Strategy
How to get ahead in infosec
JULY/AUGUST 2008
Gone are the days when infosec professionals were IT guys who had mistakenly stumbled into information security. Now, vendors and consultancy firms have an impressive array of qualified infosec pros to choose from. Wendy M Grossman asks how it’s possible to stand out from the crowd.
It’s not so long ago – maybe five or six years – that someone in
charge of recruiting infosecurity professionals probably knew
everyone who mattered in the field. At the same time, most
people entering the profession came from IT, often for no better
reason than that they were the only people who’d ever set up
a firewall.
Fred Piper, who founded the MSc (Master in Information
Security) programme at Royal Holloway, University of London,
and more recently a founder of the Institute of Information
Security Professionals, says that as recently as the beginning
of the 21st Century, infosecurity at the senior level was almost
“a closed shop”. The direct impetus for setting up the IISP
came when someone approached him at a conference and
said, “This can’t go on, because now I have to prove to my
board that my security people are competent and there’s no
way of doing it.”
Things have changed. Demand for infosecurity professionals
continues to grow worldwide. A report produced by Frost & Sullivan
for the International Information Systems Security Certification
Consortium (ISC2), which administers the CISSP exam, projects that
the infosecurity workforce will grow from 1.66 million in 2007 to 2.69
million by 2012.
The latest survey from the corporate governance recruitment
company Barclay Simpson, which serves primarily experienced
practitioners, is a little less optimistic, given the tightening economy.
However, it also notes that well-publicised data breaches are scaring
companies, thus resulting in more infosec jobs.
Back to school
Expansion on this scale means that credentials are becoming
increasingly important as a way of validating the backgrounds of
strangers, while the pervasiveness of IT means that it is no longer
possible to deal with infosecurity separately from more general
business and regulatory issues.
Yesterday’s infosecurity professionals largely entered the
profession more or less by accident; they came from IT and
their hands-on experience was the only qualification they
needed. Today’s prospective infosecurity professional needs
both breadth and depth of knowledge, and should expect to
need both experience and credentials.
“The industry is now becoming a profession,” says Paul Hansford,
a member of the British Computer Society’s security forum. “When
somebody like me came into the profession you learned as you went
along because there weren’t professional qualifications.” Now, he says,
“we’re seeing people who choose it as a profession and study for it.”
Ruth Jacobs, an information security specialist at Barclay
Simpson, says the eight years she’s been recruiting in the
security sector have been roughly the same: “It used to be
seen as just an IT issue, and now it’s very much business-
wide.” In addition, she says, even the IT side of things has
broadened. Data deperimeterisation – the opening out of
networks with mobile devices and workers – means that
applications, as well as networks, must be secure, requiring
different skills.
The findings of the tenth annual global information security
survey, carried out by Ernst & Young for ISC2, bear this out.
The three biggest drivers behind organisations’ information
security practices are no longer the former leader, technical
threats such as worms and viruses and other attacks, but, in
order: regulatory compliance, privacy and data protection, and
meeting business objectives. Technical threats have dropped to
sixth, behind enterprise risk management and negative publicity
or reputation damage.
The Frost & Sullivan report also stresses the financial costs to
businesses of data leakage, estimating these at £25 to £100 per
record, not including reputation damage. Even the lower end of that
scale makes a breach like last year’s lost HMRC discs look extremely
expensive.
Pen testers
One of the big trends, therefore, is that organisations want
people who understand both the language of IT and the
language of management. Also valuable: legal knowledge,
given the importance of compliance with regulations such as
Sarbanes-Oxley (which applies to any company trading on the
US stock exchanges), Basel II (for European banks), the payment
card industry data security standard (DSS), HIPAA (for US
health care data) and the forthcoming EU directive on auditing,
as well as other national standards.
Andy Jones, a principal research consultant for the Information
Security Forum, says, “There’s a quote from the American Bar
Association – ‘If you can find a lawyer who understands infosecurity
you can’t afford them.’”
“One of the things we’ve found in people who have chosen
infosecurity as a profession,” Jones adds, “is that they all want to
be pen testers. It sounds fun and sexy, but the world only needs a
limited number of these. The industry needs people who can engage
with the business.”
Kent Anderson, a member of ISACA’s security management
committee, agrees: “Keeping a narrow, tool-oriented focus hasn’t
really served business very well because what you have is techies
trying to solve a business problem, where security is about
trying to protect all assets – intellectual property, the information
infrastructure, and computer networks.” Today’s infosecurity
professional, therefore, must be equipped to talk to executives
about the impact of risks to the organisation. You need three
types of skill, says fellow ISACA security management committee
member Rolf von Roessing: technical, business, and pure
security. In addition, you need what he calls “social awareness”.
