IT professionals were once thought of as geeks in a back room,
keeping the network afloat while avoiding the general population as
much as possible. But with criminals increasingly intent on using
technology against us, it's now possible to change that image from
geek to rock star, experts at the SecureWorld Expo said last week.
But to keep company execs interested in the next CD, so to
speak, the IT security professional needs to have a mix of
abilities -- including a penchant for adapting to rapid
technological change, a knack for bonding with people outside IT
and an understanding that threats in the physical world could
impact the corner of cyberspace you're trying to protect.
David Sherry, vice president of enterprise identity and access
management for Citizens Financial Group in Rhode Island, played up
the geek-to-rock-star theme in one of his conference presentations,
saying that information security was once viewed as a hindrance to
company policy and growth. But the IT professional's stock has
risen as security risks become more apparent to the top brass.
"At one time we were just a cost center, a necessary part of
doing business that didn't provide a lot of value," he said. "Now,
because of our identity management initiative, we actually had a
department call us rock stars … by getting people on quicker and
helping departments remain compliant we are enabling the business
to grow and remain secure, keeping our CEO's name off the front
page of The Boston Globe. We are becoming rock stars, being
asked to come to the table instead of being shunned."
But as musical stars know, it takes a lot of work to keep the
audience coming back for the next song, and the same reality
applies for an IT security rock star, Sherry said. You have to show
consistent progress. The top execs may love your initial proposal
and let you run with it, but they need to see that what you've put
in place actually works over the long haul.
Part of making a security routine a long-term success is the IT
officer's ability to foresee how future changes in technology will
ultimately affect the company's operations. In other words, they
must be able to see change coming and update security policies to
meet it, said Pamela Fusco, executive director of security
solutions for FishNet Security and former executive vice president
of global information security for
Citigroup Technology Infrastructure (CTI).
"Technological changes are bringing about significant unforeseen
consequences," Fusco said. "Whatever we put in place today has a
lifecycle of about five years, and we need to be thinking ahead. If
you're installing Windows Vista today, you need to start thinking
about what will be in the next version of Vista. Do you think there
won't be any more patches because of Vista? Of course not."
IT shops will eventually want Vista anyway because it's the
latest Microsoft has to offer, she said. The key is to understand
it won't be the last major upgrade you'll ever have to make.
To be successful at ushering in change, Fusco said, IT
professionals must have a positive attitude, invite colleagues to
collaborate in the process and acknowledge mistakes, which are
inevitable.
"Change brings mistakes, frustration and finger-pointing," she
said. "It can be viewed negatively for fear of the unknown. You
need to be able to explain why something is needed and define the
expected outcome. Be positive, celebrate successes and failures and
communicate the milestones."
Another key to rock star status is the ability to keep tabs on
data traveling outside the company, according to Anne Oribello,
senior information security analyst for Genzyme.
"A common problem is that people focus strictly on getting their
internal infrastructure up to speed without paying attention to the
fact that some of their data is going outside," she said. One key
to tracking that data is to have a good relationship with people in
departments outside of IT. Having a good relationship with someone
in the purchasing department, for example, can make the IT
professional more aware of where data from that department may be
traveling.
One department it's important to keep in touch with is the one
that handles physical security, according to Ernest Hayden, CISO
for the Port of Seattle, and Dennis Treece, director of corporate
security for the Massachusetts Port Authority.
After all, they said, threats that affect an organisation's
physical buildings and grounds can have an ultimate impact on the
organisation's IT security.
"There are real benefits to having the physical and IT security
people on the same page," Hayden said. To ensure that different
departments are on the same page, he said the Port of Seattle has a
corporate security coordination committee.
To create more security rock stars in the future, Treece said a
better academic program is needed.
"One of the big issues for me is that I want to see a recognised
degree program to prepare people for the converged role of CSO and
CISO," he said, adding that he hopes to play a role in creating
such a program.