Book Excerpt Part II: The Executive Guide to Information Security
By Mark Egan with Tim Mather
The following article is adapted from Chapter 1 of "The Executive Guide to Information Security," by Mark Egan with Tim Mather, which is scheduled to be published in November 2004. This is the second in a series of three.
The information security market is still in its infancy, with few formal standards established for products or services. The best way to characterize this market would be to compare it to the enterprise resource planning (ERP) market in the early 1980s. Companies at that time were purchasing finance, order processing, and manufacturing systems from separate vendors and having their IT staff integrate these products. This was a time-consuming and expensive process because no standards existed, and interoperability between different vendors was poor. The market then matured, and a small number of vendors such as SAP emerged as industry leaders. These leaders provided a complete solution for companies that included all the individual systems as part of their integrated ERP system. They also established the standards for smaller companies offering complementary functionality. Smaller companies either met the industry leader standards or found themselves pushed out of the market.
The information security industry is at a similar stage today, with several companies offering individual solutions such as firewalls that address only a portion of a company's security needs. As a result, their customers face the challenge of making all these solutions work together. Only early versions of standards exist, forcing companies to complete multiple installations of "point" solutions that provide individual components of their security systems.
As with the ERP systems, this will change as a small number of vendors emerge as leaders and offer complete solutions that can support the majority of a company's information security needs. Smaller niche players in the market will integrate their products with these leaders' standards because their customers will no longer be willing to have their IT staff perform this role. However, until this day comes, the IT staff continues to bear the daunting task of cobbling all these varied solutions together. They must deploy a constantly expanding list of products and complete the integration work to ensure that these components are working together.
Another significant challenge that IT technicians face is the sheer amount of data they need to absorb to understand and manage the current state of their computing environment. Each product generates alarms, logs, and so on that they must review to determine whether something is wrong.
Security products generate a great deal of data; however, only a small number of problems or "incidents" might be affecting the company. It is difficult for security staff to get an overall picture of the security environment and put plans in place to address the critical concerns. This is similar to the business challenge in the 1990s when executive information or decision support systems were developed to mine through large volumes of data to determine critical business trends. Several vendors now offer decision support systems to address this issue for business executives. The "holy grail" for the information security industry is to develop similar systems to solve this problem in the security arena.
An additional challenge is the relatively low priority that the software industry places on security. Although some leaders in the software industry have announced a new emphasis on security, the majority of the industry has yet to follow this example. They currently focus on making software easy to use and are under tremendous pressure to deliver new products and services, often sacrificing security. This results in the growing number of vulnerabilities. Until the software industry receives more pressure to prioritize security, even at the sacrifice of new features, this precarious situation will continue.
It will take some time for information security vendors to offer mature solutions to protect your business. In the meantime, you must develop strategies to mitigate these risks. The good news is that the security industry is following a similar pattern to other enterprise software industries, so these solutions will be forthcoming.
Shortage of information security staff

Finding qualified information security staff is a difficult task, which will likely continue to be the case in the near future. Driving the hiring challenge are the immaturity of the solutions from information security vendors, the limited number of qualified staff available, and the unique blend of information security skills required. Business executives will need to invest more in this area to overcome these challenges.
Due to the immature market, lack of standards, and numerous point solutions, training is a problem for security staff. The industry has not had the time to grow the staff necessary for these roles. In addition, the information security challenges keep growing at a rapid pace, constantly expanding the list of technology to be deployed, and the information security staff, put simply, just can't keep up. This translates into more time and money to get your staff trained on commercially available products.
Obtaining the necessary credentials for information security requires considerable training and experience. The Certified Information Systems Security Professional (CISSP) credential is an internationally accredited certification and requires passing a test on a broad range of information security topics combined with a minimum of four years of work experience. The related Systems Security Certified Practitioner (SSCP) credential requires one year of experience plus passing an exam. Certified Information Security Manager (CISM) also requires a minimum number of years of information security experience along with successfully passing a written exam. Certified Information Systems Auditor (CISA) requires a minimum of five years of work experience before sitting for an exam. SANS Global Information Assurance Certification (GIAC) requires candidates to submit a practical work assignment as part of their certification. All these certifications require ongoing annual training to remain in good standing, and GIAC additionally requires periodic retesting every two years. Security professionals holding these certifications are in high demand, and employers will need to compete to attract them to their companies.
In addition to specific technical training, information security staff members need to develop security enforcement skills that are not part of the traditional IT staff background. The military, intelligence, and law enforcement fields have traditionally conducted training in this area. In some respects, a company's security policies are similar to "laws" that must be enforced within a company, which requires specialized training. This unique requirement makes it difficult for existing IT staff to transition into information security roles without receiving specialized enforcement training.
Probably the greatest challenge in this area is finding a leader who has a broad background in the field and who can pull together an effective information security team. Few candidates have been in the information security field for more than a couple of years and have the required blend of technical and security enforcement skills. They also face the leadership challenge of taking inexperienced staff and developing them into effective information security professionals while dealing with ever-increasing security risks. These individuals are rare and in high demand.
Executives will need to consider longer-term strategies to address these needs because finding trained staff is not just a question of money but also a question of the time necessary to build the team around a limited number of qualified staff.
Mark Egan is chief information officer and vice president of Information Technology at Symantec. Tim Mather is Symantec's Senior Director of Information Security, and is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM).