IT Security - What it Takes to be successful
Data and application security, privacy and, increasingly, compliance are critical in today's hyper-networked world. As enterprises make their data and applications available to the world, threats like denial of service, trojans, worms and phishing proliferate. Internal security has also become increasingly critical with the growth in the number of devices and the need for remote access. IT security professionals are the final line of defense against both internal and external threats. The skills and talent required to be successful in IT security have been evolving along with the threats. We caught up with experienced professionals in the field to find out what they think about the field, where it's going and what is needed to be successful in it. Follow the links below to see what they have to say...
Meet the IT Security Experts
We started out as a small endeavor to reach out and get the opinions and thoughts of people in the IT security field, and the response was overwhelming: we had close to a 100% response rate. It's my pleasure to introduce them and also to thank each one of them for their time, insights and advice.

Keith Crosley: An email security evangelist/researcher, Keith is the key spokesperson for Proofpoint, the leading independent provider of email security, email archiving and data loss prevention solutions. You can follow him on his blog or on Twitter.

Misha Hanin: With 10+ years of technical experience in systems administration and network administration, Misha is an expert at managing Microsoft and Novell networks, including managing the security of those networks. He is a frequent contributor to the Network Administrator blog on ITKnowledge Exchange, ITStuff.ca and thesystemadministrator.com.

David Oxley: Specializing in malicious code analysis and digital forensics, David is currently enrolled in a Master's program in Security Informatics at Johns Hopkins. David started his virus-fighting days back in 6th grade. He was a volunteer at Malwareremoval.com fighting malware. He has a Bachelor's in Computer Science from Emory. He aspires to serve the US Government in an information security role, especially as a malware analyst, incident handler, or computer forensics expert. His blog covers news and stories from the war on cybercrime.

Darrell Jones: With past experience such as Director of App Engineering Operations at Kaiser and IT Director at Guaranty Bank, Darrell has the unique ability to manage numbers, people and processes. Darrell has a Master's with a focus on IT Security. He is currently the National IT Program Portfolio Liaison at Kaiser Permanente.

Robert Newby: With 10+ years as a security consultant for blue chip companies, government, and security vendors on enterprise-level projects, Robert is currently the Principal Consultant at Symantec. His blog, "IT Security: The view from here", covers IT security in Europe.

Lawrence Pingree: Vice President of the Digital Forensics Association, member of the Open Web Application Security Project, member of the Silicon Valley chapter of the ISSA (Information Systems Security Association), Lawrence has over 13 years of information technology and security experience. His certifications include CISSP, CCSA, CCSE, CCSI, NSA, ICE, NSS, NCSA and NCSP. He covers hot topics in IT security in Pingree on Security - Information Security Simplified.

Robert McArdle: Having worked at Symantec and currently working at Trend Micro, saying Robert is interested in security and malware would be redundant. He is a mentor for the SANS Incident Handling and Hacker Exploits Certificate (GCIH) and also for their Security Essentials Certificate (GSEC), as well as a member of the SANS Advisory Board. His current title at Trend Micro is "Senior Antivirus Specialist". He blogs at Info Security / AV / Inane Ramblings.

Sebastian Bortnik: Working as a security analyst at ESET, Sebastian's job is to conduct research in security and malware. He is an active participant in security conferences and seminars. His blog

Shakeel Ali: One of the core founders of Cipher Storm Company, Shakeel's expertise in the security industry has brought marvelous benefits to various businesses and government institutions. He currently holds industry-leading certifications including CEH, SnortCP, OSCP, CCNA and an MSc in InfoSec. Shakeel is also an active and independent researcher who has been evangelizing security practices via articles and his blog at Ethical-Hacker.net. He has also assessed and measured the security of several business applications and network infrastructures for global organizations. He manages Ethical Hackers -A Security Driven Knowledge

Richard Stiennon: A veteran of the security industry and an industry analyst, Richard advises enterprises and government agencies on how to better protect their networks, and helps vendors serve those needs. He is currently writing "Surviving Cyber War", to be published fall '09. He covers security news, events and his thoughts in Threat Chaos.

