Risk and reward as a data defender

Risk and reward as a data defender
Risk and reward as a data defender 

By Liz Warren
4 June 2007

Information security chiefs can work at the highest level of business 
and reap the financial benefits, but their livelihood is on the line if 
a breach occurs.

As information security has risen up the corporate agenda, the role of 
chief security officer has emerged to oversee it.

The CSO typically sits on the board and works alongside the chief 
executive and other senior managers to ensure that the organisation has 
the right security policies, procedures and technologies in place.

Adrian Asher, head of security at online gaming exchange Betfair, is one 
of this new breed of CSOs. "My role is to provide assurance to the 
business that our operations are secure," he says.

"For Betfair, that can mean anything from protecting against denial of 
service attacks to preventing users from repudiating bets they have 

Asher manages a team of 10 security specialists who advise him on 
particular areas of policy and research and implement technical systems. 
With CSOs looking to build these kinds of teams to support their 
security strategies, there is growing demand for security specialists at 
a lower level.

Premium rates

Security roles typically pay a premium of about 10% above rates for 
similar roles in other IT disciplines, said Sam Baxendale, sales manager 
at recruitment firm Computer People. But that premium comes with a 
downside, especially for the CSO.

"If there is a security breach, the buck stops with you and it is 
difficult to shift the blame," Baxendale says. "The result of any 
investigation is often a sacking."

Security is certainly not for the faint-hearted. Lysa Myers, a virus 
research engineer at security research firm McAfee Avert, says, "It is a 
fast-paced environment, and at times it can be overwhelming."

Myers analyses samples sent in by users of McAfee systems to determine 
the threats they contain, explain them customers, and add them to 
McAfee's detection and removal systems. She also provides training for 
internal staff and customers.

"You have to be able to switch gears quickly, from whatever you are 
working on to something else that is a higher priority. But there is 
something different every day, and always something new to learn," says 

Because the emphasis on security as a specialism is relatively recent, 
there are no clearly established career paths, especially to the CSO 
role. However, accreditation is becoming increasingly important.

At CSO level, employers look for candidates with CISSP (certified 
information systems security professional) certification, said John 
Whiting, managing director of the UK IT business at recruitment firm 
Harvey Nash. At a more junior level, supplier-specific qualifications 
such as Cisco, Nokia, Juniper and Checkpoint are in demand, he says.

Broad experience

However, most people seem to have fallen into security roles by 
accident, having been involved in a project where security was a prime 
concern, and experience across the full spectrum of IT is the best 
grounding, according to those working in security roles.

Asher says, "To be good in security, you have to be able to think from 
top to bottom and have done a little of each of the disciplines - 
network, database, applications and server admin - at a high level. 
Because you have to convince people who do these tasks every day to do 
them in a slightly different way, they have to respect you and you have 
to respect them, so you need some depth across all those areas."

Asher worked in network and server admin before becoming involved in a 
security-focused project to revamp Heathrow Airport's internet-based 

Similarly, Dave Martin, a managment consultant who jointly heads up the 
security consulting group at LogicaCMG, came from a background of 
programming, systems administration and operations management in the 
Royal Navy and defence contractor Plessey.

Working with security as a component of the systems he was developing 
gave Martin experience that he was able to transfer to a commercial 

He now conducts risk analyses of firms' systems, devises policies to 
mitigate those risks, and delivers security awareness training to 
end-users. Martin also carries out these functions internally to ensure 
that LogicaCMG's own operations remain secure.

On the supplier side, it is typical for security staff to join with 
generalist IT skills and to receive company-specific training on the 

Myers started off at McAfee in a secretarial role and began asking 
questions about the reports she was helping to compile. Over time, she 
took on analysis of more complex threats, and she is now McAfee's expert 
in malware related to IRC bots.

Interpersonal skills

However, the kind of technical skills Asher, Martin and Myers have 
developed are just one aspect of the security role. Interpersonal skills 
and business skills are equally key, especially at CSO level.

"You have to be an ambassador to senior managers and the board," says 
Asher. "Internal communications are a large part of the board."

Martin agrees. "Many technical people hit a glass ceiling in security, 
because you have to be able to talk business to senior business people," 
he says. "You often get people who are excellent technicians but cannot 
translate that into business issues."

But if you can master a security role, it can open doors. Whiting says, 
"There are big links between IT security, risk management, compliance 
and business continuity, so people coming from any of those areas are 
seeing avenues opening up across all of them. And it can provide a route 
to move into the operational side of the business from a pure technology 

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. 

Site design & layout copyright © 1986-2014 CodeGods