires as we did not have an InfoSec team at the time. The ARRA stimulus package changed my life as the inclusion of HiTech put our entire corporation in scope of HIPAA. We hired an experienced CISO. I immediately requested to be their Director and was granted that position. We now have a staff of 6 analysts in addition to the CISO and myself. Upon the transition, I immediately began taking SANS courses and attending conferences. I how have 4 completed certifications, in addition to one I completed for HIPAA. I will be sitting for my GCFE next month and have already purchased Forensics 508 to complete next. I have completed GSEC, GCIA, GCIH and GPEN. I have designed and managed programs (Incident handling, Pen Testing and Forensics) for many areas of our business largely using my SANS education. Upon completion of the forensics courses, my focus will turn towards the management track.

I realized right away that I had special talents related to computers and I was fascinated with early attacks such as the Morris Worm and the Cuckoo's Egg. I went to university and studied computer science. An opening came up on the University's IT Security Team and I was hired. The university sent me to SANS training where I got certified. I took applied science classes to learn networking. I got a Ph.D. in Computer Science with research in security. I got promoted to ISO. For me, it was almost like all of this was supposed to happen from the first time I turned on my first computer.

I started out in server administration, with no experience and full rights to a growing 4.11 Novell Network at a large casino. I quickly realized that if things were configured correctly then my job would be a lot easier and I'd spend less time cleaning up messes and more time building cool new stuff. As I matured professionally I continued to apply this logic to the environments I managed. I was in a company I enjoyed working for but was looking for more of a challenge and continuing to mature my management by watching BugTraq for impending problems and patches. When I started looking at a wider security realm I decided that would be the right direction to move my career.
As for how I became fully competent I don't know if you do, I started with SANS and the GSEC and used my background in the Navy for security principals and frameworks like ISO and COBIT to ensure I'm not missing the obvious. I continue to participate in the Advisory Board and I've earned my CISSP and learn from my mistakes but if your an attacker I guarantee you could still get into my company today.

How I started working in IT security and how I became competent.
My undergraduate degree is in physics and comp-sci, but the comp-sci program did not include any security components. In and right out of school for my bachelors degree I had jobs in networking, software development, and web development. While working as the webmaster for a medium sized bank I got increasing levels of responsibility for security as we put more services online. I had the opportunity to go to the RSA Security conference in 2001, which cemented my interested in computer security, and at the same time regulatory pressure was increasing for our bank to better formalize our information security program. The responsibility fell in my lap, the first class I took to prepare was Incident Handling and Hacker Techniques with Ed Skoudis which gave me a great foundation for understanding IT security risks. This foundation helped me build the bank's information security program. In a very short time my responsibility grew from web security to encompass all of IT security. Most of my formal training came from SANS courses, however I also learned through independent research and involvement in community groups and projects. Ultimately my responsibility grew to cover all aspects of corporate and bank security, then after twelve years at the bank I quit to become a penetration tester because being a bank manager wasn't fulfilling.

I ended up in Information Security due to my operational Information Technology background. I started working in Information Technology writing code at home and in classes; eventually, I was employed part-time building PCs and pulling network cabling. I worked my way into maintaining servers and small networks, progressing to bigger networks and more complex integrations of various systems. I eventually learned that Information Security knowledge was needed to protect my operational services. Since I have mostly been the primary technical resource at smaller companies, I decided to learn that security knowledge myself. I have generally been a jack-of-all-trades when it comes to computer technology.

I believe my path was fairly typical. Started in mainframe support in mid 1990s, moved into Unix administration and customer support, then Windows and Cisco administration. Once you were the "networking" guy the organization added firewall administration to your duties which in the early 2000's meant you become the security guy too. Around 2007 when FISMA really started taking off in the Government I become the security architect for the Agency I work for later building the security operations branch and incident response team. I am now 25% management and 75% hands on proactive and reactive security ops lead. Over the course of 17+ years in IT I studied extensively for certification tests to learn the breadth of these technologies (have several certifications), attended conferences and vendor training when I could and developed a network of go-to folks whom I lean on regularly. A comment I heard recently on a podcast really resonated with me. Us Security Professionals spend more time on professional development and maintaining our skill sets more than any other profession. We do most of it on our own time and our on dime. I spent probably 1-2 hours each day reading technology updates and blogs, listening to podcasts (start every day with Dr. J) and deep diving into emerging threats and technologies.
If you don't find personal satisfaction in this work then you will burn out or become ineffective in a very short amount of time.