Vijay Vedanabhatla: A senior consultant in the Enterprise Risk Services practice of Deloitte & Touche, Vijay specializes in the area of Security & Privacy Services.
IT Security - Need a Degree, Certification or Background?
What do you need to become a successful IT security expert - skills, degree, certification, or background?
This is part of the What it takes to be successful in IT Security series. Click Here to see more
Keith Crosley: You have to keep in mind I'm answering this from a marketing point of view. My role as Director of Corporate Communications at email security vendor Proofpoint is a marketing and communications role, but one where my technical background comes in very handy. I've been with Proofpoint since its relatively early days and so my job has had many different elements to it, including technical marketing aspects such as a healthy dose of product marketing and, to a lesser extent, product management type activities. As for being an "expert," I'm certainly perceived as something of an expert since I am relatively visible in my work as a spokesperson for Proofpoint. I am regularly quoted in technical, trade and business press on various topics related to IT security, email security and related technology issues. But when I make those statements, there are oftentimes a lot of other smart people (whether engineers, product managers, industry analysts) behind me informing those opinions! In terms of my own background, I have a B.S. in Mechanical Engineering and also did several semesters of graduate studies in English Literature. Overall, my specialty is really communicating about technical topics, whether those are press releases, product collateral, audio or video media, social media, etc. Before joining Proofpoint, I certainly wasn't an IT security professional. My own background has been primarily in technical communications or marketing communications roles in high-tech startups. While there are many excellent marketers in high-tech without technical backgrounds, I do feel that having some sort of technical credentials and education is extremely helpful. In addition to being a communicator, I'm a technologist. Having programming, web development, and other technical skills has been crucial to my success in many different sectors (I've had a pretty varied career that has included scientific software, consumer entertainment, semiconductors, enterprise software, etc.). I think it's important for marketers to understand the technologies that are at the core of their businesses. To me, those skills are always transferable, regardless of the specific industry focus of your current company.

Misha: I think it's important to have the right skills and background, but maybe most important is wanting to be an EXPERT :).
David Oxley: While certifications and degrees are very helpful in the industry, there is no replacement for raw skill and hands-on abilities. Knowledge of a range of operating systems and technologies, a good understanding of the current threat landscape and events in the infosec world, and the ability to show hands-on knowledge are far more crucial to being competitive. In addition, building relationships with others in the industry will always give you a leg up, if only through getting to know people who know security better (or differently) than you do.

Darrell Jones: Degrees are useful to initially begin one's career, but experience is the key success factor for any IT professional. Until you have experienced an attempted or successful systems penetration, the complexities of the role are truly not understood. Obtaining a strong background in systems engineering and administration is key. Until you understand how items such as Active Directory, DMZs, and storage work and are managed, you will not be any more effective than a firewall log watcher.

Robert Newby: You need to be able to think logically and to understand how IT 'fits together'. It's basically a matter of experience, and a certain amount of intelligence. Certification does not make an expert; it proves you have reached a certain level, and is a useful benchmark in getting jobs, nothing more.

Lawrence Pingree: First, look at everything with the question: "How can this be broken, thwarted or hacked?" I feel it is important to have a good background in network and systems as an administrator in both. I personally believe that a person must have worked for a small company where they must wear multiple hats in their IT department so that they have experience in the roles they will be responsible for making policy for as a security person. It also has the added effect of educating a person in multiple technologies in a fast-paced environment.
Robert McArdle: More than anything else you need to have a passion for security, as opposed to simply IT in general. In security you are constantly trying to keep one step ahead of the current attacks, and that means keeping up with blogs, papers, tools etc. on a regular basis - something that's hard to do if your heart is not 100% in it. For those who do enjoy security, however, the rewards far outweigh the downsides. In terms of skills etc. a couple of key areas spring to mind. People who do really well in security tend to have a naturally curious nature; the type of people who really enjoy puzzle solving. A computer science degree with a strong grounding in networks is definitely a good start. After that there are some excellent professional courses which are definitely worth a look, such as CEH, CISSP and the excellent courses offered by SANS. As a starting point I would also recommend subscribing to some security blogs. Start with only a small amount, and then gradually add more (and remove others) as you go along, otherwise the amount of posts will be a bit overwhelming. Some useful security blogs are Bruce Schneier's, eWeek, SecurityWatch and the blogs of the antivirus vendors.
Sebastian Bortnik: I'll answer in two parts.

