Internet security seems one of the more glamorous career paths for technology professionals to pursue in the current climate, but it is one of the most risk-laden, fast-changing fields in corporate IT.
The e-security specialist focuses on a moving target both externally and internally - viruses and worms, hacks, denial of service (DoS) attacks, or security threats from the disgruntled employee, business partner or customer. Such specialists face a two-pronged pressure of needing hands-on technical skills as well as management savvy to deal with the Internet security spectrum.
Despite a steady spoon-feeding of doom and gloom lately - IT employment downsizing, spending cuts, hiring slowdowns and canceled projects - there are plenty of new developments in security in particular, translating into bona fide opportunities for any IT pro mapping out a new near-term job strategy.
As 2002 dawned, security was one of the few areas which caught the eye of David Foote, chief analyst of Connecticut-based IT workforce research firm Foote Partners LLC.
In the firm's latest global survey of 2000 employers, managers agreed security is on the rise. Many executives now rightly believe that high-profile Web attacks, electronic fraud and privacy breaches can seriously damage their companies' reputations and revenue generation.
For IS security professionals, the surge in managers' interest in security means they need to enhance their technical skills in areas like computer forensics, intrusion detection from outside and within, firewalls, authentication/authorization and security auditing - the areas now in highest demand, according to Foote.
The survey showed that premium bonus pay for security certifications has risen nearly 19 percent since Q1 of 2001, while base pay for corporate security positions grew 10 percent. But many employers will covet the following qualities even more: a broad view of security; being adept at corporate politics; business knowledge, aptitude and skills; good relationship management, team and project skills; and the ability to market, sell and negotiate outcomes.
IT managers and analysts believe training in cyber-security and disaster recovery, in particular, will be hotly pursued in 2002, says Jerry Luftman, distinguished service professor for graduate information systems programs at the Stevens Institute of Technology in New Jersey. He cites high-profile hacking incidents last year like the much-publicized infiltration of Microsoft's Web servers, in addition to the September 11 terrorist attacks, as spurs to that focus.
So where are IT pros themselves, and companies with e-security specialists, turning to upgrade their practical expertise and management skills in information security?
IT executives and analysts who spoke to Computerworld were not overly impressed with the current training options available in Australia, saying no particular course or professional certification from either vendor or niche providers was "better than the other." People with product-based training are a dime a dozen, so the experts say; thus they prize constant independent research as valuable to understanding the gamut of e-security, from the technological to the legal aspects.
According to specialists like Ajoy Ghosh, Unisys Australia e-security architecture director, the shape of the security profession has shifted from the traditional bottom-heavy pyramid to a middle-heavy one. It used to resemble a pyramid with the chief technology officer at the crest and plenty of graduates forming the bulk at the bottom. Fresh out of university, they could be trained according to an organisation's needs, says Ghosh.
However, the model is now mid-heavy, he says. With the chief security officer still at the top and commanding around $150,000, middle-level professionals are now in over-supply - typically former network professionals, application developers or LAN administrators - and earning between $90,000 and $120,000. On the other hand, there is only a "handful" of graduates and trainees starting in consulting, typically on salaries between $50,000 and $80,000.
Ghosh argues the model is "not the way it should be", claiming it leaves little opportunity to mould new graduates into "true" security people, as personnel with an IT background have been entrenched in their old organisation's ways of managing security.
Dimension Data national business manager for security, Tim Smith, says the mid-level girth is making it hard for employers to find multi-skilled professionals. The problem, he says, is that "most of those in the market lack business as well as risk management skills."
He sees most clients struggling to recruit engineers with security technology skills covering implementation to mitigate risks, and also higher-level skills in policy and standards. "Both those sorts of skills are increasingly hard to come by."
A worldwide problem, it comes down to the issue of critical mass - people joining the herd over the years, says Smith. He explains that a number of years ago the global market lacked experts in network operating systems, and as more people entered the industry they viewed this as a huge growth area - hence the explosion of MCSEs (Microsoft Certified Systems Engineers) and CNEs (Cisco Network Engineers). "The same rings true of security engineers," he says. But he feels the situation will gradually improve as the industry goes through the same cycle, and more engineers from networking and OS backgrounds cross-train.
The Computing Technology Industry Association (CompTIA) in the US states succinctly the skills dilemma the IT security ranks are facing: "The more experts there are in trained information security, the easier it will be for private companies and governments to recruit and retain skilled workers who can implement the complex systems needed today to protect data and prevent cybercrime."
According to Mark Bouchard, Meta Group Asia Pacific program director, global networking strategies, businesses are clearly at the beginning of helping create a generation of well-rounded security experts. He explains: "The most typical approach is to take vendor-offered training courses associated with any specific security product an organization purchases. Sadly, for many organizations, that is the extent of the security training for their (so-called) security personnel. Or perhaps they attend a few security-oriented conferences, more likely to gain exposure to a wide range of products or technologies for potential future use than to 'be trained'."
Malcolm Fry, a local IT service management expert with 30 years' experience, says it is areas as basic as help desk support where security training is lacking in particular.
Fry said most help desks are trained to hand out passwords to absent-minded users, not spot callers who intend to abuse the system.
"The biggest single weakness in IT is the lack of root-cause analysis and poor asset management. If I know how to fix something, I should take the next step and stop it from happening again," he says.
There are three types of e-security training. Firstly, a product-specific certification which security engineers usually take. Secondly, training in risk management expertise, typically done via a niche professional training course, and lastly vocational training which provides more specialised skills through security-focused electives in mostly IT degrees.
Unisys' Ghosh sends his mid-level people to product-specific courses as they cover the most common security product areas like Checkpoint, Symantec and Cleartrust's Mimesweeper, he says.