I was working as a networking engineer for my organization. My strengths were in documentation, monitoring and hardening of our Nortel gear. I had a growing fondness for the VPN switch and was quickly becoming the SME. My director witnessed a few traits he thought he liked and asked me if I would be interested in transitioning over into a security role and building a team from scratch. The director immediately started me into formal training which included Nortel, Checkpoint, SANS, CISSP, CompTIA, ISACA. I gained my competencies through both OJT and formal training. SANS played a large part of the technical pieces. Bottom line, I was asked to get into security to fill a need.

I first started in security seven years ago not by choice, but by assignment. I don't know why - it was just part of a departmental reorganization. I felt very inadequate for the task for a few years.
I had 25 years experience in software development, and no server or network administration experience. In fact, I had a mental block to all things networking. Fortunately, I had the opportunity to choose some training that first year and I chose the SANS Security Essentials course, led by David Rice as it turned out. The course and the subsequent GSEC certification greatly accelerated my knowledge and confidence. A couple of years later I pursued and attained the GCFA certification. And a couple years later another reorganization assigned me to a new manager. Under his orientation, I'm now gaining a better understanding of the controls and audit side of enterprise.
Finally, I have to admit to listening to 160 hours of job-related podcasts, books, and course materials in 2011 outside of working hours, along with participating in SANS list server groups and subscribing to many security and privacy RSS feeds.

In the year 2000, after having worked for several years in a Sys Admin/Desktop Support role within the defense industry, I transitioned to a IT Technical Project Manager position, but had developed an interest in IT Security. So I spoke with the local Information Assurance Manager (with whom I had worked and developed a friendship), and we proposed a local "Security Engineer" position, focusing on the technical aspects of security. I was hired for that position within about two months. Since that time (except for two years, in which I worked again as a Sys Admin) I have worked in a series of technical security positions, assisting Information Assurance Managers and Officers with technical solutions to security problems, researching technical subjects, and performing computer forensic analysis on company systems. From the beginning of my time in security until now, I have developed my skills via a combination of SANS security training, "OJT", and peer training.

I had been with a number of different systems integrators in the general IT space, and after 15 years decided to start my own Management and IT consultancy with three colleagues in 2000. We tapped our existing networks for work, and one of the first projects we landed was to help re-engineer the administrative application a large company was using to manage SecurID cards. We did such a great job that they kept us on as they began an enterprise Identity & Access Management program. For the next five years, we provided consulting and architectural expertise to help them deploy an I&AM suite (LDAP directory, employee onboarding, provisioning, password reset, etc.) to manage close to 100 applications. Ever since then, I've continued to consult with large organizations doing I&AM work. For the past three years, I've been doing an I&AM implementation for a very large manufacturing company based in Brazil. I've been attending SANS courses for 3-4 years now, having gotten my CISSP in 2008 and just this past month tested for an received my GIAC GSEC certification.

A new relationship with a woman, then the purchase of my first home (near to her) left me with an hour commute to my job in Northern VA as a Lotus Notes developer and NOC flunky. The company I worked for was going through bankruptcy and everybody was getting laid off, so I found a job very close to my new home that didn't pay much, but saved a lot in time and gas. It was being an intrusion detection watch officer. On that job, I heard about SANS and GIAC certifications (then still requiring a practical part) and purchased two very expensive gold spined books on ID and started reading. A better job offer in the same area changed my focus to inspections and vulnerability analysis and I shifted my focus from GCIA to GCIH, which eventually became my first GIAC cert. For the next six years, I spent every night, every weekend and all my vacation time attending SANS courses and studying for certification tests and ended up owning a handful of certs that established my competence. Volunteering as a red team member in the regional CCDC also helped make new connections and hone my skills in an "active" environment.

In the true sense of the word Hacker I started back in 1984 writing in basic on Apple IIe's. Later on hacking in to the High Schools administrative systems on the first Mac. But, this was not the start of my career, my career in security really started after 9/11. Since I had been called up to active duty for a year, I lost my job doing network/deskside support, I heard through word of mouth that IBM was building out a new MSS SOC and it sounded fun enough. From there I broaded my horizons by working in just about each of the MSS services; IDS, vuln mgmt. incident response, content filtering, etc. After that is when I felt competent.

I'll try and summarize my career path which lead me into an IT Security role. I originally graduated in Electronic Engineering, and worked for about 10 years or so in a strictly engineering role. However, over time I slowly drifted into an IT role as the demand increased for someone to take care of the increasing complexity of the computing environment.
After a couple of job changes I ended up in a full-time UNIX system administrator role. As a consequence of this role I started developing an interest in IT security. I began working on developing the skills I would need to pursure this type of role. As such, the first security certification I obtained was the CISSP, which was sufficient for me to apply for, and be hired into an IT security role with my employer.
Subsequently I have sought to further develop my technical skills, and I have chosen to focus on IT security architecture as well as IT investigations and forensic analysis. Which has lead me to obtaining the GCFA from GIAC.

