Digital defense
RIT alumni find demand for specialized skills in the emerging field called ‘information security’
The sight of jet airliners
crashing into American buildings awakened the nation to the realities
of a dangerous world.
[Photo caption: National security concerns motivated Bart G. Guerreri ’67 to found a company specializing in information security.]
Yet two years after
the terrorist nightmare of Sept. 11, 2001, inadequately protected
computer systems leave the nation vulnerable to a different kind
of catastrophe.
“For the first
time in history, a handful of people in a backroom somewhere in
a third-world country can launch a crippling attack,” says
Bart G. Guerreri ’67 (mechanical engineering), chairman
and president of DSD Laboratories Inc., an information technology
company based in Sudbury, Mass. “Power grids, navigation,
water systems, manufacturing processes, communications, financial
institutions – any computer system that is networked can
be disabled.”
While the threat of
cyber Armageddon remains all too real, the information infrastructure
is compromised daily by a growing list of annoying and expensive
security breaches ranging from worms and viruses to hacker attacks
and identity theft. A few examples: More than 82,000 hacking incidents
were reported last year, up 56 percent from 2001, according to
a federally funded research center at Carnegie Mellon University.
The estimated cost of the so-called “I Love You” virus
totaled $2.6 billion. And the rising flood of e-mail spam costs
businesses millions in lost productivity.
Protecting computer
data has become an industry dubbed “information security.”
Many RIT graduates – from a variety of programs –
are making careers in this field, both in the corporate world
and in government agencies including law enforcement and the military.
Edward R. LaChanse
Jr. ’89 (applied mathematics) is a major in the U.S. Army
assigned to the 1st Information Operations Command (Land), Army
Computer Emergency Response Team. As leader of the Regional Computer
Emergency Response Team – South West Asia prior to and during
the war in Iraq, “Our mission was to defend the U.S. Army
infostructure from cyber threats – nation state hackers,
cyber terrorists, anti-U.S. hackers, parasitic hackers and malicious
code,” LaChanse says. “We took aggressive measures
to ensure the survivability of the networks and the availability
of the mission-critical data. The impact of our efforts
allowed the combat commanders to communicate and execute the presidential
directives on imposing our will on the Iraqi regime.”
The danger to national
security motivated Guerreri to start a company.
“I got into this
field because I feel quite passionately about the national security
issues involved,” says Guerreri. But information security
also holds tremendous business potential, he points out. Technology
industry analyst IDC earlier this year predicted that the cyber-security
market would reach $45 billion by 2006.
In 1999, Guerreri founded
BackboneSecurity.com to provide cyber security resources for government,
business and private organizations. Backbone offers network assessment,
employee training and development of proprietary security devices.
The company is one of seven approved by the National Security
Agency to use their Information Security Assessment Training and
Rating Program to perform information security assessments.
As Guerreri anticipated,
the company has plenty of work. “We have an enormous backlog
of business,” he says.
Human factors
Because the banking
industry is highly regulated, Jessica Love ’01 (MBA) feels
it has been at the forefront of developing secure systems. As
information security manager for ESL Federal Credit Union in Rochester,
Love is responsible for setting up systems and procedures, including
a security awareness training program for all employees in 22
company locations.
[Photo caption: Damon Cortesi ’02, left, and D.J. Vogel ’01 are part of the information risk management group at a major accounting firm. They visited RIT in April to participate in an event sponsored by the Security Practices and Research Student Association, founded last year.]
“I find that a
lot of computer systems are developed for functionality, not security,”
she says. Customers demand conveniences like online banking and
24-hour ATMs. Employees need to process more information faster.
Technology and human factors sometimes fall short of expectations.
“It’s so important to give people the access they need
but not give them access they don’t need,” says Love.
Indeed, human factors
are as important as technology – or more so.
D.J. Vogel ’01
(management information systems) and Damon Cortesi ’02 (biomedical
computing) work in Chicago with the 50-person information risk
management group at Crowe Chizek and Company LLC, one of the top
10 public accounting and consulting firms. Vogel heads penetration
testing – sometimes described as “ethical hacking.”
He and Cortesi spend much of their time trying to defeat their
clients’ security systems – and they’re successful
at least 98 percent of the time.
They work online and
in person, getting in via the Internet or by talking their way
past gatekeepers. They go through trash, find out who’s
on vacation, pick up useful information from voicemail messages,
and use their computer skills to break through the defenses of
small as well as major financial institutions.
“The bigger it
is, the easier it is to get in,” says Vogel. “Bigger
systems have more room for holes.”
“I’ve gotten
passwords from security guards,” Cortesi says. “You
kind of feel bad because you play on people’s trust and
innocence, but that’s our job.”
“We clean up
after ourselves and train everybody in proper procedures,”
adds Vogel. “When we go back to the same clients, people
are smarter. Our job gets harder.”
Business considerations
Outside of the financial
industry, business has been slow to embrace information security,
some professionals believe. “It’s an expense with
no perceived return on investment,” explains Jim Moore,
RIT Information Security Officer. “Information security
is not even considered like insurance, as there’s no statistical
way to determine how much is ‘enough.’” It can be difficult
to persuade business that protection of vital and sensitive information
is akin to protecting people.
