July/August 2008 issue

How to get ahead in infosec

Gone are the days when infosec professionals were IT guys who had mistakenly stumbled into information security. Now, vendors and consultancy firms have an impressive array of qualified infosec pros to choose from. Wendy M Grossman asks how it’s possible to stand out from the crowd

It’s not so long ago – maybe five or six years – that someone in charge of recruiting infosecurity professionals probably knew everyone who mattered in the field. At the same time, most people entering the profession came from IT, often for no better reason than that they were the only people who’d ever set up a firewall.

Fred Piper, who founded the MSc (Master in Information Security) programme at Royal Holloway, University of London, and more recently a founder of the Institute of Information Security Professionals, says that as recently as the beginning of the 21st Century, infosecurity at the senior level was almost “a closed shop”. The direct impetus for setting up the IISP came when someone approached him at a conference and said, “This can’t go on, because now I have to prove to my board that my security people are competent and there’s no way of doing it.”

Things have changed. Demand for infosecurity professionals continues to grow worldwide. A report produced by Frost & Sullivan for the International Information Systems Security Certification Consortium (ISC2), which administers the CISSP exam, projects that the infosecurity workforce will grow from 1.66 million in 2007 to 2.69 million by 2012.

The latest survey from the corporate governance recruitment company Barclay Simpson, which serves primarily experienced practitioners, is a little less optimistic, given the tightening economy. However, it also notes that well-publicised data breaches are scaring companies, resulting in more infosec jobs.

Back to school

Expansion on this scale means that credentials are becoming increasingly important as a way of validating the backgrounds of strangers, while the pervasiveness of IT means that it is no longer possible to deal with infosecurity separately from more general business and regulatory issues.

Yesterday’s infosecurity professionals largely entered the profession more or less by accident; they came from IT and their hands-on experience was the only qualification they needed. Today’s prospective infosecurity professional needs both breadth and depth of knowledge, and should expect to need both experience and credentials.

“The industry is now becoming a profession,” says Paul Hansford, a member of the British Computer Society’s security forum. “When somebody like me came into the profession you learned as you went along because there weren’t professional qualifications.” Now, he says, “we’re seeing people who choose it as a profession and study for it.”

Ruth Jacobs, an information security specialist at Barclay Simpson, says her eight years of recruiting in the security sector tell roughly the same story: “It used to be seen as just an IT issue, and now it’s very much business-wide.” In addition, she says, even the IT side of things has broadened. Data deperimeterisation – the opening out of networks to mobile devices and workers – means that applications, as well as networks, must be secured, requiring different skills.

The findings of the tenth annual global information security survey, carried out by Ernst & Young for ISC2, bear this out.

The three biggest drivers behind organisations’ information security practices are no longer the former leader, technical threats such as worms and viruses and other attacks, but, in order: regulatory compliance, privacy and data protection, and meeting business objectives. Technical threats have dropped to sixth, behind enterprise risk management and negative publicity or reputation damage.

The Frost & Sullivan report also stresses the financial costs to businesses of data leakage, estimating these at £25 to £100 per record, not including reputation damage. Even the lower end of that scale makes a breach like last year’s lost HMRC discs look extremely expensive.

Pen testers

One of the big trends, therefore, is that organisations want people who understand both the language of IT and the language of management. Also valuable: legal knowledge, given the importance of compliance with regulations such as Sarbanes-Oxley (which applies to any company trading on the US stock exchanges), Basel II (for European banks), the Payment Card Industry Data Security Standard (PCI DSS), HIPAA (for US health care data) and the forthcoming EU directive on auditing, as well as other national standards.

Andy Jones, a principal research consultant for the Information Security Forum, says: “There’s a quote from the American Bar Association – ‘If you can find a lawyer who understands infosecurity, you can’t afford them.’”

“One of the things we’ve found in people who have chosen infosecurity as a profession,” Jones adds, “is that they all want to be pen testers. It sounds fun and sexy, but the world only needs a limited number of these. The industry needs people who can engage with the business.”

Kent Anderson, a member of ISACA’s security management committee, agrees: “Keeping a narrow, tool-oriented focus hasn’t really served business very well because what you have is techies trying to solve a business problem, where security is about trying to protect all assets – intellectual property, the information infrastructure, and computer networks.” Today’s infosecurity professional, therefore, must be equipped to talk to executives about the impact of risks to the organisation. You need three types of skill, says fellow ISACA security management committee member Rolf von Roessing: technical, business, and pure security. In addition, you need what he calls “social awareness”: an understanding of what constitutes a security risk in everyday life.

That kind of professional can find interesting work anywhere, in any industry. As an example, Andy Jones once worked on a brewery IT project to reduce fraud. One of the issues was the theft of aluminium kegs left lying outside pubs. Jones put in a tracking system. “Within three months we cracked an East End gang accounting for 80 per cent of our fraud.”

Crossroads

Generally speaking, says Jacobs, there are two career paths. One: working in an end-user environment, such as a bank or a manufacturer. Two: working for a vendor such as Symantec or RSA, for a consultancy of any size from a boutique specialist to one of the big four accounting firms, or for a systems integrator. Each has its benefits and pitfalls.

Working for a vendor, says Jacobs, “can be quite dangerous. If you’re working for a well-known vendor with great products, fantastic. But if it’s a vendor with an unknown product and not particularly successful and without a good understanding of the market, it can be hard to move on.” For example, she says, look at the area of public key infrastructures, which never grew as much as expected and is now off-the-shelf technology. “People end up with a specialised area and no demand.”

If, on the other hand, you’re thinking of working for a consultancy, check out the types of projects you’ll be working on and where they may be – some consultancies may have you working at distant locations four days a week for months.

“You need to work out when you’re entering the profession where you want to be,” she says. “The longer someone is in one of those areas, the harder it is to switch.”

As for finding jobs as a newcomer to the profession, she recommends surveying online job boards such as CWJobs and Jobserve, talking to general recruitment agencies, attending graduate recruitment fairs, and also talking directly to companies, both vendors and end users.

Working for a consultancy may give you greater breadth of experience than working in a single company would, says von Roessing. Overall, he says, “Pick the right mix of skills and subjects when you’re graduating.” And, he adds, make sure to avoid doing anything that could get you a criminal record. And do go for breadth of knowledge: “Those are the people who are going to be most successful. There will always be a need for specialists – but they’re putting themselves into a career box.”

In the end, however you enter the profession, there is no quick or easy road. The landscape for infosecurity is constantly changing – and the road doesn’t stop when you get a qualification.

“We want the MSc to be the beginning of something, not the end,” says Piper.