Hunt For Security
Information security pros aren't easy to come by
By Candee Wilde
Issue date: May 26, 1997
Within days of becoming a Certified Information Systems Security Professional in January, Chuck Ryan had a half-dozen job offers. Several companies were bidding against one another to hire him.
"That certification was like receiving the mark of international approval, showing what you can bring to an organization," says Ryan. He accepted an offer to become an information security consultant with Capital One Financial Corp., a Falls Church, Va., company that processes credit cards and credit information. Ryan chose Capital One because "they take information security very seriously. They budget and staff for it properly to get the job done."
Capital One is not alone in its emphasis on information security. A growing number of companies are creating formal information security positions and programs to protect information resources against the vulnerabilities of connecting to the Internet. Some are training current IS employees for the job; others are hiring security specialists; still others are outsourcing and working with information security consultants on a retainer basis to jump-start security programs and avoid hiring full-time staff.
The number of information security workers employed by corporations, government agencies, and educational institutions is expected to increase by 18% this year, according to a survey by the Computer Security Institute (CSI), a global association of information security professionals in San Francisco, and Baseline Software Inc. in Sausalito, Calif.
Still, information security remains a small, specialized field, and professionals aren't always easy to come by. The 340 organizations responding to the CSI survey averaged one information security specialist for every 1,600 employees. In contrast, these companies had 11 employees dedicated to physical security, and 56 IS professionals for every 1,640 workers. Because information security has not been a priority for most companies, and because universities didn't spend much effort on the subject in their computer-science programs, most IS professionals have picked up whatever security expertise they have helter-skelter. The result is sobering. "Among IS professionals, there is a great dearth of knowledge about security," says Richard Power, a senior consultant with CSI.
Indeed, security professionals must acquire a daunting array of skills. Base requirements include a solid background in a variety of networking technologies, including TCP/IP, Windows NT, and Unix, to name a few. Experience with firewalls, password management, encryption, and digital signatures is also necessary. Nontechnical qualifications, such as the ability to assess risk, develop information security procedures, write policy statements, and educate senior managers and users, are just as important.
To harness these critical skills, Hughes Electronics Corp. in Los Angeles assembled employees from its corporate office and subsidiaries to form the Information Resources Protection Steering Team. "This doesn't require hiring anyone," says Ron Martin, manager of corporate network security at Hughes. "We are leveraging the expertise within Hughes Electronics."
The steering team, which ensures the protection of information in all different media (paper, microfiche, transparencies for presentations, and digital form), consists of one information security specialist and one IS security specialist from Hughes' corporate office, as well as employees from Hughes Aircraft, Hughes Space and Communications, Hughes Network Systems, Delco Electronics, and DirecTV. The group oversees the IT Security Team, which is made up of specialists in IT security, network security, cryptography, and information security from Hughes' corporate office and subsidiaries.
"The IT and information security [specialists] work within their respective companies to guide IS security efforts at the local levels," Martin says. The steering team has established consistent information labeling and classification terminology and has launched a program to use cryptography to protect sensitive information. Hughes also is implementing a public-key infrastructure in its worldwide operations. Although Hughes Electronics and some of its subsidiaries outsourced many of their IT functions several years ago, the company has kept oversight responsibility for security.
United HealthCare Corp. in Minneapolis recently consolidated the security functions of its mainframe, client-server, and Internet-intranet environments. It folded in disaster-recovery planning, security-architecture development, and business-systems security. This centralization ensures that security professionals communicate with one another to develop, implement, and oversee coordinated policies and procedures, resulting in a more secure environment, says Randy Sanovic, director of IS security at United HealthCare. "When the security function is distributed, it's difficult to manage," Sanovic says. The company, which has roughly 26,000 employees worldwide, has 28 information security specialists.
