When Robert Garigue first delved into IT security in 1976, the career profile for a security administrator was vastly different from what it is today.
“I don’t think there was that kind of formalism around information security management practices as there is today,” recalled Garigue, chief information security officer for the Bank of Montreal (BMO) in Toronto. “You would come into security by virtue of systems administration and by managing a larger structure of computational resources.”
Garigue got his first taste of security when he went into the military. He spent 23 years there; during that period he was a software engineer and managed large projects for command and control information systems and weapons systems.
Since then, however, the security hiring landscape has changed. Garigue said that these days, candidates for security positions often hold professional designations such as the Certified Information Systems Security Professional (CISSP) and the Global Information Assurance Certification (GIAC) from the SANS Institute.
Those certifications “give an indication of the domain of specific competencies and understanding” of the professional. IT security is now better defined as a career; the professionals who choose to pursue it may come from a range of academic backgrounds, but they all have some sort of computer science training as well as specialized education in specific IT security disciplines.
Training for the job
For the last four years, BMO has had almost 30 students from the University of Waterloo participate in a security analyst co-op at the bank’s headquarters. Garigue said the skills they develop fall within both the technical and broader management categories.
“They learn things like how to make sure policies are embedded and can be tracked and followed. Sometimes the job involves auditing, and other times it’s more about communication skills or project management. All those people have strengths and weaknesses in different areas, so as they move up the career progression, they are put into positions that leverage their strengths,” he said.
Algonquin College in Ottawa offers a wide scope of information security training. Syd Hancock, coordinator of the one-year post-diploma Information Systems Security program, which graduates 20 to 25 students every year, said the program teaches the technological side of security through courses in cryptography, telecommunications security and secure system design, as well as management-oriented courses like policy writing, legal issues, risk analysis and disaster recovery.
“I believe that the industry is looking for a broad scope, a technologist who might specialize in one or two of those technical areas but who also has management capabilities,” said Hancock. He said that most students prefer the technical courses, having previously obtained an IT-related diploma as a prerequisite. But if they anticipate a full career, they also need to be prepared in the managerial area.
A wide range of skills will come in handy down the road if the student eventually decides to pursue a career with a consulting company, Hancock noted. “IT security consulting firms are particularly interested in a wide scope of skills right away, because they cater to a wide variety of clients, whereas critical functions like finance or telecommunications might hire a graduate for a more narrow scope, a specialist to fill each of the different security areas.”
The big interview
Raj Mohamanlall is the latest employee to join security consulting firm WhiteHat Inc. in Burlington, Ont. Although his academic background is in molecular genetics, Mohamanlall said he always found IT more interesting than what he was studying in school, and security was always something of a hobby for him. The IT skills he developed on the side have led him to positions ranging from network administrator to independent consultant.
Mohamanlall said the interview process for the security consultant position at WhiteHat was “quite rigorous. The day that I was interviewed, I met all the partners separately and that took three to four hours. By then you get a good inkling of what the company is about.”
Feeling nervous might be natural, but Mohamanlall said IT security job candidates must also display “an underlying confidence in their abilities and what they’re talking about” in all areas, including technical knowledge, business practices and customer focus.
A person who is strong in all those areas can be difficult to find, said WhiteHat’s chief security officer Tom Slodichak. “We need people that can deal with different environments, personalities and people, and graciously communicate with our clients, rather than being totally 100 per cent matter-of-fact tech heads.”
Psychological testing and background checks are IT security hiring realities that Hancock said Algonquin students are warned about from the get-go, “so [they] don’t think they can hide something,” he said. “People who want to get into this business really have to see this as a profession and not as something that they dabble in. They have to be above reproach because they will hold others accountable for following rules.”
The psychological test WhiteHat administers consists of questions ranging from math to “what-if” scenarios. “They measure things like social orientation, judgment, logic, the ability to communicate, organization, ethics, and their general personality profile,” said Leanne Bucaro, WhiteHat executive vice-president.
Mohamanlall said he found the test stressful. “I don’t want to repeat and I’m glad it’s over,” he laughed.
According to Lori Sabat, CEO of IT security recruitment firm Sabat Group in Frenchtown, N.J., the hottest security positions today fall within security architecture, security applications development, and high-level network engineering and consulting.
“PKI is also making a comeback,” she said, adding that her clients are “tying PKI in some cases to smart cards and Active Directory programs.”
Security consulting firms are looking for either product-specific implementation skills or capabilities that are specific to successful compliance with ISO standards and regulations like Sarbanes-Oxley, she said.
She added: “They also look for other typical-type roles like attack and penetration, security assessments and policy.”