Not All Security Pros are Equal

With security issues ranking at the top of IT's list of concerns, many companies are looking to hire 'security gurus' to keep their information and profits safe. But beware -- not just anyone should be protecting your network.

Companies are facing a tough challenge these days. Security risks, like the recent Zotob virus, are on the rise and security specialists are in high demand. This is forcing many companies to take on anyone calling themselves a security guru. But experts warn that organizations should look for a lot more than certifications before allowing someone to protect their corporate assets.

''Just having certifications doesn't make you a guru. Anyone can read a book and study for a test,'' says Stan Oien, manager of security specialists at CDW Corp., a provider of technology products and services in Vernon Hills, Ill. ''You need to look at their experience. Have they worked with the equipment that you have in-house and what is their philosophy about security?''

Oien says one immediate giveaway about a true security guru is the passion they show for the subject and technology. ''You can see the excitement when people start talking about it,'' he says.

Companies are quick to be fooled by certifications that candidates put on their resumes. While Oien thinks these are important, he says they must be balanced with real-world experience. ''You could have all these certifications and they could go stale pretty quickly,'' he says.

Rick Stiffler, senior manager of certification and learning development at Cisco Systems Inc. in Austin, Texas, agrees.

''If a person is going to dedicate themselves to being a true security guru, then they're going to have to constantly read up on new viruses, constantly evaluate new products and constantly attend conferences and training,'' he says.

He says companies are too quick to shy away from allowing their employees to continue their education or go to training. ''Training is always one of the hard skill sets to measure whether you're getting the return on your dollar right away. Something has to break or go wrong for companies to know whether their 'insurance' policy paid off,'' he adds.

A combination of real-world skills, industry certifications like the SANS Global Information Assurance Certification (GIAC), and vendor-based certifications (which Cisco offers) is a true measure of a person's ability, according to Stiffler.

But Sondra Schneider, founder and CEO of Security University, a Stamford, Conn.-based classroom and online educational outlet, says the critical skill that security gurus need is to fully understand how their own network functions.

''For instance, no certification can completely teach you about viruses. You get to understand viruses by understanding how your network is vulnerable to them,'' she says.

Schneider also advocates that security gurus start out as IT pros. ''The skill set should be how the network works, and more than just IP. You should know how [Microsoft] Exchange works and how you authenticate to the network,'' she says.

She also says ''a skilled security person knows what vendor tools can help them quickly identify an attack and, according to policy they've set, how to respond to the attack.

''With Zotob, you don't have days, weeks or months to learn about it,'' Schneider adds. ''No one's getting trained on this particular virus. You need someone who can spot the threat and then figure out how to patch for it or defend against it.''

Experts agree that to be a security guru, you need to know your way around the top products in a variety of categories.

''You need to be comfortable driving the big three firewalls from Cisco, Check Point and Juniper,'' says Joel Snyder, senior partner at Opus One, a consultancy in Tucson, Ariz.

Snyder concurs with Schneider that understanding basic IP and TCP/IP is mission-critical. He also recommends being able to work with protocol analyzers and wireless network discovery tools.

''To be a true network security pro, you need to have deployed a firewall, installed and managed an intrusion detection system, installed a site-to-site IPSec VPN, put together a remote access VPN, and have done some amount of penetration testing,'' he says.

He also recommends that security gurus have experience in writing up a security policy and doing forensic investigations on networks.

But Joanne Kossuth, CIO at Olin College in Needham, Mass., says she's skeptical of depending on one security know-it-all. Instead, she believes her whole staff should be trained in security, knowing how to look at logs and detect traffic anomalies or stop virus attacks.

She adds that getting someone with too much experience is out of the realm for many small-to-midsize companies. ''It's hard to justify a six-figure salary for someone just for security,'' she says.

Oien is in the same camp.

''You shouldn't expect someone to be a Jack of all trades. A well-rounded team is necessary,'' he says. In fact, Oien makes sure his group is well-versed in the basics, such as anti-virus, spyware, content filtering, encryption and wireless security.

Both Oien and Kossuth are proponents of ongoing training, making sure their teams continue their security education. ''They go to workshops and then share their knowledge with each other,'' Kossuth says.

Oien warns that companies also should push for non-technology disciplines, such as regulatory compliance. ''It's important to have knowledge of industry regulations as part of your security guru arsenal,'' he says.
