Building the Human Foundation for IT Security
Many of our modern technologies have brought with them a trade-off between reward and risk. We depend on our cars, for instance, even though we all know that accidents happen. To mitigate the risk of driving, we maintain our automobiles and wear our seat belts. Auto manufacturers have added air bags and reinforced the structure of their cars. But no matter how safe and secure the car itself, we are all still vulnerable to the other drivers on the road.
Today, computers and IT systems send information across a different kind of highway, creating boundless opportunities, again with startling risks. And while the equipment we use for IT gets better and better, we find that there is one element of uncertainty in this new world that is the same as ever — the behavior of human beings.
According to a December 2002 survey of 638 U.S. organizations conducted by the Computing and Technology Industry Association (CompTIA), nearly one-third of companies had experienced between one and three major security breaches over the previous six months. In nearly all cases, human error was the most likely cause. Eighty percent of those respondents felt that a lack of security knowledge or training, and a resultant failure to follow security procedures, was the root cause of their troubles. When asked about possible solutions to this problem, 96 percent of the respondents said they would recommend security training for their IT staff, with 73 percent favoring a comprehensive security certification. Yet 69 percent of these companies had trained less than one-quarter of their IT staff, and 22 percent had trained none of their IT employees on security to date.
Information systems today power our telephone systems, upon which emergency services depend. They power hospitals, storing patient records and tracking care. They power airports, banks and other essential pieces of our modern lives. The risks involved in interrupting these systems carry far more gravity than ever before. And as good as our technology is getting, it’s still only as secure as the IT professionals who implement and configure it.
The U.S. Department of Homeland Security in its National Strategy to Secure Cyberspace has said that the two major barriers to improving cyber-security are a lack of familiarity, knowledge and understanding of security issues, and an inability to find sufficient numbers of adequately trained or appropriately certified personnel to create and manage secure systems. The department’s conclusion echoes the opinion of many in the IT industry. And for the first time, companies are working together to build a foundation of the skills necessary to effectively design and administer the security of IT systems.
The Role of Certification
Certifications in general provide a helpful marking point for IT professionals to validate their skills and for employers to evaluate current and potential staff members. Certifications, as much as college degrees, are a wonderful tool for documenting what we’ve learned and helping employers distinguish between the professionals who possess the required skills and those who don’t. They help both employers and IT professionals evaluate skill sets.
Also like a professional with a college degree, an IT professional who has obtained a security certification is not necessarily a full-blown expert on IT security. A decade ago, certification seemed like a Holy Grail for IT professionals. A certified professional had “arrived,” it was thought. But anyone who’s ever worked with a lawyer or a doctor knows that a person with five or 10 years of experience is generally quite preferable to someone who’s just completed her residency or passed his bar exam.
Much like a bar exam, certification could never substitute for years of experience. It shows only that a person basically knows what it takes—the person possesses the baseline skills and has done the homework necessary to be fit for that role. The certification proves that the foundational skills are there.
But as we’ve discussed, this distinction is increasingly critical. With IT so pervasive in our economy today, the stakes are much higher for companies that employ unskilled network administrators. A decade ago, the biggest price a company would generally pay for unskilled IT administration was downtime or wasted resources. Those things are bad enough. But they pale in comparison to someone stealing private information and then disclosing it, shutting down a major service, or altering public records.
Today there is malicious intent; hackers aren’t just hacking for the fun of it. Today a criminal doesn’t have to go to the bank to rob it. He can be hundreds or thousands of miles away, at any time of the day or night. Today a skilled hacker could potentially shut off runway lights, overturn a criminal conviction or open up a dam, with catastrophic consequences.
Security Certifications From Microsoft and CompTIA
Recently Microsoft, together with industry consortium CompTIA, made an announcement that it has taken the next step in this direction by creating formalized, standardized certifications for IT security professionals. The new certifications are part of a security-specialization program for both the Microsoft Certified Systems Administrator (MCSA) and Microsoft Certified Systems Engineer (MCSE) credentials. These programs provide a way for IT professionals to assess their current skills, develop those skills they still need and validate their ability to design and manage a secure computing environment.
While the core MCSA and MCSE certifications examine the participant’s ability to implement baseline security measures, the new MCSA: Security and MCSE: Security designations go beyond that baseline and look specifically at things like managing and troubleshooting service packs and security updates, and being able to implement and troubleshoot secure communications channels.
In addition, CompTIA’s Security+ certification is included in the program, allowing IT professionals to obtain platform-neutral security expertise. CompTIA represents more than 15,000 members across the IT industry, including hardware and software manufacturers, solution providers, distributors and educational organizations. Released in December 2002, Security+ has been adopted by a number of certification providers as a component of their certification programs.
The beauty of the CompTIA model is that it relies on industry cooperation. Companies across the industry, even intense rivals, sit down at the same table and agree on what these certifications need to contain. With Security+, not only did major industry players come to the table, but for the first time government agencies contributed as well—the National Institute of Standards and Technology, the FBI and the Department of Defense, to name a few. To my knowledge, it’s probably the first time in the IT world that training and certification have been acknowledged by the federal government as an important element in solving a nationwide problem.
For IT professionals who are interested in obtaining the security certification but are not sure how to begin, an up-front, cost-free skills assessment can help. The assessment will provide a tailored road map for obtaining the knowledge and skills required to fulfill the role of security specialist with a clear view for anyone looking to develop core security skills.
This alone can save a company and its IT professionals a great deal of time—imagine being asked to become a security specialist without even knowing what skills that job requires. Fortunately you don’t have to spend a month or more just figuring out what you need to know, as Microsoft and CompTIA have done that legwork for you.
Both the Microsoft security specializations and the Security+ designation have undergone a rigorous, methodical process to ensure t