Over the past few years, Information Security has emerged as a separate and distinct profession from traditional systems and physical security career fields.
Business, government, and consumers all want the ability to conduct business at Internet speed with the assurance of real-world security. The ease of use, global connectivity and speed with which information can be accessed and transactions processed are all components of the Internet value proposition. With these advances in connectivity and convenience, also come new threats to ensuring privacy and security in the global virtual environment.
Business, government and consumers must calculate the ROI based on the value of being able to perform all of the communication, information access and financial transaction functions the Internet makes possible, versus being restricted from using the Internet to conduct these familiar online activities. This equation makes a very strong ROI case for investing in information security, because what it's really all about is being able to do things – communicate, access information and conduct transactions – that couldn't otherwise be done because of the security implications.
Relationships in a networked world are conducted in a virtual community in which a high level of trust is mandatory. Ensuring the integrity of the IT infrastructure to create the necessary trusted environment involves more than technology and tools. More than firewalls, passwords and intrusion detection software, organizations are finding that qualified personnel are the key to establishing and maintaining the stability and security of complex networked information systems.
Just as creating quality intrusion detection systems can take years of development, so does nurturing the information security professional. A bachelor's degree in information security or a related discipline is the ideal starting point for new professionals who wish to pursue a career in information security. Beginning in the universities and colleges, the information security professional begins to have instilled the rigors and ethics required for a successful career. The academic environment builds the foundation of knowledge required to enter the workplace and begin to accumulate the years of experience necessary to receive professional certified status.
The evolving strategic and tactical needs of employers and the information community changes the nature of the profession as well as the individual careers of information professionals – growth in the industry drives growth in the profession.
As security awareness increases and new regulations and legislation are passed, additional areas of specialization are created in response to these changes. In recent years the federal government's efforts to ensure the privacy and security of personal financial and medical information have resulted in the passage of the Gramm-Leach-Bliley Act (GLB) and the Health Insurance Portability and Accountability Act (HIPAA).
The GLB requires full compliance with provisions that guard the integrity, confidentiality and availability of non-public customer data, and applies to financial institutions, banks, credit unions, securities brokers and other companies "significantly involved" in financial activity.
HIPAA includes provisions that encourage electronic transactions and also require new safeguards to protect the security and confidentiality of individual health information. Currently, the House of Representatives Government Reform Technology Committee is beginning to lay the groundwork for legislation that will require publicly traded companies to report cyber attacks.
During the course of their careers, the information security professional must be responsive to these changes in legislation, business practices, and generally accepted security standards, and may find it appropriate to concentrate on a specific area of the career field, such as security architecture, management, engineering or privacy specializations, to name a few.
In the past, technology alone was widely considered the "magic bullet" for securing the information infrastructure. However, the best available firewall is useless when a hacker dupes an unsuspecting employee to obtain a system password – one of the most common causes of infrastructure intrusion – or, the firewall administrator has the device misconfigured. Now, most organizations realize that qualified personnel, armed with the best credentials, are necessary to protect information assets. It is clear that personnel are the only resource that can create and implement a security policy for an organization. Technology alone is no longer sufficient for striking a balance between business risks and costs.
The growth of the Internet continues to drive the demand for information security professionals, and as businesses and government have transitioned from brick-and-mortar operations to click-and-mortar enterprises, we place ever-increasing reliance on the integrity and availability of information. These enterprise applications are deployed across an ever-changing electronic landscape, and our reliance on a shared infrastructure carries a number of inherent security risks.
Throughout their careers, information security professionals face a wide range of changing demands in acceptable levels of safe standards, creating a significant demand for "lifecycle" support for the information security professional and their employer. This "cradle-to-grave" concept of support for the information security professional will expand over time as the profession matures and membership grows.
Dow A. Williamson, CISSP, is the Director of Corporate Communications for the International Information Systems Security Certification Consortium (ISC)2, the non-profit international leader dedicated to training, qualifying and certifying information security professionals worldwide.