Security Advisor
How To Be a Security Babe
If you want to do IT security because it’s “hot” right now, or because you think that’s where the money is, forget it. If you truly love the field, read on.
- By Roberta Bragg
- 08/01/2002
First, let me assure you that I’m using the word “babe” in a purely gender-neutral
manner and don’t mean to imply that men can’t be security gurus. We often
use the term “babe” to refer to members of both sexes. There’s Babe Ruth,
Babe the dinosaur, Babe the pig (http://www.babeinthecity.com/),
hunter and fisher Babe Winkelman (www.winkelman.com/),
and Sonny and Cher’s immortal “I Got You Babe.” I’m also not implying
that you have to be a hottie to succeed in security. With the exception
of Scottie (my personal trainer) and a guy from some country I can’t pronounce
who wants to be my intern, no one would ever associate me with that particular
term.
So what do I mean? Perhaps you’re one of the many who have written for
my help in “getting into security” or pursuing a security career. Perhaps
you wonder if security is an area for you. Maybe you want the big bucks.
Maybe you’re out of a job, find your engagement calendar empty, or otherwise
think it’s time to change your game plan.
You Missed the Wave, Dude
Security isn’t the answer to your shrinking paycheck. It won’t
bring you fame and fortune; it won’t even get you an interview. If you
don’t already have deep security knowledge, you don’t have time to gain
it in order to ride the current wave. The days of success are long past
for those armed with minimal knowledge and a pre-programmed security vulnerability
scanner. The word “Security” in your title or your company’s name will
get you no instant appreciation now. The market for security goods and
services is more sophisticated than it was. To make your way, to survive,
you have to be able to do more than know a few buzzwords.
This market isn’t a Mecca for those who want to relax, either. Security
is 10 percent pure panic and 90 percent drudgery. It’s long hours with
no reward. You’ll generally only get recognition when you fail. For me,
it’s like I’m always hanging from a cliff by my fingernails and struggling
to keep up with the dual demands of rapidly changing information and rarely
changing attitudes. Sure, it’s fun to ramble about the foibles of most
infrastructure gurus and rant and rage my way through a speech on security
practices. But I can’t even talk about my greatest jobs, those where my
input or my design prevented the success of a very determined attacker.
The Four-Step Program
Are you still reading, even after my attempts at dissuasion? You
haven’t given up in despair? I don’t understand it, but OK. Since I haven’t
managed to discourage you yet, let’s talk. You say you want to be a security
babe, and you realize it’s not an easy thing. Here, in my humble opinion,
is how to fulfill that goal. Your program should include these four steps.
Hackers Need Not Apply
If you think that hacking into Web sites,
writing and releasing malicious code or breaching security
at Fortune 500 companies, government offices, utilities
or other well-known entities is a precursor to or a guarantee
of a security career, you’re dead wrong. Doing these things
is just plain stupid. You can disrupt business, shut down
basic utilities and kill people. There’s a new hardened
attitude out there, and you may just find yourself doing
time instead of working for the company of your choice.
—Roberta Bragg
Step One: Narrow Your Options
Your first step should be to determine exactly what you mean by
“security.” Do you want to specialize in some technical aspect of security,
say establishing and configuring perimeter defenses such as firewalls?
Do you absolutely love decoding packets to figure out what’s happening
on the wire? Are you obsessive-compulsive about the code you write? Does
implementing technology excite you, or does the fact that your mistakes
might provide a venue for an attacker to steal credit card numbers off
your servers grab your guts? Would you rather manage or do? Does creating
policy—written words which set the goals to which IT will have to aspire—float
your boat? As you can see, there’s a wide range of careers in security.
I know security officers who have never touched a server, and system admins
who never should have.
To help you find your niche, consider attending a security conference.
You’ll meet people who already work in the field, gain some security knowledge,
and maybe make a few useful contacts. Check out the sites listed below
and the conferences and seminars they offer. They represent many different
sides of the security game. Just don’t assume you’ll see all security
careers represented at any one event, or that you’ll be accepted with
open arms when you say the words “Microsoft” and “security.”
