Jim Elkins is the network administrator for Tippecanoe County, Ind. But recently he took on security responsibilities, in addition to his other duties, because the subject interests him and he thought it might be a good career move.
"It is effectively my own cost, effort and time," he said.
Given recent events like the outbreak of the SQL Slammer worm and the overhanging threat of terrorism, companies are thinking more about security. Yet the economy has put a crimp in many organizations' budgets. Hiring freezes and layoffs are not unusual, and the tough fiscal climate could make it difficult for many companies to hire security professionals -- who are expensive but worthwhile.
Making the leap from network or system administration to information security is a good opportunity for some IT professionals. Some companies are looking inward when looking for security staff. In some cases, employees take on security duties in addition to their other work. Other times, they move strictly to security.
There are many solid reasons for companies to cultivate their own security staff, rather than hire employees from other firms or outsource the work.
First, it can save companies money, because seasoned security pros aren't cheap to hire. Second, offering a benefit like training to existing employees is good for morale. Long-term employees may feel a little burnt out, and moving them to security could provide a refreshing challenge. Finally, there is value associated with a company's having security professionals who already know its systems and business goals.
On-the-job training is also a plus for the employees. Demonstrated security experience and training looks mighty good on a resume in a field that is booming. Analyst firm International Data Corp., Framingham, Mass., predicts that the market for security-related products and services will jump to $45 billion by 2006, up from $17 billion in 2001. Security hardware is the big winner, which will experience a projected compound annual growth rate of 25%, IDC said. It's not hard to see why there's a good market for professionals who know how to use that security technology.
Gene Fredriksen, vice president of information security for Raymond James Financial, a large financial services firm in St. Petersburg, Fla., got involved with security as an outgrowth of his IT career. "As more and more information was exposed to public networks, the skill sets changed from access management to information protection," he said. "Along with the new threat models came new technologies and tools."
One approach involves companies dealing with most things in-house but using consultants for projects that require specialized knowledge, said Tari Schreider, director of security for Extreme Logic, an e-business solutions provider and consulting firm. Sometimes internal staff "is too close to the forest to see the trees" when it comes to security issues. Also, consultants have a good perspective because they see how a variety of companies handle the same issue, Schreider said.
Tippecanoe network administrator Elkins has used this approach. Once, the county government needed some firewall work done and, though Elkins could do it, it was worth having a consultant in because the consultant could do it faster, he said.
For many, security is something one must learn by doing. Classroom experience is helpful, but nothing beats in-the-trenches skills that doing security work provides.
"Generally, it is better to develop talents through on-the-job training and mentoring," Fredriksen said.
Yet a novice security professional needs a firm grounding in the discipline's basics, Fredriksen said. Studying the 10 domains covered by the Certified Information Systems Security Professional (CISSP) certification is a good way to start. "Many times, people only focus on a narrow security focus, such as the technology side. These are the individuals that will be hampered later in their career because they are not well-rounded," he said.
Generally, a background in TCP and Internet technology, such as network administrator experience, is important for a security professional, said Sondra Schneider, CEO and founder of Security University, a security training company in Stamford, Conn. Security is, in a lot ways, a control device on a network, she said.
Prospective security professionals should also know how to read packet headers to identify intrusions, Elkins said.
Fredriksen has worked with a local college on a security curriculum for internal candidates. The goal of this training and the accompanying Systems Security Certified Practitioner (SSCP) certification is to raise the security awareness of employees. It also identifies motivated candidates for departmental positions, he said.
A variety of backgrounds, in areas such as network engineering, internal auditing and application development, serves a person well, Fredriksen said. "Please note that I did not say system administrator," he said. "In my experience, many people confuse user maintenance with information security."
But being a good security pro is more than bits and bytes. Security pros need to be inquisitive and perhaps "even nosy," Elkins said. "One must be able to imagine (at the very least) unscrupulous deeds," he said.
This is the first of a three-part series on IT security careers. Look for part two on Wednesday and part three on Thursday.
FOR MORE INFORMATION:
- FEEDBACK: Calling all security officers. Did you travel an internal career path?
Send your thoughts to News Writer Edward Hurley.