It's no secret that corporate IT systems are constantly threatened by hacker attacks and virus outbreaks. But only recently have companies come to realise the potential dollar costs of security lapses.
"The really bad security breaches that would make the hair on the back of your neck stand up are not being reported [in the media]," says David Foote, a managing partner at Foote Partners LLC, a US-based research and consulting firm specialising in the IT workforce. "But companies know about them, and they're scared."
As companies place an increased emphasis on security, says Foote, the role of the security professional is changing from a strictly back-office IT support role to one that's strategically tied in with the entire company.
"The stakes are high," says Foote, who is also a Computerworld columnist. "And the higher the stakes get, the more [security] is a business issue."
That means security professionals, especially those in top-level positions, will not only have to master technology to protect a company's IT systems, but they will also need to understand a company's entire business and be able to pinpoint which security breaches most threaten its bottom line.
Here's someone who's doing just that and is exactly the type of security professional companies will need most in the years to come.
Name: Chuck Ryan
Title: Director of information security
Company: Molex Inc., a 19,000-employee manufacturer of electrical and fibre-optic connection systems in Illinois.
Previous experience: Ryan is one of those experienced hands who were there in the early days of corporate IT and have watched their careers grow since. He graduated in 1982 from The Citadel in Charleston, SC, with a bachelor's degree in math and computer science. He was soon installing and tuning early-model operating systems at companies such as Pittsburgh-based aluminium giant Alcoa Inc.
In the early 1990s, when the field of IT security was just being born, Ryan landed a job as a data security administrator at Glaxo Inc., a pharmaceutical company in Research Triangle Park, N.C. He set security policy for a workforce of approximately 70,000 at Glaxo.
Ryan's experience gave him a thorough knowledge of the technical side of security, such as how to combat viruses and set up firewalls. He says those skills are important for anyone in the profession. But he also emphasises the importance of good communication and business skills.
"Tools come and go," Ryan says of security technology. "But policy is the foundation, what makes things happen."
Responsibilities: At Molex, Ryan decides what the company's security policies will be, relays them to employees and does internal audits to make sure those guidelines are being followed.
To protect the company from virus attacks, for example, Ryan decides what antivirus software will be installed on employees' computers and also writes instructions that employees at all levels of the company can understand.
Ryan says many security professionals make the mistake of focusing too narrowly on technology. He works closely with departments across the entire company to make sure that his policies are actually accomplishing what they're supposed to.
That's especially challenging - and important - in a global company like Molex. Predicting how workers will deal with something like a virus outbreak is easier said than done when you have offices as far away as Ukraine and Singapore, Ryan says.
"You always have a preconceived notion of how the organisation works," says Ryan. "But you have to go [to each country] to understand exactly what is going on."
And that's exactly what Ryan did. Shortly after he was hired, he toured Molex offices in Asia, Europe and Latin America. He found big differences in the way offices in different countries used technology - variations that would have to be accounted for in the company's security policies.
For example, a security policy might tell employees to go to an IT help desk when they encounter a virus attack, but the instruction won't make much sense in an office that uses roving IT support professionals instead of help desks, as Ryan found in some of the foreign offices he visited.
Now, Ryan sends his new policies to managers throughout the world for review. He also keeps in close contact with those managers by telephone and e-mail to make sure the policies are effective.
Working across national borders takes strong cross-cultural skills, says Ryan, but he also needs to be a good communicator and leader at the home office.
As the only employee specifically charged with IT security, he works especially closely with infrastructure managers and systems analysts to make sure they're making security a priority. He says he's a strong believer in the notion that security should be integrated into the work of the entire IT team and not limited to security specialists.
"I've been in environments where . . . there was a barrier between the two groups," Ryan says. "The security folks would almost talk down to the infrastructure group. You don't get anything done in a situation like that."
Who he is: Chuck Ryan
Job title: Director of information security
Company and location: Molex Inc., Lisle, Ill.
Nature of his work: Sets security policy and performs internal audits to make sure security guidelines are followed.
How he got the job: Ryan was contacted about the position by a recruiter specialising in placing security professionals.
Skills required: Thorough knowledge of IT infrastructure and IT security technology like firewalls and antivirus software is a must. But Ryan says that good writing, communication and business skills are also indispensable for anyone setting security policy.
Training needed: Ryan's only formal degree is a bachelor's degree in math with a focus on computer science, which he got in the early 1980s. He picked up most of his skills on the job, which he says is true of most security professionals. Becoming a Certified Information Systems Security Professional four years ago upped the number of job offers he gets, and he advises other security professionals to get the certification.
Salary potential: Ryan says most security professionals earn $US100,000 to $US200,000 per year.
Career path: "There's no end to what I could do careerwise," says Ryan. He's constantly getting job offers, since security professionals are in such high demand. His mix of writing and technical skills also stands him in good stead for a wide range of other business roles.