To be a security expert it is necessary to study ... a lot. And it is also necessary to practice and be persistent in learning. As with other technology-related topics, the scenario is changing and new things appear every day.

Obviously, a degree or certification will be an added value in the job search and in being assisted in training. But knowledge of the subject, along with experience, will always be the key skills to become a security expert.

Now, to become a SUCCESSFUL security expert, it will depend on what success is for each one, and on the social and labor environment in which each one operates.
Shakeel Ali: Generally speaking, a core security background is always needed on top of a degree or certifications. This is because IT security is much more technical and covers almost every part of IT systems. However, getting certifications and other relevant qualifications can add value and prove your skill level to the employer.
Richard Stiennon: Of course a degree and certification are nice to have but the most important aspect for a career in security is hands on experience. So, look for opportunities with smaller consulting groups doing security assessments. Look at those that do post-event forensics. You could also join a security product vendor in a role as a researcher or in customer support. Look at MSSPs (Managed Security Service Providers) for a fast ramp up as they see all the problems every day. If you are currently employed as an IT person see if you can transition to the security team within your current employer.
Vijay Vedanabhatla: Skills: should have worked in at least the domains of risk management, access controls, network security and infrastructure/application security. Degree: Does not matter. But a math background would be helpful to understand risk assessments. Functional background is helpful too. Certification: I am not a big advocate of certifications but the market demands CISSP or equivalent. Background: does not matter.
IT Security - Technical or Management
Is IT security becoming a more technical position or becoming more management-oriented, like planning, assessment, compliance etc.?
Keith Crosley: Well, there are definitely changes on both fronts. As security threats proliferate and become more diverse, there are new specialty areas opening up. For example, one might specialize in email versus web security. But really, you only see that level of specialization in larger organizations. In a lot of IT organizations, IT security is just one of many hats worn by an IT manager or director. As regulatory compliance becomes more important and affects a larger number of organizations (I'm thinking here of things like US state encryption laws, data protection regulations and guidelines, which are really proliferating) there are more and more IT security roles that are management oriented. Keep in mind, however, that roles like CSO (Chief Security Officer) and CISO (Chief Information Security Officer) are still relatively uncommon compared to the number of CIO roles out there (not to mention the rarer Chief Compliance Officer, Chief Privacy Officer, etc.)! But overall, I would say that security is a clear growth area inside of IT.

Misha: Of course, it should combine all of those mentioned, maybe less management-oriented.

David Oxley: I think it's going in both directions. As management and the compliance side of things become more and more important, people with a deeper knowledge of the technologies involved are that much more important.

Darrell Jones: It is becoming more management oriented. With federally mandated rules such as HIPAA or SOX, there has been extensive review and action to shore up the security of organizations' systems and data. Today, penetration tests are commonplace. Therefore, a security professional is more in a consulting/managerial role because of all the specialization in the security field. In the past, security leaders started off their careers in technical roles, but all the positions, including the hands-on technical roles, are becoming more consultative.

Robert Newby: It depends on which route you take. I have been technical support, sales engineer, product manager, architect and now a consultant - I started off technical and realised I wanted to do more on the management side, so worked my way towards it. You tend to move into more management orientated jobs with experience and length of time served in a company. I've moved companies and contracted, so never got into senior management positions, but my work is very much management orientated.

