On Campus

From Our Readers

RIT Works!


From the Archives

President's Message


Past Issues


RIT Home Search Index Directories Info-Center

Digital defense

RIT alumni find demand for specialized skills in the emerging field called ‘information security’

The sight of jet airliners crashing into American buildings awakened the nation to the realities of a dangerous world.

National security concerns motivated Bart G. Guerreri ’67 to found a company specializing in information security.

Yet two years after the terrorist nightmare of Sept. 11, 2001, inadequately protected computer systems leave the nation vulnerable to a different kind of catastrophe.

“For the first time in history, a handful of people in a backroom somewhere in a third-world country can launch a crippling attack,” says Bart G. Guerreri ’67 (mechanical engineering), chairman and president of DSD Laboratories Inc., an information technology company based in Sudbury, Mass. “Power grids, navigation, water systems, manufacturing processes, communications, financial institutions – any computer system that is networked can be disabled.”

While the threat of cyber Armageddon remains all too real, the information infrastructure is compromised daily by a growing list of annoying and expensive security breaches ranging from worms and viruses to hacker attacks and identity theft. A few examples: More than 82,000 hacking incidents were reported last year, up 56 percent from 2001, according to a federally funded research center at Carnegie Mellon University. The estimated cost of the so-called “I Love You” virus totaled $2.6 billion. And the rising flood of e-mail spam costs businesses millions in lost productivity.

Protecting computer data has become an industry dubbed “information security.” Many RIT graduates – from a variety of programs – are making careers in this field, both in the corporate world and in government agencies including law enforcement and the military.

Edward R. LaChanse Jr. ’89 (applied mathematics) is a major in the U.S. Army assigned to the 1st Information Operations Command (Land), Army Computer Emergency Response Team. As leader of the Regional Computer Emergency Response Team – South West Asia prior to and during the war in Iraq, “Our mission was to defend the U.S. Army infostructure from cyber threats – nation state hackers, cyber terrorists, anti-U.S. hackers, parasitic hackers and malicious code,” LaChanse says. “We took aggressive measures to ensure the survivability of the networks and the availabil-ity of the mission–critical data. The impact of our efforts allowed the combat commanders to communicate and execute the presidential directives on imposing our will on the Iraqi regime.”

The danger to national security motivated Guerreri to start a company.

“I got into this field because I feel quite passionately about the national security issues involved,” says Guerreri. But information security also holds tremendous business potential, he points out. Technology industry analyst IDC earlier this year predicted that the cyber-security market would reach $45 billion by 2006.

In 1999, Guerreri founded BackboneSecurity.com to provide cyber security resources for government, business and private organizations. Backbone offers network assessment, employee training and development of proprietary security devices. The company is one of seven approved by the National Security Agency to use their Information Security Assessment Training and Rating Program to perform information security assessments.

As Guerreri anticipated, the company has plenty of work. “We have an enormous backlog of business,” he says.

Human factors

Because the banking industry is highly regulated, Jessica Love’01 (MBA) feels it has been at the forefront of developing secure systems. As information security manager for ESL Federal Credit Union in Rochester, Love is responsible for setting up systems and procedures, including a security awareness training program for all employees in 22 company locations.

Damon Cortesi ’02, left, and D.J. Vogel ’01 are part of the information risk management group at a major accounting firm. They visited RIT in April to participate in an event sponsored by the Security Practices and Research Student Association, founded last year.

“I find that a lot of computer systems are developed for functionality, not security,” she says. Customers demand conveniences like online banking and 24-hour ATMs. Employees need to process more information faster. Technology and human factors sometimes fall short of expectations. “It’s so important to give people the access they need but not give them access they don’t need,” says Love.

Indeed, human factors are as important as technology – or more so.

D.J. Vogel ’01 (management information systems) and Damon Cortesi ’02 (biomedical computing) work in Chicago with the 50-person information risk management group at Crowe Chizek and Company LLC, one of the top 10 public accounting and consulting firms. Vogel heads “penetration testing” – sometimes described as “ethical hacking.” He and Cortesi spend much of their time trying to defeat their clients’ security systems – and they’re successful at least 98 percent of the time.

They work online and in person, getting in via the Internet or by talking their way past gatekeepers. They go through trash, find out who’s on vacation, pick up useful information from voicemail messages, and use their computer skills to break through the defenses of small as well as major financial institutions.

“The bigger it is, the easier it is to get in,” says Vogel. “Bigger systems have more room for holes.”

“I’ve gotten passwords from security guards,” Cortesi says. “You kind of feel bad because you play on people’s trust and innocence, but that’s our job.”

“We clean up after ourselves and train everybody in proper procedures,” adds Vogel. “When we go back to the same clients, people are smarter. Our job gets harder.”

Business considerations

Outside of the financial industry, business has been slow to embrace information security, some professionals believe. “It’s an expense with no perceived return on investment,” explains Jim Moore, RIT Information Security Officer. “Information security is not even considered like insurance, as there’s no statistical way to determine how much is ‘enough.’ It can be difficult to persuade business that protection of vital and sensitive information is akin to protecting people.”

