Computerworld - Two members of my security team gave their two-weeks' notice this week. Each departed for different reasons. Our most technical security engineer left to start his own company. Our security auditor jumped ship for one of the big consulting companies. It offered him a significant salary increase, more vacation time and the opportunity to build his own team.
We tried to keep both of them, without success. In my experience with the information security business, the average tenure for a security engineer seems to be about a year. Even in today's uncertain economic climate, keeping security professionals is a problem. But the more immediate question is, How do I keep things going until I can hire and train replacements?
Juggling Hats
With two staffers leaving at the same time, I have to make changes to the way we've been managing our security infrastructure. My role is expanded until we can find qualified replacements. I know that it will probably take at least a month to find people. And once we find and hire qualified candidates, it will take another month to train them and bring them up to speed. For at least two months, then, I must take responsibility for the infrastructure and programs that the workers were managing - or try to delegate them.
The department's core deployments include an intrusion-detection system, a two-factor authentication system and firewall management. In addition, we still have architecture reviews, audits, secure server baseline construction, policy creation and review, and plenty of other one-off issues that typically plague the department.
In order to deal with the increased workload, I need to off-load certain aspects of our daily activities to other areas of the company. This week, I focused on our intrusion-detection system deployment and our SecurID authentication infrastructure. The security department is responsible for incident response related to alerts generated by Tripwire, from Portland, Ore.-based Tripwire Inc. We are also responsible for the day-to-day administrative activities related to the SecurID infrastructure.
We run Tripwire on more than 50 Unix servers within our DMZ and corporate network. They are currently configured to send alerts via e-mail to an alias account to which the security department and the Unix administrator are subscribers. I also configured Tripwire to run a check on five especially critical files at 10-minute intervals. For example, the /etc/passwd and the /etc/shadow files contain information on accounts and passwords. If someone were to add an account, the password and shadow files would change, and Tripwire would issue an alert on that change.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
