Organizations Hiring InfoSec Professionals

By Peter H. Gregory

These days it might be easier to ask, what types of organizations don’t hire information security professionals? Every organization that uses computers and networks must employ people with security skills and knowledge. With the frequency of malware attacks, even a one‐person IT department must be knowledgeable about basic security skills.

The following types of technology activities beg for security skills:

  • Providing secure Internet connections

  • Managing login credentials and access (known as Identity Access Management)

  • Allowing secure remote access for valid users

  • Providing supplier, partner, or customer access via Virtual Private Networks

  • Maintaining secure email servers

  • Managing and protecting the information on file servers

  • Managing laptop computers for a mobile workforce

  • Creating secure in‐house written software

  • Maintaining enterprise application access with user accounts

When an organization has one or more of the preceding in its technology environment, its IT department had better have one or more people with some security skills. Otherwise, a lot is going to go wrong. Take another look at the preceding list, only this time check out the consequences of poor security:

  • Internet connection: Attacks from the Internet; malware from watering hole attacks.

  • Login credentials: Attackers who stop at nothing to guess login credentials, including the use of automated tools that can perform brute‐force attacks, in which thousands of different passwords per hour are guessed until the right one is found. Then it’s “game over”!

  • Remote access: Brute‐force attacks against user accounts, eventually leading to successful break‐ins.

  • Supplier, partner, or customer access: Attacks from supplier, partner, or customer organizations. Misuse and abuse by personnel with poor judgment in those organizations.

  • Email server: Incoming spam, malware, and phishing attacks.

  • File server: Access management issues; data loss through lax access permissions; malware hosted on the file server.

  • Laptop computers: Stolen laptop computers with loss of data stored on them; attempts to break into organizations based on login information stored on stolen laptops.

  • In‐house written software: Exploitable vulnerabilities leading to data loss.

  • Enterprise applications: Access management issues, people with excessive access privileges, terminated employees with still‐active user accounts.

Now, look at the list one last time, to see what technology and security professionals need to do to protect systems and data:

  • Internet connection: Network engineers need to understand how to make edge devices (the routers, firewalls, and other devices at an organization’s outer boundary) resistant to attack. They also need to be able to install and manage firewalls and other protective devices with their complex rulesets to let the good guys in and keep the bad guys out, and to prevent malicious software from getting into the organization.

  • Login credentials: User IDs, passwords, and security tokens are issued only to authorized personnel. In larger organizations, automated tools are used to reduce errors and watch for problems. Many systems can be configured to prevent brute‐force attacks.

  • Remote access: Some personnel must have access to an organization’s internal network from any location. A remote access system must be built correctly so that only authorized personnel can get in.

  • Supplier, partner, or customer access: Most organizations rely on other organizations for supplies, personnel, or services. In many such cases, people in those external organizations need access to internal resources. Every aspect of this process must be done right to prevent cybercriminals from exploiting external access and stealing data.

  • Email server: Because email servers are connected to the Internet, systems engineers need to know how to correctly configure and “harden” email servers to prevent intruders from compromising the organization’s email communications.

  • File server: Internal and external file servers must be correctly configured and managed to protect all sensitive information stored on them and to prevent intruders from being able to access sensitive data.

  • Laptop computers: Personnel who build and manage laptop computers (as well as tablets and other cool devices that everyone wants) must include the latest measures, such as whole‐disk encryption and advanced malware prevention tools, to prevent the compromise of data stored on stolen laptops, as well as to protect the systems that laptops are permitted to connect to.

  • In‐house written software: Software developers need to understand how to write software that will be resistant to attacks such as buffer overflow, script injection, and authentication bypass.

  • Enterprise applications with user accounts: Personnel who manage user accounts for enterprise applications need to keep accurate records and use detailed procedures to make sure that no unauthorized personnel are given user accounts. Also, applications must be configured to track all user logins and create alerts if any user accounts are under attack.

As you can see from this list, which is but a sampling of all the aspects that require security expertise in an organization, a wide set of skills is required for all IT workers, including specialized security personnel.