By Liz Warren
4 June 2007
Information security chiefs can work at the highest level of business
and reap the financial benefits, but their livelihood is on the line if
a breach occurs.
As information security has risen up the corporate agenda, the role of
chief security officer has emerged to oversee it.
The CSO typically sits on the board and works alongside the chief
executive and other senior managers to ensure that the organisation has
the right security policies, procedures and technologies in place.
Adrian Asher, head of security at online gaming exchange Betfair, is one
of this new breed of CSOs. "My role is to provide assurance to the
business that our operations are secure," he says.
"For Betfair, that can mean anything from protecting against denial of
service attacks to preventing users from repudiating bets they have
Asher manages a team of 10 security specialists who advise him on
particular areas of policy and research and implement technical systems.
With CSOs looking to build these kinds of teams to support their
security strategies, there is growing demand for security specialists at
a lower level.
Security roles typically pay a premium of about 10% above rates for
similar roles in other IT disciplines, says Sam Baxendale, sales manager
at recruitment firm Computer People. But that premium comes with a
downside, especially for the CSO.
"If there is a security breach, the buck stops with you and it is
difficult to shift the blame," Baxendale says. "The result of any
investigation is often a sacking."
Security is certainly not for the faint-hearted. Lysa Myers, a virus
research engineer at security research firm McAfee Avert, says, "It is a
fast-paced environment, and at times it can be overwhelming."
Myers analyses samples sent in by users of McAfee systems to determine
the threats they contain, explains them to customers, and adds them to
McAfee's detection and removal systems. She also provides training for
internal staff and customers.
"You have to be able to switch gears quickly, from whatever you are
working on to something else that is a higher priority. But there is
something different every day, and always something new to learn," says
Because the emphasis on security as a specialism is relatively recent,
there are no clearly established career paths, especially to the CSO
role. However, accreditation is becoming increasingly important.
At CSO level, employers look for candidates with CISSP (certified
information systems security professional) certification, says John
Whiting, managing director of the UK IT business at recruitment firm
Harvey Nash. At a more junior level, supplier-specific qualifications
such as Cisco, Nokia, Juniper and Checkpoint are in demand, he says.
However, most people seem to have fallen into security roles by
accident, having been involved in a project where security was a prime
concern, and experience across the full spectrum of IT is the best
grounding, according to those working in security roles.
Asher says, "To be good in security, you have to be able to think from
top to bottom and have done a little of each of the disciplines -
network, database, applications and server admin - at a high level.
Because you have to convince people who do these tasks every day to do
them in a slightly different way, they have to respect you and you have
to respect them, so you need some depth across all those areas."
Asher worked in network and server admin before becoming involved in a
security-focused project to revamp Heathrow Airport's internet-based
Similarly, Dave Martin, a management consultant who jointly heads up the
security consulting group at LogicaCMG, came from a background of
programming, systems administration and operations management in the
Royal Navy and defence contractor Plessey.
Working with security as a component of the systems he was developing
gave Martin experience that he was able to transfer to a commercial
He now conducts risk analyses of firms' systems, devises policies to
mitigate those risks, and delivers security awareness training to
end-users. Martin also carries out these functions internally to ensure
that LogicaCMG's own operations remain secure.
On the supplier side, it is typical for security staff to join with
generalist IT skills and to receive company-specific training on the
Myers started off at McAfee in a secretarial role and began asking
questions about the reports she was helping to compile. Over time, she
took on analysis of more complex threats, and she is now McAfee's expert
in malware related to IRC bots.
However, the kind of technical skills Asher, Martin and Myers have
developed is just one aspect of the security role. Interpersonal skills
and business skills are equally key, especially at CSO level.
"You have to be an ambassador to senior managers and the board," says
Asher. "Internal communications are a large part of the board."
Martin agrees. "Many technical people hit a glass ceiling in security,
because you have to be able to talk business to senior business people,"
he says. "You often get people who are excellent technicians but cannot
translate that into business issues."
But if you can master a security role, it can open doors. Whiting says,
"There are big links between IT security, risk management, compliance
and business continuity, so people coming from any of those areas are
seeing avenues opening up across all of them. And it can provide a route
to move into the operational side of the business from a pure technology