Organizations that don't have a sizable information security staff can still get the job done, says CSI's Power, as long as senior executives support IT security initiatives. "A good information security officer can accomplish a lot with management behind him," he says. "Management commitment is critical to information security." With that support, even a lone information security officer can educate and enlist the help of other IT professionals (Webmasters, E-mail system administrators, and network managers) as well as users, and ultimately create an effective information security infrastructure.
Providing Support
Outsourcing and consulting companies also are bolstering their information-security practices so they can provide their clients the support they need, says executive recruiter Tracy Lenzner, president of Lenzner & Associates in Williamsville, N.Y. Lenzner has been working extensively with Ernst & Young to recruit information security experts, and helped place Jose Granado in the consulting company's San Antonio office several months ago. Granado, manager of Ernst & Young's information systems assurance and advisory service, will recruit staff as he works with clients to help them design secure networks and develop security controls and policies.
"The information security field is very young, and it can be difficult to find folks who have real, practical experience," says Granado. "Everyone in IS has some idea of what security is, but not many people have experience designing or maintaining a firewall or dealing with security issues day in and day out."
Before joining Ernst & Young, Granado spent eight years as an Air Force captain, specializing in information security. During his last four years in the service, he was an Air Force computer-crime investigator. "When I started as a computer-crime investigator in 1992, we had only 12 or 14 investigators worldwide," he says. "I spoke with a contact there recently, and those numbers are in the 30s or 40s now."
To document his knowledge, Granado is seeking the same CISSP certification that opened doors for Capital One's Ryan. CISSP status is awarded to those who pass an examination created by the International Information Systems Security Certification Consortium, the nonprofit corporation that developed the program.
Granado also is pursuing the Certified Information Systems Auditor credential from the Information Systems Audit and Control Association. ISACA is a professional association composed of a wide range of IS audit and control professionals working for all types of businesses, as well as local and national governments. "You put your seal of approval on a network when you tell clients that if they follow the recommendations, you believe the network is secure," says Granado. "It's nice to have certification backing up your seal of approval."
Experts For Hire
For organizations that don't want to completely outsource information security or add staff, companies such as Network-1 Software and Technology Inc. in New York offer a third option: hiring IS security experts on a retainer basis. For a set monthly fee, Network-1 "does certain things regularly, like poke at the customer's firewall," says Bill Hancock, executive VP and chief technology officer at Network-1. "If something ugly happens, we get a security response team out there quickly."
Network-1 staff members are trained to track hackers and to collect and preserve evidence for law-enforcement officers. These practices give organizations a better shot at successfully prosecuting computer criminals. "It's a good service for medium and large companies that need those resources available, but don't want to pay to have them on staff," Hancock says. A skilled information security specialist commands a salary of at least $100,000, he says. Network-1 charges $250 to $300 an hour to do what Hancock calls a "hacker bust."
Network-1 also delivers IS security consulting on a project basis. Capital One's Ryan worked with Network-1 while at Glaxo Wellcome Inc. in Research Triangle Park, N.C., where Ryan was senior manager of information security before joining Capital One. Ryan says Network-1 helped Glaxo shore up weaknesses in the pharmaceutical company's network infrastructure and roll out an international information security policy.
"Based on Network-1's findings, we came up with security baselines and standards for many of our operating systems," Ryan says. Although Glaxo employs specialists in each of the network platforms and operating systems in the company's IS infrastructure, "no one knew how to communicate the security risks across to other platforms. Network-1 was able to do that."
Computer vendors also are helping customers ensure information security. IBM, for example, conducts primary research on intrusion methodology to keep pace with fast-changing security threats. "We keep busy inside IBM worrying about the new threats our customers face because most can't put in a large team to focus on security," says Kathy Kincaid, IBM's director of IT security. Kincaid coordinates IBM's development of security products and services, which include worldwide security consulting, an emergency-response service, and antivirus software. "Security is not static," she says. "You can't say, 'I did it, I'm done. I am secure.' As soon as you do, someone will think of a new threat."
http://www.informationweek.com