My career in the field of information security began from the technical side. In the late 90's I moved from supporting systems and networking to supporting network security tools like firewalls and IDS. I was supporting everything for the organization but found the security side more interesting. From there I specialized more in this area, received several vendor specific certifications and was hired by a security management organization. From there I moved to the public sector as information security took on a bigger role post 9/11. About 6 years ago I moved back to the private sector as a security engineer and have been employed with the same organization since 2005.

I ended up working in Information Security quite by accident. My IT career started out in software distribution, workstation imaging, and locked down configurations. We used mandatory profiles in a Windows NT domain, and I worked with the security group at that job to implement them. The company I worked for was an early adopter for Active Directory, and they had this "Group Policy" thing that everyone thought might be cool to check out. I volunteered, and got to figure out how to migrate all of our old mandatory profile settings into Group Policy. (We had to manage it in Excel spreadsheets in the days before the totally awesome Group Policy Management Console. Remember that?)

I moved on to a few different jobs after that. Some of them had capable information security teams, some had none. I often had to wear multiple hats, implementing technology on the one hand and making sure the business was protected on the other. In some of the bigger companies, I discovered that the information security teams applied a whole new meaning to "default deny all". You want to do a new project or implenent a new technology? Denied.

I learned a lot about security because it was the right thing to do as a technologist. I also learned a lot because I had to be able to debate the meanings of obscure compliance requirements with security people who didn't get it. It didn't take long for me to become the go-to person on many security questions, and it's a role I enjoy filling.

The short answer is that I first got into security by accident. I was managing a development group and one of our applications was a single-sign-on service for some of our in-house systems. When the inevitable division reorganization came up and they were divvying up teams, they weren't quite sure where to put my group. Someone remembered that we had this SSO service, figured that we must know something about security, so they decided to put us with the security organization. The rest is history.

As for how I became fully competent (if we are making the assumption that I am ;-), that leads to the long answer. When I was "coming up"
(circa mid 80s, early 90's) there was very little security-specific training available apart from SANS and USENIX, and security wasn't yet recognized as a real specialty. So I took what classes I could, did a lot of reading, and figured out the rest on my own. It really helped that I was employed at AT&T/Lucent and had access to lots of smart people in Bell Labs! I think you'll find the same in a lot of folks that got their start around that time (and earlier). We all came to security from other places - development, administration, engineering, liberal arts, audit, accounting, whatever. We got into security because that's where our path happened to lead us. We found we liked it, stayed on to learn more, and eventually got pretty good at it. If you got 20 of us "old timers" (my kids' words, not mine ;-) into a room and ask what our educational or career background was before we became security specialists, almost none of us would say security.

Contrast that to the past 10 years, and the landscape is much different. There are degree programs specifically in infosec, more training opportunities than you can shake a stick at, certification programs for every security specialty and sub-specialty, and an entire culture and technology landscape that recognizes the value of security. Kids now choose security as a career path, and the learning opportunities are there to support them. Would you have imagined in
1990 that STI was even a possibility? Well, maybe you perhaps, but not many others.

In my early days at Bell Northern Research, when they started rolling out Unix workstations they used part time sysadmins. As the low man on the totem pole I was volunteered to be the sysadmin for about 50 users in my area. I had been a Unix user for about 10 years, but had never conceived of the fact that sysadmins existed. So I started reading to find out what a sysadmin should do. I read anything I could find that looked useful, but a couple of readings still stand out today. I remember reading Bellovin's "Packets found on the Internet" and "Practical Unix Security" and I was hooked. I set out to automate as much of my sysadmin job as possible including password security checks, and file permissions, and other security functions. A few months later management reorganized and hired full-time sysadmins and I was back to my job as an operating system programmer.

A number of years later I decided that being a programmer in an end of life technology in a proprietary language on a proprietary platform was probably going to limit my career options soon, so I started exploring my options. A position came up in the security operations group responsible for implementing firewalls and network security, Securid and some aspects of host security. At the interview the manager asked me about what security background I had, and knowing it was a long shot I told him about my brief time as a sysadmin and some of the automation I had done to make my life easier. Next thing I know he says "You wrote the password security automation routine? We still use that code. I always wondered who wrote it." Needless to say he hired me, and the rest is history. It was a steep learning curve at first, and a lot of books and hands-on. One that had a big impact on me was Zwicky's "Building Internet Firewalls", which lead me to SANS and my GCFW. Fifteen years later I am still learning and still enjoying the security industry.

