Thursday, June 26, 2014

Businesses Beefing Up on IT Security Specialists

In the wake of increased high-profile cybersecurity breaches, new research shows businesses are beefing up on their IT security specialists. The 2012 Career Impact study by (ISC)², a nonprofit organization representing security specialists worldwide, found that 72 percent of businesses hired new employees last year specifically for their information security skills. Sixty-two percent of businesses reported they are looking to hire additional information security employees in 2012.

"This data reflects the increase in security breaches we saw throughout 2011 and the fact that organizations, both in the public and private sector, are finally realizing the importance of implementing sound security programs that should be run by experienced and qualified professionals," said W. Hord Tipton, executive director of (ISC)². "Even in tough economic times, information security professionals are in high demand by hiring managers and organizations who understand that their skill sets are not only paramount to their organization's ability to conduct business, but also give them a competitive advantage."

As demand for IT security specialists increases, the research shows many organizations are doing more to reward the qualified employees they already have on staff. Nearly 70 percent of those surveyed received a salary increase in 2011, with 55 percent expecting another raise in 2012.

"While it’s a very positive sign that this field continues to grow and is somewhat 'recession-proof,' one of the biggest challenges that remains is finding enough of the right people with the appropriate security skills to fill the huge void that exists right now," Tipton said. "We must continue to build this workforce at an aggressive pace."

The study shows the top skills hiring managers are looking for include operations security, security management practices, access control systems/methodology, security architecture/models, risk management, telecom/network security, applications/system development security and cloud/virtualization. The research was based on surveys of more than 2,200 security specialists from around the world.

Set to Be Worst Year Ever for Security Breaches

Sony, the data-security firm RSA, Lockheed Martin, the email wholesaler Epsilon, the Fox broadcast network, NASA, PBS, the European Space Agency, the FBI, the British and French treasuries — and, just this morning, the banking and insurance giant Citigroup. What do all these organizations have in common? Along with dozens of other companies and government agencies, they were victims of massive network security breaches in the first six months of this year.

"In the last 10 years, I don't think we've seen breaches that have affected consumers at this scale," said Ondrej Krehel, information security officer for Scottsdale, Ariz.-based Identity Theft 911. "It's been the worst year in a decade."

Tim Armstrong, malware researcher for the Russian security firm Kaspersky Lab, agreed. "It's only June," Armstrong said, "but it has already [been an] impressive year for breaches."

Sony, RSA and Epsilon usher in the season

The worst three cybersecurity incidents of the year so far have involved RSA, Epsilon and Sony. In mid-March, Boston-based cryptography firm RSA suffered a massive network intrusion that resulted in the theft of information related to its SecurID tokens. Forty million people use the tokens to access the internal computer networks of 25,000 corporations, government organizations and financial institutions. Two months later, defense contractor Lockheed Martin had its own networks penetrated by attackers who used "cloned" RSA tokens made with data taken in the original breach. Unconfirmed reports named defense contractors Northrop Grumman and L-3 Communications as other victims.

In early April, hackers penetrated the internal networks of Epsilon, a Texas-based firm that handles email communications for more than 2,500 clients worldwide. The companies affected by the Epsilon hack included Ameriprise Financial, BestBuy, Capital One Bank, Citi, JPMorgan Chase, TiVo, U.S. Bank and dozens more.

Last (but not least in the eyes of some gamers) is Sony. Since early April, the Japanese entertainment and electronics giant has been fighting different groups of hackers. One group stole the personal information of 102 million registered users of the PlayStation Network (PSN) and other online gaming services.

"I believe that the PSN breach has made it [penetrating a network] somewhat fashionable," Armstrong said. "Despite the obvious negative implications, the recent compromises have a 'hacktivism' ring to them that engenders support and even motivates some that may not normally cross the line."

Who else has been hacked?

Other organizations who've had their security compromised in 2011 include NASA's Goddard Space Flight Center, which lost confidential satellite data in an April hack, and InfraGard, an FBI affiliate that was compromised by the hacking group LulzSec, which also attacked PBS, Nintendo and Fox. To this list we can also add the European Commission, blogging platform WordPress, the Institute of Electrical and Electronics Engineers (IEEE), TripAdvisor, Gawker Media, speed trap warning service Trapster and the Pentagon's official credit union.

Chet Wisniewski, senior security advisor with the security firm Sophos, suggested that major companies, especially ones that store large amounts of sensitive consumer data on their networks, simply aren't taking security seriously enough. That lax attitude, coupled with cybercriminals who are technologically savvy enough to perform sophisticated network intrusions, has made 2011 a year dozens of major companies will remember — and hopefully never repeat.

Where do we go from here?

The security forecast for the rest of the year, security experts say, is not looking too sunny. "I see the trend getting worse," Armstrong said. "Due to the lax security posture of many large-scale global companies, it has now become almost trivial for a motivated group or individual to find a way in.

"Add to that the potential of gaining huge amounts of valuable information, and I think we see a trend that can only grow until companies finally make more effort."

"It's not over yet," Wisniewski said.

Although these sophisticated network intrusions have all targeted companies and governmental organizations, it’s the individual consumer's personal information that ultimately is the most valuable to a cybercriminal. "We should be conscious of the fact that we cannot trust companies to protect our data properly and be cautious who we give our information to," Wisniewski said. "Do we really need to provide our full name, postal code, birth date, etc. to get a frequent shopper card at the supermarket?"

To keep your identity and data safe, Krehel advises people to prepare a list of institutions to contact in the event your personal data is stolen. It's also important to never divulge non-essential information such as your mother's maiden name, which can be used to steal your identity, and to use a different password for each online account.

Every Business Needs a Security Plan

Too many businesses wait until it's too late to think about their company's physical security and cybersecurity issues. That's not good for business, according to Mike Howard, chief security officer for Microsoft. Howard, an ex-CIA officer who handles all physical security for the company's worldwide operations, says that integrating a security team or plan into your company's day-to-day operations is the key to getting the most value from it.

"Security is not something that should be thought of as 'break glass only in times of emergency,'" he told BusinessNewsDaily in an exclusive interview. "It affects a brand's reputation, can result in lawsuits, and requires initial investments up front." If you don't want to spend money on security now, you'll surely pay more later, he said.

Howard should know. His security team is ultimately responsible for the safety and security of Microsoft's entire executive team, its 90,000 employees, roughly 90,000 contractors, 700 facilities in more than 100 countries worldwide and all of the visitors to those facilities. He's also responsible, of course, for all of their computers and hardware and the information they contain.

Howard said it's understandable that businesses may not spend a lot of time focusing on security. "Businesses rightly so are focused on making a profit and that's going to be their natural concentration," he said. "I understand a company's main emphasis is not on security."

It's a mistake, however, to underestimate the importance of security issues at a business of any size, Howard said. "Companies don't take the time to understand the role of security in an organization," he said, referring to everything from employee safety to theft to cybersecurity. "When it comes time to carve out funds for security, there's a benign lack of knowledge or interest because there are higher priorities."

Howard has made it one of his top priorities to educate Microsoft's senior management about how important security is. "Businesses are a microcosm of society and there is a tendency to be in denial about having a general security awareness. The mindset is, it's never going to happen to us." He said that companies tend to want to spend money on what's most likely to give them a visible and timely return on investment.