The recent bombings in Ahmedabad and Delhi, and the audacity of the terrorists in announcing the bombings by email before they happened, were possible because of an unsecured Wi-Fi connection. A simple unsecured Wi-Fi connection used by terrorists exposed the importance of having security measures in place and has caught the attention of the entire country. Had the terrorists used an unsecured Wi-Fi connection belonging to an enterprise instead of someone's personal connection, the implications would have been entirely different. IT security has become a prime concern for every enterprise. Enterprises have to ensure foolproof systems and implement stringent privacy policies to avoid any misuse of vulnerabilities or loss of information. Information being the most valuable asset of an enterprise, its protection from unscrupulous elements has taken center stage as a strategic IT priority. Not only that, worldwide regulatory compliance requirements also demand that organizations better protect sensitive data and mitigate emerging threats. So, more organizations are recognizing the need for dedicated network professionals who can protect information from such threats.
Organizations are relying more on IT security professionals to protect not only their information assets but also their brand reputation and market value, and to meet compliance regulations. It is evident now that security professionals have become an integral part of an organization's business model. As per a recent IDC study, the Indian industry is expected to generate a demand for 1,22,874 network security professionals by 2009, whereas only 87,562 professionals would be available. This would result in a shortfall of over 35,000 professionals.
Professionals wanting to venture into the security domain will have to hone skills beyond their IT skills and technical know-how. Soft skills in management and communications, as well as an understanding of policy, processes and personnel, will only add to their advantage. Professionals coming from a networking background can grow into Information Security experts, while professionals coming from software development can become engineers and researchers with companies developing security products.
Security of an IT system implies that the person responsible for its security should keep abreast of technological changes, since new technologies will most definitely open up new avenues of threat. Much depends on how proactively a security professional detects such possible threats, provides solutions to mitigate them and ensures that business productivity doesn't get hampered. The IT security industry offers various opportunities that can be classified into three distinct areas: security operations, security management and security investigations. The responsibilities vary depending on the domain.
In the security operations domain, a security professional focuses on the hardware and software side of security for the organization's network and information assets. They ensure that the organization's network remains free from vulnerabilities. They also implement and manage applications such as antivirus software and Unified Threat Management devices to protect information.
Professionals in the security management domain are required to develop and implement security standards and procedures. They will also be drafting regulatory policies for tackling issues related to information security.
Abhay Valsangkar, Senior Director, Human Resources, Symantec Corporation:
"Gartner claims security software revenue will total $219.4 million in 2008, a 13.5 percent increase from 2007. The market is forecast to reach almost $240.4 million in 2012, an annual growth rate of 9.1 percent from 2007 to 2012. With such exciting growth in the market, we clearly anticipate a requirement for skilled professionals in the area of software security. These may include those on the engineering side, such as software design architects and software testers, or roles like QA, technical writing, sales and marketing and software management. Issues related to piracy, intellectual property, cyber crimes etc. herald the need for software security solutions all the more. This too would increase the need for skilled professionals."
The security investigation domain is a vast area. Professionals differ on the basis of their expertise: a penetration tester uses hacking skills to detect vulnerabilities in an application or in the organization's network, while a cyber forensic analyst uses investigative skills and an understanding of cyber laws, legal requirements on evidence and behavioral science to look into issues related to cyber crimes, piracy and intellectual property rights.
Information security covers not only organizational data within the enterprise, but hosted online data as well. A major concern for enterprises is securing their online data and websites. Therefore they are hiring auditors to report vulnerabilities in their websites through which a hacker could crash the site or leak data. Such a job can only be done better by a hacker himself. Ethical hackers have found recognition in enterprises, where they help in plugging the vulnerable zones in a website or network through which intruders could gain access to unauthorized information. Though there are specialized post-graduate engineering courses in information security, there are also specialized certification exams available. A security professional can opt for these exams depending on the area of specialization.
Lokesh Mehra, Regional Manager, Corporate Responsibility, Cisco South Asia:
"Varied skills are in vogue; it's no longer only viruses and worms which could be the cause of headache for a security professional. The person would also be responsible for ensuring that intellectual property resides within the company and does not reach competitors. Secondly, the person needs to play an activist role within the organization, educating people on compliance measures and how to protect information. Quite often, we all see people blurting out their passwords openly in offices when faced with a technical glitch, to get their problem resolved. The person needs to be an all-rounder encompassing technical, communication, collaboration and advocacy as well as business skills to understand the nuances of security impact, in addition to gaining the confidence of senior management for funding and conformity."
IT security is transforming from tactical measures to information risk management. The traditional role of IT security was confined to firewall configuration and perhaps antivirus updates, which is what beginners in any organization are exposed to. With maturity and experience, a professional's role evolves to protecting the enterprise from information loss and outages. At the CXO level, the individual would justify the cost of ongoing and future investments to mitigate information risks. Aligning business objectives with a concise security strategy is a critical element of this role.
The job responsibilities of a security professional depend on the nature of the enterprise and its security requirements. Broadly they can be defined as below.
Information Security Operations - to maintain and monitor security in a specific IT environment by implementing relevant technology controls. Specific tasks include implementation of network and technology infrastructure security controls, system and application security, and installation and maintenance of firewalls, antivirus software, intrusion prevention/detection systems, anti-spyware, etc.
Information Security Executive Management - to correlate the broad security guidelines of the enterprise with security operations, security project management, implementation of security as per the security architecture, risk and security monitoring, and security program implementation.
Information Security Management - role includes risk management, security program management, data security, policy creation and maintenance, incident management, business continuity/disaster recovery, security architecture, and security policy creation and maintenance.
Chief Information Security Manager - role includes design and development of information security policy, regulatory compliance and information security governance.
Dr. Smita Dilip Totade, President, ISACA Pune Chapter:
According to the Department of Labour, US, "the demand for computer security specialists will grow as businesses and government continue to invest heavily in cyber security, protecting vital computer networks and electronic infrastructures from attack. The information security field is expected to bring many opportunities over the next decade as firms across all industries place a high priority on safeguarding their data and systems. I believe that numerous opportunities would be available at various levels for security professionals worldwide...
Security Advisors/Auditors - independent, experienced professionals who provide advisory services for information security policy design, risk assessment and ISMS compliance as per global or industry-accepted standards.
From a software development perspective, too, a career in security technologies offers a challenging and interesting growth path. Software development professionals are expected to have thorough knowledge of computer networking, various programming languages and the flaws that may arise while programming in these languages.
Security certification is a major criterion for IT project managers, as companies are hiring certified professionals to safeguard their assets. The value of any certification depends on the candidate's requirements, as getting certified in another domain without any requirement does not prove fruitful. Getting a specialized certification, on the other hand, gives a broader perspective and adds value to the candidate's profile. Certifications for security include CISSP (Certified Information Systems Security Professional), SSCP (Systems Security Certified Practitioner), CCSP (Cisco Certified Security Professional) and the GIAC Security Essentials certification. CISSP provides solid information to security tacticians across 10 security domains. The CISSP credential is best suited to mid- and senior-level managers who wish to attain, or have already attained, positions such as CISO, CSO and Senior Security Engineer. Early registration for this exam costs USD 499. SSCP demonstrates practitioner-level skills and is ideal for candidates who are working toward, or have already achieved, positions such as Senior Network Security Engineer, Senior Security Systems Analyst or Senior Security Administrator. Early registration for this exam costs USD 369.