Prior to getting into security I was a second-tier (desktop level) support person. I was basically asked to take over administration of our antimalware systems (while still doing desktop support) because my employer was dissatisfied with the contractors who had been handling that function. About a year later a restructure gave me the opportunity to leave the support side behind and take on a fulltime ICT security role. The GSEC was fantastic as a new starter to the field. More recently I've completing a Masters in Information System Security which was great for expanding on my few years workplace experience. Now if only the Masters could be used for credit towards my upcoming GSEC renewal, but there appear to be no Australian universities accredited with "" (yes I couldn't resist raising that gripe).

Editor’s Comment: I did put a word in for him on his gripe, we shall see!

I started off as a web application developer in the early 90's, back when "webmaster" meant that you were the system admin, dba, graphic artist, content manager, QA, security engineer/analyst, etc. My interest in security came from a mix of being ex-military, not wanting my systems or applications to get abused, and an interest in the exploits that were rampant at the time. After a few years of being largely self-taught I was given the opportunity to expand the scope of my work when the organization for which I was working began to migrate its central business applications from a mainframe platform to a distributed model. The vendor who provided the suite of applications to which we were moving had absolutely no input with regards to system and network security. After pestering management enough times about the inherent risks, for one our entire public Class B IP range was open to the Internet, they gave me the green light to design something better. Nearly 20 years later I'm still at it; in practice but, not for the same company. My development has been a mix of self-education, university, SANS courses, vendor courses, certification courses, and working closely with others, including business units, management, and both technical and non-technical staff, within and outside of the formal security/risk groups.

I have worked for a large service provider (Telstra Corporation) here in Australia for my entire career (24 years) having started out as a trainee straight out of secondary school (at the age of 19).
The traineeship provided a wage while paying for me to complete tertiary studies.
During the term breaks I was required to work at an assigned area within the company.
After completing tertiary studies in Electronics and Communications Engineering I completed another 6 months of internal Telstra training as well as various work experience placements throughout the organisation.
I’ve worked in a number of different technical roles including wireless, satellite, international communications and internet related areas.

I was in a role as a Project Team Leader working on the development and integration of new IP network related products and services and had an opportunity to work on a PKI related project.
At this time I had a very progressive Manager and was offered the opportunity to complete SANS Security Essentials. I did this and gained the GSEC (#657).
Soon after this I successfully applied for a Security Operations role and then later due to some organisational changes I needed to look for other options.
I then obtained another role within our Professional Services Security Consulting team and have been working (and enjoying!) this role ever since.

My consulting role having exposure to large enterprise and government clients down to mid and small tier organisations has been great for broadening both my technical skill base as well as the people and process aspects of security.
It has done wonders in “maturing” my approach to security by demonstrating the need to have a pragmatic style in order to maximise controls with available budgets while minimising risk.

BTW – I’ve always tinkered with technology and had (still do) an interest in locks from an early age including cutting locker master keys at school! Funny how life’s direction is set...

Out of necessity and self-interest, I got into this field. Initially the role of IT Mgr (one-man-show) meant I had to deal with all aspects of the job, including security, which I already had an interest in. My BSD / unix background provided me with some of the skills and mindset I would need to test and secure our networks and I already possess a hacker-esque "how does it work, break it and find out" mentality. As for accreditation, the impetus was purely due to work pressure, since we were bought out by a larger corporate body, they wished to make me an IT Security Officer, and a little alphabet soup after the title looks impressive when courting business partners.

I started working in security as an outshoot of system administration.
As one of the only sys admins with an interest in security, I eventually managed to collect all security duties that the other admins did not want to do. Over time I took some courses (started over 8 years ago with a course taught by a small and almost unknown group called SANS). From there I moved into management and self-created an add-on position of Security Manager. This allowed me to increase both my time spent in security, and training. This gave me some experience and knowledge, which I continued to expand by interfacing with the community, helping out others having issues and honing my skills through practise. Currently I maintain my competency through training (seminars, formal education etc), work experience (recently moved into Web Application Vulnerability arena) and my own side projects centered mainly around malware and current trends.

