What Can a Computer Security Specialist Do for Your Business?

A computer security specialist can make a very significant contribution to your organisation's information security. In recent years, information security in general, and IT security in particular, has grown increasingly specialised and formalised. A general IT training is no longer sufficient to cover all technical aspects of the field, and so a computer security specialist is required for all but the most basic tasks.

So what does a computer security specialist actually do? There are several sub-fields of information security, and no one person can hope to be an expert in them all. But in general, IT security specialists usually have one or more of the following specialisations:
  • A penetration tester actively probes the defences of an organisation's computer systems and network infrastructure, either by mimicking a hacker attack from outside, or else by making use of varying degrees of insider knowledge.

  • An application tester performs a similar function for externally-facing servers, e.g. email, web, or FTP servers.

  • An information security auditor reviews a company's overall information security management system, comparing it against industry best practices such as the ISO 27001 standard.

  • An interim manager is hired by a company for a relatively short period, either to bridge a gap between permanent employees, or to deliver a one-off project (such as the planning and implementation of a full information security management system).

  • An outsourced CISO (Chief Information Security Officer) is another type of computer security specialist. He or she will work with a company on a longer-term basis to deliver their information security function, possibly on a part-time basis in the case of a smaller company.

  • A computer security consultant will be engaged for a clearly-defined project and for a relatively brief time, and will provide advice and recommendations which then need to be implemented. He or she may concentrate on information security as a section of corporate governance, focusing more on policies, procedures and people rather than exclusively on technology.

  • Certain organisations, such as Government agencies and the military, may have a need for expert cryptographers. However, very few commercial firms will need this level of expertise.

  • Finally, a computer security specialist may also run training courses and awareness campaigns, either general-purpose or customised to a particular organisation.
Clearly, one person cannot possibly cover all these varied functions, and so different experts will tend to specialise in one sub-field or another. A large company may have its own team of IT security specialists to cover all areas, but a smaller company will need to buy in this expertise from a specialist consulting firm.The field of information security is still in the process of maturing, as witnessed to by the plethora of different certifications for various sub-fields. It is important to ensure that the computer security specialist who ultimately carries out the work is certified to an appropriate standard and with an appropriate certification, and has a verifiable track record of reliable work. Picking the right person can be almost the hardest part of the project, since everything else depends on this. Hence it is all the more important that a hiring manager clearly understands the different types of expert as outlined above, and also that the strengths and limitations of each type are appropriate to the proposed project.Andrew Leith is a security consultant at commissum, a UK-based information security consultancy specialising in penetration testing, vulnerability assessment, ISO27001 consulting services, and security configuration of enterprise systems.

0 comments:

Post a Comment

Don't be shy: leave your comments