
The security specialists

Safeguarding IT requires top-notch technical skills and solid business knowledge.


As director of IS for Sun Life Financial's U.S. operations, David Cullinane had his hands full. His responsibilities included risk assessment, setting policy standards, password protection and generally overseeing security for Sun Life's U.S. network.

"I had to deal with everything from how to configure a firewall to what's required so we could use digital signatures to sign a contract with partners," Cullinane says. "Being in security requires an incredible breadth of knowledge. I read constantly."

There's plenty to read - and learn - for security pros such as Cullinane, who has since moved on to a consulting job with hardware encryption vendor nCipher in Woburn, Mass. Password protection, digital signatures, network authentication and Secure Sockets Layer are just some of the subjects to master.



Yet technology is only part of the challenge. Becoming an IT security director requires familiarity with setting security policies and procedures as well as a solid understanding of the underlying business the company is securing, says Tom Clark, director of system security for MFS Investment Management in Boston.

"You really need to understand the firm's business plan and relate that to security," Clark says. "If we are rolling out a new Internet site or a new technology, I need to make sure I'm there at the right time putting in the right security tools to enable us to conduct business in a secure way."

Clark has worked in the security field for five years. To help him with the business end, he earned a master's degree in business administration several years ago. But while he also reads constantly, he says it's impossible for a security manager to be an expert in every aspect of the field.

"You may not be an encryption expert," he says. "But you have to know what it's all about. If you don't have that, you aren't going to be effective in this job because you will not have credibility."

Increasingly, security professionals are using certifications to boost their credentials and immerse themselves in the technology. Perhaps the most comprehensive of these is the Certified Information Systems Security Professional (CISSP) certification, which is offered by the International Information System Security Certifications Consortium.

Earning CISSP certification is difficult. It requires proficiency in 10 domains, among them cryptography, application and system development, disaster recovery, network security and investigations. Currently, there are only about 4,000 people with CISSP certifications. That might explain why Nick Sterling, who recruits security professionals at Boston Professional Search, says that those with the certification can often earn a premium on their salary.

"If there were two people going for the same position and one of them had the CISSP, they could probably get anywhere from 10% to 20% more," Sterling says. "It's kind of like the CPA of IT."

But others say managers view certifications differently, whether a CISSP or certifications offered by groups such as the System Administration, Networking and Security Institute, which offers certifications in such areas as forensics, VPNs and securing Unix.

"Certifications are an excellent mark that someone considers themselves a security professional and has a keen interest and some baseline knowledge," Clark says. "But I place more reliance on actual experience than on a certificate."

The security field is shifting constantly, according to Cullinane and others. On one hand, there is a trend toward increasing specialization. On the other hand, more and more firms are outsourcing their security operations and retaining just a handful of people to provide advice and consent about various security matters, Cullinane says.

For those looking to advance in the field, Eddie Schwartz, a vice president with Guardent, a security consulting firm in Boston, says a broad background is important.

"Being a generalist is really a good thing," he says. "But understanding how data centers work and understanding how networks are put together and what databases do - plus having worked in security - is just as important."

Being a skilled communicator is also helpful, says Schwartz, who worked for five years as chief security officer for Nationwide Insurance.

"A big part of the job is dealing with the politics involved in making security successful," he says. "In my last job I was probably 50% politician, 30% salesman and 20% technologist."

But for those who are willing, there are plenty of opportunities. The number of firms that spend more than $1 million annually on security products and services has grown from 8% in 1998 to 25% today, according to one recent survey.

"This field is red-hot," MFS's Clark says.

Duffy is a freelance writer in Haydenville, Mass. He can be reached at tomduffy62@aol.com.

RELATED LINKS

A site with wide-ranging information and services.

The Center for Education and Research in Information Assurance and Security, or CERIAS, a university-based center for research and education in information security.

System Administration, Networking, and Security Institute (SANS), a cooperative research and education organization through which more than 96,000 system administrators, security professionals, network administrators and others share information and search for solutions to common problems.

The Financial Services Information Sharing and Analysis Center, a quasi-public organization dedicated to protecting the infrastructure of the finance and banking industries.


Certifications International Information System Security Certifications Consortium Inc.

SANS GIAC training and certification program



Copyright, 1994-2006 Network World, Inc. All rights reserved.