

This story appeared on Network World at
http://www.networkworld.com/newsletters/sec/2009/050409sec1.html
IA career development: Need for IA professionals will grow
Information assurance careers in a struggling economy
Security Strategies Alert
By M. E. Kabay, Network World, 05/05/2009
Recently I was asked by a journalist for comments on careers in information assurance. Little of what I wrote fit into the article, so I'm publishing my remarks here.
In response to a similar question some years ago, I published a paper for the American Association for the Advancement of Science which is still available as baseline information. A short piece entitled “Careers in Information Security” is available from my Web site and a longer piece is “Information Security Resources for Professional Development”.
We will see increasing integration of information assurance into the strategic thinking of organizations as managers realize that the economic downturn increases pressures for illegality. Employees and managers who are desperate for continued employment may find their ethical standards weakening; we already have documented cases from past years of employees and managers who have broken into competitors' systems to acquire competitive intelligence or to steal intellectual property that will yield an immediate economic advantage to their current employers. How many more will we see as they contemplate the specter of job loss?
The other factor I foresee is that the economic downturn will increase the demands of the market for better integration of security in commercial off-the-shelf software. Companies and other organizations which are counting pennies will become increasingly intolerant of the shoddy programming that has been typical of much of the software that passes for professional products in the current marketplace. Well-known errors that lead to common vulnerabilities as defined in the CVE (Common Vulnerabilities and Exposures) database will, in my view, become grounds for individual breach-of-contract lawsuits and possibly for class-action lawsuits. Readers may want to refer to Chapter 38, "Writing Secure Code" by Lester E. Nichols, Timothy Braithwaite and me from the recently released Computer Security Handbook, Fifth Edition (Wiley, 2009) (CSH5) for some useful background reading on these issues.
Another problem rooted in the poor economy is personnel management. As employees become more stressed, employee management for sound information security becomes increasingly important. Chapter 45 on “Employment Policies and Practices” by Bridgitt Roberson and me in the CSH5 presents practical advice.
IA professionals must understand that assuring the six fundamental attributes of information security is absolutely integral to meeting the strategic needs of every organization. Confidentiality, control or possession, integrity, authenticity, availability and utility (the Parkerian Hexad) are at the heart of IA (narrated PowerPoint file available). See Chapter 3, “Towards a New Framework for Information Security” by Donn B. Parker in the CSH5.
At the same time, IA professionals must learn to apply rational risk management to all of our decisions; we cannot swagger around the organization barking orders at our colleagues as if we were zealots enforcing a mystical doctrine. IA serves the interests of the organization in a context of risk assessment and rational allocation of resources. IA personnel must use every managerial and psychological skill available to convince colleagues to collaborate in protecting information assets – coercion does not work. Thus in addition to technical understanding and skills, IA practitioners need to be able to listen, learn, analyze and respond to the needs of their colleagues and to recognize the strategic goals of the organization so that they can put their efforts where they will count.
Being able to communicate well is a tremendous asset for IA professionals, and that's why the Master of Science in Information Assurance (MSIA) at Norwich University includes so much analysis and writing as part of its curriculum. Many of our graduates have written back to us over the years to thank us for the honing of their communications skills.
Another side of career development is visibility. Practitioners will do well for their profession and for their careers by sharing knowledge with others through presentations at professional user group meetings and larger conferences. Young people, in particular, benefit in all ways by writing thoughtful, factual, insightful articles on information assurance issues; not only do they legitimately feel a glow of achievement in helping others, they also expose themselves to new challenges that encourage additional thought and they add credibility to their résumés.
A White Paper on “IA Education in a {Rec,Depr}ession” is available with an extended discussion of these topics.
I hope that readers who know young people (including high-school students) who have expressed interest in IA careers will pass this article on to them and to their guidance counselors.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.