CareerStrategies: Information Security Careers News & Education
December 2009

Special End-of-Year Edition: Reflections on 2009, Perspectives on 2010. Looking Ahead.

Where the Jobs Are in 2010
New Year Looks Promising for Professionals Skilled in Risk Management, Forensics

Also Inside
- The 7 Do’s and Don’ts of Social Networking
- Beyond Certifications: What are the Qualifications that Really Stand Out?
- Life After CISO: What are the Options?

Interview Excerpts
- John Rossi, National Defense University
- Dickie George, National Security Agency
- Pat Myers, (ISC)2
Information Security Media Group, December 2009

CareerStrategies

Editorial Staff
Tom Field, Editorial Director
Linda McGlasson, Managing Editor
Eric Chabrow, Managing Editor
Upasana Gupta, Contributing Editor
Karyn Murphy, Contributing Editor
About ISMG
Headquartered in Princeton, New
Jersey, Information Security Media
Group, Corp. (ISMG) is a media company
focusing on Information Technology
Risk Management for vertical industries.
The company provides news, training,
education and other related content for
risk management professionals in their
respective industries. This information is
used by ISMG’s subscribers in a variety
of ways - researching for a specific
information security compliance issue,
learning from their peers in the industry,
gaining insights into compliance related
regulatory guidance and simply keeping
up with the Information Technology Risk
Management landscape.
Contact
Corporate Headquarters:
4 Independence Way
Princeton, NJ 08540
Phone: (800) 944-0401
Email: [email protected]
www.ismgcorp.com
www.bankinfosecurity.com
www.cuinfosecurity.com
www.govinfosecurity.com
Letter from the Editor

Welcome to the 2009 Careers ‘Yearbook’
Here’s where we use the best of ’09 to prepare for an even better ’10

By Tom Field

Now is the time to truly take information security careers seriously.

I say this on behalf of industry professionals because we’ve just seen a year in which cybersecurity has gone mainstream in business and government. From the president on down, leaders everywhere now appreciate the value of the information security professional. And we know that new opportunities abound in such areas as incident response, risk management and digital forensics.

But I also say this on behalf of my own company, Information Security Media Group, because we’re now redoubling our efforts to provide new, compelling careers-oriented content across all of our sites.

Over the past several months, we’ve re-thought our approach to careers coverage, assembled an impressive board of advisors (whom we’ll announce soon) and initiated new articles, interviews and features that will debut in the new year.

2010 promises to be a good year for all of us – for those of us looking for that next big job, as well as those of us who merely want to show you the way. To prepare for the new year, we offer you this “best of” edition that includes articles, interviews and special interactive features – a wealth of content at a time when you face a bounty of career options.

Enjoy, and good luck in the New Year!

Best,
Tom Field
Editorial Director
Information Security Media Group
Contents

Featured Story / On the Cover

Where the Jobs Are in 2010
2009 was a tough year in many ways -- economic recession, massive layoffs, high unemployment rate, scores of bank failures. But there is good news for information security professionals looking for jobs within the public and private sectors in 2010.

Call of Duty: The New Demand for Business Continuity Professionals
Once seen as “insurance,” BC/DR pros now valued for information assurance

Career Opportunities in Incident Response
What it takes to make it in one of security’s emerging fields

Digital Forensics: The Chance to Play Detective
Work is hard, but jobs plentiful for professionals who like to follow the evidence trail

The Employment Value of Multiple Certifications
Map out your career - and then invest in it

Interactive Map
The latest NSA-approved CAE Schools

Interviews

Community Outreach: The Need for Information Security Pros
Interview with John Rossi, National Defense University

The CAE at 10
Interview with Dickie George of the NSA

Invest in Your Career
Interview with Pat Myers, Chair of (ISC)2

Also in this Issue...

The 7 Do’s and Don’ts of Social Networking
Recruiters increasingly use sites to recruit candidates — and screen their behavior

Beyond Certifications
What are the qualifications that really stand out on a resume?

Life After CISO: What Are the Options?
Tips on how to prepare for the next big career move

Letter from the Editor
Social Media

The 7 Do’s and Don’ts of Social Networking
Recruiters Increasingly Use Sites to Recruit Candidates — and Screen Their Behavior

BY UPASANA GUPTA

FaceBook, Twitter, LinkedIn — social-networking sites are now used both as recruitment tools for new talent and as screening sites for potential employees. As such, information security professionals should be careful to cultivate the right image on these and other popular sites.

“Securing employment is all about networking, and candidates should spend time cultivating relationships and investing in their online brand that will benefit them in the future,” says Barbara Massa, VP, Global Talent Acquisition, McAfee, Inc.

A Recruiting Tool

While not all companies use social media sites in the hiring process, the numbers are growing. According to a recent survey (June 2009) by CareerBuilder, the number of employers using social networking sites to screen candidates has more than doubled since 2008. Of more than 2,600 hiring managers, 45 percent reported using social networking sites to research job candidates’ backgrounds -- up from 22 percent in 2008.

Michele Porfilio, a strategic sourcing director for Crowe Horwath LLP, a public accounting and consulting firm, says, “We leverage social media sites such as LinkedIn, Facebook, and Twitter for our information security hiring needs.” Based on the skill set needed, Crowe implements the tools for targeted search and outreach, and “within LinkedIn, we continue our visibility in creating an information security professionals pipeline,” she adds.

Besides LinkedIn, companies are establishing their presence on FaceBook and Twitter by creating a corporate page to increase visibility and open opportunities to network within the information security industry.

Niche and boutique information security recruiting firms such as BC Management and the Lenzner Group both use LinkedIn extensively in their candidate search and selection process and have established a strong contact base by promoting active interaction with members and affiliated member groups.
Tracy Lenzner, president of Lenzner Group, pays close
attention to a candidate’s LinkedIn bio, ensuring that
information on a resume is not in any way conflicting with
the candidate’s online profile.
Alicia Stevens, a senior recruiter with BC Management,
uses a corporate database and LinkedIn for conducting
research on prospective candidates and places a lot of
emphasis on:
- Has the candidate spoken at industry events?
- Have they received any awards or public recognition?
- Do they have any relevant published papers or articles in their area of expertise?
- Are they members of any associations?
- Do they actively participate in any forums or affiliated groups?
- Do they hold professional industry certifications?
The Downside of Social Networking

“Today, however, a candidate’s presence on social
networking sites can even hurt them,” says Eric Fiterman,
CEO and President of Methodvue, a private intelligence
organization. It is very easy to post information -- at times
too much information -- on these sites without thinking
that people may examine this information and judge their
character for a potential candidacy. Candidates need to
remember that the information they post remains forever,
Fiterman says.
In the same CareerBuilder survey, more than one-third of employers that checked profiles said they had found content that disqualified a potential hire. The top four reasons for disqualification were that the potential candidate had posted information about themselves:
- Drinking or using drugs;
- Displaying inappropriate photographs;
- Bad-mouthing their previous employer;
- Showing poor communication skills.
“Knowing who they are and selling that in your profile is
key,” says Massa.
The 7 Do’s and Don’ts

1) Do be visible and add value

Be active in relevant member groups, forums and associations. Have a targeted list of companies and accordingly expand your network and connections to be recognized by industry associates. Creating a concise online profile is important so that recruiters can find you in their searches; however, “Job prospects should never say that they are looking for a job on their profile and status update, as that gives a desperate impression to hiring managers and recruiters and often is a turnoff,” says Porfilio. Add value by posting useful links or just comments that offer some information that will help establish a candidate as someone who knows things about their niche and area of expertise.
2) Don’t badmouth your current or previous employer

Be careful not to gripe about your current or past employers in your online profiles. This usually reflects badly on candidates and tarnishes their image in the eyes of hiring managers and recruiters. Also, if you are currently employed, keep in mind any confidentiality and conduct agreements you may have signed to ensure you are not violating any terms.
3) Do be selective
Be careful with what information needs to be posted --
where you decide to post the information and how public
you make it, says Fiterman. A good practice is to restrict
posting personal information that may not be relevant to
professional career growth and development. Emphasis
should be placed on showcasing expertise and skill set and
work-related activities, including speaking engagements,
articles and papers published and core strengths.
4) Don’t let out personal information in public
Tweet/chat/discuss regarding business and the emerging
trends in your industry, but limit posting information on
your personal life -- which can be a subject of major scrutiny
by recruiters and hiring managers. “My hiring decision
will definitely be influenced in learning that a candidate is
involved in playing cards as a hobby and is a member of any
affiliated association,” says Stevens.
5) Do get valuable recommendations
Getting recommendations from former employers and
current supervisors is always good, says Massa. But
candidates should also go outside their organizations to seek
valuable recommendations and get endorsed by clients,
business partners and leaders that carry weight.
6) Don’t use inappropriate language and photos
Most often candidates’ use of language and choice of
photographs posted are reasons for ticking off recruiters,
says Stevens. You need to ensure that information posted
is written professionally without use of swear words
and catchy phrases. Also, be very selective in posting
photographs and use your judgment to ensure that these
photographs are how you want the public to see you.
7) Do create an online image

“Creating a powerful online brand is what will truly distinguish candidates,” says Massa. You need to invest in developing an online personality which will clearly set you apart from your peers. You must consider:
- What are the industry affiliations and groups with which you would like to be associated?
- What are the leading edge conferences you want to be attending and participating in?
- What kind of education and training do you want to be investing in to enhance your overall qualification?
- Invest in creating a name for yourself by blogging in recognized publications, creating an impressive following on Twitter and LinkedIn, and constantly appearing on conferences and speaking on subject matter expertise.
Creating an online personal brand can be a strong asset
to a candidate’s job search and a great way to toot one’s
horn. When creating an online personal brand, job prospects
need to be sure to maintain continuity between all of the
sites they are using. “It’s about finding the right mix of sites
and content to best serve their goals,” says Allison Nawoj, a
senior career adviser from CareerBuilder.

Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1957
Interview

Community Outreach: The Need for Information Security Pros
Interview with John Rossi, National Defense University

BY TOM FIELD

It’s time for information security professionals to give back to their communities — to reach out and educate businesses, schools and citizens about cybersecurity and other relevant issues.

This is the message from John Rossi, professor of systems management/information assurance at National Defense University.

In an exclusive interview, Rossi discusses:
- Why security professionals should practice outreach
- Potential venues for public speaking
- How to get started

TOM FIELD: So the premise is that security professionals should practice more outreach; what exactly do you mean by that?

JOHN ROSSI: It is probably no secret that information technology professionals and security professionals specifically tend to be a little bit on the “geeky” side. We hide in our offices, and we generate code or we write policy; we will do telecommunications software, and we kind of tend toward “leave us alone and let us do our thing.” But I think where we really need to move is to integrate ourselves better into the community.

We have seen years ago that CEOs needed to have a place at the corporate table; well, now we are saying that Chief Information Security Officers also need a place at that table. And not only at the corporate table, but I believe that it is very important, professionally and personally, to reach out to the community at large; our own local communities, our libraries, our high schools, our junior high schools, our colleges. And so what I mean is that the security professional should get out and inspire, motivate, mentor individuals and groups in the community.
FIELD: Well, you make a good point here, John. You know
these are stretching some new muscles for a lot of people
in the profession, so what are some effective ways that
security professionals can share their expertise?
ROSSI: Well, I will share with you what I have done, and
that way if I have walked the walk, then there are others
who can do it as well. There is nothing special about me.
What I have done is I have raised my hand to speak
at conferences, so security professionals that come to
conferences, security conferences, will get to hear whatever
I happen to be thinking of at the moment, whatever the
topic is, and that is one way.
Maybe a little more grassroots, though, is to get to the
youth of the community and speak in some of the inner city
schools. I have gone out to local inner city Washington, D.C.
high schools and spoken about fields, about careers in the
information technology field and the information assurance
field, and it kind of gives those youngsters something to look
up to, look forward to, see how they can contribute to the
community.
Another way is writing. Some people have a skill
in writing, and they don’t like to speak, they are very
uncomfortable. My wife would probably rather die than
have to give a presentation in front of an audience. So there
are many people who are nervous about that. Perhaps
we can write, and if we can write there are plenty of
newsletters and magazines that would love to publish well
thought out articles in the security field.

Read the complete interview transcript online: http://careers.bankinfosecurity.com/podcasts.php?podcastID=373
Cover Story

Where the Jobs Are in 2010
New Year Looks Promising for Professionals Skilled in Risk Management, Forensics
2009 was a tough year in many ways — economic recession, massive layoffs, high unemployment rate, scores of bank failures. But there is good news for information security professionals looking for jobs within the public and private sectors in 2010.
BY UPASANA GUPTA
There are jobs aplenty, thought leaders say, for
information security professionals looking to change
jobs, move into leadership positions or switch industries
altogether.
The keys to success are to recognize the top growth areas,
and be prepared to tackle new skill sets.
“Companies today are looking to hire one or two key
information security professionals who are experts in a
broad range of security skills and are capable of playing
several different hats,” says Jeff Snyder, president of
securityrecruiter.com. Among the hot skills: access control,
user provisioning, digital forensics, incident handling, data
loss prevention and ethical hacking capabilities.
“We continue to see demand for positions including
security architecture, application security, risk management
and regulatory compliance,” he says, adding that
professionals with these skills will continue to be hired by
companies to play a critical role in safeguarding security
threats and challenges.
However, as automation and security monitoring
tools take over, some security functions such as patch
management, network monitoring, vulnerability analysis and
help desk functions will see more layoffs, hiring freezes and
outsourcing, says Brian Barnier, a board member with ISACA
and a senior partner with ValueBridge Advisors, a security
advisory and consulting firm based in Connecticut.
Yet, the role of risk management in information security
is being re-emphasized and will continue to be a key driver
impacting the profession and the job market, says Steve Katz,
former CISO at Citigroup, JPMorgan Chase and Merrill Lynch.
“IT security professionals increasingly will be asked to
act as advisers to senior business management on risk
management strategy going forward,” Katz says.
Following are the seven top growth areas for information
security professionals in 2010:
1. Risk Management
“Cyber risk is real,” and companies are looking for
professionals who can understand the business risks to
be able to explain the value they’re providing to senior
management, says Katz. Organizations today are largely
concerned with viability and survivability, spending their
time, resources and efforts focused on meeting the industry
standards and regulatory checklist. They are not necessarily
taking a risk-based approach, Katz says. “They are saying ‘If I
do the checklist, then I must be okay,’ and that is really not a
good idea.”
Security professionals and leaders need to understand
how risks affect their own particular role and how that fits
within the overarching risk management process within
the organization. “Professionals who realize that security
is inextricably linked to business and business risks will be
successful and in demand in this market place,” says Mischel
Kwon, vice president of Public Sector Security Solutions for
the Worldwide Professional Services unit at RSA.
For security professionals and senior leaders hoping
to thrive and remain strong in the information security
discipline going forward, “The key will be to understand
that we all have a part to play in recognizing, evaluating and
mitigating risks,” says Kwon. Therefore, a proactive, efficient
and automated management of risks will ensure, she says,
“that we all have the information required to perform our
role and make important decisions in the future”.
2. Security Process Management
Increasingly, organizations focus their efforts in streamlining
and centralizing security processes to make security cost
effective and efficient. Better security process management
enables organizations to determine their most significant
security exposures, target their budgets toward addressing
the most critical issues, and then achieve the right balance
between cost and security, says Barnier. Therefore, business
and security process professionals will definitely see an
upswing in demand for their skills in:
- Implementing multi-tasking solutions that protect data according to its risk classification levels;
- Investing in the right mix of tools and technologies to manage multiple security measures;
- Knowing when to outsource key services including network perimeter security; and
- Having the ability to operate cross-functionally and communicate with business units.
3. Business Side of Security
Organizations today are looking for forward-thinking
professionals who, instead of saying ‘no’, talk to their
business colleagues and see how they can get things done.
Another area of growth will be for more senior and
well-rounded security professionals who understand both
business and technology and can effectively communicate in
business terms to senior management. “At most companies
today, security projects are driven by compliance and audit
and as such lack a business alignment with security,” says
Kwon. As a result, security professionals are not working
on business problems, but rather on regulatory issues. “IT
security professionals will therefore need to have a greater
understanding of business if they are to succeed in the
next decade,” she says. These integrated skills are required
for better risk management practices, understanding,
implementing and managing emerging technologies, as well
as justifying budgets in tight economic times.
4. Forensics and Fraud Detection/Prevention
Forensics has become critical in the last few years, as people
extensively use technology for criminal purposes and cyber
fraud. Three broad industries need qualified digital forensic
expertise on a daily basis:
- Information Security: to stop hackers and computer-based attacks, and recover from data breach incidents.
- Legal: win civil and criminal cases involving electronically stored evidence.
- Law Enforcement/Defense Industrial Base: to arrest and prosecute criminals/deter enemies.
In the current job market, demand for such experts is
increasing in the United States, where many companies are
facing real-time cyber crime activities. “We have forensic
experts that we are looking for,” says Nadia Short, vice
president of strategy & business development at General
Dynamics Advanced Information Systems, which seeks
people that are able to lead the investigation and incident
response activities. These individuals primarily focus on the
ability to understand file systems, logs, histories, patching
and, more importantly, understand chain-of-custody
activities as, in Short’s words, “we look to provide that kind
of data to law enforcement officials as they look to put the
bad guys away.”
5. Software and Application Security
Specialized and niche security recruiters such as Snyder
continue to see a strong demand in the area of secure
software development and application security. Security
implications in software development, operations,
maintenance and deployment are gaining prominence “as
companies are increasingly focused in integrating security
with their software lifecycle to build superior, secure
products and applications,” says Snyder. “There will always
be a growing demand for qualified security programmers,
web application analysts, software engineers and security
architects,” he adds.
6. Regulatory Compliance

With new regulations and compliance requirements expected in the New Year, there may be some significant job openings at federal and state regulators. Nathan Johns, a senior executive at Crowe Horwath, a top 10 accounting firm and risk management advisor, and a former FDIC examiner himself, sees openings as increased regulations are enforced on security outsourcing and offshoring services.
“Examiners will keep a close tab at where the data and
information is being sent and who takes ownership for this
data when information travels overseas,” he says. Other
areas getting emphasis will also be within new standards for
application and product development, testing and signoff.
7. Emerging Technologies
As consolidation and collaboration continues to take
place within the financial sector, the government places
emphasis on critical infrastructure protection. Emerging
technologies including virtualization and mobilization of
services, cloud computing, centralization of data centers
and services will call for a new breed of project based
consulting professionals, says Barnier — which translates to
a need for new and specialized skill set in these promising
technologies.

Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1977
Business Continuity

Call of Duty: New Demand for Business Continuity Professionals
Once Seen as “Insurance,” BC/DR Pros Now Valued for Information Assurance

BY UPASANA GUPTA

When Anne Marie Staley first became a business continuity/disaster recovery (BC/DR) professional, many organizations minimized the role.

“Until recently, most organizations treated business continuity like health insurance,” says Staley, senior manager of Business Continuity Planning and Disaster Recovery for North America at the New York Stock Exchange. “[They focused on] getting the cheapest coverage, hoping nothing ever happens, reluctantly paying the premium each month and praying that when the inevitable happens, they have enough coverage.”

Times clearly have changed. In this post-9/11 world, BC/DR functions have emerged to play critical roles in protecting organizations from natural, man-made and pandemic disasters. “We are now seeing a wonderful convergence and subsequent maturity in the form of a new paradigm of business continuity management which involves more formal risk management practices integrated with information security,” Staley says.

With the emergence of BC/DR comes a greater emphasis on hiring professionals with the right skills and credentials.

The Right Stuff

Risk assessment skills have become significant in business continuity, says Stephanie Balaouras, principal analyst at Forrester Research. In the past, organizations often focused their BC/DR efforts on natural disasters and overlooked mundane events that actually cause most disruptions — power outages, IT failures and human error. But leaders have come to realize that they must take the time to conduct a more comprehensive risk assessment to identify all probable risks to safeguard company reputation and meet the expectations of customers, external parties and internal auditors.

“Executives are forced to pay close attention to the areas where businesses are struggling: testing more thoroughly and frequently, involving business owners in the process from start to finish, and ensuring the business continuity readiness of strategic partners,” Balaouras says.

Also, the emergence of increased threats such as pandemic outbreak, recession, power outages, terrorism
and cyber fraud pushes the need for qualified business
continuity professionals. “All of these events are
uncomfortably recent, and as we’ve learned, any of them
can bring a country or community — let alone a single firm
— to a standstill,” says Steve Ross, executive principal, Risk
Masters, Inc., a New York-based business continuity and
crisis management consulting firm.
The key questions: Who are the right people, and what
role do they play within an organization?
“The right fit for business continuity function is
professionals coming from a risk management background
with exceptional risk monitoring, measuring and mitigating
skills,” says Cheyene Haase, president of BC Management,
Inc. an executive search firm that places business continuity,
disaster recovery, information security and emergency
management professionals internationally.
Key Credentials
Among the business continuity credentials most demanded
by employers, Haase says:
Certifications
Professionals holding industry certifications such as CBCP,
CISSP, CEM, PMP are largely preferred, as they show
individuals will stay current with the industry through
continuing education.
Academic Qualification
A college degree is very often a requirement for BC/DR
positions. “Furthermore, to achieve a leadership position,
holding a master’s degree puts a candidate in a more
favorable position compared to competitors,” says Haase.
Business and Technology Focus
Strong understanding of business and technology issues
in contingency planning, emergency response, crisis
management and communications, risk management,
organizational resiliency, IT continuity, testing,
implementation, and regulatory issues is essential.
Prior Business Continuity Planning Experience
Previous experience developing contingency and business
continuity programs globally is often an experience highly
sought after by potential employers.
‘Soft Skills’ a Must in Leadership Roles
Individuals with well-rounded backgrounds in business
and technology understanding are largely preferred for
leadership roles. They also must possess the abilities to
build business cases and to communicate with peers, and to
senior management.
Industry Associations
Professionals need to be associated with specific industry
associations dedicated to business continuity, as well as
related disciplines, including: Association of Contingency
Planners (ACP), Disaster Recovery Institute (DRI), Business
Continuity Planners Association (BCPA).
In addition to their primary roles of business continuity planning, business impact analysis and understanding of key risks and vulnerabilities to the organization, business continuity professionals also must:

Seek input — from executive management on risk tolerance, areas of concern and unknowns. Discussions on risk perception, business strategy and trends should become key aspects of moving beyond the traditional focus on natural disasters, fires and data corruption. “It’s important to plan for these threats,” says Ross, “but also to get input from executive management team about other financial and operational risks that may not be receiving focused attention.”

Get engaged — move beyond executing methodology and begin learning the business, break down organizational barriers that get in the way of understanding all aspects of business continuity risk, and get involved by building teams to address business continuity risk and lead them toward a solution.
The recessionary impact is that organizations are selective in hiring and continue to try to “do more with less,” which means employees often need to wear several hats in performing their role as BC professionals. A good background in related skills such as information security, risk management, incident response and business is in demand in the job market. Career growth in business continuity is tremendous, says Ross, and individuals can branch into risk management, crisis management, incident response, physical security, strategic planning and policy roles, as well as move into upper management positions such as chief risk officer and chief strategic advisor.
Beyond insurance, BC/DR now is valued for the level of
assurance the role brings to an organization, Staley says. “A
key strength of successful business continuity professionals
is their ability to facilitate a group of people toward a
solution to mitigate risk to an acceptable level.”
Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1932
Career Opportunities in Incident Response
What it Takes to Make it in One of Security’s Emerging Fields
BY UPASANA GUPTA
This past Independence Day weekend, hackers targeted government and business websites in the United States and South Korea, leaving network managers struggling to differentiate legitimate from illegitimate web traffic.
In January, Heartland Payment Systems, the sixth-largest payments processor in the U.S., announced it had been breached in 2008. Hackers had gained access to its computer networks and had been able to see credit card and debit card numbers as they were processed for several months in 2008, exposing an undetermined number of merchants and retail consumers to potential fraud.
At numerous companies and agencies of late, disgruntled employees have violated internal policies or misused system access for their own monetary gain or for revenge on employers. Insider threat is a growing category of criminal activity, especially when organizations merge, are acquired or lay off employees.
Security-related incidents such as these have become not only more numerous and diverse, but also more damaging and disruptive. Incident handling and response has therefore become an increasingly popular career for people to consider today.
“As we can take steps to reduce risk in cybersecurity but cannot eliminate risk, we need to come to terms with the fact that eventually there will be an incident and an incident response team will be needed,” says Shane Sims, director in the forensic services practice at PricewaterhouseCoopers, where he provides investigative, forensic technology, security incident response and cybersecurity services to commercial and government clients.
The Many Hats of Incident Response
Expert security professionals with proficient skills in preventive activities and appropriate response actions can lower both the number and the impact of incidents at any organization.
The incident handling and response team draws on a variety of skill sets, and so on several kinds of expertise:
Network Security Specialist
Organizations constantly need network and system specialists who are thoroughly familiar with operating and configuring routers, firewalls and intrusion detection systems.
Penetration Testers
Known as white hats or ethical hackers, these individuals are crucial to the team for assessing a system’s potential vulnerabilities, which may result from poor or improper system configuration, known or unknown software flaws, or operational weaknesses in process or technical countermeasures.
Incident Handlers
Incident handlers are people with thorough knowledge of attack methodology and incident response, who perform analysis and response tasks for a range of incidents and apply critical thinking in responding to them.
“They are the individuals who need to predict that problems
are going to happen and what action will be needed to
mitigate these issues,” says Peter Allor, steering committee
member of the Forum for Incident Response and Security
Teams (FIRST). He also is the program manager for cyber
incident and vulnerability handling for IBM.
Forensics Analyst
This role focuses on the rigorous, scientific and thorough forensic analysis of computing systems for evidence and impact of system compromise, and on digital support of legal, HR and ethics investigations. The role includes the forensic analysis of digital evidence and an understanding of evidence handling, chain of custody, and operating systems and file systems. This is an emerging and vital role in incident handling that has started getting attention and recognition in recent years, maintains Mike Poor, founder and senior security analyst for the Washington, D.C., firm InGuardians LLC.
Research Analyst
Research analysts focus on learning new techniques and mitigation and protection strategies, staying abreast of technology to support incident response activities.
Team Leader
Team leaders are typically in charge of leading the team through crises and are involved with people across business units, communicating what is going on, what it means and what it costs the business.
Methodology
An incident response team generally follows the same sequence of steps for all types of attacks:
1) Preparation & Training
This includes methods to prevent attacks as well as how to respond to a successful one. In order to minimize the potential damage from an attack, some level of preparation is needed. These practices include regular backups of all key data, regular monitoring and updating of software, keeping anti-virus software current, and creating and implementing a documented incident response policy.
Training is another step that is crucial for the execution
of the incident response plan. “The training, in my opinion,
should be provided in two forms at a minimum -- what I call
a walk-through drill and a tabletop exercise,” says Sims.
A walk-through drill is when one gets all of the participants who would be involved in an incident response into a room, creates a breach scenario, and then walks through it, telling them what they are supposed to do and what is expected of them.
A tabletop exercise is where one gathers all of the incident response players around a table and walks through a breach scenario, asking the people who are required to take certain actions to chime in and play the role they would in the actual response.
2) Identification
While preparation is vital for minimizing the effects of an attack, the first post-attack step in incident handling is the identification of an incident. This includes establishing the fact that an attack is occurring, its effects on local and remote networks and systems, and where it originates.
3) Containment
Once an attack has been identified, steps must be taken to
minimize the effects of the attack. Containment allows the
incident responder to protect other systems and networks
from the attack and limit damage. The response phase
details the methods used to stop the attack. Once the attack
has been contained, the final phases are recovery and
analysis.
4) Recovery and Analysis
The recovery phase allows the organization to assess what damage has been incurred, what information has been lost, and so on. Once the responder can be sure that the attack has been contained, it is helpful to conduct an analysis of the attack: Why did it happen? Was it handled promptly and properly? Could it have been handled better? The analysis phase allows users and responders to determine why the attack succeeded and the best course of action to protect against future attacks.
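The identification and containment steps above, as an added example that is not code from the original article: a small triage script over constructed OpenSSH-style authentication log lines (sample data, not a real capture) that flags a source address with a burst of failed logins followed by a success, which is one concrete form of "knowing that an attack is occurring and where it originates", and turns the finding into the containment actions the text calls for. The log format, the five-failures-per-minute threshold and the host names and addresses are assumptions for the example.

```python
"""Identification-phase triage over constructed authentication log lines.

Added example, not from the original article: a source address with a burst
of failed logins followed by a success is one concrete form of "knowledge
that an attack is occurring ... and from where it originates". Log format
(OpenSSH syslog style), threshold and window are assumptions; the lines and
addresses are constructed sample data, not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Dec  7 03:14:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Dec  7 03:14:03 web01 sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Dec  7 03:14:04 web01 sshd[2105]: Failed password for root from 203.0.113.45 port 51041 ssh2
Dec  7 03:14:06 web01 sshd[2107]: Failed password for root from 203.0.113.45 port 51055 ssh2
Dec  7 03:14:08 web01 sshd[2109]: Failed password for root from 203.0.113.45 port 51061 ssh2
Dec  7 03:14:10 web01 sshd[2111]: Accepted password for root from 203.0.113.45 port 51070 ssh2
Dec  7 03:20:15 web01 sshd[2200]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Dec  7 03:20:40 web01 sshd[2202]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text, year=2009):
    """Yield (timestamp, result, user, ip); syslog lines omit the year, so it is supplied."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd messages are skipped, not treated as errors
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def identify_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"failures": n, "compromised_users": [...]}} for each source
    with at least `threshold` failures inside a sliding `window_seconds` window.
    A success from a flagged source afterwards is recorded as a probable
    compromise: containment needs the account to lock, not just the IP to block."""
    findings = {}
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    for ts, result, user, ip in sorted(parse(log_text)):
        if result == "Failed":
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_seconds]
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                entry = findings.setdefault(ip, {"failures": 0, "compromised_users": []})
                entry["failures"] = max(entry["failures"], len(recent[ip]))
        elif ip in findings and user not in findings[ip]["compromised_users"]:
            findings[ip]["compromised_users"].append(user)
    return findings


def containment_actions(findings):
    """Turn findings into the concrete containment steps the text calls for."""
    actions = []
    for ip, f in sorted(findings.items()):
        actions.append(f"block {ip} at the perimeter firewall")
        for user in f["compromised_users"]:
            actions.append(f"lock account {user} and rotate its credentials")
    return actions


if __name__ == "__main__":
    for action in containment_actions(identify_bruteforce(SAMPLE_LOG)):
        print(action)
```

The single failure from 198.51.100.7 followed by a key-based login is deliberately left alone: a threshold tied to a time window is what keeps ordinary typos out of the incident queue, and the `compromised_users` list is what separates "block an address" from the more urgent "an account was actually taken over".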
An incident handling and response team should be
trained to handle “these normal emergencies” that happen
day-to-day on the job as well as escalate to a learning and
protective mode and secure business and systems at any
organization, says Allor. “We need help now, not tomorrow,”
he states. “That is why incident response as a profession is
very high among people’s wish lists.”
Necessary Skills
Practitioners recommend the following skill sets for success:
An In-Depth Technical Background
Professionals transitioning into this field need a thorough knowledge of networks and systems, including operating systems, desktops, servers and network communications. Specialties such as understanding web and data applications and how they work help a great deal, says Poor. Usually a bachelor’s or associate degree in IT, computer science or information assurance is preferred.
Ability to Communicate
The ability to communicate is crucial, as professionals need to be able to explain to their clients or business units: What is the issue or problem? What has been the impact? What does that translate to in business cost? What are the possible options? When can these options be exercised? “I primarily look for people who can effectively communicate in plain English and understand the importance of being conversant in such issues,” says Allor.
Supporting the Business
Getting the business units involved in discussing incident handling and response issues is fundamental to working out how best to secure systems and the business. “We as practitioners need to provide value, which can be done by understanding how business perceives the underlying risks and how jointly we can solve issues,” maintains Allor.
Ability to Remain Composed
“Ability to remain calm under fire is typically what I look for
while hiring candidates,” says Poor. “As practitioners we are
under the gun the majority of our work life and need to be
able to work effectively under this constant pressure.”
Work Experience
All experts say that certifications such as the CISSP or the GIAC Certified Incident Handler (GCIH) from SANS are secondary to the level of work experience they look for when hiring an incident handler. All require prior work experience handling incidents and crisis situations. “What we really look for in candidates is the technical ability to perform,” adds Poor, along with participation in security associations, conferences and forums.
Ability to Network
“When I have an issue, I reach out to my peers in companies
like Cisco, Juniper, HP to ensure a good fix can be applied
quickly to the problem,” says Allor. One needs to establish a
network outside the organization to get help when required.
A good entry point into incident handling and response is for professionals already working with security and network monitoring systems who want to step up and do more. The salary range for incident response professionals is typically between $70,000 and $140,000 annually.
Where Are the Jobs?
Incident response jobs are readily available with government agencies, including the Defense Department, the Department of Homeland Security, the National Security Agency (NSA) and the U.S. Treasury. Government contractors such as General Dynamics, Booz Allen Hamilton, Northrop Grumman and Lockheed Martin increasingly hire individuals with this expertise.
Within banking and financial services, consulting and advisory firms such as KPMG, Deloitte, PricewaterhouseCoopers and others have a constant demand for incident handlers and responders. Large community banks, credit unions and national and international banks usually hire these professionals to act as first responders to, and investigators of, incidents and attacks.
Incident response can include a disruptive and erratic work schedule as well as high work pressure. Job seekers need to be prepared, very committed and passionate to take this up as a career, says Poor.
“We are like medical practitioners in our field,” he says,
“where we are on call 24/7 and are paged to handle a crisis
situation.”
Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1724
Digital Forensics: The Chance to Play Detective
Work Is Hard, But Jobs Plentiful for Professionals Who Like to Follow the Evidence Trail
BY UPASANA GUPTA
After Hurricane Katrina devastated much of Louisiana, the state was granted $9 billion for recovery and disbursement to individual homeowners. Keith Barger, a director in KPMG’s Forensic practice in Houston, was put in charge of a forensics and fraud team to verify insurance claims, conduct investigations and trace fraudulent activity. This work kept Barger’s team busy for a year and a half.
“Forensics is broader in scope than people anticipate,” Barger says.
He specializes in electronic data discovery, data analytics and investigative services in support of civil litigation, and provides advisory services on technology-related matters. He also provides expert witness testimony when appropriate in connection with these services. His in-house team is involved in high-profile investigations, applying tools and methodologies to data analytics, data mining, recovering deleted files, tracing internet activities and many other tasks. Most of his clients are government agencies and large private corporations. The team consists of:
• A forensics manager who has direct oversight of the forensics practice and is qualified to certify a forensics lab environment;
• Evidence custodians who are involved in tracing, recovering and storing evidence;
• Research and development individuals who maintain databases and spend time keeping abreast of emerging technologies, software and methodologies;
• Cell phone and digital media specialists; and
• Intrusion detection professionals.
The forensics profession today is fast-growing because of
the increasing number of cyber crime activities that occur
throughout the world, maintains Barger.
The Emergence of Forensics
“Forensics has become very important in the last 10-12 years since one great disadvantage of technology’s integration into society is the capacity for people to use the technology for criminal purposes,” says Jill Slay, PhD, CISSP, FACS, PCP, MIEEE, a member of the (ISC)² Board of Directors.
The types of crimes that can be committed using
technology can be represented in two distinct categories:
crimes committed using a computer (e.g. hacking, fraud) and
those committed against computers (e.g. Denial of Service).
“In today’s economy more people are working remotely, which provides greater opportunities for malicious employees to create harmful attacks,” says Paul Henry, SANS Institute certified instructor in forensics and cyber crime and president of Forensics & Recovery LLC, an independent network breach and computer forensics investigative company based in Florida.
Forensic computing can be described as the investigation
into criminal or unethical activities that may have left digital
or electronic evidence. Although this definition appears
simplistic, adds Slay, it specifies the existence of digital
evidence, which is the very core of “computing” in the term
forensic computing.
In the current job market, demand for such experts is increasing in the United States, where many companies are facing real-time cyber crime activities. “We have forensic experts that we are looking for,” says Nadia Short, vice president of strategy & business development at General Dynamics Advanced Information Systems, who seeks people who are able to lead investigation and incident response activities. Her team primarily focuses on the ability to understand file systems, logs, histories and patching and, more importantly, to understand chain-of-custody activities, since the company provides that kind of data to law enforcement officials as they look to “put the bad guys away.”
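The chain-of-custody point above, as an added example (not code from the article, from General Dynamics or from any firm named on this page): the mechanics that make an exhibit defensible are hashing the acquired image at acquisition time, recording every hand-off together with the hash as it stood at that moment, and re-verifying before analysis or before the image is passed to law enforcement. The exhibit identifier, file name, people and image bytes are constructed for the example, and the tampering step at the end exists only to show what a failed verification looks like.

```python
"""Evidence-integrity record behind a chain of custody.

Added example, not from the original article: hash the acquired image,
record every hand-off together with the hash at that moment, and re-verify
before analysis or before handing the exhibit to law enforcement. Exhibit
ID, path and image bytes are constructed for the example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_image(path, algorithm="sha256", chunk_size=1024 * 1024):
    """Stream the file so a multi-terabyte image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record for one exhibit. Every entry carries the image hash
    at the time of the hand-off, so a later mismatch shows where integrity
    was lost, not just that it was lost."""

    def __init__(self, exhibit_id, image_path, acquired_by, acquired_at):
        self.exhibit_id = exhibit_id
        self.image_path = image_path
        self.original_hash = hash_image(image_path)  # reference value from acquisition
        self.entries = []
        self._append(acquired_by, "acquired", acquired_at)

    def _append(self, person, action, when):
        self.entries.append({
            "exhibit": self.exhibit_id,
            "action": action,
            "by": person,
            "at": when.isoformat(),
            "sha256": hash_image(self.image_path),  # hash as seen at this hand-off
        })

    def transfer(self, from_person, to_person, reason, when):
        self._append(f"{from_person} -> {to_person}", f"transfer: {reason}", when)

    def verify(self):
        """True only if the image on disk and every logged hand-off still match
        the acquisition hash; False means the exhibit cannot be presented as
        unaltered."""
        on_disk = hash_image(self.image_path)
        return on_disk == self.original_hash and all(
            e["sha256"] == self.original_hash for e in self.entries
        )

    def to_json(self):
        """Serialised log for the written report that accompanies the exhibit."""
        return json.dumps(self.entries, indent=2)


def demo():
    """Constructed walk-through: acquire, hand off, verify, then tamper and verify again.
    Returns (hash_matches_content, intact_before_tamper, intact_after_tamper, entries)."""
    content = b"\x00" * 4096 + b"constructed sample sector data" + b"\xff" * 4096
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "exhibit-001.dd")  # hypothetical image file name
        with open(img, "wb") as fh:
            fh.write(content)
        log = CustodyLog("EX-001", img, "examiner A",
                         datetime(2009, 12, 1, 9, 0, tzinfo=timezone.utc))
        log.transfer("examiner A", "evidence custodian", "secure storage",
                     datetime(2009, 12, 1, 17, 30, tzinfo=timezone.utc))
        intact_before = log.verify()
        with open(img, "r+b") as fh:  # an unrecorded, single-byte modification
            fh.seek(4096)
            fh.write(b"X")
        intact_after = log.verify()
        return (log.original_hash == hashlib.sha256(content).hexdigest(),
                intact_before, intact_after, len(log.entries))


if __name__ == "__main__":
    print(demo())
```

In practice the examiner works from a verified copy and the original stays sealed; the point of logging the hash at each hand-off rather than only at acquisition is that the custody record itself then shows which custodian held the exhibit when it stopped matching.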
Career Options
The typical career path/responsibilities for forensics
professionals include:
Entry-Level Forensic Analyst
Analysis of hardware, including applications and operating systems, storage media, file systems, hard drive imaging, etc. Forensics professionals need to know in depth how computer systems work and operate, says Eric Fiterman, CEO and president of Methodvue, a private intelligence organization specializing in the discovery and deterrence of complex threats to people, commerce and governance.
Senior Forensic Analyst
Analysis of software and applications, and know-how in data capture, including volatile and non-volatile data. Recovery of sensitive data, whether documents, emails, graphics, cookies, etc. Ability to identify the source and origin of a particular disruption or security issue, says Fiterman, and to answer “How bad is the damage, both in financial and technical terms, and who was responsible for this crime?”
Investigation Specialist
Forensic investigation services cover all areas of computer misuse: Internet/email abuse, fraud, pornography, hacking and intellectual property theft. Investigation procedures are needed, and in many cases required, to ensure that the evidence found can withstand examination in court.
Expert Witness
Forensic investigations often require presentation in court, and therefore the services of an expert witness who testifies that the evidence discovered in a particular case will withstand examination, says Eric Robi, CCE, an expert witness and president of Federal Forensics Group, an independent consulting firm specializing in computer forensics and analysis. The expert witness is usually required to provide independent testimony in the form of expert opinion, to present the findings in layman’s terms and in written reports for court presentation and/or examination, and to provide easy-to-read, well-organized “expert” reports to support the testimony, including reports and statements that verify where and how data have been recovered, processed, etc.
Management Position in Forensics
These days large companies have their own forensics
and e-discovery teams that do the required investigation,
analysis and recovery of systems and data. Most places
require a senior forensics manager to lead and support the
team as well as directly report to senior management.
Job Requirements
Forensics experts recommend an undergraduate degree in computer science or engineering, specializing in forensic computing or IT security. Next: a master’s degree and specialized training from certification bodies, including the SANS Institute, which offers the GIAC Certified Forensic Analyst (GCFA); EC-Council, for its Certified Ethical Hacker (CEH); and the International Society of Forensic Computer Examiners (ISFCE), which offers the Certified Computer Examiner (CCE). “Hiring an interesting mix of individuals of technology level professionals with strong IT background and law enforcement professionals has been successful for my team,” says Barger.
In addition, product training from forensics software providers, including Guidance Software (EnCase), AccessData and Microsoft, is essential for forensics professionals.
“Skills and abilities would be the logical and
mathematical ones of science and engineering and the
problem solving skills needed in detection as well as in the
sciences,” says Slay. Capacity to do tedious work with very
strong analytical skills and solid background in information
technology and network security is required in forensics,
adds Henry.
On the Job
Henry indicates that the starting salary for a professional in forensics is around $70,000 annually, assuming the candidate possesses the necessary IT and analytical background and training. For senior analysts and professionals the range is much higher, between $150,000 and $300,000 annually.
Among the challenges on the job:
Long Hours
The work is demanding when data needs to be analyzed and recovered from very large hard drives and applications, using varied tools to confirm the analysis, says Henry.
Keeping Pace with Technology
Things change so fast that maintenance, training and
education of tools/software for analysis and investigative
support becomes very difficult and at times expensive.
Cloud Computing
With the practice of cloud computing, “We do not have
evidence at one place, information is stored in bits and
pieces at different times, in different places which gets very
challenging,” says Fiterman.
For more information on career options in forensics:
• The International Association of Computer Investigative Specialists (IACIS)
• The International Society of Forensic Computer Examiners (ISFCE)
• American College of Forensic Examiners (ACFE)
• Cyber Security Institute
• Digital Forensics Certification Board (DFCB)
Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1674
The CAE at 10
Interview with Dickie George of the NSA
BY TOM FIELD
Ten years ago, the National Security Agency (NSA) started up
the Centers of Academic Excellence program to encourage
stronger information assurance programs at colleges and
universities. Initially, there were 7 designated CAE schools.
Today, the ranks have swollen to over 100 CAE-designated
schools, and information assurance professionals are much
better prepared to tackle the cybersecurity challenges we
face.
Dickie George, Information Assurance Technical Director within the NSA, discusses:
• The CAE program’s core mission;
• Benefits of the program for participating schools and students; and
• What to expect from CAE in its second decade.
TOM FIELD: Dickie, let’s take a step back here just for a
second and describe for us the core mission of the CAE
program.
DICKIE GEORGE: Well, the core mission is to look at the
students that are being produced today to educate them to
become future cybersecurity experts. It’s a tough world out
there, and there are a lot of adversaries that have access
today that they didn’t have 15 years ago. These students
have to be capable of addressing the threats that these
adversaries provide. You see everyday in the newspaper
where credit card numbers are lost, there is fraud, there’s
identity theft. We need to have professionals who are ready
to address those threats, and this program is designed to
make the students aware of those threats and to give them
the tools and the capabilities, the skills that they need to
address those threats.
FIELD: Now you’ve had 10 years to watch students go through the program and go into their careers. What have you seen as some of the outstanding career paths of these students who have completed these programs?
GEORGE: We’ve seen every path imaginable. We’ve seen
students that have worked through our government.
Mischel Kwon is one of the graduates, and she was running
CERT until just recently. We see several students have gone
to become very strong researchers and faculty members
throughout the country, and we see a large number of
students that have gone to DHS and to NSA and are reaping
the efforts that we have in cybersecurity for the nation. In
addition to the normal things that you think, like working at
very, very large companies that deal with security and cyber
across the country.
FIELD: So, you’ve got one decade under your belt with this
program now. If you were to project into the future another
10 years, what do you think we can expect to see come from
this program in the second decade?
GEORGE: I would like to see it expand, get more schools.
We already have two levels in the program. We have the
CAE and the CAR, which are research universities. We
would like to see, more soon, we would like to see more
collaboration. We need to get down to the community
colleges, the two-year schools, so we need an expansion in
the program. I would like to see an emphasis on getting to
students earlier in their careers — even to hit them in high
school, not as part of this program, but as a preparation so
they understand the value of this program in their future.
Some of the things that we do when we talk to high school
students is we try to explain to them how interesting the
problems are, how important they are, and that there is
a future in being a cyber scientist beyond just teaching,
which is important in itself, beyond just working for the
government. There is an aspect of being a cyber-skilled
scientist in every aspect of life today, and you can get this
through this program, and you get there much better
prepared than you do without this program. Educating all of
the citizens of the country to the threat and how to address
the threat is one of the key aspects that we need to address
as a nation, and this CAE program is the best way we have to
get those people out there who understand the threat and
can help to make others understand the threat.
Read the complete interview transcript online: http://careers.bankinfosecurity.com/podcasts.php?podcastID=320
The Employment Value of Multiple Certifications
Map Out Your Career — And Then Invest in It
BY UPASANA GUPTA
“Jobless recovery.” That’s one term used by observers to
describe today’s economy. It means that the economy is
slowly improving, but without the corresponding growth in
hiring and new job creation.
To stand out in the hiring process, then, IT pros must seek out not just one, but multiple professional certifications to specialize and bolster their resumes, says Brian R. Schultz, a senior board member of (ISC)² who holds these certifications: CISSP-ISSMP, ISSAP, CISM and CISA. “Security certifications are on employers’ minds these days, as companies look for certified personnel to safeguard assets,” says Tracy Lenzner, CEO of Lenzner Group, an executive security search and consulting services firm based in New York. “We are seeing more and more employers make certification a standard and a criterion for hire.”
In this situation, security professionals need to make the right decisions in pursuing multiple certifications. Kent Anderson, CISM, a senior member of ISACA’s Security Management Committee, advises prospects to ask “Where do I want to go in my career?” and then weigh the value of certifications. “The power of certification is amazing to help security practitioners be whatever they want to be in the future,” he says.
Ronald W. Pelletier, CISSP, CISA, CISM, CBCP, is a former senior manager of security risk advisory services at Ernst & Young, LLP. He was recently laid off and has acquired a new position as a senior security consultant with a private security consulting company. Being certified in multiple areas of specialization within security definitely gave him an edge in the hiring and interview process. “There is a confidence level in the job search, interview approach and overall job performance which certifications provide,” Pelletier says.
Hiring Manager’s View
For Debbie Wheeler, chief information security officer (CISO)
at Fifth Third Bank, certifications make a difference when
evaluating a multitude of candidates and are used as an
initial prioritization of candidates. “Certifications can initially
draw a hiring manager’s attention to a specific candidate,
but hiring decisions, ultimately come down to the hands-on
experience and overall qualifications of the individual,” she
says.
For security positions, Wheeler usually looks for CISSP,
CISA or CISM certifications, followed by other industry or
software-specific certifications such as forensic certifications
or tool-based certifications.
“When competing against someone else, one would like to think having multiple certifications will help over someone not having any or not the right combination,” says Richard J. Roberts, RF, ARM, CPCU, ALCM, MBA, a senior board member with the Risk and Insurance Management Society (RIMS). In the end, no matter how many certifications one has, it still comes down to how one applies those certifications and uses the acquired knowledge to help a present or new employer. “Certifications always bring value and speak volumes of an individual’s capability,” says Anderson. A combination of the right certifications tells employers that this person is committed, adaptable and possesses the breadth and depth of knowledge and experience required for the job.
Security professionals, however, need to convey how
all of their background will help the employer, so the
certifications are just a piece of the puzzle. “The blending of
proper expertise with proper education and certification will
work the best for all individuals,” adds Roberts. “The key to
this is that you need to be able to communicate your value
to employers.”
Types of Certification
There are basically two types of certification available: technical and experience-based. Within the technical category, the most common are CompTIA Security+, Certified Ethical Hacker (CEH), the Global Information Assurance Certification (GIAC) family, and vendor certifications from Cisco and Microsoft such as CCIE, CCNA, CCNP, MCSE and MCSA. Experience-based certifications, which are the most sought after, include the Certified Information Systems Security Professional (CISSP), the Certified Information Systems Auditor (CISA) and the Certified Information Security Manager (CISM).
The market is flooded with technical certifications from product vendors, all of which help individuals gain technical competency and demonstrate a thorough understanding of Internet and security technologies. These certifications are worth pursuing for individuals who want to stay in the technical field, for example network engineers, network and database technicians, system administrators and system architects.
The technical certification, adds Anderson, “makes
the individual competent technology-wise, but does not
necessarily help him grow in his career. Experience-based
certifications are the ones which add value toward future
growth. The goal here is to not just take the test and pass
the exam, but enrich your career through continuous
learning and improvement.”
To secure multiple certifications, security professionals should first map out a career path for themselves. Specialize based on where you want to be. For example: you are five years into your career as a security practitioner and envision being a chief information security officer (CISO). You then need to look at certifications that will help you get there. Look for experience-based certifications like the CISSP, CISM, CISA, CPP and RIMS Fellow (RF), which are most valuable as an individual moves to senior positions, demonstrating not just depth, but breadth of knowledge.
Boot Camps vs. Self Study
Have a career focus while choosing to specialize in multiple areas. “Do not go for a shotgun approach,” says Schultz. Enrolling in a boot camp can help you pass the exam, and is recommended for individuals with solid security experience who basically need to hone their skills. Boot camps, however, are not helpful for fresh graduates or junior security practitioners: they only aid in passing the test, rely on short-term memory and do not reflect real absorption of the principles in key security domains. “Purchasing a good study book and spending six months or so learning the material and principles is what goes a long way,” adds Schultz.
Boot camp fees usually range from $2,000 to $3,500 for most technical and experience-based certifications, and the training runs anywhere from three to five days. Self study, on the other hand, is cheaper, but time-consuming, and requires planning and discipline.
Take a Layered Approach
“Security practitioners should take the certification in steps,” maintains Anderson. For example, if you are already CISSP certified and want to specialize in audit and pursue the CISA certification, first get into the desired job role and become acclimated with the job function requirements. Learn while you work; then get the exam details and necessary paperwork completed. Submit them to the certifying body and set a timeline for taking the test. A good practice is to gain a broad certification like the CISSP while still in school or early in the security profession, and then gradually add a specialized certification based on job function and future goals.
Seek Management’s Support
Tell your organization’s management team about your career goal and where you envision being. Discuss it with them and see how you can balance work and set aside time to study. “Most employers today are extremely supportive, as they clearly see the value addition in employee education and certification,” says Schultz.
“Our organization will reimburse an employee for the fees associated with passing their certification exam, but we do not pay for boot camps or other training camps associated with the exams,” says Wheeler. “We have had many individuals successfully take and pass the CISSP and other exams through independent study.”
Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1265
Beyond Certifications: What Are the Qualifications That Really Stand Out on a Resume? Hint: There’s Nothing Like Hands-On Experience
BY UPASANA GUPTA
The CISSP has become almost ubiquitous among information
security professionals. The same can be said for many
industry- and technology-specific certifications.
And while certifications are not perfect, they are a decent way for security professionals to learn how to perform complex job functions, display basic expertise in required skill sets and enhance their standing as generalists. At the same time, certifications offer a potential employer a standard by which to assess whether a job candidate has the security expertise a specific job requires.
“Certifications in this arena have become a prerequisite for an information security job,” says Tracy Lenzner, CEO, Lenzner Group, an executive security search and consulting services firm based in New York. “We are seeing more and more employers make certification a standard and a criterion for hire.”
So, what is it, beyond certifications, that really jumps out from a resume and impresses a prospective employer? We asked several hiring managers for their insights on what they seek in prospective hires.
Nothing Like Experience
Certifications indicate a baseline of theoretical understanding and knowledge that the candidate will possess. But there’s nothing like hands-on experience in the job, says Nathan Johns, executive
with Crowe Horwath LLC and former chief of information technology at the FDIC. “If two equal candidates in terms of work experience are vying for a job, then the candidate holding certifications will probably have the upper hand,” Johns says. “However, a certified person with little experience will not fare so well against an uncertified person with a lot of experience.”
Jennifer Bayuk, former CISO at Bear Stearns & Co., looks for security professionals who distinguish themselves on their resume by communicating the type of problems they can solve and by giving a clear picture of how they fit the position, with examples of work accomplished in the field. “There is no substitute for hands-on experience.”
For Debbie Wheeler, chief information security officer
(CISO) at Fifth Third Bank, certifications make a difference
when evaluating a multitude of candidates and are used
as an initial prioritization of candidates. “Certifications
can initially draw a hiring manager’s attention to a specific
candidate, but hiring decisions ultimately come down to
the hands-on experience and overall qualifications of the
individual.”
Among the factors weighed beyond certifications:
Academic Background and Technical Ability
Bayuk seeks evidence of technical ability and depth of
technology understanding, as demonstrated by an advanced
degree in computer science or information assurance;
relevant published papers and related project work; and
work experience that maps directly to the job function.
Business Understanding of Security
Talking the language of business, with a business understanding of security, good communication skills and the ability to stand up and present at executive meetings, is another area that candidates should build upon, adds Johns. “Investing in a management and business course often helps to gain an edge over other security candidates.”
Internal Branding
“Today, getting a basic security certification is not enough
to differentiate and get a job; security professionals need to
differentiate themselves through outstanding performance
and internal branding,” says Lee Kushner, president, L.J.
Kushner and Associates, LLC, an executive search firm
dedicated exclusively to the Information Security industry
and its professionals.
And then there are the soft skills. Security professionals need to know how they project themselves to their colleagues and management team. What impression of them and their work do the people around them carry and talk about?
Kushner adds that security professionals need to move beyond baseline requirements by:
• Thinking about the industry affiliations and groups they want to be associated with;
• Deciding which leading-edge conferences they want to attend and participate in;
• Choosing the skill set they want to focus on, leading to a path of specialization; and
• Deciding what education and training to invest in to enhance their overall qualifications.
Tips for Moving Beyond Certifications
Hiring managers offer these tips to security professionals who want to enhance their resumes after they attain their necessary certifications:
Earn a Reputable University Degree
Earn a reputable university degree from one of the National Security Agency (NSA) approved and accredited academic
institutions in information assurance. Also, candidates
should look for programs that combine technical training
with business strategy and management courses.
Think From a Business Perspective
Besides knowing how to operate security tools and solve problems from an engineering standpoint, candidates need to focus on how these solutions affect the organization from a risk and compliance perspective, and direct their efforts toward making security a business driver.
Set Up a Home Laboratory and Get Hands-On Experience
Security professionals should invest in a serious lab environment and implement what they find interesting during their studies, especially with the readily available free versions of the technologies and software in use. This gives IT professionals the opportunity to acquire knowledge of the underlying theories and provides an outlet to implement security practices in real-world situations.
Internship in IT Security
Candidates who are still in school should consider taking up
relevant projects and an internship in information security.
This will help to provide an opportunity to get hands-on
real-world security experience and also help in networking
within the security market for future job prospects.
Join Groups
Join local security groups and associations like ISSA, (ISC)2, ASIS and InfraGard, and attend conferences such as Black Hat, RSA and MISTI.
Subscribe
Subscribe to targeted newsletters and forums, including those of the SANS Institute, ISACA and others.
Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1424
Life After CISO: What Are the Options? Tips on How to Prepare for the Next Big Career Move
BY UPASANA GUPTA
You’ve spent years in information security, toiling your way
to the top — to the CISO role. What’s next? What are your
career options, and how should you prepare for exploring
them?
Jennifer Bayuk is the former CISO at Bear Stearns & Co. She became an independent consultant after the company was acquired by JPMorgan Chase early last year. Bayuk notes that “The CISO title is something that sticks with you. It is not so much a title as a mindset. I was recently invited to be on a panel of CISOs at a conference, and suggested that it was inappropriate. But a colleague joked, ‘Once a CISO, always a CISO,’ and I knew what he meant.” She wants to remain independent and participate in projects and research that will increase national security as well as equip future security professionals.
Bayuk’s transition didn’t happen overnight, though. It came after careful consideration, and preparation, for “life after CISO.”
Here are some tips for security leaders considering their
next career moves.
Know Your Options
It’s always good to have career options, but there are times in your leadership career when you especially should start making plans, says Charlie Miller, former director of vendor governance at Merrill Lynch:
All Talk, No Action
When there are numerous senior management changes and most of the CISO’s time is spent explaining what they do, vs. doing what needs to get done.
Treading Water
When leaders are shifted to maintenance as opposed to building a security program and team within their organization.
To prepare themselves for their next move, existing CISOs need to make sure they stay current with their industry and profession. That means attending and participating in security and industry-relevant seminars and webinars; reading professional reports and books; subscribing to journals, magazines and newsletters; and joining industry groups and professional associations.
And since security these days is much more about the business than the technology, CISOs also must focus on
improving their understanding of business concepts and
communications. This is the competency that will impress a
future employer or client, and yet it’s often overlooked by
busy executives caught up in the daily grind.
Another key piece of advice: Network, network, network.
“Do your job effectively as a CISO, build relationships in
your current job with trusted peers, supervisors and your
extended network,” says Steve Katz, credited as the world’s
first chief information security officer. “The more trust you
build in your current position, the more opportunities you
will get after leaving the CISO position.”
Following are four distinct career paths that security
leaders have followed post-CISO:
1. Independent Consulting:
Many former CISOs embrace the path of independent consulting, either on a temporary or a permanent basis. “I like working for myself,” says Miller, who is now on the verge of forming an LLC with an associate, focusing on information security outsourcing, privacy, and training and awareness programs. He consults for the Santa Fe Group on enhancing the BITS Shared Assessments Program, used by institutions when evaluating a third-party provider’s control environment. “Independent consulting is successful when a strong reputation is built around the individual,” says Katz, a prominent figure in the network security discipline. For over twenty-five years, Katz has been directly involved in establishing, building and directing information security and privacy functions. He is the founder and president of Security Risk Solutions, an information security company providing consulting and advisory services to major, mid-size and startup companies, and an executive advisor to Deloitte.
Executives should rely heavily on building reputation and networking before jumping ship, as people will want to know “who you really are,” maintains Katz.
2. Advisory and Partnership Role:
Another trend among former security leaders is to take up an advisory or partnership role with a major consulting company, security vendor or educational organization, helping them manage their clients’ security and privacy risks. Katz, for instance, is currently an advisor to Deloitte in the area of risk management and security practices. “I have seen several of my colleagues — former CISOs within the government — take up positions with companies like McAfee and Symantec, as an advisor on their business, sales and marketing end,” says Daniel J. Lohrmann, the Michigan chief technology officer (CTO) and Deputy Director of the Infrastructure Services Administration within the Michigan Department of Information Technology (MDIT). Prior to becoming Michigan’s CTO, he was Michigan’s first chief information security officer (CISO), from May 2002 until January 2009.
“Ultimately your choices depend on what opportunities are available at the time you make the change,” says Warren Axelrod, research director for Financial Services at the United States Cyber Consequences Unit. “Right now, in this time of retrenchment, the job market outlook for CISOs is pretty glum. However, there is a substantial demand for subject-matter expertise and advice that comes from many years of on-the-job information security and privacy experience.”
Axelrod is executive advisor to the Financial Services Technology Consortium. Most recently, he was the chief privacy officer and chief business information security officer for US Trust, the private wealth management division of Bank of America.
3. Teaching and Mentoring:
“Security is the most valuable thing we have,” says Bayuk,
who is also a professor at Stevens Institute of Technology,
where she teaches enterprise security architecture. Both
Miller and Axelrod have done webinars for various security
clients on topics ranging from vendor governance, business
continuity and cybersecurity to outsourcing in security.
Lohrmann believes strongly in mentoring and providing
leadership insights by taking up opportunities in speaking
engagements, authoring blogs and books and by being a
member of professional organizations such as InfraGard
to make security more effective. He is also a distinguished
lecturer for the Masters Program in Information Assurance
at Norwich University.
4. Continue in the Corporate World:
If you’ve been a successful CISO in one specific business or industry, why not consider a similar role in another type of organization entirely? As Lohrmann points out, “The similarities (in roles) are greater than the differences.” The key difference: the specific culture and the way business cases are built to emphasize enterprise security in each organization.
Many former security leaders move on to equivalent or greater roles in banking, consulting and government organizations, where their knowledge, experience and skills are easily transferable. Take the case of Rhonda MacLean, a former CISO of Bank of America, who returned to the corporate world and took up a Global CISO position with Barclays Global Retail and Commercial Banking last year. She has, however, recently left Barclays.
Likewise, Lohrmann, while still in his CISO position, was asked to become acting CTO for the state of Michigan without a formal interview process.
Essential Skills for a Successful Transition:
Below are four basic elements provided by Katz to all existing CISOs who are looking to make a transition.
Excellent Track Record
You must have an excellent track record to be respected and admired as a leader. While still in office, invest time and effort in building a strong reputation.
Professional Proficiency
Develop professional skills, including business, management, security and compliance, all elements that the role demands for outstanding work performance.
Relationship-Building Skills
Invest in building meaningful relationships in your current job with trusted peers, supervisors and your extended network within the industry and outside it.
Self-Marketing Skills
You need excellent marketing skills to be able to sell security internally within the organization. Be able to build and present business cases effectively to management.
Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1594
Invest in Your Career: Interview with Pat Myers, Chair of (ISC)2
BY TOM FIELD
Despite the recession and record job losses, information
security remains a top concern for public and private sector
organizations. But what can security professionals do to
protect their careers and be considered for these jobs?
In an exclusive interview, Pat Myers, chair of (ISC)2,
discusses:
• Top security and risk management issues facing organizations;
• How security professionals can protect and invest in their careers; and
• Advice for people looking to either start or move into an information security career.
TOM FIELD: What should security professionals be doing
now to really invest in and protect their careers?
PAT MYERS: Well, you know, if you’re protecting your
company’s data, then the second part really comes
automatically, because you are investing in your career. My
advice is to spread the responsibility around, and that is,
as I mentioned, including something like a risk council. Be
sure that you essentially document all of the, either the
recommendations on your company’s vulnerabilities, you
know, and it certainly doesn’t hurt to keep your resume up
to date, either.
FIELD: Sure. What do you find differentiates a candidate in
times like these, when there are so many applicants for a
single job, even? What really stands out on a resume?
MYERS: You will see that job requirements today are
preferred or required certifications. And they usually list
what they are. So, they are looking for people who have
a track record, and have experience, and they also have a
certification. There are so many new certifications that have
come about in the last few years, and concentrations in
management, architecture, engineering. So, they are looking
to pigeonhole, you know, specific skill sets that individuals
have in the security area.
FIELD: You know, at (ISC)2, you’ve offered some new
certification programs of late, haven’t you?
MYERS: That’s correct. We have just recently launched a certification for the Software Security Lifecycle Professional, the CSSLP, and we are in the process of now reviewing individuals who already have experience in this area that wish to get this certification, and we are very excited about it, because there is a terrific response already to this certification, around the globe. It is something that has been needed. As we started out our conversation, I talked to you about software vulnerabilities, and this particular certification goes direct to that problem.
FIELD: Right. Now, one last question for you, Pat. If you were
going to offer advice to professionals, either looking to start
a career in information security, or maybe they’re mature in
a career and want to switch into information security, what
would you advise them?
MYERS: Well, they are two different questions. First of all, if
you’re not in the profession, and you want to start looking
at going into the profession, I would suggest that you, first
of all, start training yourself. You can do this, there are so
many free courses out there, the web is full of information,
that you review something like the common body of
knowledge, which the profession uses to talk to each other
about security, 10 different domains, and that sort of thing.
So, get yourself familiar with the lingo, the language, the
concepts of security. There are many IT jobs that have, as
a side security function. A part of their job is, maybe not
mainly security, but includes some security. So I would start
out in that area. You know that in order to get one of our
(ISC)2 certifications that you do have to have experience in
the field. So, the more experience you can start out with,
then the easier you are going to get your credentials a little
bit later. Now, if you’re already in the security field, then I
suggest you consider advancing your career by looking at
one of the other certifications, the concentrations that we
have talked about already. And if you are in the career, and
you find yourself out of a job, maybe if you have the luxury,
you should step back and reboot yourself, by evaluating your
career goals and objectives, and determining what is the
next credential that you might need to look at for getting the
few jobs that you already mentioned that are out there for
the highly skilled. n
Read the complete interview transcript online: http://careers.bankinfosecurity.com/podcasts.php?podcastID=203
NSA-Approved CAE Schools: 106 Universities Stand Out for Information Assurance Programs
BY UPASANA GUPTA
The National Security Agency (NSA), through the National INFOSEC Education and Training Program (NIETP), identifies 106 universities that conform to its standard for acceptable programs in information security today. The criteria for that determination are derived from recommendations of the National Security Telecommunications and Information Systems Security Committee (NSTISSC).
Read the complete list online at http://www.bankinfosecurity.com/articles.php?art_id=1970
Interactive map