The security specialists
Safeguarding IT requires top-notch technical skills and solid business knowledge.
As director of IS for Sun Life Financial's U.S. operations, David Cullinane had his hands full. His responsibilities included risk assessment, setting policy standards, password protection and generally overseeing security for Sun Life's U.S. network.
"I had to deal with everything from how to configure a firewall to what's required so we could use digital signatures to sign a contract with partners," Cullinane says. "Being in security requires an incredible breadth of knowledge. I read constantly."
There's plenty to read - and learn - for security pros such as Cullinane, who has since moved on to a consulting job with hardware encryption vendor nCipher in Woburn, Mass. Password protection, digital signatures, network authentication and the Secure Sockets Layer (SSL) protocol are just some of the subjects to master.
Yet technology is only part of the challenge. Becoming an IT security director requires familiarity with setting security policies and procedures as well as a solid understanding of the underlying business the company is securing, says Tom Clark, director of system security for MFS Investment Management in Boston.
"You really need to understand the firm's business plan and relate that to security," Clark says. "If we are rolling out a new Internet site or a new technology, I need to make sure I'm there at the right time putting in the right security tools to enable us to conduct business in a secure way."
Clark has worked in the security field for five years. To help him with the business end, he earned a master's degree in business administration several years ago. But while he also reads constantly, he says it's impossible for a security manager to be an expert in every aspect of the field.
"You may not be an encryption expert," he says. "But you have to know what it's all about. If you don't have that, you aren't going to be effective in this job because you will not have credibility."
Increasingly, security professionals are using certifications to boost their credentials and immerse themselves in the technology. Perhaps the most comprehensive of these is the Certified Information Systems Security Professional (CISSP) certification, which is offered by the International Information Systems Security Certification Consortium, known as (ISC)².
Earning CISSP certification is difficult. It requires proficiency in 10 domains, among them cryptography, application and system development, disaster recovery, network security and investigations. Currently, there are only about 4,000 people with CISSP certifications. That might explain why Nick Sterling, who recruits security professionals at Boston Professional Search, says that those with the certification can often earn a premium on their salary.
"If there were two people going for the same position and one of them had the CISSP, they could probably get anywhere from 10% to 20% more," Sterling says. "It's kind of like the CPA of IT."
But others say managers view certifications differently, whether a CISSP or certifications offered by groups such as the System Administration, Networking and Security Institute, which offers certifications in such areas as forensics, VPNs and securing Unix.
"Certifications are an excellent mark that someone considers themselves a security professional and has a keen interest and some baseline knowledge," Clark says. "But I place more reliance on actual experience than on a certificate."
The security field is shifting constantly, according to Cullinane and others. On one hand, there is a trend toward increasing specialization. On the other hand, more and more firms are outsourcing their security operations and retaining just a handful of people to provide advice and consent about various security matters, Cullinane says.
For those looking to advance in the field, Eddie Schwartz, a vice president with Guardent, a security consulting firm in Boston, says a broad background is important.
"Being a generalist is really a good thing," he says. "But understanding how data centers work and understanding how networks are put together and what databases do - plus having worked in security - is just as important."
Being a skilled communicator is also helpful, says Schwartz, who worked for five years as chief security officer for Nationwide Insurance.
"A big part of the job is dealing with the politics involved in making security successful," he says. "In my last job I was probably 50% politician, 30% salesman and 20% technologist."
But for those who are willing, there are plenty of opportunities. The number of firms that spend more than $1 million annually on security products and services has grown from 8% in 1998 to 25% today, according to one recent survey.
"This field is red-hot," MFS's Clark says.
Duffy is a freelance writer in Haydenville, Mass. He can be reached at tomduffy62@aol.com.
Related links
The Center for Education and Research in Information Assurance and Security (CERIAS), a university-based center for research and education in information security.
System Administration, Networking, and Security Institute (SANS), a cooperative research and education organization through which more than 96,000 system administrators, security professionals, network administrators and others share information and search for solutions to common problems.
The Financial Services Information Sharing and Analysis Center (FS-ISAC), a quasi-public organization dedicated to protecting the infrastructure of the finance and banking industries.
Certifications: the International Information Systems Security Certification Consortium Inc., or (ISC)², which administers the CISSP; and the SANS GIAC training and certification program.
