How to Staff Up for Security

Last year, David Saul, executive vice president and CIO of commercial insurer Zurich North America, pulled a dozen IT staffers away from their daily tasks to combat a virus that was attacking the company’s firewalls. They did a good job limiting the damage, but it took two days?two days in which other work did not get done. Next time, Saul hopes to be ready to respond before a threat surfaces. “We want to be in a safety zone that doesn’t require that kind of immediate mobilization,” he says.

That’s why Saul increased his full-time information-security staff from 12 to 18 people, mostly by training, reorganizing and reassigning IT people to security. “Good security equals prevention, detection and reaction,” says Saul, who is based in Schaumburg, Ill. “If you’re not going to staff to make the process work, then your exposure to security breaches is higher.”

That exposure is an increasingly widespread problem. In a 2001 survey of security practitioners conducted by the Computer Security Institute and the FBI, 85 percent of respondents (primarily from large corporations and government agencies) had detected computer security breaches in the previous year, and 64 percent of those respondents acknowledged suffering financial losses.

In fact, there’s no limit to the damage evildoers can inflict. Sept. 11 proved that. In this environment, many people believe that it’s sheer madness to have an IT staff handling information security on an ad hoc basis. “It’s a hard-and-fast rule, in my opinion,” says John Hartmann, vice president of security and corporate services of Cardinal Health, a $47 billion health-services provider in Dublin, Ohio. “If the two roles are shared, business priorities will drive security to a lower priority.”

Tim Mitchell, CIO of Sarnoff, an electronic, biomedical and information technologies company in Princeton, N.J., disputes that, saying that his IT staff handles security very well, thank you. But he does agree that people charged with security responsibility must be organized into a team?as his are?carrying out a coherent security program that sets out specific responsibilities and requires regular meetings.

A security team needs to set policies and procedures, assess vulnerability, detect intrusion, respond to incidents and manage security architecture. And perhaps most important of all, it needs a leader.

Finding skilled security professionals to carry out this mission can be tough, and the alternative?training in-house IT staffers who are security novices?can be costly and time-consuming. (Outsourcing security is another option. To read a cautionary tale about the pitfalls of outsourcing security, check out “Exposed,” at www.cio.com/printlinks.) But whichever route you choose, here are some ways to enhance your chances of success.

A Shopper’s Guide

CIOs looking to hire skilled, experienced security people could be in for a rude awakening: There aren’t many out there. The gap between supply and demand is the largest among all IT skills, says David Foote, president and chief research officer of Foote Partners, an IT-workforce research consultancy in New Canaan, Conn. “Employers can fill only one out of 13 jobs,” he says.

Nonetheless, the market has improved during the economic downturn; it’s much easier to hire skilled security people than it was a year ago. “[In early 2001], we were paying a lot of headhunter fees for recruiting,” says Bruce L. Murphy, CEO of Vigilinx, a security services company in Parsippany, N.J. “Now we don’t need to.” But even in a buyer’s market, CIOs need to know how to compete for the best candidates. Here’s what you can do.

Analyze your needs. No self-respecting security professional wants anything to do with a company that’s clueless about why it’s hiring him, says Lee Kushner, CEO of L.J. Kushner and Associates, a Freehold, N.J., recruiting company that focuses on security personnel. So figure out what your company needs, either through an in-house assessment or with the help of a consultancy. But be warned: Help doesn’t come cheap. Outside evaluation can run up to $500,000 for a full-blown examination of a global organization.

Look smart. The security industry is very insular, says Kushner, and potential employers need to know the secret handshakes. Specialized recruiters are the best way in. Unlike large general recruiting companies, specialized recruiters have deep and wide contacts in the security community. “I’ve tried all kinds of firms,” says Denis Verdon, first vice president and global head of information risk management for Instinet, a $1.5 billion New York City operator of an electronic trading network for institutional investors and brokers. “And usually it’s the specialists who provide higher rates of good-quality rŽsumŽs.”

CIOs who strike out on their own have to find their own leads. Bill Boni, chief information security officer for Motorola, the $30 billion communications equipment manufacturer in Schaumburg, Ill., says the military is a particularly good source for security people. Find them through newspaper ads in cities with large military populations, such as San Antonio and San Diego. Eddie Schwartz, former senior vice president of Guardent, a security-services company in Waltham, Mass., suggests contacting outplacement personnel at military bases.

Universities are a good source of entry-level people. Schwartz points to Bowling Green State University in Ohio, Purdue University, James Madison University and Virginia Tech, as having good IT programs with information security offerings. Contact their career placement offices for help.

Alan Paller, director of research for the SANS Institute, an information-security training and professional organization in Bethesda, Md., suggests that CIOs raid the security-services companies they’re using. “There are so many consulting firms, and so few that are doing well,” he says. “Many of their consultants are desperately looking for jobs in the real world.” Boni agrees, adding that, of course, the CIO should inform vendors that they’re in the market for personnel. Once the vendors know that, he says, those looking to downsize will be only too happy to help. And placing their consultants with the companies they do business with has an upside. “Now they’ve got an ongoing relationship with alumni inside your organization, who are well-positioned to identify other opportunities,” Boni says.

You’ve Got ’Em?Now What?

