
The ABCs of security team building

October 25, 2000 12:00 PM ET

Computerworld - When Tony Ames was hired as an internal auditor for a large West Coast university four months ago, his first order of business was to find out if anyone in the school's information technology department had a clue about information security. So Ames (not his real name, per his request) surveyed the school's 41 technical employees and their bosses so he could determine the baseline security skill set for the department and find out how far he had to go to organize and train an information security team.

Ames told his story to 50 of his peers who recently gathered to hear Michele Guel's full-day training seminar during the SANS Institute's Network Security 2000 conference in Monterey, California.

Guel said she started out six years ago as Cisco Systems Inc.'s only around-the-clock security engineer. She remained the only full-time security engineer for three years and said it almost burned her out.

Things got so bad, Guel said, she started hanging around human resources, checking new employees at the door to see if they had even a hint of security skills or an interest in the subject.

"I talked to interns, students, part-timers, even hobbyists," said Guel. To boost coverage, she said, she began to supplement security support from outside the security department with network administrators who had to pull weekly five-hour shifts on the security watch.

With barely more than 3,000 Certified Information Systems Security Professionals in the U.S., it's no wonder organizations look within their corporate rank-and-file for even the tiniest seeds of IT security understanding.

Many in Guel's audience said they liked the idea of looking through the organization for people with baseline IT security interests in order to grow a security team, although they questioned the use of itinerant workers for such a critical function.

"Interns are a good source of labor, but most companies don't have the resources Cisco does to do background checks on interns and part-time workers," said one audience member, a network security manager for a technology services vendor on the West Coast, who also asked for anonymity.

Despite the difficulty in finding qualified people, Guel had a number of suggestions as to what to do once you have found your candidates, including the following:

  • Interns with the proper background checks are excellent candidates for operational security projects, including patching, testing, developing and installing security tools.
  • Part-timers and students are best suited to answer the day-to-day security questions coming from users.
  • Those with management backgrounds may end up evaluating the security impact of major projects.
  • Programmers/developers with security interest may evaluate the use of new Internet technologies.
  • For short-term projects, outside consultants may be a good source of labor, if companies can stomach the $400 per hour average rates for this level of expertise.



