Safe and secure

Dwayne Moehl, project director of enterprise systems at Northwestern Memorial Hospital in Chicago, needs two good network security professionals for the 720-bed facility.

In addition to securing the hospital network from the IP layer to the end user, Moehl must comply with federal health care privacy regulations that are long on requirements for protecting patient data but short on system specifics. And in the post-Sept. 11 environment, he’s trying to safeguard the hospital’s complex network with increased automation.

It’s a job Moehl can’t do alone, even with the security knowledge he’s gained by creating network architectures.

“What I do know is, there’s a lot of stuff I don’t know,” he says. In addition, Moehl says, new security techniques and risks seem to surface every week.

That’s why Northwestern, with 167 IT professionals on staff, is adding an executive security management position, as well as a hands-on network security post. The hospital isn’t alone in seeking network security expertise: Many companies, especially those involved in e-commerce or regulated by the federal government, have been making network security an IT priority in the past year. And because there’s an insufficient supply of skilled professionals to meet the growing demand, network security is emerging as IT’s next hot job market.

A Fertile Field

“One of the broadest gaps between supply and demand is in security,” says David Foote, a Computerworld (U.S.) columnist and president and chief research officer at Foote Partners LLC, an IT workforce research and consulting firm in New Canaan, Conn. “Demand is particularly rapid for people who can walk and talk security as well as business issues.”

Descriptions and titles for network security positions are still in flux. In general, responsibilities of security administrators and analysts include creating network security policies and procedures and implementing and overseeing tools to support them. Salaries for these jobs range from US$75,000 to US$100,000, assuming a minimum of three to five years of experience.

Engineer/architect positions are more technical and may encompass creating secure networks, plus building firewalls, implementing intrusion-detection systems, handling incident response and performing some management responsibilities. Salaries for these positions range from US$85,000 to US$140,000, depending on industry, geographic region and the demands of the job, says Tracy Lenzner, president of Lenzner Group, an IT security recruiting firm in Las Vegas.

Because understanding TCP/IP is critical to many security functions, network professionals have an advantage in entering the security arena. But networking skills alone won’t win jobs. “Security is another level of skills and knowledge you must put on a seasoned networking background,” says Moehl.

For example, network security professionals must first understand how applications perform at the packet level and then learn to recognize minor anomalies in packet size or order that signal an attack, says Jonathan Taylor, an enterprise security engineer at Sutter Health, a Sacramento, Calif.-based nonprofit health care network that serves more than 100 communities.

Also, employers demand candidates with practical security experience, say recruiters. Network security professionals and recruiters recommend getting this experience by working on security projects employers already have under way. Taylor says he got involved with security through a network engineering project and “fell in love with it.”

Sold on Certification

Taylor and other professionals also add to their skills by attending security conferences, scouring security bulletin boards and books, and enrolling in security education and certification programs. The two certifications most in demand among employers are the Certified Information Systems Security Professional (CISSP) from the International Information Systems Security Certification Consortium Inc. in Framingham, Mass., and Global Information Assurance Certification (GIAC), which is offered by the SANS Institute in Bethesda, Md.

Such certifications often yield bonus pay, says Foote. His research through the third quarter of last year shows that the median bonus for CISSP-certified network security professionals was 8 per cent of base pay; the median bonus for GIAC-certified professionals was 5 per cent to 12 per cent of base pay.

As security is growing in importance, it’s also getting more funding. “I’m hearing it’s easier to get security budget dollars these days,” says Todd Furney, manager of systems and network security at the Chicago Board Options Exchange.

That doesn’t mean network security is being handed a blank cheque. “A big part of your job is selling security to management,” says Furney. He and others emphasize that good communication skills and business knowledge are necessary to succeed either in specialized security niches or on security management career tracks.

Do’s and Don’ts

Do look for security jobs in industries that must comply with privacy regulations, such as banking and health care. The more specific your business knowledge of these industries and the regulations they face, the more valuable you are, say recruiters.

Do consider gaining security skills for wireless networks and devices. “Wireless is going to be a tremendous area,” says Tracy Lenzner, president of Lenzner Group. She and other recruiters say they expect that market to heat up this year.

Do build your soft and business skills for more options along a security career path. Network security professionals say they must be able to show management how security measures fit into a company’s business plan.

Don’t expect security courses and certifications to substitute for hands-on, practical network security experience. Instead, lend your networking expertise to security projects within your company to gain experience.

Don’t become a criminal hacker, or “black hat,” thinking you’ll parlay that experience into a corporate job. “You’ll permanently damage your career,” warns Jonathan Taylor, an enterprise security engineer at Sutter Health.

Sharon Watson is a freelance writer in Chicago.