Once you’ve found the workers you want, you need to keep them. Tools, recognition and salary are the glue that will make them stick with you.

Tools talk. Tools are crucial. Security professionals strive to be what they call masters, people at the top of the security pyramid. Making cutting-edge technology available to them will help them feel that they’re achieving that status. “If you make them work with old tools?mainframe applications and Novell, for example?you’ll really frustrate them,” says Paller. So if you’ve got a sophisticated IT environment, flaunt it. Some of the most desirable toys for security folk, according to H. Michael Boyd, a Walpole, Mass., HR consultant, include Nessus (a cutting-edge network scanner), Snort (a leading intrusion-detection tool) and RAT (a system-tester for routers).

Make ’em feel loved. CIOs looking to woo candidates can offer to pay for training, certification and conference attendance. Recruiter Kushner says he’s negotiated conference attendance into employment agreements. Promising to send security people to at least one good conference or training program a year should keep them happy, says Paller.

Security people also thrive on recognition, says Paller. This recognition should be more than a pat on the back or a “thank you” e-mail. It has to be public. A good tactic is allowing security people to present their work at a conference so that they get external validation too.

Security professionals can lose motivation if they don’t feel they have management’s support. That is true for any employee, but the stakes are a lot higher when you’re dealing with people who have top-level access to your systems. Within reason, CIOs need to back security people in conflicts between security and business needs.

Money talks too. Don’t forget to keep salaries competitive. Line security engineers command anywhere from $60,000 at the lowest levels to the high-five figures at the top, and heads of security can command between $130,000 and $180,000, says Maria Schafer, program director for human capital management at Meta Group in Stamford, Conn. The best way to benchmark salaries is by talking to specialized recruiters and networking among peers who’ve hired security people, says Murphy, pointing out that in an evolving field like security, salary surveys are usually out-of-date by the time they are published.

Inside Moves

If you don’t want to go out on the open market, Paller suggests looking to your systems and network administrators. They’ve got great technical skills and probably good (albeit uneven) knowledge of security concepts and issues. And they’ve likely tinkered with the security of their environment and responded to incidents as part of their IT duties. “They’re just waiting for you to say, ’We care enough about security to let you do it full-time, and we’ll keep your skills honed too,’” says Paller. Consider giving them the training to become dedicated security staffers. But how do you get started?

First, ask for volunteers. Boni, who’s built nearly his entire security staff by repositioning IT people, says that has worked best for him. “I’ve found that they just come out of the woodwork,” he says.

When deciding whom to take, don’t just look for technical skills. Check for honesty and ethics (consider making a background check if they didn’t have one when they were hired) and look for interpersonal skills. You want someone who will work out differences with internal customers over security needs versus business requirements. “An individual with a collaborative touch will listen to what the business needs are and find a solution without falling back on a right/wrong, black/white approach that will anger the user,” says Cardinal Health’s Hartmann.

Once you’ve identified the best candidates, get them trained. At the very least, they need training in general Security 101 issues, such as network security and security forensics, says Steve Katz, former chief information security and privacy officer of Citigroup and Merrill Lynch, and now an independent consultant in Melville, N.Y. Then they can learn more discrete specialties, such as firewall administration and intrusion detection. There are several ways to train them, including the following.

Have consultants train your staff. Train- ing your new security people could take months. In the interim, someone has to handle your security needs, and most likely that will be a consultancy. That same company can be a great training resource, says Hartmann, who’s had security companies and Big Five companies train some of his security people. This training can be largely hands-on, and most companies will be happy to negotiate it into the contract, says Verdon.

Offer certification courses. Experts say certification isn’t necessary for security professionals?it’s really experience and skills that count. Nonetheless, putting your staff through certification courses can be valuable, and it doesn’t have to be expensive. Organizations such as Computer Security Institute, Information Systems Audit and Control Association, International Information Systems Security Certification Consortium and SANS offer broad-based training that can ultimately lead to certification.

Have vendors provide training. Security products vendors such as Check Point Software Technologies, Cisco Systems and Symantec all provide extensive training on their tools, some of which lead to their own certifications. Paller says this kind of training is as important as conceptual training. But he warns that vendor training is expensive. Check Point certifications, for example, can cost up to $4,300.

Organize internships. Boni recommends sending security people to other companies to have them intern with more experienced professionals. It’s easier if your company is affiliated with a larger organization, he says, but other companies might also offer this opportunity, known as a secondment. “Basically they’ll take your staff person’s effort in exchange for free training and call it even,” he says.

Keep up with the times. Because security is a rapidly changing field, ensure that your staff takes advantage of online threat-tracking resources such as SANS’s Incidents.org and Bugtraq at Security-Focus.com. Staffers should also attend the most important conferences, such as the RSA Conference and the SANS Conference, where they’ll network with peers. Finally, says Schwartz, security staff should update you about new threats on a weekly basis. “If the CIO gets an e-mail alert and sees something he’s never heard about from his security team, it’s an indicator that things aren’t going as they should,” he says.

Of course, none of the steps outlined in this article will help you if you don’t establish security consciousness throughout your entire IT organization, says Schwartz. “You can hire a million security people and not solve your problems if security isn’t embedded deep within everything you do in IT.”