Step Two: Get Naked
Second, take a long look at yourself. Carefully review your background,
successes and failures, dreams and reality. As they say in the weight-loss
biz, stand in front of the mirror naked and take a good, long look. A
clear understanding of your abilities, aptitudes and experience is the
starting point. Having a clear goal will help you identify the path to
take. Does something in your background fit your idea of this long-term
goal? If your experience lies in networking or systems administration,
you have a good foundation to build upon. Writing solid code and understanding
good coding practices is paramount to many security careers. If you don’t
have either of these skill sets, why are you reading this article? Seriously,
while many security jobs don’t require you to code or to configure systems,
they do require you to have knowledge in these areas. Get some. If you’re
struggling in IT because of a lack of ability to do a job for which you
were trained, what makes you believe that you can enter the security arena
without any experience or education at all?
Now the good news—maybe: If you stop and think about it, much of what
you do in IT is security-related. Most systems administrators spend a
fair amount of time granting or preventing resource access. Security is,
in large part, about exercising controls in order to protect resources.
If, however, you get your chuckles from making complex systems work, or
writing elegant code, or getting the best performance or throughput, or
the most “bang for the buck,” then security may not be a wise choice for
you.
On the other hand, if you feel that someone’s always looking over your
shoulder; if you have multiple online personalities; change out your hard
drive when you go online; subscribe to multiple security newsletters (and
actually read and follow their advice); have been to Defcon or a CSI conference;
downloaded all the NSA guidelines; know who Stephen Northcutt, Bruce Schneier,
Mudge and cDc are; purchased the SANS checklists; and have www.microsoft.com/security
as your default home page, you probably have the necessary makeup for
the security field.
Where Do Certifications Fit In?
Can a security certification serve as a validation
of expertise? That depends. No certification is your
ticket to a job, but two security certifications have
been around for some time and are well respected in
some portions of the community.
CISSP—The International Information Systems
Security Certification Consortium (isc2.org)
produces the Certified Information Systems Security
Professional (CISSP) certification. Long heralded as
the security certification, this vendor-neutral,
broad-based certification gets you big-time recognition
with many long-term security pros. Be prepared to take
a four-and-a-half hour, 250-question proctored exam
and spend time studying any of the 10 tested knowledge
areas in which you’re weak. Visit www.certcities.com/editorial/exams/story.asp?EditorialsID=25
for a review of the certification.
Note that a new change means they’ll be requiring proof
of experience in the field. This is a smart move that
may just keep the CISSP as the premium security certification.
(ISC)2 now also offers another exam with a more technical
orientation, the Systems Security Certified Practitioner.
The cert hasn’t been out long enough to gauge how valuable
it may become.
CISA—The Information Systems Audit and Control
Association controls the Certified Information Systems
Auditor (CISA) certification. Unless you’re an auditor,
or work for one, this cert may not make much sense.
It’s a cert the IT auditors take, not one that folks
take to become IT auditors.
—Roberta Bragg
Step Three: Get Trained
Now that you know where you are and what you want to do, determine
what you need to do to get there. Each security opportunity may require
a different skill set, a different level of education. Where not long
ago there were no “security degrees” and only a smattering of certifications,
both formal education and a plethora of certification programs now exist.
The opportunities for education have multiplied like hack attacks on a
new IIS server.
Are formal education programs the way to go? Remember: Security as a
career has gone through its first two phases. In the first one, a need
evolved as the natural result of the mainframe culture. Many people got
trained on the job, some were trained by the military, and others were
gifted with deep talent and mathematical education. Few had formal training
in computer security, per se. In the second phase, a large demand meant
even inexperienced people could earn money peddling security advice, and
many self-proclaimed hackers—the guys with the experience—were able to
cut their hair and morph into security consultants.
Now we’re in stage three. There’s still a large demand, but buyers are
more knowledgeable. To get hired, you need some proof of expertise. If
you don’t have experience, do you have certification or education? Employers
today are certification-shy, and bad experiences with paper MCSEs have
contributed to this. Several very good education alternatives exist, and
you should start at www.nsa.gov/isso/programs/nietp/newspg1.htm.