According to Ghosh, there are 27 professional certifications on the market. The two getting the most airplay are CISSP (Certified Information Systems Security Professional) and the SANS GIAC (Global Information Assurance Certification).
The leading non-vendor-related certification in its field, the CISSP is aimed at mid-level pros like security consultants. Students study a body of knowledge covering 12 generic areas including security management, encryption and firewalls, and must sit an exam to qualify for the certificate - hence its "inch thick but a mile wide" nickname. Delegates must have at least three years' industry experience before sitting the test. While the course is European and US-run, for the first time Australians can access it locally through the QLD chapter of the Information Systems Security Association (ISSA). It costs $US450 to take the test through ISSA-QLD, and 35 people have booked to take it.
SANS GIAC on the other hand is suited to the more junior-level security consultant or engineer as it provides a good introduction to the basics of security, according to Ghosh. Higher level GIAC training requires delegates to submit papers which are vetted by industry experts, Smith says.
Over 2,500 people are SANS GIAC-certified globally with many more in the pipeline, says Smith. Course topics include Intrusion Analyst, Incident Handling, Firewall Analysis and many others. To gain GIAC Security Engineer status, Smith says students must score over 90 per cent in at least one topic area and pass six subjects. While distance may seem a barrier to entry for students here, most of them do the GIAC tests online - with some extra reading required along the way - and have a great online community to help them prepare for the exams, according to Smith. "Both CISSP and SANS GIAC require ongoing commitments and continuing certification," he adds.
Such certifications often yield bonus pay, according to Foote Partners. The firm's research late last year showed that the median bonus for CISSP-certified network security professionals was 8 percent of base pay; the median bonus for GIAC-certified professionals was 5 percent to 12 percent of base pay.
In Bouchard's view, professional certifications are a "whole other avenue to pursue." He explains: "The certifications themselves vary in terms of worthiness, but they all indicate that the recipient knows at least something, if not a fair amount, about information security."
He pinpoints the more recognized certifications as the CISSP and SSCP (Systems Security Certified Practitioner) offered by the International Information Systems Security Consortium based in Massachusetts, ISACA's CISA (Certified Information Systems Auditor), the SANS Institute's various security offerings, TruSecure's ICSP (ICSA Certified Security Professional) and any of Cisco's Internet security certifications.
Unisys' Ghosh says professional niche certifications are always a good personal differentiator, showing employers you have some strong certification brands behind your name, particularly international ones like CISSP and SANS.
Furthermore, attaining such certifications stands you in good stead for positions like business analyst, security auditor, security manager or security consultant in areas like risk assessment, policy writing and performing ISO 17799 work for clients, says Smith.
For the organisation seeking other niche training solutions, Bouchard recommends they turn to the Big Five - like PwC for risk management - or niche vendors such as e-Secure or Communications Design to train security employees in various topics. He recommends, however, to use "references to establish the outfits' credentials, training plans and approach, and track-record - particularly since no one company stands out for security training in Australia."
Vendor and Government Initiatives
A security training centre dedicated to Public Key Infrastructure (PKI) and digital certificate solutions opened in Melbourne in February. Aimed at educating Australian IT professionals in the rapidly growing Internet security market, it was the first VeriSign training centre outside the US, and was established within eSign Australia's e-commerce data and regional operations centre in South Melbourne.
The first training course started on March 19. The centre's training manager Leanne Fleming - a former IS supervisor for the Australian Army - said the course "met the tactical and technical requirements of the defence force."
Banks and government agencies use the training facility, and eSign Australia managing director Gregg Rowley believes it could play a role in addressing the exodus of computer crime specialists from police agencies to private industry.
The centre closely resembles a high-security military installation - using biometric hand scanners and other biometric technology - and is one of the most secure private sector data centres in the Southern Hemisphere.
The extent of the government's effort to bolster the computer security ranks in the private and public sector has been evident since the end of 2000. The National Office for the Information Economy has been trying to mould more security careers through universities and TAFE colleges by co-developing plans with them for accredited IT security courses.
Already meeting the market's demand for more specialised security skills are the University of Wollongong and Curtin University in WA, among others. Ghosh cites Wollongong's postgraduate certificate in Cybercrime as an example of an excellent course, as it trains people in the criminal aspects and technology developments in cybercrime. Also, Curtin is one of the first universities in Australia offering a bachelor's degree in IT with an information security major, he says.
Later in the year, the University of Technology, Sydney will offer for the first time a postgraduate certificate in cybercrime, a course training students in the legal aspects of computer crime, and only open to law students, according to Ghosh, who will lecture in that course.
Beginning in second semester this year, UTS is expecting an intake of around 30 people, all of whom are qualified lawyers from police, government and private organisations, working in fields like intellectual property and computer crime. UTS is also targeting the Asia Pacific with the offering, specifically in countries like China and Vietnam, to meet increasing demand from senior prosecutors, according to Ghosh.
The Last Word
Ghosh considers 5 per cent of one's annual salary a reasonable amount to invest in training. Over 2001 he allocated a $240,000 budget to train 16 staff from his team - security managers, enterprise security specialists and risk assessment analysts - (around $15,000 per employee), sending them on a day-long training course as well as a conference. He also ensures they are trained in CDTS and take up regular self-based training throughout the year.
But ultimately there are no certifications which match the power of personal research, he says. "There's a lot to be said about personal study. If you're driven, you'll understand the basics, as a lot of security is about intuition. I'm seeing most people take this path."
"Most people do product certifications because they need that as a fundamental and those do satisfy at a very basic level. Whilst that worked a few years ago, the industry's become a little more sophisticated. Now employers want people who are visionary; who can re-evaluate their organisation's defences as well as be able to implement security systems. So you're always going to have the market split."
Julekha Dash and Pete Young contributed to this article.