Tuesday, April 16, 2024

Not All Security Pros are Equal

Companies are facing a tough challenge these days. Security risks, like the recent Zotob virus, are on the rise and security specialists are in high demand. This is forcing many companies to take on anyone calling themselves a security guru. But experts warn that organizations should look for a lot more than certifications before allowing someone to protect their corporate assets.

“Just having certifications doesn’t make you a guru. Anyone can read a book and study for a test,” says Stan Oien, manager of security specialists at CDW Corp., a provider of technology products and services in Vernon Hills, Ill. “You need to look at their experience. Have they worked with the equipment that you have in-house and what is their philosophy about security?”

Oien says one immediate giveaway about a true security guru is the passion they show for the subject and technology. “You can see the excitement when people start talking about it,” he says.

Companies are quick to be fooled by certifications that candidates put on their resumes. While Oien thinks these are important, he says they must be balanced with real-world experience. “You could have all these certifications and they could go stale pretty quickly,” he says.

Rick Stiffler, senior manager of certification and learning development at Cisco Systems Inc. in Austin, Texas, agrees.

“If a person is going to dedicate themselves to being a true security guru, then they’re going to have to constantly read up on new viruses, constantly evaluate new products and constantly attend conferences and training,” he says.

He says companies are too quick to shy away from allowing their employees to continue their education or go to training. “Training is always one of the hard skill sets to measure whether you’re getting the return on your dollar right away. Something has to break or go wrong for companies to know whether their ‘insurance’ policy paid off,” he adds.

A combination of real-world skills, industry certifications like the SANS Global Information Assurance Certification (GIAC), and vendor-based certifications (which Cisco offers) are a true measure of a person’s ability, according to Stiffler.

But Sondra Schneider, founder and CEO of Security University, a Stamford, Conn.-based classroom and online educational outlet, says the critical skill that security gurus need is to fully understand how their own network functions.

“For instance, no certification can completely teach you about viruses. You get to understand viruses by understanding how your network is vulnerable to them,” she says.

Schneider also advocates that security gurus start out as IT pros. “The skill set should be how the network works, and more than just IP. You should know how [Microsoft] Exchange works and how you authenticate to the network,” she says.

She also says “a skilled security person knows what vendor tools can help them quickly identify an attack and, according to policy they’ve set, how to respond to the attack.

“With Zotob, you don’t have days, weeks or months to learn about it,” Schneider adds. “No one’s getting trained on this particular virus. You need someone who can spot the threat and then figure out how to patch for it or defend against it.”

Experts agree that to be a security guru, you need to know your way around the top products in a variety of categories.

“You need to be comfortable driving the big three firewalls from Cisco, Check Point and Juniper,” says Joel Snyder, senior partner at Opus One, a consultancy in Tucson, Ariz.

Snyder concurs with Schneider that understanding basic IP and TCP/IP is mission-critical. He also recommends being able to work with protocol analyzers and wireless network discovery tools.

“To be a true network security pro, you need to have deployed a firewall, installed and managed an intrusion detection system, installed a site-to-site IPSec VPN, put together a remote access VPN, and have done some amount of penetration testing,” he says.

He also recommends that security gurus have experience in writing up a security policy and doing forensic investigations on networks.

But Joanne Kossuth, CIO at Olin College in Needham, Mass., says she’s skeptical of depending on one security know-it-all. Instead, she believes her whole staff should be trained in security, knowing how to look at logs and detect traffic anomalies or stop virus attacks.

She adds that getting someone with too much experience is out of the realm for many small-to-midsize companies. “It’s hard to justify a six-figure salary for someone just for security,” she says.

Oien is in the same camp.

“You shouldn’t expect someone to be a Jack of all trades. A well-rounded team is necessary,” he says. In fact, Oien makes sure his group is well-versed in the basics, such as anti-virus, spyware, content filtering, encryption and wireless security.

Both Oien and Kossuth are proponents of ongoing training, making sure their teams continue their security education. “They go to workshops and then share their knowledge with each other,” Kossuth says.

Oien warns that companies also should push for non-technology disciplines, such as regulatory compliance. “It’s important to have knowledge of industry regulations as part of your security guru arsenal,” he says.
