Building your Security Team
Secure Your Future ™ with The SCP. With The Security Certified Program, IT Pros can become certified in the hottest sector of the Information Technology industry.
In March of 2007, T.J. Maxx announced to the US Securities and Exchange Commission (SEC) that it had over 45 Million credit card and debit card numbers stolen from its internal IT systems. In May of 2007, a laptop from the Los Alamos nuclear-weapons facility, which contained sensitive government documents, was taken on a personal vacation, and subsequently stolen. The US Pentagon computer systems are attacked hundreds of times each and every day. These stories are becoming so commonplace that it is easy to read past them, or think that such an incident would not happen to your organization.

Unfortunately the statistics and history do not tend to agree with that assumption. In the annual survey conducted by the Computer Security Institute (CSI) and the US Federal Bureau of Investigation (FBI), approximately half of those surveyed acknowledged a security breach within the previous year. Additionally, in what is an alarming trend, thirty-two percent (32%) acknowledged that their organization was the target of a specific attack – meaning non-random; those organizations were specifically targeted for attack. That figure, at 32%, is expected to grow.

Clearly, the need for Information Security (InfoSec) has never been greater. From large to small, all organizations must address security. It is worth mentioning that small organizations need to take security just as seriously as large. This is for a unique reason. It may very well be that a smaller organization is not as likely to be the recipient of a targeted attack. However, one of the primary means of attack is through the use of something called a Bot. Attackers will infect thousands (and often hundreds of thousands) of computers (which each become a Bot) to use in a coordinated attack on a large company. So the threat is real, but where to start when dealing with the response to the threat?
There are many manufacturers of products and software that will try to make the case that if you only purchase their product, then your organization will be secure. While it may be true that the unique software or hardware that is being sold will help secure your organization, there simply is no magic product you can purchase and install that will make your computers and networks secure.
Let’s get started. Your starting point needs to be your security team. You must have a team mindset, and must have team members in the proper positions, just like on a sports team. Now, if you are running a very small organization, this team might include you and your fellow workers, as this concept is not exclusive to technology gurus. In fact, as you will see shortly, perhaps the single most important aspect of building your security team will be with the non-technology folks inside the organization.

The weakest link theory applies to many facets of life and technology, and in the world of Information Security it applies just as well. In the world of computer and network security, often the area that is least addressed also happens to be the most important. That area is the education of the people who are using the computers and networks in the first place. People, us humans, are the cause of most of the security problems, but tend to be addressed only after (sometimes never!) buying the latest and greatest whiz-bang security product. Sadly, this is a misplaced priority, and a sure formula for security problems in the future.

If you use a computer, you are considered an Information Worker. An Information Worker is the normal everyday user of computers and networks, in other words, all of the non-technology gurus! People at this level must have the proper education in order to fit into the security team of the organization. As we go through this discussion, we will talk about how the Information Workers can migrate from what some call the weakest link, to actually becoming security assets in the organization.

For us to move onto the team building concept without a proper framework for the discussion is quite difficult. To address this framework we at the Security Certified Program (SCP) have collaborated on what is called the IT Security Skills and Certification Map. This map will become the building block upon which our conversation and your team will be founded.
Below you will find the Map embedded in this article. You can click on the image to open a new window with a high-resolution PDF version of the map. You are welcome to print out the high-res PDF for your own use, or to discuss with friends and colleagues. One thing you should notice is that this map covers all positions from the Information Worker through the Executive IT level in an organization. This is because all levels have a role to play on the team. At no point is there a role that has no relationship to the security of the organization.

For the Smaller Organizations

In a moment, I will move to the aspects of building the security team in larger organizations, but I had mentioned earlier that even at a small business there is a way for you to build a security team. Small business in the United States actually accounts for the majority of business that is conducted in the US. You could argue that securing this segment of the economy is actually more critical than securing large organizations. It is the opinion of the author of this piece that all organizations need proper security teams, regardless of size.

If yours is an organization where everyone is an Information Worker, and there are no dedicated IT or technology folks on staff, then you should require everyone in the organization to attend a Security Awareness Program, and keep those skills up to date. Simply knowing how to build strong passwords (that you can remember!) and use email and the web securely will drastically increase the overall security posture of your organization.

For your team then, create a plan where every employee that uses a computer has time to take the Security Awareness Program. This type of course is delivered in an online format, so no travel or time away from the office is required. It is non-technical in nature, so everyone who takes the course should be able to gain solid security knowledge. If that is the extent of your team, then great!
If your location does have a few folks in the IT world, then they should move on to the CompTIA Security+ certification, followed by the Security Certified Network Specialist (SCNS) certification.
For the Larger Organizations

Once we move into the space of the larger organizations, we have moved into an area where the IT Security Skills and Certification Map becomes even more useful. We should start with the assumption that, as in the smaller organization, every single worker in the organization who uses or comes in contact with a computer system must attend a Security Awareness Program. Without addressing these critical workers, your organization is missing the foundation of solid security, and like in a physical structure, if the foundation is weak it is only a matter of time before the structure comes crashing down. So we are starting with the assumption that all the information workers in your organization have gone through a Security Awareness Program, and keep those core skills up to date.