I was working as the supervisor of a desktop team when my boss (who I still work for at another company) came to me and asked if I'd like to be the "security guy". We had no information security people on staff at that point. I asked him what I would be doing in that position (I had no idea). He replied, "I don't know. Hang out in IRC channels and see what hackers are up to, I suppose.." We've both come a long way since then, fortunately. That was in 2000. I self-educated for two years (sort of and badly) before I finally convinced to send me to training, so in 2002, he sent me to SANS Big Apple (at my suggestion after researching what was considered good training) AND SANS San Francisco. I didn't understand the size of the task of completing the practical so when I read about having six months to to write it, my reaction was to decide to take the first two months and do a thorough review then start. By the time I realized my error (and having missed the instructions in the practical guidelines), it was too late and my other conference was coming up, and the clock would start on that certification process as well.
I didn't pass either one, obviously (that was Sec 503 and 504), but I did go back and retake both courses later and pass the Silver, as well as getting my GCIH. I've never considered going anywhere else, and been to six (I think) full conferences, the NIAL Conference in 2003 and the Stay Sharp on Master Packet Analysis with Jim Clausing (who lives a few miles from me). Just took FOR558 last summer and I'm re-visiting it now (or was until we started a project to roll out Sourcefire). Am supposed to go to SANSFIRE again this year, but sadly may not get to, as they're sending me to Columbia to take Sourcefire training next week. Hoping I can still swing it and get another SANS conference in this year.

I guess I began with an interest in programming on a Beeb (BBC Micro) back in the mid-80s in primary school – the expat school I was in at the time unusually had a computer lab and lessons during school. That stayed with me throughout my childhood and led me eventually on leaving university to doing technical support for a large tech multinational. I spent about 5 years in a couple of other companies doing various levels of PC, Mac, server and network support until noticing SANS’ courses in the UK. As the company I worked for (a start-up ISP/VoD company) had no security specialisation at all, I managed to persuade management to send me on the GSEC course, as security was always of more interest to me than support. From there, the rest, as they say is history – I built up a security function within the company over a few years, additionally took the GCIH certification and eventually, through a merger, took on an official title for the security function and management of that function. This, in time, opened doors elsewhere to get experience in other verticals and lead me to where I am today, in a heavily regulated financial services role protecting one of the world’s most critical global financial market instruments. When we take on staff now, we look for imaginative, creative, curious people with a deep technical background. It does narrow the applicant pool somewhat!

I'll share my story. I initially got into the genre as a teen following hacker culture (news, movies, 2600, phrack, packetstorm zeroday vuln lists etc.) and subsequently following defacement mirrors (attrition, zone-h) and trying to figure out what vulnerability was exploited in each case. I started keeping tabs on all new vulnerabilities (securityfocus bugtraq, packetstorm, and other hacker group websites) and how new malware exploited them. I did desktop support which involved a lot of malware cleanup. I majored in com sci in undergrad and then majored in com sci in grad school with a network security concentration. This landed me my first Security Engineer job. I had already started reading security standard documents (NIST) and articles regarding security best practices before I started grad school but, having access to an environment where I could go hands-on, apply this knowledge into creating policies and then enforce these policies gave me the real-world experience I was missing. The one thing I hadn't realize despite all my reading was that security has to conform to business needs. It's always about acceptable (or unacceptable) risk to the business and also that security awareness is a huge factor in large environments.

I first began working in network security at the start of 2008, after doing a bit of SATCOM acquisitions work. In reality, one of our projects in a different division had a need and I was willing to learn and fill that need. I had pretty decent computer skills, but almost no network or server skills. Luckily the project was gracious enough to provide me training in TCP/IP and the Snort Intrusion Detection System. At that point, I was allowed to shadow our senior IDS expert located in another office for a week. As I already had great analysis skills, from my engineering undergraduate degree and my time as a financial analyst working with acquisitions, it was not too difficult to apply my skills within the area of cyber-security, and more specifically intrusion analysis. Since 2008, my skills have increased as I have been introduced to various areas of cyber security, including network design and installation, software security testing, and security administrator. I have now made my way back as the lead intrusion analyst on my new project and am the secondary on incident response for our organization.
The most helpful area for my career development had to be the network design and installation area. In this position I was able to learn many technologies, including web proxies, firewalls, switches, vlans, vpns, email gateways, configuration management systems (WSUS and YUM), HBSS, and many other technologies that have proven to be very valuable in my current role. Without knowing that technology and the current architecture of the network I am on, my job would be extremely difficult to perform.