Lawrence Pingree: IT security will always be solution oriented, so it is important to understand solutions when trying to secure environments. Compliance is only a portion of the security job and of course good security supports compliance activities; however, security is NOT compliance. Security is about risk reduction; compliance is the lowest bar to achieve, and it is important that security practitioners set the bar higher. This way you will be in compliance even if laws/regulations get tougher. Focus on risk reduction.

Robert McArdle: It really depends, to be honest; I think it is about finding the balance between the two. Some security roles will be very technical, others quite management-orientated, and a lot more will fall in the middle ground. The security industry is quite broad in its scope, including everything from reverse engineers, penetration testers, system security engineers, QA, consultants, managers and a whole lot more. Whether you find yourself leaning more towards the technical side or the management side there will certainly be roles that suit your focus, so it is best to concentrate on the areas that most interest you.

Sebastian Bortnik: IT security is increasingly becoming a matter of management. For proper management of information security in an organization, it is necessary to supplement the technology with process management, human resources, training and other non-technical factors. However, this doesn't mean that there aren't issues or jobs for more technical skills. But definitely, the CISO (Chief Information Security Officer) role needs management knowledge.

Shakeel Ali: Due to the vertical growth in new and advanced technology, it is quite acceptable that many companies require more technical expertise than just management. Although, for higher-level positions such as Chief Information Officer or Chief Technical Officer, it is quite often the case that both skills are necessary to run the organization. Thus, IT security has become a mixture of technical and management areas.

Richard Stiennon: It is splitting. On the one hand researchers and product developers are facing a continuous change in the technology of attacks as well as defenses. On the other hand regulatory compliance is pushing a huge boom on the managerial side.

Vijay Vedanabhatla: It is becoming more business specific. There are numerous tools/methodologies that help you in identifying vulnerabilities. But how do these relate to the specific business? This will be the question moving forward. Moreover, during these crunch times, it's all about ROI.
IT Security Certification - Is it a Must?
Is Certification in IT Security an Absolute Must?
Keith Crosley: Depends on what one wants to do, but there is definitely value in things like CISSP certification. In my own job as a marketer, this isn't a requirement, but I have met a number of technical marketing, professional services and sales engineering types in our industry who have benefited from such certifications.

Misha: In today's world, you should have a certification if you want to be invited to interview :), but I'd like to believe that it's still not a must.

David Oxley: No. It's a great help, and almost always worthwhile. However, skill trumps certification in most circumstances.

Darrell Jones: No, experience and hands-on knowledge are a must. Certification is a nice to have.

Robert Newby: Absolutely not; however, it helps you get noticed in a crowd, and at a time when jobs are thin on the ground and hard to get, they are useful. I'm not a big fan of certification, but I have been a CISSP for 3 years, and just qualified for this year's CLAS intake - so I guess I realize the significance of them.

Lawrence Pingree: CISSP is a must for security engineering; CISA and CISM are important for management and audit.
Robert McArdle: To me certification is very important - when you attend a security course and go through all of the time and effort to get certification, a lot more of the content is likely to actually stay in your head afterwards. Certain certificates like those mentioned above can definitely help when securing a role - in a lot of cases the interviewer will also have them/be familiar with them, so it's a quick way for them to know what skills you might have. That is not to say that people without certificates are any worse than those with them - some of the best people I know in the security industry have very few certificates and are streets ahead of other people who have an alphabet soup of letters on their CV. Think of it this way: if you are interviewing someone for a job and the one requirement was that they must be a fast runner - do you hire the guy who goes for a run every morning, or the one with several gold medals?
Sebastian Bortnik: There isn't an absolute must. There are a lot of issues and variables. In my opinion, the absolute must is knowledge. You can't develop in IT security without your skills. Nevertheless, certifications are an excellent added value to qualify for a job, or to have better chances.

Shakeel Ali: They are required to prove your skill level and background in the security field.

Richard Stiennon: Not at all, but it is a great start.

Vijay Vedanabhatla: If you have the experience to support it, you do not need certification. But the industry loves certifications.