
Career Strategies
December 2009
Information Security Careers News & Education

Where the Jobs Are in 2010

Special End-of-Year Edition: Reflections on 2009, Perspectives on 2010

Looking Ahead

New Year Looks Promising for Professionals Skilled in Risk Management, Forensics

Also Inside

• The 7 Do’s and Don’ts of Social Networking
• Beyond Certifications: What are the Qualifications that Really Stand Out?
• Life After CISO: What are the Options?

Interview Excerpts

• John Rossi, National Defense University
• Dickie George, National Security Agency
• Pat Myers, (ISC)2

Information Security Media Group, December 2009

Career Strategies

Editorial Staff

Tom Field, Editorial Director
Linda McGlasson, Managing Editor
Eric Chabrow, Managing Editor
Upasana Gupta, Contributing Editor
Karyn Murphy, Contributing Editor

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries. This information is used by ISMG’s subscribers in a variety of ways: researching a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance-related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

Contact

Corporate Headquarters:
4 Independence Way
Princeton, NJ 08540
Phone: (800) 944-0401
Email: [email protected]
www.ismgcorp.com
www.bankinfosecurity.com
www.cuinfosecurity.com
www.govinfosecurity.com

Letter from the Editor

Welcome to the 2009 Careers ‘Yearbook’: Here’s Where We Use the Best of ’09 to Prepare for an Even Better ’10

By Tom Field

Now is the time to truly take information security careers seriously.

I say this on behalf of industry professionals because we’ve just seen a year in which cybersecurity has gone mainstream in business and government. From the president on down, leaders everywhere now appreciate the value of the information security professional. And we know that new opportunities abound in such areas as incident response, risk management and digital forensics.

But I also say this on behalf of my own company, Information Security Media Group, because we’re now redoubling our efforts to provide new, compelling careers-oriented content across all of our sites.

Over the past several months, we’ve re-thought our approach to careers coverage, assembled an impressive board of advisors (whom we’ll announce soon) and initiated new articles, interviews and features that will debut in the new year.

2010 promises to be a good year for all of us – for those of us looking for that next big job, as well as those of us who merely want to show you the way. To prepare for the new year, we offer you this “best of” edition that includes articles, interviews and special interactive features – a wealth of content at a time when you face a bounty of career options.

Enjoy, and good luck in the New Year!

Best,

Tom Field
Editorial Director
Information Security Media Group
[email protected]

Contents

Letter from the Editor

Featured Story / On the Cover

Where the Jobs Are in 2010
2009 was a tough year in many ways -- economic recession, massive layoffs, high unemployment rate, scores of bank failures. But there is good news for information security professionals looking for jobs within the public and private sectors in 2010.

Also in this Issue...

Call of Duty: The New Demand for Business Continuity Professionals
Once seen as “insurance,” BC/DR pros now valued for information assurance

Career Opportunities in Incident Response
What it takes to make it in one of security’s emerging fields

Digital Forensics: The Chance to Play Detective
Work is hard, but jobs plentiful for professionals who like to follow the evidence trail

The Employment Value of Multiple Certifications
Map out your career - and then invest in it

Interactive Map
The latest NSA-approved CAE Schools

The 7 Do’s and Don’ts of Social Networking
Recruiters increasingly use sites to recruit candidates — and screen their behavior

Beyond Certifications
What are the qualifications that really stand out on a resume?

Life After CISO: What Are the Options?
Tips on how to prepare for the next big career move

Interviews

Community Outreach: The Need for Information Security Pros
Interview with John Rossi, National Defense University

The CAE at 10
Interview with Dickie George of the NSA

Invest in Your Career
Interview with Pat Myers, Chair of (ISC)2

Social Media

The 7 Do’s and Don’ts of Social Networking
Recruiters Increasingly Use Sites to Recruit Candidates — and Screen Their Behavior

FaceBook, Twitter, LinkedIn — social-networking sites are now used both as recruitment tools for new talent and as screening sites for potential employees. As such, information security professionals should be careful to cultivate the right image on these and other popular sites.

By Upasana Gupta

“Securing employment is all about networking, and candidates should spend time cultivating relationships and investing in their online brand that will benefit them in the future,” says Barbara Massa, VP, Global Talent Acquisition, McAfee, Inc.

A Recruiting Tool

While not all companies use social media sites in the hiring process, the numbers are growing. According to a recent survey (June 2009) by CareerBuilder, the number of employers using social networking sites to screen candidates has more than doubled since 2008. Of more than 2,600 hiring managers, 45 percent reported using social networking sites to research job candidates’ backgrounds, up from 22 percent in 2008.

Michele Porfilio, a strategic sourcing director for Crowe Horwath LLP, a public accounting and consulting firm, says, “We leverage social media sites such as LinkedIn, Facebook, and Twitter for our information security hiring needs.” Based on the skill set needed, Crowe uses these tools for targeted search and outreach, and “within LinkedIn, we continue our visibility in creating an information security professionals pipeline,” she adds.

Besides LinkedIn, companies are establishing their presence on FaceBook and Twitter by creating a corporate page to increase visibility and open opportunities to network within the information security industry.

Niche and boutique information security recruiting firms such as BC Management and the Lenzner Group both use LinkedIn extensively in their candidate search and selection process and have established a strong contact base by promoting active interaction with members and affiliated member groups.

Tracy Lenzner, president of Lenzner Group, pays close attention to a candidate’s LinkedIn bio, ensuring that information on a resume does not in any way conflict with the candidate’s online profile.

Alicia Stevens, a senior recruiter with BC Management, uses a corporate database and LinkedIn for conducting research on prospective candidates and places a lot of emphasis on:

• Has the candidate spoken at industry events?
• Have they received any awards or public recognition?
• Do they have any relevant published papers or articles in their area of expertise?
• Are they members of any associations?
• Do they actively participate in any forums or affiliated groups?
• Do they hold professional industry certifications?

The Down Side of Social Networking

“Today, however, a candidate’s presence on social networking sites can even hurt them,” says Eric Fiterman, CEO and President of Methodvue, a private intelligence organization. It is very easy to post information -- at times too much information -- on these sites without considering that people may examine it and judge the poster’s character for a potential candidacy. Candidates need to remember that the information they post remains forever, Fiterman says.

In the same CareerBuilder survey, more than one-third of employers that checked profiles said they had found content that disqualified a potential hire. The top four reasons for disqualification were that the potential candidate had posted information about themselves:

• Drinking or using drugs;
• Displaying inappropriate photographs;
• Bad-mouthing their previous employer;
• Showing poor communication skills.

“Knowing who they are and selling that in your profile is key,” says Massa.

The 7 Do’s and Don’ts

1) Do Be Visible and Add Value

Be active in relevant member groups, forums and associations. Have a targeted list of companies and expand your network and connections accordingly so that you are recognized by industry associates. Creating a concise online profile is important so that recruiters find you in their searches; however, “Job prospects should never say that they are looking for a job on their profile and status update, as that gives a desperate impression to hiring managers and recruiters and often is a turnoff,” says Porfilio. Add value by posting useful links or comments that offer information and establish you as someone who knows their niche and area of expertise.

2) Don’t Badmouth Your Current or Previous Employer

Be careful not to gripe about your current or past employers in your online profiles. This usually reflects badly on candidates and tarnishes their image in the eyes of hiring managers and recruiters. Also, if you are currently employed, keep in mind any confidentiality and conduct agreements you may have signed to ensure you are not violating any terms.

3) Do Be Selective

Be careful about what information needs to be posted, where you decide to post it and how public you make it, says Fiterman. A good practice is to restrict posting personal information that may not be relevant to professional career growth and development. Emphasis should be placed on showcasing expertise, skill set and work-related activities, including speaking engagements, articles and papers published and core strengths.

4) Don’t Let Out Personal Information in Public

Tweet, chat and discuss business and the emerging trends in your industry, but limit posting information on your personal life, which can be a subject of major scrutiny by recruiters and hiring managers. “My hiring decision will definitely be influenced in learning that a candidate is involved in playing cards as a hobby and is a member of any affiliated association,” says Stevens.

5) Do Get Valuable Recommendations

Getting recommendations from former employers and current supervisors is always good, says Massa. But candidates should also go outside their organizations to seek valuable recommendations and get endorsed by clients, business partners and leaders that carry weight.

6) Don’t Use Inappropriate Language and Photos

Most often, candidates’ use of language and choice of photographs posted are the reasons for ticking off recruiters, says Stevens. You need to ensure that information posted is written professionally, without swear words and catchy phrases. Also, be very selective in posting photographs and use your judgment to ensure that these photographs are how you want the public to see you.

7) Do Create an Online Image

“Creating a powerful online brand is what will truly distinguish candidates,” says Massa. You need to invest in developing an online personality which will clearly set you apart from your peers. You must consider:

• What are the industry affiliations and groups with which you would like to be associated?
• What are the leading-edge conferences you want to be attending and participating in?
• What kind of education and training do you want to be investing in to enhance your overall qualification?
• Invest in creating a name for yourself by blogging in recognized publications, creating an impressive following on Twitter and LinkedIn, and constantly appearing at conferences and speaking on your subject matter expertise.

Creating an online personal brand can be a strong asset to a candidate’s job search and a great way to toot one’s horn. When creating an online personal brand, job prospects need to be sure to maintain continuity between all of the sites they are using. “It’s about finding the right mix of sites and content to best serve their goals,” says Allison Nawoj, a senior career adviser from CareerBuilder.

Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1957

Interview

Community Outreach: The Need for Information Security Pros
Interview with John Rossi, National Defense University

By Tom Field

It’s time for information security professionals to give back to their communities — to reach out and educate businesses, schools and citizens about cybersecurity and other relevant issues.

This is the message from John Rossi, professor of systems management/information assurance at National Defense University.

In an exclusive interview, Rossi discusses:

• Why security professionals should practice outreach
• Potential venues for public speaking
• How to get started

TOM FIELD: So the premise is that security professionals should practice more outreach; what exactly do you mean by that?

JOHN ROSSI: It is probably no secret that information technology professionals and security professionals specifically tend to be a little bit on the “geeky” side. We hide in our offices, and we generate code or we write policy; we will do telecommunications software, and we kind of tend toward “leave us alone and let us do our thing.” But I think where we really need to move is to integrate ourselves better into the community.

We have seen years ago that CEOs needed to have a place at the corporate table; well, now we are saying that Chief Information Security Officers also need a place at that table. And not only at the corporate table, but I believe that it is very important, professionally and personally, to reach out to the community at large; our own local communities, our libraries, our high schools, our junior high schools, our colleges. And so what I mean is that the security professional should get out and inspire, motivate, mentor individuals and groups in the community.

FIELD: Well, you make a good point here, John. You know these are stretching some new muscles for a lot of people in the profession, so what are some effective ways that security professionals can share their expertise?

ROSSI: Well, I will share with you what I have done, and that way if I have walked the walk, then there are others who can do it as well. There is nothing special about me.

What I have done is I have raised my hand to speak at conferences, so security professionals that come to conferences, security conferences, will get to hear whatever I happen to be thinking of at the moment, whatever the topic is, and that is one way.

Maybe a little more grassroots, though, is to get to the youth of the community and speak in some of the inner city schools. I have gone out to local inner city Washington, D.C. high schools and spoken about fields, about careers in the information technology field and the information assurance field, and it kind of gives those youngsters something to look up to, look forward to, see how they can contribute to the community.

Another way is writing. Some people have a skill in writing, and they don’t like to speak, they are very uncomfortable. My wife would probably rather die than have to give a presentation in front of an audience. So there are many people who are nervous about that. Perhaps we can write, and if we can write there are plenty of newsletters and magazines that would love to publish well thought out articles in the security field.

Read the complete interview transcript online: http://careers.bankinfosecurity.com/podcasts.php?podcastID=373

Cover Story

Where the Jobs Are in 2010
New Year Looks Promising for Professionals Skilled in Risk Management, Forensics

2009 was a tough year in many ways — economic recession, massive layoffs, high unemployment rate, scores of bank failures. But there is good news for information security professionals looking for jobs within the public and private sectors in 2010.

By Upasana Gupta

There are jobs aplenty, thought leaders say, for information security professionals looking to change jobs, move into leadership positions or switch industries altogether.

The keys to success are to recognize the top growth areas, and be prepared to tackle new skill sets.

“Companies today are looking to hire one or two key information security professionals who are experts in a broad range of security skills and are capable of playing several different hats,” says Jeff Snyder, president of securityrecruiter.com. Among the hot skills: access control, user provisioning, digital forensics, incident handling, data loss prevention and ethical hacking capabilities.

“We continue to see demand for positions including security architecture, application security, risk management and regulatory compliance,” he says, adding that professionals with these skills will continue to be hired by companies to play a critical role in safeguarding against security threats and challenges.

However, as automation and security monitoring tools take over, some security functions such as patch management, network monitoring, vulnerability analysis and help desk functions will see more layoffs, hiring freezes and outsourcing, says Brian Barnier, a board member with ISACA and a senior partner with ValueBridge Advisors, a security advisory and consulting firm based in Connecticut.

Yet the role of risk management in information security is being re-emphasized and will continue to be a key driver impacting the profession and the job market, says Steve Katz, former CISO at Citigroup, JPMorgan Chase and Merrill Lynch.

“IT security professionals increasingly will be asked to act as advisers to senior business management on risk management strategy going forward,” Katz says.

Following are the seven top growth areas for information security professionals in 2010:

1. Risk Management

“Cyber risk is real,” and companies are looking for professionals who can understand the business risks and explain the value they’re providing to senior management, says Katz. Organizations today are largely concerned with viability and survivability, spending their time, resources and efforts on meeting industry standards and the regulatory checklist. They are not necessarily taking a risk-based approach, Katz says. “They are saying ‘If I do the checklist, then I must be okay,’ and that is really not a good idea.”

Security professionals and leaders need to understand how risks affect their own particular role and how that fits within the overarching risk management process of the organization. “Professionals who realize that security is inextricably linked to business and business risks will be successful and in demand in this market place,” says Mischel Kwon, vice president of Public Sector Security Solutions for the Worldwide Professional Services unit at RSA.

For security professionals and senior leaders hoping to thrive and remain strong in the information security discipline going forward, “The key will be to understand that we all have a part to play in recognizing, evaluating and mitigating risks,” says Kwon. Therefore, a proactive, efficient and automated management of risks will ensure, she says, “that we all have the information required to perform our role and make important decisions in the future.”

2. Security Process Management

Increasingly, organizations focus their efforts on streamlining and centralizing security processes to make security cost effective and efficient. Better security process management enables organizations to determine their most significant security exposures, target their budgets toward addressing the most critical issues, and then achieve the right balance between cost and security, says Barnier. Therefore, business and security process professionals will definitely see an upswing in demand for their skills in:

• Implementing multi-tasking solutions that protect data according to its risk classification levels;
• Investing in the right mix of tools and technologies to manage multiple security measures;
• Knowing when to outsource key services, including network perimeter security; and
• Having the ability to operate cross-functionally and communicate with business units.

3. Business Side of Security

Organizations today are looking for forward-thinking professionals who, instead of saying ‘no’, talk to their business colleagues and see how they can get things done.

Another area of growth will be for more senior and well-rounded security professionals who understand both business and technology and can effectively communicate in business terms to senior management. “At most companies today, security projects are driven by compliance and audit and as such lack a business alignment with security,” says Kwon. As a result, security professionals are not working on business problems, but rather on regulatory issues. “IT security professionals will therefore need to have a greater understanding of business if they are to succeed in the next decade,” she says. These integrated skills are required for better risk management practices, for understanding, implementing and managing emerging technologies, and for justifying budgets in tight economic times.

4. Forensics and Fraud Detection/Prevention

Forensics has become critical in the last few years, as people extensively use technology for criminal purposes and cyber fraud. Three broad industries need qualified digital forensic expertise on a daily basis:

• Information Security: to stop hackers and computer-based attacks, and to recover from data breach incidents.
• Legal: to win civil and criminal cases involving electronically stored evidence.
• Law Enforcement/Defense Industrial Base: to arrest and prosecute criminals and deter enemies.

In the current job market, demand for such experts is increasing in the United States, where many companies are facing real-time cyber crime activities. “We have forensic experts that we are looking for,” says Nadia Short, vice president of strategy & business development at General Dynamics Advanced Information Systems, which seeks people who are able to lead investigation and incident response activities. These individuals primarily focus on the ability to understand file systems, logs, histories and patching and, more importantly, to understand chain-of-custody activities as, in Short’s words, “we look to provide that kind of data to law enforcement officials as they look to put the bad guys away.”

5. Software and Application Security

Specialized and niche security recruiters such as Snyder continue to see a strong demand in the area of secure software development and application security. The security implications of software development, operations, maintenance and deployment are gaining prominence “as companies are increasingly focused on integrating security with their software lifecycle to build superior, secure products and applications,” says Snyder. “There will always be a growing demand for qualified security programmers, web application analysts, software engineers and security architects,” he adds.

6. Regulatory Compliance

With new regulations and compliance requirements expected in the New Year, there may be some significant job openings at federal and state regulators. Nathan Johns, a senior executive at Crowe Horwath, a top 10 accounting firm and risk management advisor, and a former FDIC examiner himself, sees openings as increased regulations are enforced on security outsourcing and offshoring services. “Examiners will keep a close tab on where the data and information is being sent and who takes ownership for this data when information travels overseas,” he says. Other areas getting emphasis will be new standards for application and product development, testing and signoff.

7. Emerging Technologies

As consolidation and collaboration continue to take place within the financial sector, the government places emphasis on critical infrastructure protection. Emerging technologies including virtualization and mobilization of services, cloud computing, and centralization of data centers and services will call for a new breed of project-based consulting professionals, says Barnier — which translates to a need for new and specialized skill sets in these promising technologies.

Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1977

Business Continuity

Call of Duty: New Demand for Business Continuity Professionals
Once Seen as “Insurance,” BC/DR Pros Now Valued for Information Assurance

By Upasana Gupta

When Anne Marie Staley first became a business continuity/disaster recovery (BC/DR) professional, many organizations minimized the role.

“Until recently, most organizations treated business continuity like health insurance,” says Staley, senior manager of Business Continuity Planning and Disaster Recovery for North America at the New York Stock Exchange. “[They focused on] getting the cheapest coverage, hoping nothing ever happens, reluctantly paying the premium each month and praying that when the inevitable happens, they have enough coverage.”

Times clearly have changed. In this post-9/11 world, BC/DR functions have emerged to play critical roles in protecting organizations from natural, man-made and pandemic disasters. “We are now seeing a wonderful convergence and subsequent maturity in the form of a new paradigm of business continuity management which involves more formal risk management practices integrated with information security,” Staley says.

With the emergence of BC/DR comes a greater emphasis on hiring professionals with the right skills and credentials.

The Right Stuff

Risk assessment skills have become significant in business continuity, says Stephanie Balaouras, principal analyst at Forrester Research. In the past, organizations often focused their BC/DR efforts on natural disasters and overlooked the mundane events that actually cause most disruptions — power outages, IT failures and human error. But leaders have come to realize that they must take the time to conduct a more comprehensive risk assessment that identifies all probable risks, in order to safeguard company reputation and meet the expectations of customers, external parties and internal auditors.

“Executives are forced to pay close attention to the areas where businesses are struggling: testing more thoroughly and frequently, involving business owners in the process from start to finish, and ensuring the business continuity readiness of strategic partners,” Balaouras says.

Also, the emergence of increased threats such as pandemic outbreak, recession, power outages, terrorism and cyber fraud pushes the need for qualified business continuity professionals. “All of these events are uncomfortably recent, and as we’ve learned, any of them can bring a country or community — let alone a single firm — to a standstill,” says Steve Ross, executive principal, Risk Masters, Inc., a New York-based business continuity and crisis management consulting firm.

The key questions: Who are the right people, and what

role do they play within an organization?

“The right fit for business continuity function is

professionals coming from a risk management background

with exceptional risk monitoring, measuring and mitigating

skills,” says Cheyene Haase, president of BC Management,

Inc. an executive search firm that places business continuity,

disaster recovery, information security and emergency

management professionals internationally.

Key Credentials

Among the business continuity credentials most demanded by employers, Haase says:

Certifications
Professionals holding industry certifications such as CBCP, CISSP, CEM and PMP are largely preferred, as the credentials show that individuals will stay current with the industry through continuing education.

Academic Qualification
A college degree is very often a requirement for BC/DR positions. “Furthermore, to achieve a leadership position, holding a master’s degree puts a candidate in a more favorable position compared to competitors,” says Haase.

Business and Technology Focus
A strong understanding of business and technology issues in contingency planning, emergency response, crisis management and communications, risk management, organizational resiliency, IT continuity, testing, implementation and regulatory issues is essential.

Prior Business Continuity Planning Experience
Previous experience developing contingency and business continuity programs globally is highly sought after by potential employers.

‘Soft Skills’ a Must in Leadership Roles
Individuals with well-rounded backgrounds in both business and technology are largely preferred for leadership roles. They also must be able to build business cases and to communicate with peers and with senior management.

Industry Associations
Professionals need to be associated with industry associations dedicated to business continuity and related disciplines, including the Association of Contingency Planners (ACP), the Disaster Recovery Institute (DRI) and the Business Continuity Planners Association (BCPA).

In addition to their primary roles of business continuity planning, business impact analysis and understanding of the key risks and vulnerabilities to the organization, business continuity professionals also must:

Seek Input — from executive management on risk tolerance, areas of concern and unknowns. Discussions on risk perception, business strategy and trends should become key aspects of moving beyond the traditional focus on natural disasters, fires and data corruption. “It’s important to plan for these threats,” says Ross, “but also to get input from the executive management team about other financial and operational risks that may not be receiving focused attention.”

Get Engaged — move beyond executing methodology and begin learning the business, break down organizational barriers that get in the way of understanding all aspects of business continuity risk, and get involved by building teams to address business continuity risk and leading them toward a solution.

The recessionary impact is that organizations are selective in hiring, continuing to try to “do more with less,” which means employees often need to wear several hats in performing their role as BC professionals. A good background in related skills such as information security, risk management, incident response and business is hot in the job market. Career growth in business continuity is tremendous, says Ross, and individuals can branch into risk management, crisis management, incident response, physical security, strategic planning and policy roles, as well as move into upper management positions such as chief risk officer and chief strategic advisor.

Beyond insurance, BC/DR now is valued for the level of assurance the role brings to an organization, Staley says. “A key strength of successful business continuity professionals is their ability to facilitate a group of people toward a solution to mitigate risk to an acceptable level.”

Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1932


Career Opportunities in Incident Response
What It Takes to Make It in One of Security’s Emerging Fields

Incident Response

BY UPASANA GUPTA

This past Independence Day weekend, hackers targeted government and business websites in the United States and South Korea, leaving network managers struggling to differentiate between legitimate and illegitimate web traffic.

In January, Heartland Payment Systems, the sixth-largest payments processor in the U.S., announced it had been breached in 2008. Hackers had gained access to its computer networks and had been able to see credit card and debit card numbers as they were processed for several months in 2008, exposing an undetermined number of merchant and retail consumers to potential fraud.

At numerous companies and agencies of late, disgruntled employees have violated internal policies or misused system access for their own monetary gain or for revenge on employers. Insider threat is a growing criminal activity, especially when organizations merge, are acquired or lay off employees.

Security-related incidents such as these have become not only more numerous and diverse, but also more damaging and disruptive. Incident handling and response has therefore become an increasingly popular career choice.

“As we can take steps to reduce risk in cybersecurity but cannot eliminate risk, we need to come to terms with the fact that eventually there will be an incident and an incident response team will be needed,” says Shane Sims, director in the forensic services practice at PricewaterhouseCoopers, where he provides investigative, forensic technology, security incident response and cybersecurity services to commercial and government clients.

The Many Hats of Incident Response

Expert security professionals with proficient skills in preventive activities and appropriate response actions can lower the number and potential impact of incidents at any organization.

The incident handling and response team draws on a variety of skill sets and requires different kinds of expertise:

Network Security Specialist
Organizations constantly need a network and system specialist who is extremely familiar with operating and configuring routers, firewalls and intrusion detection systems.

Penetration Testers
Known as white hats or ethical hackers, these individuals are crucial to the team for assessing a system’s potential vulnerabilities, which may result from poor or improper system configuration, known and/or unknown software flaws, or operational weaknesses in process or technical countermeasures.

Incident Handlers
Incident handlers are people with thorough knowledge of attack methodology and incident response, performing analysis and response tasks for various sample incidents and applying critical thinking skills in responding to incidents. “They are the individuals who need to predict that problems are going to happen and what action will be needed to mitigate these issues,” says Peter Allor, steering committee member of the Forum of Incident Response and Security Teams (FIRST). He also is the program manager for cyber incident and vulnerability handling for IBM.

Forensics Analyst
This role focuses on the rigorous, scientific and thorough forensic analysis of computing systems for evidence and impact of system compromise, and on digital support of legal, HR and ethics investigations. The role includes the forensic analysis of digital evidence and an understanding of evidence handling, chain of custody, and operating systems and file systems. This is an emerging, vital role in incident handling that has started getting attention and recognition in recent years, maintains Mike Poor, founder and senior security analyst for the DC firm InGuardians LLC.

Research Analyst
Research analysts focus on learning new techniques and mitigation and protection strategies, staying abreast of technology to support incident response activities.

Team Leader
Team leaders are typically in charge of leading the team through crises and are involved with people across business units, communicating what is going on, what it means and what it costs the business.

Methodology

An incident response team generally follows the same sequence of steps for all types of attacks:

1) Preparation and Training
This includes methods to prevent attacks, as well as how to respond to a successful one. In order to minimize the potential damage from an attack, some level of preparation is needed. These practices include backing up all key data on a regular basis, monitoring and updating software on a regular basis, updating anti-virus software, and creating and implementing a documented incident response policy.

Training is another step that is crucial for the execution of the incident response plan. “The training, in my opinion, should be provided in two forms at a minimum -- what I call a walk-through drill and a tabletop exercise,” says Sims.

A walk-through drill is when one gets all of the participants that would be involved in an incident response into a room, creates a breach scenario and then walks through it, telling them what they are supposed to do and what the expectations are of them.

A tabletop exercise is where one gathers all of the incident response players around a table and walks through a breach scenario, asking the different people who are required to perform certain actions to chime in and play the role that they would in the incident response.

2) Identification
While preparation is vital for minimizing the effects of an attack, the first post-attack step in incident handling is the identification of an incident. Identification includes knowing that an attack is occurring, its effects on local and remote networks and systems, and where it originates.

3) Containment
Once an attack has been identified, steps must be taken to minimize its effects. Containment allows the incident responder to protect other systems and networks from the attack and limit damage. The response phase details the methods used to stop the attack. Once the attack has been contained, the final phases are recovery and analysis.

4) Recovery and Analysis
The recovery phase allows users to assess what damage has been incurred, what information has been lost, and so on. Once it is certain that the attack has been contained, it is helpful to conduct an analysis of the attack. Why did it happen? Was it handled promptly and properly? Could it have been handled better? The analysis phase allows the users and responders to determine why the attack succeeded and the best course of action to protect against future attacks.
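As an added illustration of the identification and containment steps above (example code written for this edition, not taken from the article or from any of the practitioners it quotes), the Python below runs simple rate-based detection over a few constructed web-server log lines in combined log format, of the kind the July 4 traffic floods would have produced, and emits temporary deny rules for the sources it flags. The log lines, the default threshold of five requests in ten seconds and the iptables rule syntax are all assumptions chosen for the example; a real team would tune the threshold to its own baseline and route the rules through its change process rather than applying them blindly.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in combined log format; not real traffic.
# 203.0.113.7 fires six requests in six seconds, 192.0.2.9 sends six requests
# spread over two and a half minutes, 198.51.100.20 is a quiet, legitimate client.
# One deliberately malformed line checks that the parser skips junk instead of crashing.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jul/2009:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [04/Jul/2009:10:00:00 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Jul/2009:10:00:00 +0000] "GET /news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jul/2009:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jul/2009:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jul/2009:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is not a valid log record and must be skipped
203.0.113.7 - - [04/Jul/2009:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jul/2009:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Jul/2009:10:00:30 +0000] "GET /news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Jul/2009:10:01:00 +0000] "GET /news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [04/Jul/2009:10:01:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Jul/2009:10:01:30 +0000] "GET /news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Jul/2009:10:02:00 +0000] "GET /news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Jul/2009:10:02:30 +0000] "GET /news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Source, timestamp, request line, status and size of a combined-log-format record.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one log line; return None for anything that is not a valid record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m.group("src"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def peak_rate(timestamps, window):
    """Largest number of events from one source that fall inside any interval of length `window`."""
    times = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def identify_sources(log_text, threshold=5, window_seconds=10):
    """Identification step: map each source whose peak request rate reached `threshold`
    requests within `window_seconds` to that peak count."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_src[rec["src"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, stamps in per_src.items():
        peak = peak_rate(stamps, window)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def containment_rules(flagged):
    """Containment step: temporary deny rules for the flagged sources.
    iptables syntax is an assumption about the environment; adapt to your edge device."""
    return [f"iptables -I INPUT -s {src} -p tcp --dport 80 -j DROP"
            for src in sorted(flagged)]


if __name__ == "__main__":
    hits = identify_sources(SAMPLE_LOG)
    print("flagged sources:", hits)
    for rule in containment_rules(hits):
        print(rule)
```

The window matters as much as the threshold: with the defaults only 203.0.113.7 is flagged, but widening the window to two minutes with a threshold of three also catches the slow, steady 192.0.2.9, which is exactly the kind of tuning decision the preparation phase should settle before an incident rather than during one.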

An incident handling and response team should be trained to handle “these normal emergencies” that happen day-to-day on the job, as well as to escalate to a learning and protective mode and secure business and systems at any organization, says Allor. “We need help now, not tomorrow,” he states. “That is why incident response as a profession is very high among people’s wish lists.”

Necessary Skills

To be successful, practitioners recommend the following skill sets.

An In-Depth Technical Background
Professionals transitioning into this field need a thorough knowledge of networks and systems, including operating systems, desktops, servers and network communications. Certain specialties, like understanding web and data applications and how they work, help a great deal, says Poor. Usually a bachelor’s or associate degree in IT, computer science or information assurance is preferred.

Ability to Communicate
The ability to communicate is crucial, as professionals need to be able to explain to their clients or business units: What is the issue or problem? What has been the impact? What does that translate to in business cost? What are the possible options? When can these options be exercised? “I primarily look for people who can effectively communicate in plain English and understand the importance of being conversant in such issues,” says Allor.

Supporting the Business
Getting the business units involved in discussing incident handling and response issues is fundamental to seeing how best to secure the systems and the business. “We as practitioners need to provide value, which can be done by understanding how business perceives the underlying risks and how jointly we can solve issues,” maintains Allor.

Ability to Remain Composed
“Ability to remain calm under fire is typically what I look for while hiring candidates,” says Poor. “As practitioners we are under the gun the majority of our work life and need to be able to work effectively under this constant pressure.”

Work Experience
All experts say that certifications such as the CISSP or the GIAC Certified Incident Handler (GCIH) from SANS are secondary to the level of work experience they look for in hiring an incident handler. All require prior work experience handling incidents and crisis situations. “What we really look for in candidates is the technical ability to perform,” adds Poor, including participation in security associations, conferences and forums.

Ability to Network
“When I have an issue, I reach out to my peers in companies like Cisco, Juniper, HP to ensure a good fix can be applied quickly to the problem,” says Allor. One needs to establish a network outside the organization to get help when required.

A good entry point into incident handling and response is for professionals already involved with security and network monitoring systems who have the desire to escalate and do more. The salary range for incident response professionals is typically between $70,000 and $140,000 annually.

Where Are the Jobs?

Incident response jobs are readily available with government agencies, including the Defense Department, Department of Homeland Security, National Security Agency (NSA) and the U.S. Treasury. Government contracting companies such as General Dynamics, Booz Allen Hamilton, Northrop Grumman and Lockheed Martin increasingly hire individuals with this expertise.

Within banking and financial services, consulting and advisory firms such as KPMG, Deloitte, PricewaterhouseCoopers and others have a constant demand for incident handlers and responders. Usually large community banks, credit unions and national and international banks hire these professionals to act as first responders and investigators for incidents and attacks.

Incident response can include a disruptive and erratic work schedule as well as high work pressure. Job seekers need to be prepared, very committed and passionate to take this up as a career, Poor says.

“We are like medical practitioners in our field,” he says, “where we are on call 24/7 and are paged to handle a crisis situation.”

Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1724


Digital Forensics: The Chance to Play Detective
Work Is Hard, But Jobs Plentiful for Professionals Who Like to Follow the Evidence Trail

Forensics

BY UPASANA GUPTA

After Hurricane Katrina devastated much of Louisiana, the state was granted $9 billion for recovery and disbursement to individual homeowners. Keith Barger, a director in KPMG’s Forensic practice in Houston, was put in charge of a forensics and fraud team to verify insurance claims, conduct investigations and trace fraudulent activity. This work kept Barger’s team busy for a year and a half.

“Forensics is broader in scope than people anticipate,” Barger says.

He specializes in electronic data discovery, data analytics and investigative services in support of civil litigation and provides advisory services regarding technology-related matters. He also provides expert witness testimony when appropriate in connection with these services. His in-house team is involved in high-profile investigations, applying tools and methodologies to data analytics, data mining, recovering deleted files, tracing internet activities and many other tasks. Most of his clients are government agencies and large private corporations. The team consists of:

• A forensics manager who has direct oversight of the forensics practice and is qualified to certify a forensics lab environment;
• Evidence custodians who are involved in tracing, recovering and storing evidence;
• Research and development individuals who maintain databases and spend time keeping abreast of emerging technologies, software and methodologies;
• Cell phone and digital media specialists; and
• Intrusion detection professionals.

The forensics profession today is fast-growing because of the increasing number of cyber crime activities that occur throughout the world, maintains Barger.

The Emergence of Forensics

“Forensics has become very important in the last 10-12 years since one great disadvantage of technology’s integration into society is the capacity for people to use the technology for criminal purposes,” says Jill Slay, PhD, CISSP, FACS, PCP, MIEEE, member of the (ISC)² Board of Directors.

The types of crimes that can be committed using technology fall into two distinct categories: crimes committed using a computer (e.g. hacking, fraud) and those committed against computers (e.g. denial of service).

“In today’s economy more people are working remotely, which provides greater opportunities for malicious employees to create harmful attacks,” says Paul Henry, SANS Institute certified instructor in forensics and cyber crime and president of Forensics & Recovery LLC, an independent network breach and computer forensics investigative company based in Florida.

Forensic computing can be described as the investigation into criminal or unethical activities that may have left digital or electronic evidence. Although this definition appears simplistic, adds Slay, it specifies the existence of digital evidence, which is the very core of “computing” in the term forensic computing.

In the current job market, demand for such experts is increasing in the United States, where many companies are facing real-time cyber crime activities. “We have forensic experts that we are looking for,” says Nadia Short, vice president of strategy & business development at General Dynamics Advanced Information Systems, who seeks people that are able to lead investigation and incident response activities. Her team primarily focuses on the ability to understand file systems, logs, histories and patching and, more importantly, to understand chain-of-custody activities, “as we look to provide that kind of data to law enforcement officials as they look to ‘put the bad guys away.’”

Career Options

The typical career path and responsibilities for forensics professionals include:

Entry-Level Forensic Analyst
Analysis of hardware, including applications and operating systems, storage media, file systems, imaging of hard drives, etc. Forensics professionals need to know in depth how computer systems work and operate, says Eric Fiterman, CEO and president of Methodvue, a private intelligence organization specializing in the discovery and deterrence of complex threats to people, commerce and governance.

Forensic Senior Analyst
Analysis of software and applications, and know-how of data capture, including volatile and non-volatile data. Recovery of sensitive data, whether documents, emails, graphics, cookies, etc. The ability to identify the source and origin of a particular disruption or security issue, says Fiterman, and to answer “How bad is the damage, both in financial and technical terms, and who was responsible for this crime?”

Investigation Specialist
Forensic investigation services cover all areas of computer misuse: Internet and email abuse, fraud, pornography, hacking and intellectual property theft. Investigation procedures are needed, and in many cases required, to guarantee that found evidence can withstand examination in court.
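The court-admissibility requirement above, and the chain-of-custody skill Short and Poor ask for, rest on one simple technical discipline: hash the evidence at acquisition, record who handled it and when, and re-verify the hash before every analysis or handover. As an added example (written for this edition, not code from the article, from KPMG or from any tool the article names), the Python below computes acquisition hashes over a constructed image in fixed-size chunks, keeps a chain-of-custody record, and shows verification failing once a single byte of the image changes. The case and evidence identifiers, the examiner names and the record layout are made up for the example and are not any laboratory's standard.

```python
import hashlib
import hmac
import io
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-GB drive image never has to fit in memory


def hash_stream(stream):
    """Return MD5, SHA-256 and byte count of a binary stream read from its current position.
    MD5 is kept only because many older forensic tools still report it;
    SHA-256 is the value relied upon for verification."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        md5.update(chunk)
        sha256.update(chunk)
        size += len(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": size}


def hash_bytes(data):
    """Convenience wrapper for in-memory data (used for small items and for testing)."""
    return hash_stream(io.BytesIO(data))


def add_custody_event(record, action, person, note=""):
    """Append a dated handover/analysis entry. The log is append-only by convention;
    nothing here ever rewrites earlier entries."""
    record["custody_log"].append({
        "at": datetime.now(timezone.utc).isoformat(),
        "who": person,
        "action": action,
        "note": note,
    })


def record_acquisition(stream, case_id, evidence_id, examiner, source_desc):
    """Create the chain-of-custody record at the moment of acquisition,
    binding the hashes to the case, the item and the person who took the image."""
    hashes = hash_stream(stream)
    record = {
        "case_id": case_id,
        "evidence_id": evidence_id,
        "source": source_desc,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "acquired_by": examiner,
        **hashes,
        "custody_log": [],
    }
    add_custody_event(record, "acquired and hashed", examiner)
    return record


def verify_integrity(stream, record):
    """Recompute SHA-256 and size and compare against the acquisition values.
    compare_digest avoids leaking where two digests first differ."""
    current = hash_stream(stream)
    return (hmac.compare_digest(current["sha256"], record["sha256"])
            and current["size"] == record["size"])


def demo():
    """Acquire a constructed image, verify it, flip one byte, verify again.
    Returns (intact_before_tamper, intact_after_tamper, custody_entries)."""
    image = bytes(range(256)) * 4096 + b"\x00" * 123   # constructed ~1 MiB "disk image"
    record = record_acquisition(io.BytesIO(image), "CASE-0001", "HDD-01",
                                "J. Examiner", "constructed image, not a real drive")
    add_custody_event(record, "checked in to evidence locker", "E. Custodian")
    intact = verify_integrity(io.BytesIO(image), record)
    tampered = image[:500] + bytes([image[500] ^ 0x01]) + image[501:]
    still_intact = verify_integrity(io.BytesIO(tampered), record)
    return intact, still_intact, len(record["custody_log"])


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

The same functions hash a real image by passing an open file (`open(path, "rb")`) instead of a `BytesIO`; the trailing 123 bytes in the constructed image are there to exercise the final short chunk, the boundary at which a naive fixed-size reader silently drops data.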

Expert Witness
A lot of times a forensics investigation requires presentation in court and needs the services of an expert witness who testifies that evidence discovered in any particular case will withstand examination, says Eric Robi, CCE, an expert witness and president of Federal Forensics Group, an independent consulting firm specializing in computer forensics and analysis. The expert witness is usually required to provide independent expert testimony in the form of expert opinion and to present the findings in layman’s terms, both in written reports and in court presentation or examination. The expert also provides easy-to-read, well-organized “expert” reports to support the testimony, including reports and statements that verify where and how data have been recovered, processed, etc.

Management Position in Forensics
These days large companies have their own forensics and e-discovery teams that do the required investigation, analysis and recovery of systems and data. Most require a senior forensics manager to lead and support the team as well as report directly to senior management.

Job Requirements

Forensics experts recommend an undergraduate degree in computer science or engineering, specializing in forensic computing or IT security. Next: a master’s degree and specialized training by certification bodies, including the SANS Institute, which offers the GIAC Certified Forensic Analyst (GCFA); EC-Council, for its Certified Ethical Hacker (CEH); and the International Society of Forensic Computer Examiners (ISFCE), which offers the Certified Computer Examiner (CCE). “Hiring an interesting mix of individuals of technology level professionals with strong IT background and law enforcement professionals has been successful for my team,” says Barger.

In addition, vendor product training from forensics software providers, including Guidance Software (EnCase), AccessData and Microsoft, is essential for forensics professionals.

“Skills and abilities would be the logical and mathematical ones of science and engineering and the problem solving skills needed in detection as well as in the sciences,” says Slay. The capacity to do tedious work, very strong analytical skills and a solid background in information technology and network security are required in forensics, adds Henry.

On the Job

Henry indicates that the starting salary for a professional in forensics is around $70,000 annually, assuming the candidate possesses the necessary IT and analytical background and training. The salary range is high for senior analysts and professionals, between $150,000 and $300,000 annually.

Among the challenges on the job:

Long Hours
The work is challenging when data needs to be analyzed and recovered from very large hard drives and applications, using varied tools to confirm the analysis, says Henry.

Keeping Pace with Technology
Things change so fast that maintenance, training and education on tools and software for analysis and investigative support becomes very difficult and at times expensive.

Cloud Computing
With the practice of cloud computing, “We do not have evidence at one place; information is stored in bits and pieces at different times, in different places, which gets very challenging,” says Fiterman.

For more information on career options in forensics:

• The International Association of Computer Investigative Specialists (IACIS)
• The International Society of Forensic Computer Examiners (ISFCE)
• American College of Forensic Examiners (ACFE)
• Cyber Security Institute
• Digital Forensics Certification Board (DFCB)

Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1674


The CAE at 10
Interview with Dickie George of the NSA

Interview

BY TOM FIELD

Ten years ago, the National Security Agency (NSA) started the Centers of Academic Excellence program to encourage stronger information assurance programs at colleges and universities. Initially, there were 7 designated CAE schools. Today, the ranks have swollen to over 100 CAE-designated schools, and information assurance professionals are much better prepared to tackle the cybersecurity challenges we face.

Dickie George, Information Assurance Technical Director within the NSA, discusses:

• The CAE program’s core mission;
• Benefits of the program for participating schools and students; and
• What to expect from CAE in its second decade.

TOM FIELD: Dickie, let’s take a step back here just for a second and describe for us the core mission of the CAE program.

DICKIE GEORGE: Well, the core mission is to look at the students that are being produced today to educate them to become future cybersecurity experts. It’s a tough world out there, and there are a lot of adversaries that have access today that they didn’t have 15 years ago. These students have to be capable of addressing the threats that these adversaries provide. You see every day in the newspaper where credit card numbers are lost, there is fraud, there’s identity theft. We need to have professionals who are ready to address those threats, and this program is designed to make the students aware of those threats and to give them the tools and the capabilities, the skills that they need to address those threats.

FIELD: Now you’ve had 10 years to watch students go through the program and go into their careers. What have you seen as some of the outstanding career paths of these students who have completed these programs?

GEORGE: We’ve seen every path imaginable. We’ve seen students that have worked through our government. Mischel Kwon is one of the graduates, and she was running CERT until just recently. We see several students have gone to become very strong researchers and faculty members throughout the country, and we see a large number of students that have gone to DHS and to NSA and are reaping the efforts that we have in cybersecurity for the nation. In addition to the normal things that you think, like working at very, very large companies that deal with security and cyber across the country.

FIELD: So, you’ve got one decade under your belt with this program now. If you were to project into the future another 10 years, what do you think we can expect to see come from this program in the second decade?

GEORGE: I would like to see it expand, get more schools. We already have two levels in the program. We have the CAE and the CAR, which are research universities. We would like to see, more soon, we would like to see more collaboration. We need to get down to the community colleges, the two-year schools, so we need an expansion in the program. I would like to see an emphasis on getting to students earlier in their careers — even to hit them in high school, not as part of this program, but as a preparation so they understand the value of this program in their future. Some of the things that we do when we talk to high school students is we try to explain to them how interesting the problems are, how important they are, and that there is a future in being a cyber scientist beyond just teaching, which is important in itself, beyond just working for the government. There is an aspect of being a cyber-skilled scientist in every aspect of life today, and you can get this through this program, and you get there much better prepared than you do without this program. Educating all of the citizens of the country to the threat and how to address the threat is one of the key aspects that we need to address as a nation, and this CAE program is the best way we have to get those people out there who understand the threat and can help to make others understand the threat.

Read the complete interview transcript online: http://careers.bankinfosecurity.com/podcasts.php?podcastID=320

The Employment Value of Multiple Certifications
Map Out Your Career — And Then Invest in It

Professional Certifications

BY UPASANA GUPTA

“Jobless recovery.” That’s one term used by observers to describe today’s economy. It means that the economy is slowly improving, but without the corresponding growth in hiring and new job creation.

To stand out in the hiring process, then, IT pros must seek out not just one, but multiple professional certifications to specialize and bolster their resumes, says Brian R. Schultz, a senior board member of (ISC)² who holds these certifications: CISSP-ISSMP, ISSAP, CISM and CISA. “Security certifications are on employers’ minds these days, as companies look for certified personnel to safeguard assets,” says Tracy Lenzner, CEO, Lenzner Group, an executive security search and consulting services firm based in New York. “We are seeing more and more employers make certification a standard and a criterion for hire.”

In this situation, security professionals need to make the right decision in pursuing multiple certifications. Kent Anderson, CISM, a senior member of ISACA’s Security Management Committee, advises prospects to ask “Where do I want to go in my career?” and then weigh the value of certifications. “The power of certification is amazing to help security practitioners be whatever they want to be in the future,” he says.

Ronald W. Pelletier, CISSP, CISA, CISM, CBCP, is a former senior manager of security risk advisory services at Ernst & Young, LLP. He was recently laid off and has acquired a new position as a senior security consultant with a private security consulting company. Being certified in multiple areas of specialization within security definitely gives him an edge in the hiring and interview process. “There is a confidence level in the job search, interview approach and overall job performance which certifications provide,” Pelletier says.

hiring Manager’s view

For Debbie Wheeler, chief information security officer (CISO) at Fifth Third Bank, certifications make a difference when evaluating a multitude of candidates and are used as an initial prioritization of candidates. “Certifications can initially draw a hiring manager’s attention to a specific candidate, but hiring decisions ultimately come down to the hands-on experience and overall qualifications of the individual,” she says.

For security positions, Wheeler usually looks for CISSP, CISA or CISM certifications, followed by other industry- or software-specific certifications such as forensic certifications or tool-based certifications.

“When competing against someone else, one would like to think having multiple certifications will help over someone not having any or not the right combination,” says Richard J. Roberts, RF, ARM, CPCU, ALCM, MBA, a senior board member with the Risk and Insurance Management Society (RIMS). In the end, no matter how many certifications one has, it still comes down to how one applies those certifications and how one uses that acquired information to help their present or new employer.

“Certifications always bring value and speak volumes of an individual’s capability,” says Anderson. A combination of the right certifications tells employers that this person is committed, adaptable and possesses the breadth and depth of knowledge and experience required for the job.

Security professionals, however, need to convey how all of their background will help the employer, so the certifications are just a piece of the puzzle. “The blending of proper expertise with proper education and certification will work the best for all individuals,” adds Roberts. “The key to this is that you need to be able to communicate your value to employers.”

Types of Certification

There are basically two types of certification available: technical and experience-based. Among technical certifications, the most common and most popular are CompTIA Security+, Certified Ethical Hacker (CEH), the Global Information Assurance Certification (GIAC) and vendor certifications offered by Cisco and Microsoft, such as CCIE, CCNA, CCNP, MCSE and MCSA. Experience-based certifications, which are the most sought after, include the Certified Information Systems Security Professional (CISSP), the Certified Information Systems Auditor (CISA) and the Certified Information Security Manager (CISM).


The market is flooded with a host of technical certifications provided by vendor product companies, all of which help individuals gain technical competency and demonstrate thorough understanding of Internet and security technologies. These certifications are good to pursue for individuals who want to stay in the technical field, for example network engineers, network and database technicians, system administrators, system architects, etc.

The technical certification, adds Anderson, “makes the individual competent technology-wise, but does not necessarily help him grow in his career. Experience-based certifications are the ones which add value toward future growth. The goal here is to not just take the test and pass the exam, but enrich your career through continuous learning and improvement.”

To secure multiple certifications, security professionals should first map out a career path for themselves. Specialize based on where you want to be. For example: you are five years into your career as a security practitioner and envision being a chief information security officer (CISO). You then need to look at certifications that will help you get there. Look for experience-based certifications like the CISSP, CISM, CISA, CPP and RIMS Fellow (RF), which are most valuable as an individual moves to senior positions, demonstrating not just depth, but breadth of knowledge.

Boot Camps vs. Self Study

Have a career focus while choosing to specialize in multiple areas. “Do not go for a shotgun approach,” says Schultz. Enrolling in boot camps can help pass the exam, and is recommended for individuals with solid security experience who basically need to just hone their skills. Boot camps, however, are not helpful for fresh graduates or junior security practitioners, as they only aid in passing the test, rely on short-term memory and do not reflect absorption of principles in key security domains. “Purchasing a good study book and spending six months or so learning the material and principles is what goes a long way,” adds Schultz.

Boot camp costs usually vary from $2,000 to $3,500 for most technical and experience-based certifications, and the training duration varies anywhere from three to five days. Self study, on the other hand, is cheaper, but time-consuming, and requires planning and discipline.

Take a Layered Approach

“Security practitioners should take the certification in steps,” maintains Anderson. For example, if you are already CISSP certified and want to specialize in audits and take up CISM certification, then first get into the desired job role and become acclimated with the job function requirements. Learn while you work; then get the exam details and necessary paperwork completed. Submit them to the required authorities and set a timeline on which you can decide to take the test. A good practice is to gain a broad certification like the CISSP while still in school or early in the security profession, and then gradually get a specialized certification based on job function and future goal.

Seek Management’s Support

Tell your organization’s management team about your career goal and where you envision being. Discuss it with them and see how you can balance work and take out time to study. “Most employers today are extremely supportive, as they clearly see the value addition in employee education and certification,” says Schultz.

“Our organization will reimburse an employee for the fees associated with passing their certification exam, but we do not pay for boot camps or other training camps associated with the exams,” says Wheeler. “We have had many individuals successfully take and pass the CISSP and other exams through independent study.”

Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1265


Beyond Certifications: What Are the Qualifications That Really Stand Out on a Resume? Hint: There’s Nothing Like Hands-On Experience

BY UPASANA GUPTA

The CISSP has become almost ubiquitous among information security professionals. The same can be said for many industry- and technology-specific certifications.

And while certifications are not perfect, they are a decent way for security professionals to learn how to perform complex job functions and display basic expertise in required skill sets, as well as enhance their standing as generalists. At the same time, certifications offer a potential employer a standard by which to assess whether a job candidate has the security expertise he or she is going to need for a specific job.

“Certifications in this arena have become a prerequisite for an information security job,” says Tracy Lenzner, CEO, Lenzner Group, an executive security search and consulting services firm based in New York. “We are seeing more and more employers make certification a standard and a criterion for hire.” So, what is it — beyond certifications — that really jumps out from a resume and impresses a prospective employer? We asked several hiring managers for their insights on what they seek in prospective hires.

Nothing Like Experience

Certifications show a certain amount of base skills the candidate will possess in terms of theoretical understanding and knowledge. But there’s nothing like hands-on experience in the job, says Nathan Johns, executive with Crowe Horwath LLC, and former chief of information technology at the FDIC. “If two equal candidates in terms of work experience are vying for a job, then the candidate holding certifications will probably have the upper hand,” Johns says. “However, a certified person with little experience will not fare so well against an uncertified person with a lot of experience.”

Jennifer Bayuk, former CISO at Bear Stearns & Co., looks for security professionals who are able to distinguish themselves via their resume by communicating the type of problems they can solve and by providing a clear picture of how they best fit the job position, giving examples of work accomplished in the field. “There is no substitute for hands-on experience.”

For Debbie Wheeler, chief information security officer (CISO) at Fifth Third Bank, certifications make a difference when evaluating a multitude of candidates and are used as an initial prioritization of candidates. “Certifications can initially draw a hiring manager’s attention to a specific candidate, but hiring decisions ultimately come down to the hands-on experience and overall qualifications of the individual.”

Among the factors weighed beyond certifications:

Academic Background and Technical Ability

Bayuk seeks evidence of technical ability and depth of technology understanding, as demonstrated by an advanced degree in computer science or information assurance; relevant published papers and related project work; and work experience that maps directly to the job function.

Business Understanding of Security

Talking the language of business — and a business understanding of security with good communication skills and ability to stand up and present at executive meetings — is another area that candidates should build upon, adds Nathan. “Investing in a management and business course often helps to gain an edge over other security candidates.”

Internal Branding

“Today, getting a basic security certification is not enough to differentiate and get a job; security professionals need to differentiate themselves through outstanding performance and internal branding,” says Lee Kushner, president, L.J. Kushner and Associates, LLC, an executive search firm dedicated exclusively to the information security industry and its professionals.

And then there are the soft skills. Security professionals need to know how they project themselves to their colleagues and management team. What is the impression of them and their work that others around them carry and talk about?

Kushner further adds that security professionals will need to give importance to moving beyond baseline requirements by:

• Thinking about the industry affiliations and groups they want to be associated with;
• Deciding which leading-edge conferences they want to be attending and participating in;
• Choosing what kind of skill set they want to be focusing on, leading a path to specialization; and
• Choosing what kind of education and training they want to be investing in to enhance their overall qualification.

Tips for Moving Beyond Certifications

Hiring managers offer these tips to security professionals who want to enhance their resumes after they attain their necessary certifications:

Earn a Reputable University Degree

Earn a reputable university degree from one of the National Security Agency (NSA) approved and accredited academic institutions in information assurance. Also, candidates should look for programs that combine technical training with business strategy and management courses.

Think from a Business Perspective

Besides knowing how to operate and excel in security tools and solve problems from an engineering background, candidates need to focus on how these solutions affect the organization from a risk and compliance perspective and also direct efforts in making security a business driver.

Set Up a Home Laboratory and Get Hands-On Experience

Security professionals should invest in a serious lab environment and implement what they find interesting during their studies, especially with readily available freeware versions of the technologies and software used. This gives IT professionals the opportunity to acquire knowledge of the underlying theories and provides them with an outlet to implement security practices in real-world situations.

Internship in IT Security

Candidates who are still in school should consider taking up relevant projects and an internship in information security. This will help to provide an opportunity to get hands-on, real-world security experience and also help in networking within the security market for future job prospects.

Join Groups

Join local security groups and associations such as ISSA, (ISC)², ASIS and InfraGard, including Black Hat, RSA and MISTI.

Subscribe

Subscribe to targeted newsletters and forums, including those of the SANS Institute, ISACA and others.

Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1424


Life After CISO: What Are the Options? Tips on How to Prepare for the Next Big Career Move

BY UPASANA GUPTA

You’ve spent years in information security, toiling your way to the top — to the CISO role. What’s next? What are your career options, and how should you prepare for exploring them?

Jennifer Bayuk is the former CISO at Bear Stearns & Co. She became an independent consultant after the company was acquired by JPMorgan Chase early last year. Bayuk notes that, “The CISO title is something that sticks with you. It is not so much a title as a mindset. I was recently invited to be on a panel of CISOs at a conference, and suggested that it was inappropriate. But a colleague joked, ‘Once a CISO, always a CISO,’ and I knew what he meant.” She wants to remain independent and participate in projects and research that will increase national security as well as equip future security professionals.

Bayuk’s transition didn’t happen overnight, though. It came after careful consideration — and preparation — for “life after CISO.”

Here are some tips for security leaders considering their next career moves.

Know Your Options

It’s always good to have career options, but there are times in your leadership career when you especially should start making plans, says Charlie Miller, former director of vendor governance at Merrill Lynch:

All Talk, No Action

When there are numerous senior management changes and most of the CISO’s time is spent explaining what they do, vs. doing what needs to get done.

Treading Water

When leaders are shifted to maintenance as opposed to building a security program and team within their organization.

To prepare themselves for their next move, existing CISOs need to make sure they stay current with their industry and profession. This means attending and participating in security and industry-relevant seminars and webinars; reading professional reports, books, etc.; subscribing to journals, magazines and newsletters; and joining industry groups and professional associations.

And since security these days is much more about the business than the technology, CISOs also must focus on improving their understanding of business concepts and communications. This is the competency that will impress a future employer or client, and yet it’s often overlooked by busy executives caught up in the daily grind.

Another key piece of advice: Network, network, network. “Do your job effectively as a CISO, build relationships in your current job with trusted peers, supervisors and your extended network,” says Steve Katz, credited as the world’s first chief information security officer. “The more trust you build in your current position, the more opportunities you will get after leaving the CISO position.”

Following are four distinct career paths that security leaders have followed post-CISO:

1. Independent Consulting

Many former CISOs embrace the path of being an independent consultant, either on a temporary or permanent basis. “I like working for myself,” says Miller, who is now on the verge of forming an LLC with an associate, focusing on information security outsourcing, privacy, training and awareness programs. He consults to the Santa Fe Group on enhancing the BITS Shared Assessments Program used by institutions when evaluating a third-party provider’s control environment. “Independent consulting is successful when a strong reputation is built around the individual,” says Katz, a prominent figure in the network security discipline. For over twenty-five years, Katz has been directly involved in establishing, building and directing information security and privacy functions. He is the founder and president of Security Risk Solutions, an information security company providing consulting and advisory services to major, mid-size and startup companies, and an executive advisor to Deloitte.

Executives should rely heavily on building reputation and networking before jumping ship, as people will want to know “who you really are,” maintains Katz.

2. Advisory and Partnership Role

A trend also seen among former security leaders is to take up an advisory and partnership role with one of the major consulting companies, security vendors or educational organizations, helping them manage their clients’ health in areas of security and privacy risks. Katz, for instance, is currently an advisor to Deloitte in the area of risk management and security practices. “I have seen several of my colleagues — former CISOs within the government — take up positions with companies like McAfee and Symantec, as an advisor on their business, sales and marketing end,” says Daniel J. Lohrmann, the Michigan chief technology officer (CTO) and Deputy Director of the Infrastructure Services Administration within the Michigan Department of Information Technology (MDIT). Prior to becoming Michigan’s CTO, he was Michigan’s first chief information security officer (CISO) from May 2002 until January 2009.

“Ultimately your choices depend on what opportunities are available at the time you make the change,” says Warren Axelrod, research director for Financial Services for the United States Cyber Consequences Unit. “Right now, in this time of retrenchment, the job market outlook for CISOs is pretty glum. However, there is a substantial demand for subject-matter expertise and advice that comes from many years of on-the-job information security and privacy experience.”

Axelrod is executive advisor to the Financial Services Technology Consortium. Most recently, he was the chief privacy officer and chief business information security officer for US Trust, the private wealth management division of Bank of America.


3. Teaching and Mentoring

“Security is the most valuable thing we have,” says Bayuk, who is also a professor at Stevens Institute of Technology, where she teaches enterprise security architecture. Both Miller and Axelrod have done webinars for various security clients on topics ranging from vendor governance, business continuity and cybersecurity to outsourcing in security. Lohrmann believes strongly in mentoring and providing leadership insights by taking up opportunities in speaking engagements, authoring blogs and books and by being a member of professional organizations such as InfraGard to make security more effective. He is also a distinguished lecturer for the Masters Program in Information Assurance at Norwich University.

4. Continue in the Corporate World

If you’ve been a successful CISO in one specific business or industry, why not consider a similar role in another type of organization entirely? As Lohrmann points out, “The similarities (in roles) are greater than the differences.” The key difference: the specific culture and the way business cases are built to emphasize enterprise security in each organization.

Many former security leaders move on to equivalent positions or greater roles in banking, consulting and government organizations where their knowledge, experience and skills are easily transferable. For instance, take the case of Rhonda MacLean, a former CISO of Bank of America, who returned to the corporate world and took up a Global CISO position with Barclays Global Retail and Commercial Banking sometime last year. She, however, recently left Barclays.

Again, Lohrmann, in his existing CISO position, was asked to become an acting CTO for the state of Michigan even without a formal interview process.

Essential Skills for a Successful Transition

Below are four basic elements provided by Katz to all existing CISOs who are looking to make a transition.

Excellent Track Record

You must have an excellent track record to be respected and admired as a leader. While still in office, invest time and effort in building a strong reputation.

Professional Proficiency

Develop professional skills, including business, management, security and compliance — all elements that the role demands for outstanding work performance.

Relationship Building Skills

Invest in building meaningful relationships in your current job with trusted peers, supervisors and an extended network within the industry and outside.

Self Marketing Skills

You need to have excellent marketing skills to be able to internally sell security within the organization. Be able to build and present business cases effectively to management.

Read the complete article online: http://careers.bankinfosecurity.com/articles.php?art_id=1594


Invest in Your Career: Interview with Pat Myers, Chair of (ISC)2

BY TOM FIELD

Despite the recession and record job losses, information security remains a top concern for public and private sector organizations. But what can security professionals do to protect their careers and be considered for these jobs?

In an exclusive interview, Pat Myers, chair of (ISC)2, discusses:

• Top security and risk management issues facing organizations;
• How security professionals can protect and invest in their careers; and
• Advice for people looking to either start or move into an information security career.

TOM FIELD: What should security professionals be doing now to really invest in and protect their careers?

PAT MYERS: Well, you know, if you’re protecting your company’s data, then the second part really comes automatically, because you are investing in your career. My advice is to spread the responsibility around, and that is, as I mentioned, including something like a risk council. Be sure that you essentially document all of the, either the recommendations on your company’s vulnerabilities, you know, and it certainly doesn’t hurt to keep your resume up to date, either.

FIELD: Sure. What do you find differentiates a candidate in times like these, when there are so many applicants for a single job, even? What really stands out on a resume?

MYERS: You will see that job requirements today are preferred or required certifications. And they usually list what they are. So, they are looking for people who have a track record, and have experience, and they also have a certification. There are so many new certifications that have come about in the last few years, and concentrations in management, architecture, engineering. So, they are looking to pigeonhole, you know, specific skill sets that individuals have in the security area.

FIELD: You know, at (ISC)2, you’ve offered some new certification programs of late, haven’t you?

MYERS: That’s correct. We have just recently launched a certification for the Software Security Lifecycle Professional, the CSSLP, and we are in the process of now reviewing individuals who already have experience in this area that wish to get this certification, and we are very excited about it, because there is a terrific response already to this certification, around the globe. It is something that has been needed. As we started out our conversation, I talked to you about software vulnerabilities, and this particular certification goes direct to that problem.

FIELD: Right. Now, one last question for you, Pat. If you were going to offer advice to professionals, either looking to start a career in information security, or maybe they’re mature in a career and want to switch into information security, what would you advise them?

MYERS: Well, they are two different questions. First of all, if you’re not in the profession, and you want to start looking at going into the profession, I would suggest that you, first of all, start training yourself. You can do this, there are so many free courses out there, the web is full of information, that you review something like the common body of knowledge, which the profession uses to talk to each other about security, 10 different domains, and that sort of thing. So, get yourself familiar with the lingo, the language, the concepts of security. There are many IT jobs that have, as a side, security function. A part of their job is, maybe not mainly security, but includes some security. So I would start out in that area. You know that in order to get one of our (ISC)2 certifications that you do have to have experience in the field. So, the more experience you can start out with, then the easier you are going to get your credentials a little bit later. Now, if you’re already in the security field, then I suggest you consider advancing your career by looking at one of the other certifications, the concentrations that we have talked about already. And if you are in the career, and you find yourself out of a job, maybe if you have the luxury, you should step back and reboot yourself, by evaluating your career goals and objectives, and determining what is the next credential that you might need to look at for getting the few jobs that you already mentioned that are out there for the highly skilled.

Read the complete interview transcript online: http://careers.bankinfosecurity.com/podcasts.php?podcastID=203


NSA-Approved CAE Schools: 106 Universities Stand Out for Information Assurance Programs

BY UPASANA GUPTA

The National Security Agency (NSA), through the National INFOSEC Education and Training Program (NIETP), identifies 106 universities that conform to its standard for acceptable programs in information security today. Criteria for that determination are derived from recommendations of the National Security Telecommunications and Information System Security Committee (NSTISSC).

Read the complete list online at http://www.bankinfosecurity.com/articles.php?art_id=1970


4 Independence Way | Princeton, NJ 08540

ISMGCorp.com