Making IT safe opens doors

In the current political climate, it's not surprising to find security a hot topic in the IT community. If the plethora of viruses and their variations were not enough, then the threat of industrial sabotage, hacking and even cyberterrorism is guaranteed to put the fear of god into even the most naive IT manager, not to mention their bosses.

A few recent facts and statements (and wet-finger-in-the-air predictions) bear this out:

  • 20 per cent of IT organisations surveyed by Meta Group had no way of knowing if their information security had been breached.

  • According to the US Computer Emergency Response Team Coordination Centre, reported security incidents doubled in 2001, and were expected to double again in 2002.

  • 90 per cent of cyberattacks take advantage of known security flaws or problems. (Source: Gartner G2)

  • The global IT security market, including software, hardware and services, is expected to increase from $US17 billion in 2001 to $45 billion in 2006, with security hardware showing compound annual growth of 25 per cent, followed by services (24 per cent) and software (16 per cent). The Asia/Pacific market will have 34 per cent compound annual growth reaching a market size of $US5.8 billion in 2006, and in Australia spending on security solutions, one of the "top ten technologies for 2003", will surpass $915 million by the end of this year. (Source: IDC)

  • 66 per cent of respondents to an IT&T training survey by Jobnet and IT Skills Hub said security will be the emerging technical skill in the next five years.

The market (and particularly the vendor market) obviously believes that security is one of the "must do" topics for the coming years. Who, then, is filling the market need?

Training avenues

Glenn Miller, managing director of security products distribution house Janteknology, says that: "I believe that education, or more correctly the lack of education, is the single biggest obstacle to broad-based adoption of IT security measures and policies by end users. ... There are hundreds of thousands of networks in the world, but only a couple of hundred true 'experts'."

Dr Lauren May, senior lecturer at Queensland University of Technology's School of Software Engineering & Data Communications, agrees that there is a "shortage of IT security expertise". QUT is doing its bit to fill the gap. With a strong speciality in IT security (it is home to the Information Security Research Centre), its enrolments in IT security courses have grown from "a handful a decade ago" to 1008 undergraduate students and 368 postgraduates in 2002. Its first PhD (currently director of the Research Centre) graduated in 1991, and over the period 1992-2002 it had graduated seven Masters and 23 PhDs. That number has grown significantly, with current research student enrolments of nine Masters and 28 PhDs, enough to more than double the previous 10 years' output.

Kathleen Norman, marketing manager with training firm NETg, says that "Over the past year or so, we've seen growth in the number and popularity of security-related certification programs. Vendors, such as Cisco and Microsoft, have security-specific certification tracks or exams. Vendor neutral certification programs, such as CompTIA's Security+ and ISC2's CISSP, are also making an impact." So what areas of IT security are "hot" at the moment?

Norman says, "There aren't really any 'unhot' areas right now. While security infrastructure and administration training are popular, the greatest number of requests and queries lately concern end-user security awareness training. With more and more people using the Internet, the need to 'get back to basics' is a growing concern." Miller says that "The current state of IT security training is basically at the same stage as security products - a work in progress. There are several qualifications, such as CISSP, which have become popular along with a plethora of informal training programs provided in seminar format."

However, he adds that "IT security is a fast developing sector where there is often a lack of generally accepted standards and this is particularly true for training".

Training pitfalls

This issue of the changing nature of the IT security field is the one that most commentators have picked up on.

"The whole area of IT security is very dynamic," says May, "hence student issues include the need to:

  • gain a good understanding of underlying concepts and how they interact,

  • keep abreast of current relevant issues, and

  • keep 'hands on' skills honed and up-to-date.

"Technological developments are quickly superseded. The industry issues are always demanding as the industry becomes ever more reliant on its IT infrastructures and the people who secure them. And legal issues very quickly become a can of worms."

The lack of a generally accepted "formal" qualification is what worries Miller.

"Many security practitioners today have developed their expertise through practical experience in a similar way to network managers some years ago. The company computer nerd became the de facto network manager and so it often is with security.

"I believe that it will be necessary for the adoption of a formal standard (ISO) for security practitioners. Currently anyone can claim to be a security 'expert' but due to the lack of a recognised formal qualification this title is meaningless."

