Companies are facing a tough challenge these days. Security risks, like
the recent Zotob virus, are on the rise and security specialists are in
high demand. This is forcing many companies to take on anyone calling
themselves a security guru. But experts warn that organizations should
look for a lot more than certifications before allowing someone to
protect their corporate assets.
“Just having certifications doesn’t make you a guru. Anyone can read a
book and study for a test,” says Stan Oien, manager of security
specialists at CDW Corp., a provider of technology products and services
in Vernon Hills, Ill. “You need to look at their experience. Have they
worked with the equipment that you have in-house and what is their
philosophy about security?”
Oien says one immediate giveaway about a true security guru is the
passion they show for the subject and technology. “You can see the
excitement when people start talking about it,” he says.
Companies are quick to be fooled by certifications that candidates put on
their resumes. While Oien thinks these are important, he says they must
be balanced with real-world experience. “You could have all these
certifications and they could go stale pretty quickly,” he says.
Rick Stiffler, senior manager of certification and learning development
at Cisco Systems Inc. in Austin, Texas, agrees.
“If a person is going to dedicate themselves to being a true security
guru, then they’re going to have to constantly read up on new viruses,
constantly evaluate new products and constantly attend conferences and
training,” he says.
He says companies are too quick to shy away from allowing their employees
to continue their education or go to training. “Training is always one
of the hard skill sets to measure whether you’re getting the return on
your dollar right away. Something has to break or go wrong for companies
to know whether their ‘insurance’ policy paid off,” he adds.
A combination of real-world skills, industry certifications like the SANS
Global Information Assurance Certification (GIAC), and vendor-based
certifications (which Cisco offers) are a true measure of a person’s
ability, according to Stiffler.
But Sondra Schneider, founder and CEO of Security University, a Stamford,
Conn.-based classroom and online educational outlet, says the critical
skill that security gurus need is to fully understand how their own
network functions.
“For instance, no certification can completely teach you about viruses.
You get to understand viruses by understanding how your network is
vulnerable to them,” she says.
Schneider also advocates that security gurus start out as IT pros. “The
skill set should be how the network works, and more than just IP. You
should know how [Microsoft] Exchange works and how you authenticate to
the network,” she says.
She also says “a skilled security person knows what vendor tools can
help them quickly identify an attack and, according to policy they’ve
set, how to respond to the attack.
“With Zotob, you don’t have days, weeks or months to learn about it,”
Schneider adds. “No one’s getting trained on this particular virus. You
need someone who can spot the threat and then figure out how to patch for
it or defend against it.”
Experts agree that to be a security guru, you need to know your way
around the top products in a variety of categories.
“You need to be comfortable driving the big three firewalls from Cisco,
Check Point and Juniper,” says Joel Snyder, senior partner at Opus One,
a consultancy in Tucson, Ariz.
Snyder concurs with Schneider that understanding basic IP and TCP/IP is
mission-critical. He also recommends being able to work with protocol
analyzers and wireless network discovery tools.
“To be a true network security pro, you need to have deployed a
firewall, installed and managed an intrusion detection system, installed
a site-to-site IPSec VPN, put together a remote access VPN, and have done
some amount of penetration testing,” he says.
He also recommends that security gurus have experience in writing up a
security policy and doing forensic investigations on networks.
But Joanne Kossuth, CIO at Olin College in Needham, Mass., says she’s
skeptical of depending on one security know-it-all. Instead, she believes
her whole staff should be trained in security, knowing how to look at
logs and detect traffic anomalies or stop virus attacks.
She adds that getting someone with too much experience is out of the
realm for many small-to-midsize companies. “It’s hard to justify a
six-figure salary for someone just for security,” she says.
Oien is in the same camp.
“You shouldn’t expect someone to be a Jack of all trades. A well-rounded
team is necessary,” he says. In fact, Oien makes sure his group is
well-versed in the basics, such as anti-virus, spyware, content
filtering, encryption and wireless security.
Both Oien and Kossuth are proponents of ongoing training, making sure
their teams continue their security education. “They go to workshops and
then share their knowledge with each other,” Kossuth says.
Oien warns that companies also should push for non-technology
disciplines, such as regulatory compliance. “It’s important to have
knowledge of industry regulations as part of your security guru
arsenal,” he says.