Linda Stutsman ’94, Xerox

Linda Stutsman ’94 (management information systems) agrees it can be a hard sell. Business leaders need to see information security as a business enabler rather than a technology expense, says Stutsman, chief information security officer for Xerox. “My team is very focused on the business, and Xerox has been very supportive of the effort.”

Stutsman has worked in the field for 15 years, on both the implementation and management sides, at Xerox and Kodak. In her current job, she heads the 18-member team responsible for global information security support for the company.

“The field has really evolved,” she says. “Originally, people in this profession typically came from physical security or military backgrounds. After that, there was more focus on the technology. Now, there is more of a business management emphasis.”

This is serious business, but information security professionals tend to possess an element of the elite gamer. Years before she attended RIT, Stutsman was working for a company that faced a computer attack. She worked with the experts who tracked down the problem, and found the process fascinating.

“This was cool, like a real-life game of Clue,” says Stutsman. “I wanted to get into this.”

In hiring, she looks for people with project management, security, technology and business experience – and doesn’t expect to find all of the elements in any one individual.

“There’s no way one person can know everything about this,” she says. But one characteristic is essential: a certain tenacious enthusiasm for this kind of work.

Bruce Nelson ’71, ’76, Kodak

“If you’re not passionate about this, you’ll burn out,” she says.
A former colleague of Stutsman’s embodies that. Bruce Nelson ’71,

’76 (B.S. and M.S., electrical engineering) spends his days protecting the e-mail system at Kodak. He joined the company soon after graduation and – because he learned as much as he could about computers at RIT – he gravitated into computer-related jobs at Kodak. He’s been involved in Internet and e-mail management since the company got online.

A big part of his job these days involves developing filters to weed out spam and protect the network from viruses and other dangers.

“Remember the ‘I Love You’ virus a few years ago? I saw it early,” he says. “It just smelled bad. My filter caught thousands.”

The avalanche of spam is an important business concern.

“It takes an average of five or six seconds to delete a spam message,” says Nelson. “When you’re talking about thousands of employees, it adds up.”

After three decades, Nelson still loves the work. “Every day is exciting. Every day, there’s a new problem.”

If Matt Carver ’01 (information technology) has an information security job 30 years from now, he expects that will suit him just fine.

“I see myself staying in this field for my entire career,” says Carver, a security analyst for industry giant Symantec Corp. in Herndon, Va. “It excites me.”

The former president of RIT’s Information Technology Student Organization, Carver went to work for a small company, Mountain Wave Technologies, after graduation. When the company was acquired by Symantec, he segued into the product delivery and response group, working on software that helps computer systems identify and track attack trends.

“This is the fastest-growing portion of the computer industry, so there’s more opportunity,” Carver says. “I was really, really lucky.”

Professional preparation

Nationwide, few academic programs in this field exist. Since 1990, a credential – CISSP for “Certified Information Systems Security Professional” – has been available by taking an exam offered through the International Information Systems Security Certifications Consortium Inc., a global, not-for-profit organization. Some in the industry – Guerreri included – feel that more should be done to raise the level of formal education.

Professional organizations provide opportunities for exchange of information. The Rochester Area Information Security Forum (RAISF) was founded by Linda Stutsman in 1999, now includes top-level information security professionals working at 11 major corporations and organizations. The group meets regularly to share best practices and offers study sessions for those interested in the CISSP exam.

An RIT student organization called Security Practices and Research Student Association (SPARSA), which networks with RAISF professionals, was formed last year. Members plan to pursue careers in this field.

“There’s an urgent national need for a next-generation workforce that understands information security and computer crime,” says Sam McQuade, assistant professor of criminal justice and a former program manager for the National Institute of Justice of the U.S. Department of Justice. Addressing this need has become a matter of national policy: The 2002 Cyber Security Research and Development Act calls for the National Science Foundation to award grants to institutions of higher education for establishing or improving undergraduate and master’s degree programs in computer and network security.

McQuade, who teaches courses in computer crime, explains that information security professionals need training in criminology, sociology, management, law and ethics as well as technical skills.

“This is truly a multidisciplinary issue,” says McQuade. “No one academic area can claim ownership of all there is to know.”

Personal responsibility

Jim Moore, RIT

Keeping the university’s information systems safe and secure is a high priority at RIT. Many are involved in the ongoing effort, but Jim Moore, the information security officer, is point man. The university – like other organizations – ultimately depends on the cooperation and responsibility of individuals.

“One person or department can’t do this alone,” he says.

Kimberley Laris ’99 (MBA), director of business processes and audit at RIT, agrees. “After auditing information security management processes for many companies before coming to RIT, my greatest concern is a lack of awareness. We shouldn’t live in fear, but we need to be informed. We need to understand our own risks and protect ourselves appropriately,” she says.

“Security is about providing people with the freedom to do what they need to do safely. I believe RIT is uniquely positioned to contribute valuable understanding of information security to the world through education.”

Kathy Lindsley

Back to Top