As you may already know, from there it can get complicated. There are so many certifications, covering so many subjects, that it can seem overwhelming to determine which certification to follow. Like before, we shall return to the IT Security Skills and Certification Map. You know that your staff needs security skills, but with so many courses and certifications available it can be daunting trying to figure out how they all fit together.

In a moment, we will use the map, but beforehand, let’s discuss a common analogy. If you are running a hospital, you need medical specialists and professionals at every level. It would not make sense for each person in the hospital to have the exact same educational history. At the starting point your medical staff would require the core knowledge of anatomy, how medical systems and processes work, and so on. Once that person is ready to move on, he or she will need to learn the actual hands-on skills of how to perform procedures, and how to use the tools of the trade.
Moving on still, that person may now be at a stage in his or her career where learning specific techniques and specialties makes sense, such as becoming a heart surgeon. As you continue to move ahead in the career, the chief of staff and medical management needs yet other skills, on how to run a floor or run the hospital itself. Likewise, it doesn’t make sense for all your IT staff to have the exact same security education, and now using the IT Security Skills and Certification Map, we will walk through the process of building your security team.

Building Your Team

At the starting level, all of your IT workers, your full IT staff that touches and uses computers, should have the Security Awareness Program, or similar security background. If not, taking this online course is a great way to get those people started in the overall process. From this point forward, it will be assumed that all of your staff has taken this course, or has that base level of knowledge.

From there, you need your IT workers to obtain the CompTIA Security+ certification. This certification will provide the solid base-level knowledge that all other educational programs use as a starting point. For your IT workers, it will not be enough that they have this knowledge; they also need some level of hands-on skill to go along with the knowledge. Therefore, for your IT workers, you will also need to blend in the Security Certified Network Specialist (SCNS) certification. Once your IT workers have this blend of CompTIA’s Security+ and their SCNS, you have added a critical piece of your security team.

Moving forward on your staff will be the actual IT workers who are responsible for the security of the organization. These individuals will need the same as the previous group, Security+ and SCNS, but will also require more hands-on skills, adding the Security Certified Network Professional (SCNP). All right, this is a lot of information, so let’s review thus far.
At this stage, you have ensured that all of the employees in the organization have taken the Security Awareness Program and have that important knowledge. You have instructed all your IT workers to complete their Security+ and SCNS certifications, providing both security knowledge and hands-on skills. Lastly, the individuals who work directly in the security systems of your organization have completed their Security+, SCNS, and SCNP certifications.

At this stage, you are building a very well-rounded security team, but you are not done yet. This is like building the medical staff without the specialists and people to run the hospital. There are still two more areas of your security team that you must address.

The next stage is the specialists. You will without a doubt require some of your security professionals to become proficient at a specific technology or skill set for your organization, and here is where (as in the medical world) the divergence of options is great. If you will require wireless expertise, you will instruct those who are given the task of securing the wireless networks to follow this path: Security+, SCNS, SCNP, and then CWSP (this is a Planet3 Wireless certification). If you will require Cisco security experts, you will instruct those individuals on a similar path, only moving towards Cisco at the end: Security+, SCNS, SCNP, and then CCSP (this is a Cisco security certification). As you can see, the specialized security skills can provide many unique paths. For your own unique organization, plan the path towards both the security skills you need addressed now, and those you plan on addressing in the future.

As you move up towards the executive end of the spectrum, more design and compliance skills are required, versus the hands-on skills at the previous levels. There are specific certification programs designed for this level as well, including the CISSP, SSCP, and CISM.
You may have some folks who are currently operating as the security specialists who have the competency and drive to move upwards, in which case, one (or more) of these certifications would be an appropriate path for those people.

Looking at the map, and the previous section, you can not only see exactly where your current staff should be placed on your security team, but you can also project into the future with their placements. Map out each employee, looking at what skills he or she should have right now, and then map them to the corresponding certification program. Likewise, map out each employee and where you expect them to be in the future, and you can map their future certification path.

To read the full objectives covered in the SCNS certification, click here. To prepare for the SCNS certification, we recommend the Tactical Perimeter Defense (TPD) course. TPD course information can be found here. To prepare for the SCNP certification, we recommend the Strategic Infrastructure Security (SIS) course. SIS course information can be found here.
Following this plan will ensure you have built not only a well-balanced security team for today, but have built a great security team for the future as well.

Have a great day!

Warren Peterson

About the Author: Warren Peterson is the President and co-founder of the Security Certified Program (SCP). In addition to his role as President, Warren also functions as the lead author for instructional content, and has written nine leading IT security books, including all current SCP courses. In 1999, it was Warren’s vision to create a program that addressed IT security, and the SCP was born. Warren has overseen the company’s growth from delivering security programs in one Chicago classroom to SCP courses delivered on a global scale. Warren can be reached at: Warren@SecurityCertified.Net.