Among the offerings on the National INFOSEC Education & Training Program
Web site are the 36 universities designated “Centers of Excellence in
Information Assurance Education” by the National Security Agency. Take
a look at these programs; you’ll find that not one of them is a short-term
answer to your goals. Most are traditional four-year undergraduate programs,
or master’s and doctorate programs. Some of the more well-known of these
schools include:
Be sure to check out the new Federal Cyber Service: Scholarship for Service
programs if you’re studying information security in college. U.S. citizens
can get two years of their information security education paid for in
return for two years of government information security work. Pay attention
to the qualifications: Not every program—nor every candidate—qualifies.
You must be enrolled in an info sec curriculum in one of several qualifying
colleges before you can apply. Several of the programs referenced above
participate in the program. Your best source of information is their Web
sites.
And don’t forget that good old practice of studying on your own or with
your buds. I don’t have to tell you that many of your peers in IT run
extensive home test networks. If you’re thinking of hitting the consultant
career path, this is essential. It’s my belief that you can earn the equivalent
of a master’s degree if you’re willing to invest in a subscription to
MSDN and TechNet, cobble together a few boxes in your basement and spend
hours and hours with them. Note that it’s my belief: I know of no college
that will give you credit for your wee-hour explorations of PKI, IPSec,
Kerberos, group policy or other security-related items.
Many vendors have certifications, too. If you work extensively with their
products or wish to, these certs, listed in Table 1, may help. Experience
is more important, but studying for certification isn’t a bad way to develop
well-rounded product knowledge.
Table 1. Certifications Offered by Security Vendors
Step Four: Market Research
Research the job market. IT security employment is currently suffering
a softening of the market. Visit IT recruiter L.J. Kushner (www.ljkushner.com/)
to get the skinny on where they think it’s headed; if you’re qualified,
post a resume.
Visit popular headhunter sites and do a search on information security.
At Career Builder (www.headhunter.net)
I found more than 3,000 jobs from the keywords “information security.”
Granted, a lot of jobs didn’t fit my definition of info sec, but many
did. Poring over the possibilities might just reveal some ideas you hadn’t
considered. How about being a senior fraud examiner, security manager,
risk management-security and regulatory manager, security engineer, IT
auditor, security engineering specialist, IT risk management specialist,
policy maintenance senior specialist, acquisition security specialist,
network security integrator, chief information privacy officer, security
analyst, security system installer, director of IT security, or HIPAA
information security officer? Job listing sites are an excellent way to
learn about the various security job categories and required experience
level. You may be startled to learn that many pay less than a good network
administrator job.
Graze through popular security product sites. Many of them have employment
sections. Working for a security consulting firm or product company can
boost your career. A word to the wise: Research the financial stability
of these companies before you join. Many security startups got their funding
during the high-tech expansion wars, when the word “Internet” was synonymous
with “Cha-ching!” and adding the word “security” was a double guarantee.
Many of these companies are just treading water now; make your own inquiries
before diving in.
Think outside the box. Did you notice the acronym “HIPAA” in the job
list above? It stands for Health Insurance Portability and Accountability Act
of 1996. Some of the regulations of this act mean radical changes in the
way hospitals, doctor offices, insurance companies and anyone who handles
patient information must do their job. While many institutions have a
strategy in place, others are still trying to understand what they need
to do. In either case, there will be a continued demand for IT security
people in the health care industry.
If You’re Still Interested…
By now you should have an idea that being a security babe is not donning
a 10-year-old’s T-shirt or doing the rock star strut across a stage. There’s
no surgical security implant or Viagra for the brain. You’ve found there’s
a crying need for those who know IT security, but no money to pay them;
hordes of security babe wannabes; and an immature industry where even
the definition of “security professional” is undecided. If somehow you’ve
made it to this point, you probably still want to pursue the dream, so
go for it. I’ve got you, babe, or am I mumbling through my fingers?