That is, an understanding of what constitutes security risks in
everyday life.
That kind of professional can find interesting work
anywhere, in any industry. As an example, Andy Jones once
worked for a brewery IT project to reduce fraud. One of the
issues was the theft of aluminum kegs left lying outside pubs.
Jones put in a tracking system. “Within three months we
cracked an East End gang accounting for 80 per cent of our
fraud.”
Crossroads
Generally speaking, says Jacobs, there are two career paths.
One: working in an end-user environment, such as a bank or
manufacturer. Two: working for a vendor such as Symantec or
RSA; a consultancy of any size from a boutique specialist to one
of the big four accounting firms, or a systems integrator. Each
has its benefits and pitfalls.
Working for a vendor, says Jacobs, “can be quite dangerous. If
you’re working for a well-known vendor with great products, fantastic.
But if it’s a vendor with an unknown product and not particularly
successful and without a good understanding of the market, it can be
hard to move on.” For example, she says, look at the area of public
WHICH QUALIFICATIONS?
Qualifi cations by themselves won’t get you a job, but having them can
keep your CV from being thrown in the bin.
The list of available qualifications looks like alphabet soup.
Rolf von Roessing divides them into two categories: knowledge-
based and experience-based. The knowledge-based variety
includes vendor-issued qualifications and those issued by some
non-profit organisations that essentially test what you know.
The much smaller group of experience-based qualifications like
the CISM require you to demonstrate not only knowledge but
understanding; they aim to test your ability to think around
security issues.
“If you have several years’ experience you can pass them,” von
Roessing says of these, “but if not it’s probably diffi cult.”
Besides the ones von Roessing mentions, there are also academic
qualifi cations such as the MSc off ered by Royal Holloway and several
other universities around the UK.
The really hard part is knowing which to invest in. Von
Roessing suggests it’s a good idea to check on the maturity of
the organisation off ering the qualifi cation. Some organisations,
he says, “live off certifying people. We’ve seen in some cases that
the profession is diluted because one year you would have 2 000
certifi ed people and then fi ve years later 47 000. It’s not a realistic
proportion.” Plus, he says, an older organisation (like his own group,
ISACA, which was founded in 1969) off ers new professionals a
global network of professionals to join, in addition to certifi cations.
“You need to join a community and learn from older guys. It’s
essential, I feel.”
Also, remember to look beyond the pure security
qualifications, says John Colley. “The most important qualification
after the CISSP is an MBA. That reflects the fact that to get to the
more senior positions you have to have business experience and
understanding.”
Ruth Jacobs’ best advice: look at the ads on the IT job boards
and see what qualifications are being asked for before deciding
what to go for. Barclay Simpson runs a qualifications page on its
website in the security section and also publishes an annual report
on the sector.
ENISA publishes a guide to infosecurity qualifi cations at http://www.
enisa.europa.eu/
You need to work out when you’re entering the profession where you want to be…The longer someone is in one area, the harder it is to switchRuth Jacobs
Ruth Jacobs, Barclay Simpson Andy Jones, ISF
is055p20_23.indd 22is055p20_23.indd 22 05/08/2008 10:46:0105/08/2008 10:46:01
FEATURE
23JULY/AUGUST 2008
key infrastructures, which never grew as much as expected and is
now off -the-shelf technology. “People end up with a specialised area
and no demand.”
If, on the other hand, you’re thinking of working for a
consultancy, check out the types of projects you’ll be working
on and where they may be – some consultancies may have you
working at distant locations four days a week for months.
“You need to work out when you’re entering the profession where
you want to be,” she says. “The longer someone is in one of those
areas, the harder it is to switch.”
As for fi nding jobs as a newcomer to the profession, she
recommends surveying online job boards such as CWJobs and
Jobserve, talking to general recruitment agencies, attending graduate
recruitment fairs, and also talking direct to companies, both vendors
and end users.
Working for a consultancy may give you greater breadth
of experience than working in a single company would, says
von Roessing. Overall, he says, “Pick the right mix of skills
and subjects when you’re graduating.” And, he adds, make
sure to avoid doing anything that could get you a criminal
record. And do go for breadth of knowledge: “Those are the
people who are going to be most successful. There will always
be a need for specialists – but they’re putting themselves into
a career box.”
In the end, however you enter the profession, there is
no quick or easy road. The landscape for infosecurity is
constantly changing – and the road doesn’t stop when you get a
qualifi cation.
“We want the MSc to be the beginning of something, not the end,”
says Piper.
The three biggest drivers behind organisations’ information security practices [are] in order: regulatory compliance, privacy and data protection, and meeting business objectives
is055p20_23.indd 23is055p20_23.indd 23 05/08/2008 10:46:0505/08/2008 10:46:05