I transferred from a large government department to a small government agency with a ten week notice period. During those ten weeks their firewall administrator gave his notice and left, nobody else wanted the responsibility, so I arrived to find I was the new firewall administrator. That was thirteen years ago and I have been learning ever since. I think the moment I because fully competent, if that ever really happens, was when I had enough training and experience to start teaching classes on that type of firewall

I began my IT career working as a programmer. I spent many years in a large financial services organization working on online banking and bill payment applications where of course security had to be top priority. Through working on various projects I interacted quite often with our organizations' Information Security team and in particular their security assessment and testing teams. As the manager of that team looked to expand the assessment program, she contacted me (having worked with me previously) and asked if I would be interested in joining the team performing functional assessments of security controls in our applications. I joined the team and about a year later was asked to move into a team lead role taking over responsibility for managing the ethical hacking portion of the team. As I've grown in that role, training has been a primary focus. I achieved a number of formal certifications (CEH, eCSA, CISM and GPEN). Today I've changed organizations but still function in a similar role managing test engagements for a team of ethical hackers.

I ended up in the Information Security field through what seems to me to be a logical progression of events, through no specific design of my own. I began my career working part time at a private investigation firm while I was in college pursuing a degree in Aerospace Engineering. I excelled at investigative endeavors and soon realized that I could do a lot better financially if I set out on my own, and that the market was underserved. I started my own private investigation firm and soon partnered with a former investigator from the Denver District Attorney’s office who also had set out on his own. I worked in that field for 10 years and eventually my partner and I had a falling out that led me to look at other avenues of employment. Around that time frame Qwest Communications was an up and coming telecommunications company poised to take advantage of the massive bandwidth requirements they thought they could foresee would be in demand. The internet was just developing as a commercial medium and in the PI field, we were having a hay day hacking email accounts, breaking voice mail, and monitoring cordless and cellular telephones with impunity because the laws had not caught up to the technology. I created a website that served up my resume and experience on the Internet. A manager at Qwest Communications who was tasked with figuring out how manage security, access control and change management of telecommunications systems providing optical transport for the new national fiber optic network (eventually international) they were building, found my resume. He liked my skills and hired me to be the manager of a new group responsible for security administration of the network elements. After several years of that endeavor an opportunity at Qwest arose to join the Risk Management Information Security organization as an Information Security Engineer and in the meantime I had finished a Master’s degree in Network Security (now they call it “information assurance”) as well as the SANS GCIH (Analyst # 673). That was in 2005. So as you can see I did not have any forethought about entering the field. I happened into it or maybe was pulled into it, as technology advanced, as the Internet exploded, and as needs arose that seemed to be aligned with skills and interests that I possessed.

I was always intrigued with security, but around 1974 when I was working in the CUNY system I was part of a group of 4 students breaking into computer accounts looking for computer games.
From that, it then became a hacking into the main CUNY system for fun, to see how far you could get and what could be accomplished. Luckily back then there were no laws or ethics yet for hacking.
Over the years my focus was on systems programming of mainframes, with a concentration of system modifications (back then there was source code that you could modify) and making the system do things that were not in the original design – called system mods.
With a concentration in application programming, and college privacy laws, building in security functionality seemed important and fun.
This takes me up to the mid- late- 80’s where as a system programmer / system admin doing file permissions and user account management was the primary security functionality of InfoSec. Then, around the mid 1990’s I got exposed to an inforsec disciple that I closer to what we know infosec today.

I worked in information security throughout my twenty-year military career as a US Army Signal Corps officer. Most of my assignments were in engineering or operating telecommunications systems which transported classified information. In my earliest assignments I conducted several security Iincident investigations. These investigations helped me develop a strong sense of what policies and controls actually protected data and how much of every system relies on the human element. Human error accounted for 80% of the security compromises I investigated. Most were not due to disregard for policies but mistakes, like pressing the wrong keys or filing papers in the wrong area. I encountered one incident that was caused by a software failure, but everyone assumed it was human error until I proved it otherwise.
My current job is in a civilian non-profit organization where security is not so much ingrained in the culture and thought processes of the people, but the requirement to comply with PCI standards has brought a steep learning curve and rapisd changes. The lessons I learned from my military career are applicable daily.

In terms of IT security education, I have been an autodidact... After 8 years working in IT, in a series of IT jobs that had some security aspects, I moved into a full time IT security manager position and have been continuously employed as an IT security specialist/manager for the past 22 years. Other than IT formal training - CDC Cyber/850 mainframe systems programming, VMS and Solaris system management, various database management systems), I did not have any formal IT security training until 2006 when I took SEC507 / GSNA in order to validate my approach to technical security audits. My CISSP, CISSP-ISSEP and CISSP-ISSAP were based on self-study (textbooks and borrowed course notes), and I only took the CISSP-ISSMP seminar because I could not find any study materials.

