Reader ROI
- Learn how to build a team to handle information security
- Find out how to hire skilled security professionals
- See how to use your IT organisation as a security staffing resource
LAST YEAR, DAVID SAUL, executive vice president and CIO of commercial insurer Zurich North America, pulled a dozen IT staffers away from their daily tasks to combat a virus that was attacking the company’s firewalls. They did a good job limiting the damage, but it took two days — two days in which other work did not get done. Next time, Saul hopes to be ready to respond before a threat surfaces. “We want to be in a safety zone that doesn’t require that kind of immediate mobilisation,” he says. That’s why Saul increased his full-time information-security staff from 12 to 18 people, mostly by training, reorganising and reassigning IT people to security. “Good security equals prevention, detection and reaction,” says Saul. “If you’re not going to staff to make the process work, then your exposure to security breaches is higher.” That exposure is an increasingly widespread problem. In a 2001 survey of security practitioners conducted by the Computer Security Institute and the FBI, 85 per cent of respondents (primarily from large corporations and government agencies) had detected computer security breaches in the previous year, and 64 per cent of those respondents acknowledged suffering financial losses. In fact, there’s no limit to the damage evildoers can inflict. In this environment, many people believe that it’s sheer madness to have an IT staff handling information security on an ad hoc basis. “It’s a hard-and-fast rule, in my opinion,” says John Hartmann, vice president of security and corporate services of Cardinal Health, a $US47 billion health-services provider. “If the two roles are shared, business priorities will drive security to a lower priority.” Tim Mitchell, CIO of Sarnoff, an electronic, biomedical and information technologies company, disputes that, saying that his IT staff handles security very well, thank you. 
But he does agree that people charged with security responsibility must be organised into a team — as his are — carrying out a coherent security program that sets out specific responsibilities and requires regular meetings. A security team needs to set policies and procedures, assess vulnerability, detect intrusion, respond to incidents and manage security architecture. And perhaps most important of all, it needs a leader. Finding skilled security professionals to carry out this mission can be tough, and the alternative — training in-house IT staffers who are security novices — can be costly and time-consuming. Outsourcing security is another option. But whichever route you choose, here are some ways to enhance your chances of success.
A Shopper’s Guide
CIOs looking to hire skilled, experienced security people could be in for a rude awakening: there aren’t many out there. The gap between supply and demand is the largest among all IT skills, says David Foote, president and chief research officer of Foote Partners, an IT-workforce research consultancy. “[In the US] employers can fill only one out of 13 jobs,” he says. But even in a buyer’s market, CIOs need to know how to compete for the best candidates. Here’s what you can do.

Analyse your needs. No self-respecting security professional wants anything to do with a company that’s clueless about why it’s hiring him, says Lee Kushner, CEO of LJ Kushner and Associates, a recruiting company that focuses on security personnel. So figure out what your company needs, either through an in-house assessment or with the help of a consultancy. But be warned: help doesn’t come cheap. Outside evaluation can run up to $US500,000 for a full-blown examination of a global organisation.

Look smart. The security industry is very insular, says Kushner, and potential employers need to know the secret handshakes. Specialised recruiters are the best way in. Unlike large general recruiting companies, specialised recruiters have deep and wide contacts in the security community. “I’ve tried all kinds of firms,” says Denis Verdon, first vice president and global head of information risk management for Instinet, a $US1.5 billion New York City operator of an electronic trading network for institutional investors and brokers. “And usually it’s the specialists who provide higher rates of good-quality résumés.” CIOs who strike out on their own have to find their own leads. Bill Boni, chief information security officer for Motorola, the $US30 billion communications equipment manufacturer, says the military is a particularly good source for security people. Universities are a good source of entry-level people.
Alan Paller, director of research for the SANS Institute, an information-security training and professional organisation, suggests that CIOs raid the security-services companies they’re using. “There are so many consulting firms, and so few that are doing well,” he says. “Many of their consultants are desperately looking for jobs in the real world.” Boni agrees, adding that, of course, the CIO should inform vendors that they’re in the market for personnel. Once the vendors know that, he says, those looking to downsize will be only too happy to help. And placing their consultants with the companies they do business with has an upside. “Now they’ve got an ongoing relationship with alumni inside your organisation, who are well-positioned to identify other opportunities,” Boni says.
You’ve Got ’Em — Now What?
Once you’ve found the workers you want, you need to keep them. Tools, recognition and salary are the glue that will make them stick with you.