This lack of a formal qualification standard creates a difficult situation for end users, he says, as they too do not possess sufficient knowledge to be able to make informed judgements when it comes to employing or contracting security services. "This situation will often lead to dissatisfaction and wasted money on the part of the end users. Similar to the old saying about advertising - 50 per cent of your budget is wasted - knowing which 50 is the difficulty."

Training opportunities

What is driving the need for IT security also drives the training undertaken.

"Training is critical," says Jobnet's sales manager, Henry Talbot. "But the main thing to come out of all this is if you're going to do training you must put it in the context of what's happening in the industry. Before you jump into a training course you really need to investigate and do your research on the area of the IT industry you're looking at."

That context, according to IDC, is made up of the three main drivers in the demand for security services: increased Internet and intranet usage; increased complexity from both a business and an IT perspective; and the rise of mobile computing.

End users, the company says, want and deserve services that can be easily deployed and maintained, that can be understood, and that lower the cost of ownership. This is very important given the high level of enterprise uncertainty about exactly what, and how much security they really need.

Al Passori, a vice president with Meta Group's executive directions service and co-author of the Group's "2003 Enterprise Security Desk Reference", says that security professionals will need to have a broader focus, integrating policy and process.

"Many security professionals focus solely on managing individual projects and the issues at hand, and fail to gain a role in IT security risk management strategic planning. Determining the business tolerance for risk, identifying and communicating security risks and risk mitigation options, and articulating the security program costs and benefits to key individuals in IT and business management ahead of time are best practices and should become corporate mandates." And, by implication, also key areas for student consideration.

May adds a couple of "soft" issues that need to be addressed. She says there is general misunderstanding among industry, government and the community "of even basic concepts". Added to this is the "extreme diversity in political ideologies relating to security issues, evidenced by the diversity of legislative approaches to these issues. This is a derivative of the controversial 'right to privacy of the individual' versus 'security of the nation' debate, where we have the two extremes and all shades of grey in between."

Ultimately, it comes back down to having appropriate qualifications that are relevant to the industry and employers.

Miller says: "I see the current situation as an opportunity for the government to establish a regulatory framework (licensing) for IT security practitioners similar to that which exists for physical security operators. Such a licence would set a minimal level of expertise and avoid many of the pitfalls which end users face today."

But training goes beyond the formal security practitioner, he says.

"The issue of security training is just as important for in-house end-user staff as it is for security practitioners. It is of no use having retained a capable security consultant if staff are not sufficiently trained to implement and maintain the organisation's security plan.

"Notwithstanding the foregoing, I don't doubt that these issues will be dealt with. The entire market is on a steep learning curve with IT security, but in the fullness of time, knowledge will catch up with the technology just as it has always done."

Career opportunities

One reason why security is a hot issue in training circles is that it is also a hot issue in the upper echelons of management.

IDC says it has found that "perceptions of security investments have shifted up to a strategic level within organisations, and this has moved discussions about enterprise security from the back room to the boardroom".

The company says that security is now viewed as an "integral element of sound management and a key part of effective corporate governance".

Organisations are adopting a more proactive mindset by designing a security architecture that addresses long-term business needs, it says.

All of this means that security is top of mind with management, and that security experts have the boss's ear, raising employment prospects considerably. IDC predicts that these prospects are threefold:

  • Increased demand for security services as companies continue to need help developing enterprise-wide risk management strategies to mitigate any potential liabilities and provide a trusted environment for stakeholders.

  • A return to market growth for security administration, authorisation, and authentication (3A) software due to the broad consumption of these technologies by identity management and Web services security.

  • The continued popularity of security appliances as a means of delivering software because of the wide coverage of the products. In this way, a single appliance can solve multiple enterprise security needs.

May also believes that employment prospects are good: "IT security professionals are always in demand because they provide a critical service."

"Topics such as basic password management, workstation security, security policies, and antivirus software are all increasingly in demand," Norman said.

Ultimately, May says, the issues facing students are the same as for any other specialisation: how do I get into the area, and where will I find a job when I qualify?

"IT security education is very demanding both for students and educators. Today's world demands expertise in this area. For those who accept the challenge, the rewards are well worth the effort."