I started out as a mainframe COBOL and PL/1 application programmer/analyst (1982/84), who moved into a system programmer/assistant datacenter manager position (1985/86), on a CDC NOS machine. That was instructive, since the entire O/S source was available, and the approach in the community was to modify the system software to add local functionality. Then off to manage an 8 person IT shop (VAX/VMS) with a significant classified processing footprint (1987/8), and on to a project manager position within a program office, where the specified environment was System V/MLS. That was instructive, since I volunteered to develop the program office's technical security architecture, learned the SysV/MLS internals from the Bell Labs authors, prototyped MLS applications and got published at the NCSC conference in 1990. I then moved into IT security management as a day job, but invested personal time to stay current on technical aspects of IT security. Lots of reading, lots of studying small system behaviour, and a serious Linux user since 1991/2 (my first system was a 0.99pl3 kernel ftp'd from,

It started with "I Love You." I clicked on an infected email the morning the virus came out, watched it spread around the world, and managed to find out how to fix the damage in caused on my system. I was fascinated and worked harder to learn more about networking, scarcely technical as I was. Later that year, determined to learn more, I took my first SANS course, which led to my first SANS certification. I then worked more and more on the security of the networks I was put in charge of and found security ever more interesting. Finally the opportunity to work on security full time came up. I jumped at it and worked hard to learn as much as I could on the job and after I left the office.

This is a good thread, and I had to take a break from the 'frenzy of the week' to make a short and succinct path.

My first exposure to security from an information standpoint was as an officer in the US Navy, working with crypto gear, data management procedures, specifically influenced by the post-John Walker era. Since I had more computer experience than many of my peers (from using them in graduate school, not being a computer scientist), I was given the "new job" of ADP Security Officer and implementing a security program involving the non-networked computers. That was 1991, and I was a LTJG.
I was assigned to the US Naval Academy in my next tour, where I was teaching chemistry. We also taught our students to use spreadsheets for their data analysis, and there I also learned how to use networks, and that new-fangled world wide web. I also was able to break out of the Z-286 PC world and use Macs, VAX, and SGI systems. My next Navy job was in test and evaluation, where I was given the golden opportunity to evaluate software systems, and the head of the shop put us all through the SEI Capability Maturity Model process, and we started performing process assessments. This really put me on the path to software quality assurance, which undergirds all I do in security nowadays.

Skipping ahead, after leaving the Navy, I worked for two years at an IT-intensive insurance company ("Flo" is your clue) as an IT manager and leader for the Software Engineering process improvement group. The big deal with that domain for security purposes is that I learned the true business of risk management and competitive analysis. Insurance is just that, risk management (and I won't take a diversion about government health insurance...). As the economy soured for the industry in 2000, my whole group was reorganized and I had the choice to manage a mainframe group, but the opportunity to work in information security came up and I left and went to work as a NASA contractor.

I spent 5 yrs as a contractor in the network security and IT Securty Program Office. In that effort I earned by GSEC Gold. Since contractors really have no organizational responsibility in the federal space, I left to become the CISO at CWRU, and so with the 6 years here, I see the field moving again.

I characterize Information Security to my staff and colleagues as the "radiology of IT." The field is a hybrid of business and IT, but as I've moved further into leadership, I see my role changing to be more of a visionary and thought leader than a procedure writing, vendor coordination, and bash shell using tech-head. I need to solve the organization's business functional (what it does) problems and balance the risks of non-functional (how it is done) security requirements.

I ended up working in the consulting end of one of the big CPA firms (KPMG) hoping it would help my career (I didn't want to be stuck as an AS/400 programmer).

I ended up on a project doing a disaster recovery plan with this partner out of the San Francisco office. He liked my work and started suggesting I end up working for him. Initially I wasn't too thrilled about doing IT audits, but this was 1994 and the Internet was starting to get big. His plan was to set up a practice to do full-on e-commerce information security. He had hired a cryptography specialist with military background (which impressed me) and one of the top names in DRP. I ended up shifting to his practice and doing security work, though with a foundation in the IT audit profession. I later switched to SAIC to further this career.

So I went from IT consulting to IT audit/security to a more pure security focus

I got my start in IT Security by missing the deadline for my last paper in my last class for an MBA in MIS, a concentration which I helped get instituted at my university. Domestic holiday issues meant getting it in at 8:30am the next morning, which was not good enough for 5pm the night before. Looking through the schedule for Spring, I found the IT Audit and Security class, a new class modeled as a CISA prep course. I took it, passed the CISA, and got the MBA that May. Meanwhile, I was asked to teach that class and Intro to MIS the next fall, as I had college teaching experience. I moved into a contract for Win 3.1 to 9x and NT to 2000 migration, and subsequently into IT audit and consulting positions.

