Guardians of The Gate

Name: Jonathan Taylor

Title: Enterprise security engineer

Company: Sutter Health, Sacramento, Calif., a nonprofit services organization for 25 affiliate hospitals in Northern California

30-second resume: Taylor has worked in IT since 1994. After graduating from Brigham Young University in Provo, Utah, he joined a value-added reseller. While moonlighting as a Windows NT Server instructor at MTI College of Business and Technology in Sacramento, a fellow teacher told him about an opening at Sutter Health. He joined the company in 1997, first working on a project to roll out a Windows NT platform throughout the company's health care affiliates. Taylor switched to IT security in early 2000.

Skills boost: On-the-job training is the best way to learn, says Taylor. "There's very little training for information security," he says. "And even if there was, it's such a vast field that it would be difficult to get what you need for your particular industry or job."

Still, Taylor has found some courses that help him keep current. His most recent training came from Foundstone Inc., a security services firm in Mission Viejo, Calif. At its Web hacking course, he learned about common Web site vulnerabilities that hackers exploit - vulnerabilities that existed within Sutter Health's public site.

"It was a great big eye-opener," he says.

Other resources that Taylor uses to learn about potential security risks are newsgroups and Web sites devoted to IT security. He says there's a helpful bug list on the Web site of San Mateo, Calif.-based SecurityFocus.

Taylor says the mechanics of his job haven't changed since the events of Sept. 11; what's different is the interest that company executives now have in security. "When we would see patterns of risk before 9/11, people were apt to dismiss it," says Taylor. "Now when we say we have a concern, people's eyes go wide open."

- Johnson is a contributing writer in Seattle.

Skills

• Keeping unauthorized people out of systems is the primary task for a security professional, so become skilled at performing risk assessments and working with firewalls, access controls, authentication software, digital certificates, network management security tools and intrusion-detection systems.
• Networking fundamentals are a must, so brush up on TCP/IP. Count on employers asking about your experience with Cisco Systems Inc. products. They will also expect you to know how to administer common server operating systems such as Solaris, Windows NT and 2000, and Linux.
• Bonus tip: If you have been through the firestorm of a disaster recovery effort or have designed and implemented a security system, you'll be in demand.

Training

• Certifications: The Certified Information Systems Security Professional (CISSP) certification is administered by the Dunedin, Fla.-based arm of the International Information Systems Security Certification Consortium Inc. It runs five-day boot camps to prepare people for the CISSP test.
• Bonus pay? Not likely; the payback for certification is more often a job rather than a salary boost. Some employers list "certification strongly preferred" in job postings; others require one or more certifications. Without them, your resume could be tossed.

Salaries

There are security job openings all over, including one for a manager of security and disaster recovery with a five- to seven-year track record, a CISSP certification, and experience with virtual private networks, encryption and intrusion-detection software. Location: Augusta, Ga. Salary: Up to $75,000

• A financial services firm seeks a data security administrator with systems administration, firewall, intrusion-detection and programming skills. Location: Dallas Salary: Up to $70,000
• Hot industry: With the federal government beginning well-funded cybersecurity projects, the job market in the government sector is hot, particularly in the Washington area.

SOURCES: Nick Doty, editorial director at Techies.com Inc. in minneapolis; Thomas Woods, principal at Magee Resource Group in Shreveport, La.; Julie Larson, vice president of information security, risk assessment, awareness and compliance at Comerica Inc. in Detroit.

The Security Action Plan

Stories in this report:

• The Security Action Plan
  
• The Story So Far: IT Security and Disaster Recovery
  
• Maximum Security Returns
  
• Manage Those Patches!
  
• Build a Computer Incident Response Team
  
• Let the Pros Investigate Computer Crimes
  
• Watch Out for Wireless Rogues
  
• For Disaster Recovery, Put Your IT Eggs in Different Baskets
  
• Denying Network Service
  
• Think Like a Terrorist
  
• Field Report: Out from the Shadows
  
• How to Thrive in the IT Security Market
  
• The Next Chapter: Predictions about IT security
  
• IBM's view of the hot trends in IT security
  
• Case studies in IT security and disaster recovery
  
• Intrusion-detection systems are evolving
  
• Reporter's Notebook: IT Security
  
• Top 10 Vulnerabilities in Today's Wi-Fi Networks