As IT-based threats to corporate security become more sophisticated, the status of information security professionals is growing. Lindsay Nicolle considers the implications and the opportunities for IT departments and for individuals seeking a new direction in their professional development
If you want to get ahead, get into security. Worldwide demand for information security professionals is predicted to more than double by 2008 to 2.1 million, according to research firm IDC. This represents annual growth rates of 11.4% for Europe, 12% for the Americas and 18.3% for Asia Pacific.
The growing prominence of IT security in the UK is being driven by competing demands on industry and government to expand access to services and information, along with new and stringent regulatory requirements and the need for proactive measures to counter emerging threats. Businesses and consumers increasingly fear identity theft, global computer viruses, spyware and spam, according to access management solutions provider RSA Security.
The pressing need for tighter IT and data security has prompted information security certification body ISC2 to declare 2005 the year of the information security professional. ISC2 plans to run seminars, masterclasses and mentoring programmes to raise awareness of security as a career. The move is intended to attract high-quality entrants to the sector and increase professionalism.
"The role of the information security professional has become critical for protecting consumers, businesses, government agencies and companies worldwide in their daily online tasks and interactions," says James Duffy, president and chief executive of ISC2.
ISC2's move is supported by organisations including public policy group the Information Assurance Advisory Council, the Information Systems Security Association, Ernst & Young, London University's Royal Holloway College, Microsoft and Deloitte.
However, the reality of information security is that it is a profession emerging in an ad hoc and piecemeal fashion. Many security practitioners are self-trained and specialise in only one area of information security. Various network engineers, systems programmers and security administrators call themselves information security professionals, even though they may have little training or experience in the field.
Senior practitioners are formed mostly from those who have switched careers from computer audit, police or IT. Junior members are drawn straight from school or university and often learn on the job.
In fact, only one in 10 UK companies employs staff with formal information security qualifications, according to the DTI's annual information security breaches survey last year.
Although general technical, product-specific and knowledge-based security qualifications exist, none are universally recognised. Neither do they have pre-qualification training requirements. Moreover, they are multiple-choice exams that test knowledge, rather than skill or judgement.
"The qualifications have been built for professionals by professionals, but none of them test judgement in decision-making," says Paul Dorey, chief information security officer at oil giant BP.
"A medical degree takes five to six years of high-quality academic training, but would any of us feel happy being treated by a physician who did not do the necessary years of supervised house officer training, where decision-making skills are developed in earnest? Companies need trusted security professionals who can make life or death business decisions on their behalf."
Nevertheless, existing qualifications are at least some kind of benchmark against which employers and shareholders can judge the abilities of IT and data security staff. According to the IDC research, 93% of international managers say certifications are considered to be important when hiring security staff.
With the role of the security professional requiring the hard and soft skills of the hybrid technical/business manager - including skills in disciplines such as psychology and management science - successful practitioners can command highly competitive employment terms and conditions.
As demand for staff increases, salaries are starting to rise. Annual UK salaries for heads of security already range from £40,000 to £100,000-plus, depending on the size and nature of the organisation, according to headhunting firm Peter Marshall & Co. At the very top of the profession, global chief information security officers can command annual salaries of between £260,000 and £420,000.
With that in mind, some businesses might be tempted to forgo employing a dedicated security professional and rely on the knowledge of a well-informed IT professional. However, the IT manager may not be a specialist in security technology and may not be specifically trained to make difficult and business-sensitive security and risk decisions.
A good security professional is trained to weigh up when a new threat, such as phishing, reaches a level of risk such that security investment is justified. They know the strengths and weaknesses of particular technologies and how to avoid strangling the business.
"A security manager can also answer questions such as, 'What can go wrong in a system and what could be abused?'," says Dorey. "It takes about two years to give a security professional a 'policeman's nose' - to see projects and systems in terms of their failure modes rather than the generally positive view that things will always work and be successful."
With user organisations facing the need to find staff with such costly specialist security skills, outsourcing is one answer. However, it is difficult to outsource security decisions and policy because they are business control and risk management issues, and so, by definition, are part of corporate management.
The area of security which could be outsourced is the skills and technical knowledge of particular security services, but only where deep technical knowledge can be decoupled from business knowledge, for example with "commodity" security services.
Commodity security services include using consultants for technical implementations or 24x7 intrusion detection analysis services. This can provide cost-effective security protection and even large companies such as BP outsource some of these services to be cost-competitive. However, as with all outsourcing contracts, the user needs to retain security expertise in-house to be sure that good service quality and capability is being delivered by the outsourcing company.
Because of these limitations, the role of the security professional is protected from being sidelined or relegated to being just one part of the IT manager's role, or from being outsourced completely. This is why there has never been a better time to retrain as a security professional, especially given the predicted increase in demand for such services over the next few years.
In addition, although the best security careers were with suppliers in the past, today's user organisations can offer the same innovative technologies to batten down the hatches against security threats and industry regulators' penalties, says Marshall.
This, coupled with the boardroom power security professionals are gaining, means that the role is on a par with, if not more influential than, that of the IT director or CIO. Most chief information security officers report to the CIO and are the equivalent level of divisional IT directors within a company, says analyst firm Gartner. In some companies, such as banks, the role has moved sideways to where an IT security professional will report to a risk director, who will have the same status as the CIO or even outrank them.
"The covetable job title at the moment is chief information security officer, and for that you get a six-figure salary and pretty much anything else you want," says Marshall. "We cannot find enough candidates to fill the jobs, so if you are thinking of changing IT career focus, now is the time."
Information security body plans to set standards
In recent months senior IT security professionals in the UK, together with representatives from academia and the government, have been creating the UK's first professional body for information security practitioners.
The aim is to increase professionalism in IT security. Participants include BP, Royal Bank of Scotland, Vodafone Research, Royal Mail, the British Computer Society, GCHQ, the DTI and Royal Holloway College.
The group, known as the Information Security Professionals Working Group, has published a draft blueprint on how it proposes to operate. The group seeks to promote new IT security qualifications, improve standards and formalise information security as a profession on a par with engineering, law, accountancy and surveying.
"Government, management and shareholders need professionalism in information security now more than ever, but there is no professional body to set and monitor standards and ensure the fitness of the people making personal attestations about the state of information security in organisations," says the working group.
"Directors and managers need to trust that those who are responsible for the information security of the organisation are competent and will behave in an ethical manner. Without professional standards, the trust placed by the directors and managers in those working in information security can sometimes be misplaced."
John Regnault, head of security technologies at BT Exact, says, "Security professionals, especially senior consultants, have to make recommendations on the management and mitigation of risk which could possibly cost millions of pounds to abort, so it should not be surprising if questions are asked about the qualifications of people making this judgement call. The problem is that there is not one body that can provide comprehensive assurance of IT and business professionalism in security. The group could fill that gap." The group hopes to set up by September 2005, with its first members enrolled by September 2007 at the latest.
Key security qualifications
CISM (certified information security manager), from the Information Systems Audit and Control Association.
CISSP (certified information systems security professional), from ISC2.
GIAC (global information assurance certification), operated by the Sans Institute.
This was first published in February 2005