I found myself looking at things from an admin's perspective, toward security, and chafed at "checklist auditing". I needed to know "why" something was a "best practice", and how it would impact data flow, and how it could be compromised - having been in on early Stoned, Azusa, and Ping-Pong virus issues before that.
I finally landed at a growing major financial firm that offered me a position in IT Security as well as IT Audit -- technical and hands-on at the millennium. That July 4th weekend, I was allowed to go to SANSfire 2000, and take the GSEC track. My number is still below #83, and I've taken the exam 4 times - and am proud to keep it. My career blossomed after that, as what I had been doing was reinforced and grew from what I learned there. I believe that enterprise, and the wisdom of the CTO there who saw what we did to transform IT and bake security into it without impacting workflow, made all the difference. His daughter and son-in-law have subsequently chosen IT security and IT secure coding as careers. Those were the days of Love Letter, Melissa, Nimda, Code Red I and II, and Blaster, too. In these days, I added GCIH, still under #300.

Windows, AS/400, VAX, and mainframe - but still not much UNIX. After a trip through compliance-land, which I found unsatisying but necessary, I returned to consulting and diversified into SCADA work, which I still love. Do NOT say "hardened appliance" in the same sentence to me. The rigors of 110% travel, and crews promised as 4 but actually just me got very tiresome. I added GSNA and G7799 (now G2700), and a number of certificates - Cisco, web, legal, et al.

I moved to a large educational / governmental / healthcare institution, and as soon as I sat down, I realized that security would have to be added from the ground up. I have played a major part in using my experiences to work directly with the admins, build trust in IT security to add not only security, but also efficiency, with secure, scripting, unattended builds, and build standards for web server software, databases, et al. I've even managed to conquer my "fear" of UNIX/Linux with secure build guides and scan results for the Heinz 57 of varieties here, and even passed the GCUX. The hardest road has been troubleshooting a resurrected commercial vulnerability scanner to viability (no extra pay), and also the ability to obtain a clean, secure workstation build as we migrate to WIndows 7. This has finally been achieved, and the admins now use tools recommended from SANS experience.

The most helpful piece of all of this may be a bit esoteric - PRAISE for a job well done. Management wants the ASSURANCE that things are build securely, and that errors are rapidly identified and corrected, and incidents are minimized, Most admins are trying their best to do their job with limited time and resources, and when PRAISED to their managers and peers, as well as InfoSec management, the cooperation and trust gain enormous, synergistic benefits, both personally, and for the institution as a whole.

I won't say it hasn't been tough along the way - breaking into the profession as a women, from a non-IT (airline analyst, geology/science teacher, ESL instructor) background. Often, neither my workplace, direct boss, or even family has supported my efforts to learn that next system or take the next class or exam. A touch of stubborn perseverence and optimism has helped.

I have taught IT audit and security courses, served industry professional organizations and mentored several hundred students to CompTIA, ISC2, and now EC-Council certifications through them, and steered as many to SANS as could afford or be supported to take their courses and guidance for skills. Their results have made my efforts more than worthwhile. I have received mentorship and support along the way from the leadership and staff of SANS, including the late, great Gene Schultz. I have worked to have their contributions honored, too. Now I will be recognized this coming week with the title of "Fellow of the ISSA" at the RSA Conference in San Francisco, but the honors go to those who have both mentored and believed in me along this path of the last 16 years.

I got into security shortly after being laid off from a position with Nortel during the dotcom bust. I was doing some freelance consulting work, and clients started asking me questions on security. I began reading on the topic, and became hooked. During a contract stint with Sprint, I found two of your books from New riders press, and started looking to get into an infosec position. At about that time my wife got a job offer in Fredericksburg, so we relocated. I spent the next few months doing part time consulting and looking for a full time position. I answered a job posting in the local paper for a part time Linux systems administrator, and when I got to the interview I was hocked to discover that I was interviewing for a position with SANS. I believe that you know the rest of that particular story. :)

My story is probably different than many others. I had to struggle to get into IT in the first place. As a GS employee with the U.S. Fish and Wildlife Service, they weren't letting me near computers in the early 90s. I went to school at night and on weekends until I landed a tech support job, and since then I have still pursued my own education and next steps on a career progression. I was working 3 to 6 month contracts after a company I worked for went under, when my online resume was picked out for an entry level position watching and testing IDS sensors. My experience with QA and general aptitude - recall I always taught myself and paid for my own education or of pocket no loans or (usually) assistance - promoted me quickly in the organization and progressed to the point I am in this profession. I still pay my own way because I deal with the same issues as others, employer expects the skill set but does not understand the cost.