Security: Key to Your Career
The intensified concern about security is undeniable, and it is no different in the IT industry. The need and demand for the security of information is as much a priority as national safety. Taking this into consideration, how can you as an IT professional align yourself to capitalize on the new opportunities available in this field? And what does being that ideal security professional require?
Who Is Affected by Information Security?
First, let’s look at who is impacted by the need for increased information security. It is not just the IT staff, but rather each and every worker in an organization. Think of the need for information security like a pyramid with three main levels. At the top are the high-level, fully qualified security consultants and chief technical executives who have the ability to look at an organization in its entirety and make specific recommendations about the risks, the way the business should be structured from a technology standpoint and how to mitigate the risk at a very high level. This group needs to define the security parameters and credentials of a security professional and be thoroughly trained and certified.
In the middle of the pyramid, you have the people who support the network and infrastructure. This includes the thousands of certified professionals who work on networks and data centers. They are extremely important because they largely define the security framework that lies below the security architecture of the organization. This group encompasses everyone within the IT department, from the network engineers to the systems administrators to the desktop support analysts. These individuals need to be retrained on what they do to properly shore up security in their organization. To be most effective, security is not just the responsibility of the security personnel, but rather of everyone in the IT arena.
At the very bottom of the pyramid is every knowledge worker. What fundamental things do they do day in and day out on their computers and on the network? If every one of these individuals were trained on and did just a few specific things in regard to overall information security, significant improvements would be made. This includes everything from protected passwords and user rights down to secure use of communication tools, such as instant messenger and e-mail. In general, everyone who operates a computer in a network capacity needs to be retrained to be more security-aware.
“There is always the possibility of tremendous threats and widespread, catastrophic terrorist incidents,” said Tom Santaniello, U.S. public policy manager with CompTIA. “But what is even more startling is the amount of vulnerabilities we leave ourselves open to. We do need the very high-level security training, but what will make the biggest impact is the mid- to entry-level training. If we start to address some of the basic principles, we can eliminate a lot of these liabilities. There will always be threats, you cannot control that, but what you can control is your level of vulnerability.”
Information security initiatives are not just centered on securing information against terrorism and protecting the economy. They are also about securing information to comply with federal, state and local government standards.
The Need for Information Security
The real link to cyber-terrorism is the fact that the United States could be brought to its knees at a variety of levels—militarily, economically or politically—if its critical infrastructure were to be attacked. If the Internet were brought down or if major financial institutions were crippled, even for an hour or two, the cost to the economy and to consumer confidence would be enormous.
“Clearly the increasing prevalence of technology-related criminal activities, such as identity theft and online fraud, and the more spectacular exploits of hackers and other cyber-criminals, show that the challenges are very real,” said Bill Boni, chief information security officer for Motorola. “The difficulty is finding, identifying, prioritizing and deploying appropriate safeguards consistent with the business interests and critical operational needs—especially in this very dynamic space that deals with a diverse array of threats and risks that are developing and changing rapidly.”
Nearly every corporation can be considered vulnerable to being brought down by a criminal or cyber-attack. Statistics from the 2002 FBI/CSI Computer Crime and Security Survey show some of the potential for loss:
- Ninety percent of large corporations and government agencies had security breaches in the past 12 months.
- Eighty percent of these organizations acknowledged financial losses due to computer breaches.
- Forty-four percent were willing and/or able to quantify their financial losses, and reported more than $455 million in financial losses.
From these staggering statistics, it is obvious that the need to protect valuable company assets has shifted from the IT data center to a corporate priority. Security threats originate from both inside and outside the organization. If employees are not properly trained on security issues, vital information could fall into the wrong hands.
Greatest Security Risks in IT
“I do not think that people want to talk about what a significant cyber-attack would mean for our economy,” said Santaniello, CompTIA. “What if some incident occurred that led people to believe that any electronic transaction with your ATM or credit card left you vulnerable? If we had to constantly overcome these hurdles—which directly affect our economy—we are going to fall victim. In my opinion, the economy is at stake, and this is what IT security is about.”
In March 2003, CompTIA released “Committing to Security: A CompTIA Analysis of IT Security and the Workforce,” in which human error—not technical malfunction—was reported to be the most significant cause of IT security breaches in the public and private sectors. In fact, this was the case for more than 63 percent of identified security breaches. Additionally, 80 percent of respondents said that a lack of IT security knowledge and training, or failure to follow security procedures, were the root causes of human error.
“Some of the security breaches are malicious and intentional, but the majority of them occur because people do not have the proper training, proper processes are not put into place, or it was purely an accident,” said Kris Madura, CompTIA Security+ program manager. “Considering the power behind that statistic, it shows that although there have been tremendous advancements in security technology, no one can rely on that technology when it comes to the security of their organization if people are not properly trained and aware.”
Most of this comes down to the basics for the general computer workers in an organization.
“Some of the greatest risks are things that IT professionals know about already, such as employees having their passwords on sticky notes on their computer,” said Tiffany Olson, manager of government affairs for Symantec. “It is important that all employees who have access to a network and to information know how to secure it properly. Otherwise, they are a vulnerability. Too many companies are not providing training on best practices for information security, and you cannot blame the employee if they have not been trained.”
Information Security Training and Certification
So you know that there is a need and demand for security professionals. What can you do to get into this field? While there are many paths and options available in the security arena, the track is not as easily defined as earning a Microsoft Certified Systems Administrator (MCSA) certification to become a network administrator.
One area that has been lacking is that foundational security level, which CompTIA is working to defin