Opinion: Staffing for security - Mission-critical positions
by Marcia J. Wilson, CCSP Staff Writer
March 16, 2004
"Reprinted from March 25, 2K3"
Staffing for security positions is a dilemma. Organizations are searching for the right mix of technologists and managers to meet the demands of securing networked computing environments.
Many of us who work in the profession are realizing that security clearances are becoming more of a requirement for the job. What are the mission-critical positions? Do you hire an MBA to run the program? Do you need a Ph.D. in computer science at the helm of security initiatives? Can you find someone who has the management and in-depth technology skills to move initiatives forward? What do you do? Who do you hire? Budgets are tight, yet security hires are a must. Here are some of the jobs that companies have posted on Internet job boards in recent months:
- Information security officer
- Senior director of risk management
- Technology risk management/chief information officer
- Vice president, information security operations
- Director, data security
- Security manager
- Network engineer security specialist
- Network security consultant
- Senior network architect
- Senior information systems auditor
- Senior security analyst
- IT security consultant
- Senior information security engineer
- Data security engineer
If you look at the job descriptions for each position, you quickly realize that there are not many well-defined positions. It appears that some companies are staffing from the top down and some companies are staffing from the bottom up, depending upon how far along the security path they are or how urgent the need is.
To staff for mission-critical positions defined to support a secure computing environment, it is critical to first design an organization or department that is wholly focused on security. You've got the chiefs: CIO (chief information officer), CTO (chief technology officer), CEO (chief executive officer), CFO (chief financial officer), COO (chief operating officer) and the newly defined CSO (chief security officer). And you've got the Indians, whose talents may include specific firewall configuration expertise, security awareness training, policy development, vulnerability management, intrusion-detection systems management, business continuity planning, disaster recovery, you name it.
In some companies, the CEO is the top dog with the other CXOs reporting in. Let's take that as a baseline and move down the chain. Information systems and technology has bounced around for years and has fallen under the responsibility of every chiefdom in existence. In some organizations, the CFO controls the money and if not in form, certainly in substance, owns the IT function. In other companies, the CIO reports directly to the CEO and owns all things related to "information."
Depending on the type of company you have, say manufacturing, the COO may own security, including data and physical security, but not the IT function.
There are many ways to organize and structure the responsibility. The key idea here is that security needs to be elevated to the same level of importance as accounting or production. There is also the idea of checks and balances. Security, as both a responsibility and a function, needs to be a separate entity from IT and report to the highest possible organizational office.
IT, among others, has a little saying: "What they don't know won't hurt 'em." However, global internetworking has changed everything. What they don't know will hurt them. The IT department needs to be audited just like the finance department does.
I am a proponent of aligning business goals with security initiatives, so that would imply that I am also a proponent of designing a security organization from the top down, not from the bottom up.
I've noticed a trend among organizations that are beginning to hire security people. They hire a network architect or a firewall administrator and call it a day. The powers-that-be have no idea what needs to happen in what order to safeguard the organization's information assets. The mission-critical positions can be identified when an organization identifies a person, an office, a department or a division whose sole responsibility is to safeguard the organization's information assets. Once security owners are identified, an assessment can be made as to what additional staff is necessary based on current skill sets of employees and budgeting constraints. At minimum, an organization should conduct a business risk analysis and hire an outside firm to conduct an information security audit as two primary steps toward understanding the current security posture. Once you understand what you've got, you can move forward.
Recent legislation has brought security into the forefront of corporate consciousness. Recent world events and cyberterror threats are keeping security on the front burner. We can no longer plead ignorance. Organizations must understand what they've got and understand what they need to do and then hire the right people for the job.
*Note: Some links to stories may no longer function or now require you to register to view.
by Marcia J. Wilson ComputerCops Staff Writer
Marcia J. Wilson holds the CISSP designation and is the founder and CEO of Wilson Secure LLC, a company focused on providing independent network security auditing and risk analysis. She can be reached at .
Posted on Tuesday, 16 March 2004 @ 10:00:00 EST by cj