Tools talk. Tools are crucial. Security professionals strive to be what they call masters, people at the top of the security pyramid. Making cutting-edge technology available to them will help them feel that they’re achieving that status. “If you make them work with old tools — mainframe applications and Novell, for example — you’ll really frustrate them,” says Paller. So if you’ve got a sophisticated IT environment, flaunt it. Some of the most desirable toys for security folk, according to HR consultant H Michael Boyd, include Nessus (a cutting-edge network scanner), Snort (a leading intrusion-detection tool) and RAT (a system-tester for routers).

Make ’em feel loved. CIOs looking to woo candidates can offer to pay for training, certification and conference attendance. Recruiter Kushner says he’s negotiated conference attendance into employment agreements. Promising to send security people to at least one good conference or training program a year should keep them happy, says Paller. Security people also thrive on recognition, says Paller. This recognition should be more than a pat on the back or a “thank you” e-mail. It has to be public. A good tactic is allowing security people to present their work at a conference so that they get external validation too. Security professionals can lose motivation if they don’t feel they have management’s support. That is true for any employee, but the stakes are a lot higher when you’re dealing with people who have top-level access to your systems. Within reason, CIOs need to back security people in conflicts between security and business needs.

Money talks too. Don’t forget to keep salaries competitive.
In the US, line security engineers command anywhere from $60,000 at the lowest levels to the high five figures at the top, and heads of security can command between $130,000 and $180,000, says Maria Schafer, program director for human capital management at Meta Group. The best way to benchmark salaries is by talking to specialised recruiters and networking among peers who have hired security people, because in an evolving field like security, salary surveys are usually out of date by the time they are published.
If you don’t want to go out on the open market, Paller suggests looking to your systems and network administrators. They’ve got great technical skills and probably good (albeit uneven) knowledge of security concepts and issues. And they’ve likely tinkered with the security of their environment and responded to incidents as part of their IT duties. “They’re just waiting for you to say: ‘We care enough about security to let you do it full-time, and we’ll keep your skills honed too,’” says Paller. Consider giving them the training to become dedicated security staffers. But how do you get started? First, ask for volunteers. Boni, who’s built nearly his entire security staff by repositioning IT people, says that has worked best for him. “I’ve found that they just come out of the woodwork,” he says. When deciding whom to take, don’t just look for technical skills. Check for honesty and ethics (consider making a background check if they didn’t have one when they were hired) and look for interpersonal skills. You want someone who will work out differences with internal customers over security needs versus business requirements. “An individual with a collaborative touch will listen to what the business needs are and find a solution without falling back on a right/wrong, black/white approach that will anger the user,” says Cardinal Health’s Hartmann. Once you’ve identified the best candidates, get them trained. At the very least, they need training in general Security 101 issues, such as network security and security forensics, says Steve Katz, former chief information security and privacy officer of Citigroup and Merrill Lynch, and now an independent consultant. Then they can learn more discrete specialties, such as firewall administration and intrusion detection. There are several ways to train them, including the following.

Have consultants train your staff. Training your new security people could take months. In the interim, someone has to handle your security needs, and most likely that will be a consultancy. That same company can be a great training resource, says Hartmann, who’s had security companies and Big Five companies train some of his security people. This training can be largely hands-on, and most companies will be happy to negotiate it into the contract, says Verdon.

Offer certification courses. Experts say certification isn’t necessary for security professionals — it’s really experience and skills that count. Nonetheless, putting your staff through certification courses can be valuable, and it doesn’t have to be expensive.

Have vendors provide training. Security products vendors such as Check Point Software Technologies, Cisco Systems and Symantec all provide extensive training on their tools, some of which lead to their own certifications. Paller says this kind of training is as important as conceptual training. But he warns that vendor training can be expensive.

Organise internships. Boni recommends sending security people to other companies to have them intern with more experienced professionals. It’s easier if your company is affiliated with a larger organisation, he says, but other companies might also offer this opportunity, known as a secondment. “Basically they’ll take your staff person’s effort in exchange for free training and call it even,” he says.

Keep up with the times. Because security is a rapidly changing field, ensure that your staff takes advantage of online threat-tracking resources such as SANS’ Incidents.org and Bugtraq at SecurityFocus.com. Staffers should also attend the most important conferences, such as the RSA Conference and the SANS Conference, where they’ll network with peers. Finally, says Schwartz, security staff should update you about new threats on a weekly basis.
“If the CIO gets an e-mail alert and sees something he’s never heard about from his security team, it’s an indicator that things aren’t going as they should,” he says. Of course, none of the steps outlined in this article will help you if you don’t establish security consciousness throughout your entire IT organisation, says Schwartz. “You can hire a million security people and not solve your problems if security isn’t embedded deep within everything you do in IT.”