
Experience, training, education… What makes a security expert?

Used to be that corporate cyber-security was not a highly visible area. Often it was given only a small budget, and credentials were an issue only for the security director.
Written by Martin Goslar, Contributor

My, how things have changed. Now that IT is the foundation on which enterprises conduct business and implement e-commerce, executives realize that their firms may be incapacitated without safe and secure computing.

Yet well-trained and experienced security professionals are hard to come by. Cyber-security is a specialized field that includes unique technologies, techniques, and approaches. You can’t assign your IT professionals to security duties, give them a little extra time, and expect them to harden your systems for e-commerce, e-mail, and extranets. They may try, but without professional training, experience, and education, you’re not getting real protection.

Why the current shortage? There are several reasons:

  • Until about 18 months ago, cyber-security didn’t appear to be a lucrative field for aspiring IT-related personnel.

  • Security techniques and technologies are evolving so quickly that a common body of knowledge has yet to be developed and recognized.

  • Information technology is changing so quickly to satisfy e-commerce demands that training continually lags behind.

  • Training is often product-specific, leaving the security novice without a clue as to how a vendor’s software links with other security applications running on corporate networks.

  • Experience is frequently gained by failure (i.e., breaches) instead of learning from the success of others. This leads to “knowing what you know” instead of “knowing what you should.”

  • Since professionally trained IT personnel are in high demand, most don’t have the time (or haven’t taken the time) to ramp up on security techniques.

  • Professional security positions with specific job descriptions are just now surfacing in modern corporations that are determined to survive e-commerce.

  • There are few graduate programs in network security. While undergraduate programs in information systems, computer science, engineering, and related fields offer solid foundations for security professionals, they provide modest security instruction at best.

Good news is in sight

There are positive signs foretelling a resolution to the security staffing shortage.

Leading educational institutions worldwide, such as Purdue’s Cerias Security Center (http://www.cerias.purdue.edu/), are developing and launching graduate programs in computing security. The National Security Agency has designated seven universities as Centers of Excellence in Information Assurance (see http://www.nsa.gov/isso/programs/nietp/newspg1.htm), and expects more to be added.

Some professional societies have established formalized certification programs to encourage and verify baseline security knowledge and skills. The International Information Systems Security Certifications Consortium, Inc. (http://www.isc2.org/) offers the CISSP (Certified Information Systems Security Professional) security certification program, currently one of the most widely recognized by employers; 3,000 are currently qualified, according to security personnel recruiter Tracy Lenzner of Lenzner and Associates.

The Information Systems Audit and Control Association has offered the Certified Information Systems Auditor (http://www.isaca.org/cert1.htm) designation since 1978. It is one of the mainstays in auditing circles. SANS Institute’s Global Incident Analysis Center (GIAC) offers specialized Global Certified Intrusion Analyst and Global Certified Firewall Analyst designations (see the GIAC Training and Certification overview (http://www.sans.org/giactc.htm) for details).

Recognized and rigorous certification programs that require continuing education supply objective measurements of the security skills that candidates claim to have. Holding a certificate demonstrates a security professional’s commitment. Remember, though, that security certification is just emerging, so don’t weigh these credentials -- or lack thereof -- too heavily in your hiring decisions today.

Security training abounds -- but watch out for firms selling security training primarily to make a buck from those without the necessary background. Be sure to check the background of the instructors and how many times they’ve taught the course you’re considering, and talk with security staff at companies that have sent people to it. You may find instructors who haven’t updated their course material beyond last year’s exploits and teach security exploitation techniques barely beyond script kiddie level. If you’re looking for advanced workshops, be sure to ask for a detailed outline that names the instructors. Such an outline serves two purposes: 1) identifying the instructors who will actually present your training and 2) setting your expectations for the quality of instruction. Don’t be reluctant to talk with the instructor prior to registering for a course.

When the hiring gets tough

While the dearth of security experts shows promise of abating, where do you find security experts today? I suggest developing your current IT employees. The better ones, if they’ve got a clue, will drool over company-sponsored opportunities to become more qualified through college courses, certification programs, and training workshops.

You also have to protect your investment in the highly qualified personnel who, once trained, may be tempted to move on to more lucrative positions at other firms. Be sure to gain commitment from employees, at the outset, that security training comes with an expectation (perhaps in writing) that they will remain with your firm for a specific period following training. Utilization assignments following training (i.e., working in company areas that will directly apply the new skills) are common and shouldn’t be a surprise. An employee who departs prior to fulfilling his commitment should reimburse the company for the security training he received.

Dr. Goslar is principal analyst and founder of E-PHD, LLC – a security industry research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.