Please join me at RSA® Conference 2010 from March 1 to 5, 2010 in San Francisco. RSA Conference is the premier conference for information security professionals.
As a selected speaker at the 2010 Conference, I’m pleased to be able to extend a discount of $200 off the current registration rate when you use my personal discount registration code. Simply enter the following code when you register online:
My personal discount registration code*: PRMSL8518UAV
*This offer cannot be combined with any other discounts and is valid for new registrations after January 11, 2010 through February 5, 2010.
Take advantage of five days of educational programs, access to industry experts and networking opportunities. Your Delegate Pass gives you:
To find out more about RSA Conference and the packed agenda, visit: http://www.rsaconference.com/2010/usa/index.htm.
Be sure to register using the discount registration code above to receive the $200 savings.
Look forward to seeing you in San Francisco from March 1 to 5!
Today we interview another friend whom I’ve known for quite some time, Kevin Riggins.
Q: Tell us a little about yourself.
I am a husband, a son and the proud father of our furchild, an 8-year-old Corgi 🙂 I am an avid science fiction reader and love tinkering with computers and electronic gadgetry.
Professionally, I am a Senior Information Security Analyst with a Fortune 500 financial services company. I lead and manage a team of five analysts who are responsible for providing internal information security consulting services and tasked with performing risk assessments for the different business units that make up the company.
I have a blog called Infosec Ramblings where I write about information security topics.
Q: How did you get interested in information security?
I have worked in an extremely broad range of disciplines in information technology over the years. This includes help desk, workstation management, server management, UNIX administration, etc… About 10 years ago, I started becoming very interested in how easy it was for people to get access to information that they weren’t necessarily supposed to have access to. I was able to talk my employer into sending me to my first SANS conference where I went through the Security Essentials course. I came away from that experience knowing that this was the path I wanted to take.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
I am a college dropout. Actually, I do have my Bachelor’s degree, a BA in Computer Science, but I did not get it until I was an adult. I decided during my youth that I would rather work than continue to go to college. I don’t regret that decision, but I am also very glad that I went back to school as an adult and finished what I started. I have had more certifications than you can shake a stick at, but the only two that I keep current at the moment are my CISSP and my CCNA.
As far as helping my career is concerned, college helped me learn how to think better. The actual information wasn’t as important as the process of learning. Regarding certifications, you see quite a bit of disparagement aimed at the CISSP and those who have the cert. For me, getting my CISSP was a very valuable experience. I spent a significant amount of time self-studying for the exam and I think that really helped me broaden my perspective when it comes to information security. Does that mean I think the CISSP indicates I am some sort of expert? Not at all. Like any certification, the experience of the individual who has those letters behind his name is much more important than said letters. I also self-studied for my CCNA. I think the fact that I have one “management” cert and one “technical” cert helps show that I am not one-dimensional.
It also keeps the network folk from trying to pull the wool over my eyes 🙂
Q: What did you want to be when you grew up? Would you rather be doing that?
I honestly can’t say what I wanted to be when I grew up. That pretty much extended all the way into my first stab at college. I started out in Electrical Engineering, switched to Computer Science, then Accounting, then Petroleum Land Management, and so on, and so on, until I finally landed in Electronic and Computer Technology and then quit. I got a job based on the last one and the rest is history.
Q: What projects (if any) are you working on right now?
You recently published Michael’s interview where he mentioned a mentoring project that will be coming to the Security Catalyst Community. I am working with him on that project and really looking forward to what we can accomplish with the help of the great community that exists there.
Q: What is your favorite security conference (and why)?
Any that I can get to 🙂 I really enjoy Defcon and have had fun at RSA Europe the last couple of years. Defcon is great for keeping up with the newest things that are happening in Infosec. Not necessarily via the presentations, but via the great hallway track. RSA Europe is fun because I get to meet up with a lot of my European friends.
Q: What do you like to do when you’re not “doing security”?
“Doing security” tends to bleed over into my non-work life, but beyond spending time with my wife and puppy dog, I am an avid amateur photographer. My flickr page is listed below. I don’t get things up there as often as I’d like, but I really enjoy taking pictures. I have recently taken up piano again. I am focusing on Jazz piano right now and having fun. As I indicated above, I love reading science fiction and I also enjoy singing in choir at my church.
Q: What area of information security would you say is your strongest?
I have a broad background to draw from and, as such, I would say I am strongest at being able to have a good grasp of what affects a project from a security perspective, a business perspective and an information technology perspective. This allows me to effectively communicate with all the people involved in the efforts that we have to assess and consult on.
Q: What about your weakest?
Admit weakness? In a public forum? Pshaw. Just kidding. I am not as technically proficient as I used to be. I still have a lab at home and still keep my fingers in, but my day-to-day duties don’t call for the level of technical hands-on ability that I used to have.
