
Interview with Eric Cole

Author of Hiding In Plain Sight

From Tony Bradley, CISSP, MCSE2k, MCSA, A+, for About.com

I recently did a review of the book Hiding In Plain Sight. Hiding In Plain Sight is the most recent book from security expert Eric Cole. Eric Cole is also the author of Hackers Beware and one of the primary authors of GIAC Certification: Security Essentials Toolkit (GSEC).

Eric spent more than five years working in information security for the CIA (Central Intelligence Agency), where he led a team in designing and deploying secure communications systems.

He helped to develop some of the SANS GIAC (Global Information Assurance Certification) exams and the corresponding SANS courses. He continues to work in information security as the Chief Scientist for The Sytex Group's Information Warfare Center, and he has appeared on 60 Minutes, CBS News and CNN.

Eric agreed to take some time out of his schedule to answer some questions and share his insights on certification, getting into information security, the current state of information security and more:

TB (Tony Bradley): How did you first become involved in Information Security?

EC (Eric Cole): I was accepted as an intern for the CIA and I was given the choice on which job I wanted to take. Before college I used to play around with my Commodore 64, figuring out ways to make it do things it shouldn’t. I also took some security classes in college and the one job that offered security seemed interesting. I accepted the position and have been hooked ever since.

TB: If you had to choose one book for someone to get started in Information Security, what book would you recommend?

EC: Definitely, Hackers Beware. Sorry, I could not resist the temptation to recommend the other book I wrote. Actually that question is very hard to answer because it depends on a lot of things. The book that I recommend to all of my students when I teach Security Essentials, as a must-read book, is The Cuckoo's Egg. It is not technical but probably a great place to start on your information security journey.

TB: Do you feel that certification has value in the job market? If so, which certification would you recommend first?

EC: Yes, because they validate that you have a certain skill level. So many people claim that they are security experts and very few are. However, on the flip side, just because you have a certification does not mean you are an expert. A certification is a baseline showing you have a minimum subset of knowledge, not a maximum subset. The SANS GSEC certification really provides a nice level of detail for the security professional and would be my recommendation for someone’s first certification.

TB: There is a lot of talk about Information Security in American business. Do you feel that companies are doing enough to secure and protect their systems?

EC: Absolutely not. Very few companies really understand what it means to be secure. Security is not about spending money, it is about understanding and minimizing one's risk. The whole security paradigm needs to be re-defined because most people think that if you have a firewall and IDS you are secure and that is very far from the truth.


©2008 About.com, a part of The New York Times Company.

All rights reserved.