Risk and reward as a data defender

Information security chiefs can work at the highest level of business and reap the financial benefits, but their livelihood is on the line if a breach occurs.

As information security has risen up the corporate agenda, the role of chief security officer has emerged to oversee it.

The CSO typically sits on the board and works alongside the chief executive and other senior managers to ensure that the organisation has the right security policies, procedures and technologies in place.

Adrian Asher, head of security at online gaming exchange Betfair, is one of this new breed of CSOs. "My role is to provide assurance to the business that our operations are secure," he says.

"For Betfair, that can mean anything from protecting against denial of service attacks to preventing users from repudiating bets they have made."

Asher manages a team of 10 security specialists who advise him on particular areas of policy and research and implement technical systems. With CSOs looking to build these kinds of teams to support their security strategies, there is growing demand for security specialists at a lower level.

Premium rates

Security roles typically pay a premium of about 10% above rates for similar roles in other IT disciplines, says Sam Baxendale, sales manager at recruitment firm Computer People. But that premium comes with a downside, especially for the CSO.

"If there is a security breach, the buck stops with you and it is difficult to shift the blame," Baxendale says. "The result of any investigation is often a sacking."

Security is certainly not for the faint-hearted. Lysa Myers, a virus research engineer at security research firm McAfee Avert, says, "It is a fast-paced environment, and at times it can be overwhelming."

Myers analyses samples sent in by users of McAfee systems to determine the threats they contain, explains them to customers, and adds them to McAfee's detection and removal systems. She also provides training for internal staff and customers.

"You have to be able to switch gears quickly, from whatever you are working on to something else that is a higher priority. But there is something different every day, and always something new to learn," says Myers.

Because the emphasis on security as a specialism is relatively recent, there are no clearly established career paths, especially to the CSO role. However, accreditation is becoming increasingly important.

At CSO level, employers look for candidates with CISSP (certified information systems security professional) certification, says John Whiting, managing director of the UK IT business at recruitment firm Harvey Nash. At a more junior level, supplier-specific qualifications such as Cisco, Nokia, Juniper and Checkpoint are in demand, he says.

Broad experience

However, most people seem to have fallen into security roles by accident, having been involved in a project where security was a prime concern, and experience across the full spectrum of IT is the best grounding, according to those working in security roles.

Asher says, "To be good in security, you have to be able to think from top to bottom and have done a little of each of the disciplines - network, database, applications and server admin - at a high level. Because you have to convince people who do these tasks every day to do them in a slightly different way, they have to respect you and you have to respect them, so you need some depth across all those areas."

Asher worked in network and server admin before becoming involved in a security-focused project to revamp Heathrow Airport's internet-based systems.

Similarly, Dave Martin, a management consultant who jointly heads up the security consulting group at LogicaCMG, came from a background of programming, systems administration and operations management in the Royal Navy and at defence contractor Plessey.

Working with security as a component of the systems he was developing gave Martin experience that he was able to transfer to a commercial environment.

He now conducts risk analyses of firms' systems, devises policies to mitigate those risks, and delivers security awareness training to end-users. Martin also carries out these functions internally to ensure that LogicaCMG's own operations remain secure.

On the supplier side, it is typical for security staff to join with generalist IT skills and to receive company-specific training on the job.

Myers started off at McAfee in a secretarial role and began asking questions about the reports she was helping to compile. Over time, she took on analysis of more complex threats, and she is now McAfee's expert in malware related to IRC bots.

Interpersonal skills

However, the kind of technical skills Asher, Martin and Myers have developed are just one aspect of the security role. Interpersonal skills and business skills are equally key, especially at CSO level.

"You have to be an ambassador to senior managers and the board," says Asher. "Internal communications are a large part of the board."

Martin agrees. "Many technical people hit a glass ceiling in security, because you have to be able to talk business to senior business people," he says. "You often get people who are excellent technicians but cannot translate that into business issues."

But if you can master a security role, it can open doors. Whiting says, "There are big links between IT security, risk management, compliance and business continuity, so people coming from any of those areas are seeing avenues opening up across all of them. And it can provide a route to move into the operational side of the business from a pure technology role."
