Security's Everyman

Friday, June 15, 2007

My Security RoadTrip

Martin asked several of us to tell our Security story again. I told it here (which was an updated story from earlier) and this time I'm going into a little more detail. Hope you enjoy it, and I promise no Sun Tzu quotes, Amrit.

I've mentioned before about how I got started in IT and sort of moved into Security but as I look back at what I wrote I didn't go into much detail about why and how I made the change.

I used to think that security meant a firewall and AV. The company I worked for never patched machines and I don't think that we even put AV on all machines (can't remember for sure). We ran MS Proxy Server 2.0 for a firewall and that was the extent of our security.

When we built a new data center we decided to "upgrade" our infrastructure. We put in a Cisco PIX and MS ISA 2000 server. We put in McAfee EPO to manage AV. It was then that I started monitoring the firewall logs and ensuring that all our machines were updated with AV, and we even started some patching. It was around this time that Code Red (or some high profile virus/worm) hit. It was then that I realized the implications of having a secure environment. I was also noticing attacks that were being attempted on our network from the outside. Several projects that I was involved in required me to do lots of research and talk with vendors about their offerings. I started realizing that there were lots of cool "toys" out there that allowed me to see deeper into the network and do things to mitigate the risks that I was starting to see.

My boss was pushing me to upgrade my CCNA to CCNP. I had decided that I wanted to focus more on Security and asked him if he would object if I pursued what was at the time the equivalent of the CCSP (I think it was called CSS I and CSS II). He agreed and I started studying for it. Shortly after that I was laid off, and my next job was a consulting position where I was hired to be the Security Specialist for the company's clients. I did network surveys to look for security weaknesses in their environments. Of course Security awareness was still in its infancy (especially in small town USA) and most companies didn't want to pay for the service or the recommended changes to their environment. So I spent lots of time doing network monitoring and maintenance.

Until a month ago I had never held a pure security position. It was always just part of my job as a Network Engineer. I personally took the initiative to make it my priority and primary focus. As I was looking at what direction I wanted to take my career, I decided that obtaining the CISSP over vendor certs would benefit me more. Since I was on my own for training, study, paying for tests, etc., I had to choose carefully. Thus even though I'm qualified to work with several vendor devices, I'm not certified on any of them.

There it is. My story. Long-winded as it may be.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.