
Jack of All Security Trades

To manage security, you also need to know people, math, and how to take out the garbage

2:00PM -- So you want to be an IT security professional. You've learned the ins and outs of firewalls, antivirus tools, and Trojans -- everything about the technology. You think you're ready, right?

Well, think again, bub. Because today's security expert needs to know a whole lot more than just technology. Take a look at the last week of security news and you'll see what I mean.

First, you need to know your math. A couple of government agencies found that out the hard way this week when they lost count of PCs and laptops containing classified and personal data. The Department of Energy's Counterintelligence Directorate, which maintains top-secret data on nuclear development and foreign espionage, is missing 20 computers, 14 of which may have contained classified data. (See Dude, Where's Your PC?) The Internal Revenue Service, meanwhile, has lost almost 500 laptops over the past three years, and it's estimated that half of them contained taxpayers' personal information. (See Audit Uncovers IRS Security Flaws.)

If one missing laptop can cause identity theft, employee dismissals, and millions of dollars in security overhauls at the Department of Veterans Affairs, then organizations should be looking at PC inventory control in a whole new way. It's no longer enough to know where most of your systems are.

Besides math, security professionals could use a good course in psychology, because the profile of today's hacker is changing. As we reported last week, there are at least eight types of individuals who are trying to break into your systems, and that doesn't count all of the different categories of insiders who may be trying to crack your security as well. (See Eight Faces of a Hacker.)

A good security plan doesn't just defend against current threats -- it anticipates future threats as well. If you're developing your plan, you would do well to look closely at the different psychological profiles of potential attackers and decide how you'll defend against each one. If you know your enemy, you'll be ready for him.

But it's not enough to know technology, math, and psychology -- now you need to know about trash. A Texas judge has begun a whirlwind campaign to enforce new laws requiring companies to properly dispose of paper records that contain personal information. And several companies, including Radio Shack, could soon find themselves facing reputation-damaging court cases and heavy fines. (See Garbage Out, Cops In.)

A bad mistake in taking out the garbage, then, could be as dangerous as the most sophisticated system hack. If you're in charge of your corporation's information security, you'd better keep an eye on the shredder as well as your security incident management system.

These are just a few examples of the sort of non-technical issues that security departments will probably have to grapple with every week in the future. You want to be a security professional? Go for it. But make sure you get an education that goes beyond pure technology -- you're going to need it.

— Tim Wilson, Site Editor, Dark Reading
