As IT-based threats to corporate security become more
sophisticated, the status of information security professionals is
growing. Lindsay Nicolle considers the implications and the
opportunities for IT departments and for individuals seeking a new
direction in their professional development
If you want to get ahead, get into security. Worldwide demand
for information security professionals is predicted to more than
double by 2008 to 2.1 million, according to research firm IDC. This
represents annual growth rates of 11.4% for Europe, 12% for the
Americas and 18.3% for Asia Pacific.
The growing prominence of IT security in the UK is being driven by
competing demands on industry and government to expand access to
services and information, along with stringent new regulatory
requirements and the need for proactive measures to counter
emerging threats. Businesses and consumers increasingly fear
identity theft, global computer viruses, spyware and spam,
according to access management solutions provider RSA
Security.
The pressing need for tighter IT and data security has prompted
information security certification body ISC2 to declare 2005 the
year of the information security professional. ISC2 plans to run
seminars, masterclasses and mentoring programmes to raise awareness
of security as a career. The move is intended to attract
high-quality entrants to the sector and increase
professionalism.
"The role of the information security professional has become
critical for protecting consumers, businesses, government agencies
and companies worldwide in their daily online tasks and
interactions," says James Duffy, president and chief executive of
ISC2.
ISC2's move is supported by organisations including public policy
group the Information Assurance Advisory Council, the Information
Systems Security Association, Ernst & Young, London
University's Royal Holloway College, Microsoft and Deloitte.
However, the reality of information security is that it is a
profession emerging in an ad hoc and piecemeal fashion. Many
security practitioners are self-trained and specialise in only one
area of information security. Various network engineers, systems
programmers and security administrators call themselves information
security professionals, even though they may have little training
or experience in the field.
Senior practitioners are mostly people who have switched careers
from computer audit, the police or IT. Junior members are drawn
straight from school or university and often learn on the
job.
In fact, only one in 10 UK companies employs staff with formal
information security qualifications, according to the DTI's annual
information security breaches survey last year.
Although general technical, product-specific and knowledge-based
security qualifications exist, none are universally recognised.
Neither do they have pre-qualification training requirements.
Moreover, they are multiple-choice exams that test knowledge,
rather than skill or judgement.
"The qualifications have been built for professionals by
professionals, but none of them test judgement in decision-making,"
says Paul Dorey, chief information security officer at oil giant
BP.
"A medical degree takes five to six years of high-quality academic
training, but would any of us feel happy being treated by a
physician who did not do the necessary years of supervised house
officer training, where decision-making skills are developed in
earnest? Companies need trusted security professionals who can make
life or death business decisions on their behalf."
Nevertheless, existing qualifications are at least some kind of
benchmark against which employers and shareholders can judge the
abilities of IT and data security staff. According to the IDC
research, 93% of international managers say certifications are
considered to be important when hiring security staff.
With the role of the security professional requiring the hard and
soft skills of the hybrid technical/business manager - including
skills in disciplines such as psychology and management science -
successful practitioners can command highly competitive employment
terms and conditions.
As demand for staff increases, salaries are starting to rise.
Annual UK salaries for heads of security already range from £40,000
to £100,000-plus, depending on the size and nature of the
organisation, according to headhunting firm Peter Marshall &
Co. At the very top of the profession, global chief information
security officers can command annual salaries of between £260,000
and £420,000.
With that in mind, some businesses might be tempted to forgo
employing a dedicated security professional and rely on the
knowledge of a well-informed IT professional. However, the IT
manager may not be a specialist in security technology and may not
be specifically trained to make difficult and business-sensitive
security and risk decisions.
A good security professional is trained to weigh up when a new
threat, such as phishing, reaches a level of risk such that
security investment is justified. They know the strengths and
weaknesses of particular technologies and how to avoid strangling
the business.
"A security manager can also answer questions such as, 'What can go
wrong in a system and what could be abused?'," says Dorey. "It
takes about two years to give a security professional a
'policeman's nose' - to see projects and systems in terms of their
failure modes rather than the generally positive view that things
will always work and be successful."
With users facing the need to find staff with such costly
specialist security skills, outsourcing is one answer. However, it
is difficult to outsource security decisions and policy because
they are business control and risk management issues, and so, by
definition, are part of corporate management.
What can be outsourced is the skills and technical knowledge
behind particular security services, but only where that deep
technical knowledge can be decoupled from business knowledge, for
example with "commodity" security services.
Commodity security services include using consultants for technical
implementations or 24x7 intrusion detection analysis services. This
can provide cost-effective security protection and even large
companies such as BP outsource some of these services to be
cost-competitive. However, as with all outsourcing contracts, the
user needs to retain security expertise in-house to be sure that
good service quality and capability is being delivered by the
outsourcing company.
Because of these limitations, the role of the security professional
is protected from being sidelined or relegated to just one part of
the IT manager's role, or from being outsourced completely. This is
why there has never been a better time to retrain as a security
professional, especially given the predicted increase in demand for
such services over the next few years.
In addition, although the best security careers were with suppliers
in the past, today's user organisations can offer the same
innovative technologies to batten down the hatches against security
threats and industry regulators' penalties, says Marshall.
This, coupled with the boardroom power security professionals are
gaining, means that the role is on a par with, if not more
influential than, that of the IT director or CIO. Most chief
information security officers report to the CIO and sit at the
same level as divisional IT directors within a company, says
analyst firm Gartner. In some companies, such as banks, the role
has moved sideways, so that the IT security professional reports
to a risk director who has the same status as the CIO or even
outranks them.
"The covetable job title at the moment is chief information
security officer, and for that you get a six-figure salary and
pretty much anything else you want," says Marshall. "We cannot find
enough candidates to fill the jobs, so if you are thinking of
changing IT career focus, now is the time."
Information security body plans to set standards
In recent months senior IT security professionals in the UK,
together with representatives from academia and the government,
have been creating the UK's first professional body for information
security practitioners.
The aim is to increase professionalism in IT security.
Participants include BP, Royal Bank of Scotland, Vodafone Research,
Royal Mail, the British Computer Society, GCHQ, the DTI and Royal
Holloway College.
The group, known as the Information Security Professionals
Working Group, has published a draft blueprint on how it proposes to
operate. The group seeks to promote new IT security qualifications,
improve standards and formalise information security as a
profession on a par with engineering, law, accountancy and
surveying.
"Government, management and shareholders need professionalism in
information security now more than ever, but there is no
professional body to set and monitor standards and ensure the
fitness of the people making personal attestations about the state
of information security in organisations," says the working
group.
"Directors and managers need to trust that those who are
responsible for the information security of the organisation are
competent and will behave in an ethical manner. Without
professional standards, the trust placed by the directors and
managers in those working in information security can sometimes be
misplaced."
John Regnault, head of security technologies at BT Exact, says,
"Security professionals, especially senior consultants, have to
make recommendations on the management and mitigation of risk which
could possibly cost millions of pounds to abort, so it should not
be surprising if questions are asked about the qualifications of
people making this judgement call. The problem is that there is not
one body that can provide comprehensive assurance of IT and
business professionalism in security. The group could fill that
gap." The group hopes to set up by September 2005, with its first
members enrolled by September 2007 at the latest.
Key security qualifications
CISM (certified information security manager), from the
Information Systems Audit and Control Association
CISSP (certified information systems security professional), from
ISC2
GIAC (global information assurance certification), operated by the
SANS Institute
Further information from:
www.isc2.org
www.isaca.org
www.sans.org
www.jerichoforum.org