Most organizations today have finally come to see information security as a business enabler and not simply as a black hole where they dump their money. Companies are putting security into every aspect of their operations to maximize productivity and profits. And they are hiring information security professionals at record rates to help them build and maintain secure networks.
Look out, though: There may be a missing piece to security that businesses aren't considering. While information security professionals can implement a suitable set of controls -- policies, processes, procedures, and organizational structures, as well as software and hardware protection -- that may not be enough anymore. It may be time we all accept that everyone who touches information technology should understand information security threats and solutions.
This new emphasis on "security understanding for everyone" has to start with the IT department and, especially, with network administrators. A recent study suggested that a high percentage of IT executives still have little idea how many breaches hit their networks every day, let alone what kind of incidents they are or what attack methods are being used.
Being in the dark is never a good idea in security, and it usually ends badly. At a minimum, we need network administrators who can recognize anomalies and report them immediately to the CIO as well as to the information security department.
We need an IT staff that has a solid foundation in information security best practices, from the upper echelon to the IT rookie. They need to implement all their information technology solutions in parallel with the security policy of the organization. Information security people converse in their own language, just as IT people converse in theirs. We need a common language and a common understanding.
Organizations can also mitigate security threats by conducting workforce awareness programs to help prevent spam, phishing, and virus attacks. Last year, one of my colleagues, Will Pelgrin, the director of the New York State Office of Cyber Security and Critical Infrastructure, conducted a pair of anti-phishing exercises within his own organization. He routed a bogus phishing email from outside the agency and delivered it to 10,000 employees. The intent of the exercise was to test employees' willingness to give up personally identifiable information to a supposedly trusted source.
Phase 1 of the test results showed 17 percent of the employees followed the link to the password-checker site; 15 percent tried to interact with the password checker; and 3 percent cut and pasted the URL into a browser. After implementing awareness training within the agency, results from phase 2 of the test showed only 14 percent of the staff followed the link; 8 percent interacted with the form; and 5 percent cut and pasted the URL.
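The exercise above is a before-and-after measurement: send the bogus email, score who followed the link, interacted with the form, or pasted the URL, then train and repeat. The following script is an added example of how such an exercise can be scored from its event log; it is not code from the article or from the New York State Office of Cyber Security. The log format, the event names and the sample data are assumptions made for this example. The one point it demonstrates that the percentages alone do not is that scoring must count distinct employees per phase, not raw events, since one employee who clicks twice is still one employee.

```python
"""Score a phishing-simulation exercise from its event log.

Added example, not part of the article or of any agency's own tooling.
It assumes a simple event log in which each line records the exercise
phase, a pseudonymous employee ID and what that employee did on the
bogus password-checker site. Event names and log format are assumptions.
"""
from collections import defaultdict

# Constructed sample log (not real exercise data). Each line is
# "<phase>,<employee_id>,<event>". Note that emp-0001 appears twice in
# phase 1 with the same event: scoring must count distinct employees.
SAMPLE_LOG = """\
1,emp-0001,followed_link
1,emp-0001,followed_link
1,emp-0001,interacted_with_form
1,emp-0002,followed_link
1,emp-0003,pasted_url
1,emp-0004,followed_link
1,emp-0004,interacted_with_form
2,emp-0001,followed_link
2,emp-0005,pasted_url
"""

# Assumed event vocabulary, mirroring the three outcomes the article reports.
EVENTS = ("followed_link", "interacted_with_form", "pasted_url")


def parse_log(text):
    """Return {phase: {event: set(employee_ids)}}, deduplicating employees."""
    hits = defaultdict(lambda: defaultdict(set))
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        phase, emp, event = (p.strip() for p in parts)
        if event not in EVENTS:
            raise ValueError(f"line {lineno}: unknown event {event!r}")
        hits[int(phase)][event].add(emp)
    return hits


def score_phase(hits, phase, population):
    """Percent of the targeted population that performed each event in a phase."""
    if population <= 0:
        raise ValueError("population must be positive")
    phase_hits = hits.get(phase, {})
    return {
        ev: round(100.0 * len(phase_hits.get(ev, ())) / population, 1)
        for ev in EVENTS
    }


def compare_phases(text, population, before=1, after=2):
    """Rates for both phases plus the change in percentage points per event."""
    hits = parse_log(text)
    b = score_phase(hits, before, population)
    a = score_phase(hits, after, population)
    return {
        "before": b,
        "after": a,
        "change_points": {ev: round(a[ev] - b[ev], 1) for ev in EVENTS},
    }


if __name__ == "__main__":
    # Population of 10 employees for the constructed sample; the real
    # exercise described in the article targeted 10,000.
    result = compare_phases(SAMPLE_LOG, population=10)
    for phase in ("before", "after"):
        print(phase, result[phase])
    print("change (percentage points):", result["change_points"])
```

Rates are computed against the whole targeted population, not against the number of people who responded, so an employee who ignored the email lowers every rate rather than dropping out of the denominator. The per-event change is reported in percentage points because, as in the article's own numbers, one outcome can fall while another rises between phases.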
As more organizations form dedicated information security departments, there is a danger that security training for IT professionals will be neglected. Research by (ISC)2 (the International Information Systems Security Certification Consortium) has found that reporting lines for security increasingly run outside the IT department, with only 29 percent of chief information officers now having ultimate responsibility for security in their organization.
What we're seeing is that there are people who will never pursue security certification or a dedicated information security career, yet they will still have significant responsibility for information security. As more of the information security function moves out of IT, there is a risk that these people will not receive any training or certification.
It is important that IT professionals who do not have formal security qualifications study for and obtain security certifications, such as the SSCP (Systems Security Certified Practitioner). The qualification is designed to validate IT professionals’ mastery of the technical implementation of systems security and their ability to collaborate with information security managers and executives responsible for security policy.
I believe that getting a formal qualification in security could give IT professionals more flexibility in their careers, as well as help institutionalize security into day-to-day operations. As time goes on, we see increasing convergence of IT operations and security. Certifications like the SSCP make IT professionals more marketable and more valuable in any IT organization.
Certification also brings other value to the IT professional’s career, including professional education opportunities, peer networking and industry communication, invaluable forums and events, and more.
And let’s not forget about job opportunities. If you asked me who I would hire -- an IT professional without security knowledge or one with security knowledge -- I’d feel much more comfortable hiring the latter. As IT becomes an ever larger part of our lives, the certification of the people who run these critical systems will only grow in importance.
— Howard Schmidt, Former White House cybersecurity adviser