Aussie achieves world's first audit certification
- 22 August, 2007 11:08
Australia will be home to the world's first IT Global Information Assurance Certification (GIAC) Security Expert (GSE) in Compliance and Audits after a local information systems manager completes the final leg of the gruelling course in September.
Only 11 people from Spain, the United Kingdom and the United States have completed the Las Vegas-based SANS Institute GSE exam since its inception in 2003. To complete the strict criteria, an applicant must complete four SANS certifications and achieve a "gold" status in two of them.
Craig Wright, information systems manager at accounting firm BDO Kendalls, will be the first in the world to attain the audit certification and the first Australian ever to sit the security exams.
SANS certifications are highly regarded in the security industry, particularly for its "hands-on" approach to training, according to Wright.
"It is a very tough exam which requires 36 hours of testing with evaluations covering hands-on, written and multi-guest presentations," he said.
A firm believer in certifications and standards to increase industry professionalism, Wright said any provider that engages in FUD (fear, uncertainty and doubt) to sell products should be ostracized and excluded.
"The proliferation of FUD damages everything in the long run; it is a self-destructive tool," he added.
In fact, Wright believes the biggest IT threat to the enterprise has nothing to do with technology and is all about lack of education and awareness.
Wright's certification formally validates his skills in systems penetration testing, Web applications security, PCI DSS (Payment Card Industry Data Security Standard) reviews, and other areas which lack skilled workers.
"It is set apart from courses like the MCSE (Microsoft Certified Systems Engineer) because it assesses your ability to use skills from the [two gold SANS Institute] courses which means you can't memorize notes before the exam and forget it afterwards," he said.
Wright has completed a whopping 18 SANS Institute courses, including prerequisite GIAC certifications in Systems and Network Auditor (GSNA), Payment Card Industry (GPCI), Security Policy and Awareness (GSPA) and ISO 17799 security and auditing (G7799).
After 20 years in the IT industry, most notably in the IT security and research fields, Wright has some memorable tales to tell although he will only comment on those that have been openly reported in the media.
For example back in the late 1990s, Wright's IT crew managed to take down the News Limited's entire national photo-imaging server after removing cables from incorrectly named ports.
He also recalls a semi-permanent ad-hoc fix for the Courier Mail newspaper's old fax machine, which was raised by a forklift to allow the fax to keep operating while the floors were being laminated.
And the biggest inhibitor to a successful IT shop? Wright says it is the disconnect between IT and business.
A disconnect he attributes to a lack of financial understanding by IT.
"IT people do little to understand compliance and the economic requirements that come with the job; without this they can not negate risk," Wright said.
"Business and IT need to work together and stop treating everything as a silo.
"It doesn't mean everyone has to know everything about law, finance and IT. It means each business unit or representative from each of these sections need to work together so there is discussion with the rest of the business."
Wright began his career working in IT at KMart in 1985 and later joining the Australian Stock Exchange (ASX).
After completing his SANS StaySharp and TCP course for Google hacking in November, Wright is planning another first by teaching the GSE course in Australia.
Wright spends next month in the US completing his final exams.
A report released earlier this year by Foote Partners LLC shows that formally certified security professionals on average command about 10 to 15 percent higher salaries than non-certified individuals in comparable roles.
Among the certification programs commanding the highest premiums were Certified Information Systems Security Professional (CISSP) , Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).