Q: What advice can you give to people who want to get into the information security field?
Take a hard look at yourself and decide if you are ready for the stresses that a career in information security will put on you. You are contemplating getting into a field where you can never quit learning. Our field is an ever changing one and keeping up takes a significant commitment. It is also a field where you may be faced with having to influence people to make decisions that they might not want to make. In other words, you are often going to be causing others some stress which can make them not happy with you. You have to be okay with that.
It’s been said by others already, but I will repeat it. Find a mentor. Preferably one that has been around for a bit. The value of having someone to bounce ideas off of and who has been through the trenches cannot be stressed enough.
Q: What suggestions would you have for technical people who want to move into a supervisory or management role?
I am going to answer this question assuming that the individual has done their research and truly thinks they want to become a supervisor or manager. What to do? Tell somebody in your current organization. It is easier to move into a supervisory or management role with your current employer than it is to find a new job without having some management experience. You can often ease into it by managing this project or supervising that process while still staying technical. This is great for figuring out if you truly do want to make such a move.
Q: How can people get a hold of you (e.g. blog, twitter, etc.)?
Blog: http://www.infosecramblings.com
Email: kriggins@infosecramblings.com
Twitter: http://twitter.com/kriggins
Flickr: http://www.flickr.com/photos/krandj/
LinkedIn: http://linkedin.com/in/kevinriggins
The first Information Security D-List interview of 2010 is my good friend Peter Giannoulis. I’ve known Peter for several years and he’s grown into one of the most knowledgeable information security people I know.
Q: Tell us a little about yourself.
I live in Toronto, Ontario, Canada, with my wife and two children.
I’ve been an information security consultant for over a decade specializing in the implementation of all sorts of security technologies from firewalls, IDS/IPS, vulnerability assessments, penetration testing and audits. I recently founded Source 44 Consulting Incorporated, whose goal is to provide outstanding infosec services to organizations of all sizes.
Along with some close friends, I also launched The Academy Pro (www.theacademypro.com) in March 2008. The Academy Pro is a website that was designed to provide organizations free infosec tutorials in video format.
Q: How did you get interested in information security?
It was really an accident. I was employed by an infosec consulting firm as a systems administrator. I quickly became bored with the role and brought this to the attention of the President of the company. He offered me a position as a security consultant and the rest is history.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
I have a little bit of college behind me, but I tend to grasp concepts if I study and apply them on my own. Throughout the last decade I have gained many certifications. Many have been vendor neutral based, but because of my position as a consultant, I needed to maintain vendor specific certifications as well.
Q: What did you want to be when you grew up? Would you rather be doing that?
What every geek wants to be: a rock star! While I love my current career path, I would rather be playing Good Riddance inspired punk music to thousands of people every night. There’s nothing like writing songs and performing them to a live audience.
Q: What projects (if any) are you working on right now?
Full-time consulting and The Academy Pro take up most of my time from a project perspective. However, there’s a few things that we’ll be announcing shortly from a company and website perspective.
Q: What is your favorite security conference (and why)?
I don’t frequent them often. I find there’s too many egos at some of the larger conferences.
Q: What do you like to do when you’re not “doing security”?
I love spending time with my family and I continue to play music from time to time.
Q: What area of information security would you say is your strongest? What about your weakest?
I’d say I’m a fairly good instructor. I have always scored high in this area. I also enjoy architecting solutions and performing penetration tests.
As for my weakest, I’m not much of a programmer. That’s an area I wish I took a bit more seriously years ago.
Q: Do you think the average Canadian is able to comprehend the threat that malicious attackers pose? What do we do to change the perception?
Not at all. So many parents in my neighborhood tend to ask me questions about Internet safety and then regret it after I answer. I honestly don’t try to scare people, but instead make them aware of the problem.
Something needs to be done from a larger scale in order to change the perception. I believe that education boards need to make parents aware from an early age about the dangers of the Internet by holding monthly or quarterly workshops with infosec professionals. That would be a start.
Q: Your kids are at the age where they’re getting into computers. How do you, as a parent AND a security professional, work to educate them on Internet safety?
My wife and I have made my children aware of the dangers of the Internet from an early age. Awareness is not always sufficient, so that’s where content filtering comes into play.
Q: What advice can you give to people who want to get into the information security field?
The security field is so interesting that it kind of draws you in. If you’re not looking to lose all of your time and enjoy spending time with your family and friends, don’t do it.
Q: How can people get a hold of you (e.g. blog, twitter, etc.)?
Twitter: www.twitter.com/theacademypro
The Academy Pro: www.theacademypro.com
Email: peter@theacademy.ca / peter@source44.net