[Photo caption: Linda Stutsman ’94, Xerox]
Linda Stutsman ’94
(management information systems) agrees it can be a hard sell.
Business leaders need to see information security as a business
enabler rather than a technology expense, says Stutsman, chief
information security officer for Xerox. “My team is very
focused on the business, and Xerox has been very supportive of
the effort.”
Stutsman has worked
in the field for 15 years, on both the implementation and management
sides, at Xerox and Kodak. In her current job, she heads the 18-member
team responsible for global information security support for the
company.
“The field has
really evolved,” she says. “Originally, people in
this profession typically came from physical security or military
backgrounds. After that, there was more focus on the technology.
Now, there is more of a business management emphasis.”
This is serious business,
but information security professionals tend to possess an element
of the elite gamer. Years before she attended RIT, Stutsman was
working for a company that faced a computer attack. She worked
with the experts who tracked down the problem, and found the process
fascinating.
“This was cool,
like a real-life game of Clue,” says Stutsman. “I
wanted to get into this.”
In hiring, she looks
for people with project management, security, technology and business
experience – and doesn’t expect to find all of the
elements in any one individual.
“There’s
no way one person can know everything about this,” she says.
But one characteristic is essential: a certain tenacious enthusiasm
for this kind of work.
[Photo caption: Bruce Nelson ’71, ’76, Kodak]
“If you’re
not passionate about this, you’ll burn out,” she says.
A former colleague of Stutsman’s embodies that. Bruce Nelson
’71, ’76 (B.S. and
M.S., electrical engineering) spends his days protecting the e-mail
system at Kodak. He joined the company soon after graduation and
– because he learned as much as he could about computers
at RIT – he gravitated into computer-related jobs at Kodak.
He’s been involved in Internet and e-mail management since
the company got online.
A big part of his job
these days involves developing filters to weed out spam and protect
the network from viruses and other dangers.
“Remember the
‘I Love You’ virus a few years ago? I saw it early,”
he says. “It just smelled bad. My filter caught thousands.”
The avalanche of spam
is an important business concern.
“It takes an
average of five or six seconds to delete a spam message,”
says Nelson. “When you’re talking about thousands
of employees, it adds up.”
After three decades,
Nelson still loves the work. “Every day is exciting. Every
day, there’s a new problem.”
If Matt Carver ’01
(information technology) has an information security job 30 years
from now, he expects that will suit him just fine.
“I see myself
staying in this field for my entire career,” says Carver,
a security analyst for industry giant Symantec Corp. in Herndon,
Va. “It excites me.”
The former president
of RIT’s Information Technology Student Organization, Carver
went to work for a small company, Mountain Wave Technologies,
after graduation. When the company was acquired by Symantec, he
segued into the product delivery and response group, working on
software that helps computer systems identify and track attack
trends.
“This is the
fastest-growing portion of the computer industry, so there’s
more opportunity,” Carver says. “I was really, really
lucky.”
Professional preparation
Nationwide, few academic
programs in this field exist. Since 1990, a credential –
CISSP for Certified Information Systems Security Professional
– has been available by taking an exam offered through the
International Information Systems Security Certifications Consortium
Inc., a global, not-for-profit organization. Some in the industry
– Guerreri included – feel that more should be done
to raise the level of formal education.
Professional organizations
provide opportunities for exchange of information. The Rochester
Area Information Security Forum (RAISF), founded by Linda Stutsman
in 1999, now includes top-level information security professionals
working at 11 major corporations and organizations. The group
meets regularly to share best practices and offers study sessions
for those interested in the CISSP exam.
An RIT student organization
called Security Practices and Research Student Association (SPARSA),
which networks with RAISF professionals, was formed last year.
Members plan to pursue careers in this field.
“There’s
an urgent national need for a next-generation workforce that understands
information security and computer crime,” says Sam McQuade,
assistant professor of criminal justice and a former program manager
for the National Institute of Justice of the U.S. Department of
Justice. Addressing this need has become a matter of national
policy: The 2002 Cyber Security Research and Development Act calls
for the National Science Foundation to award grants to institutions
of higher education for establishing or improving undergraduate
and master’s degree programs in computer and network security.
McQuade, who teaches
courses in computer crime, explains that information security
professionals need training in criminology, sociology, management,
law and ethics as well as technical skills.
“This is truly
a multidisciplinary issue,” says McQuade. “No one
academic area can claim ownership of all there is to know.”
Personal responsibility
[Photo caption: Jim Moore, RIT]
Keeping the university’s
information systems safe and secure is a high priority at RIT.
Many are involved in the ongoing effort, but Jim Moore, the information
security officer, is point man. The university – like other
organizations – ultimately depends on the cooperation and
responsibility of individuals.
“One person or
department can’t do this alone,” he says.
Kimberley Laris ’99
(MBA), director of business processes and audit at RIT, agrees.
“After auditing information security management processes
for many companies before coming to RIT, my greatest concern is
a lack of awareness. We shouldn’t live in fear, but we need
to be informed. We need to understand our own risks and protect
ourselves appropriately,” she says.
“Security is
about providing people with the freedom to do what they need to
do safely. I believe RIT is uniquely positioned to contribute
valuable understanding of information security to the world through
education.”
Kathy Lindsley