THE BRILLIANT AND NASTY ROGUE

At a table equipped with two computers, Mark Coletta (not his real name, to protect his privacy) plies his trade. The intense, lanky 24-year-old is hunting for holes in a corporate network.

Mark seeks clues that will reveal operating systems, firewalls, or user names. Any one of these could become a key for breaking into the system. He thinks purely as a brilliant but nasty rogue hacker.

But Mark is no malicious rogue hacker. He’s a security engineer at an information security company where he’s paid to tinker with clients’ networks and uncover their vulnerabilities.

With cybercrime increasingly making news headlines, services such as vulnerability assessments, integration of firewalls and other security components, and subscription-based managed security are in high demand. That demand is spawning a lucrative market. Research firm GartnerGroup predicts that IT security services will generate up to $8.6 billion worldwide in 2001 and are growing at a compound annual rate of 50%.

IT security services are definitely growing, both in demand and in supply. There’s a lot of user demand and an enormous number of companies starting in this space.

Most other security people are vulnerability experts who have switched their black hats for white hats. Many ex-hackers have become security consultants. Their vision now is to simplify the security process using the Internet: documenting best security practices and then delivering them to clients over the Web. Tying security into a company's e-commerce[ii] strategy is also key. Most people in this business are just out of school.

Meetings with prospective clients begin with a knowledge test of what and whom you know. Once some sort of connection is established, the client will pose technical questions about any number of areas, such as databases, Unix, or the Novell platform.

The thing that makes the security professional different from other IT professionals is that you have to know something about everything. Some clients, influenced by media reports of computer crimes or by upper management pushing a security plan, are ready to “pull the trigger” immediately. Others, though, are hit with sticker shock.

They don't understand how much security costs, so Mark has to provide a clear return-on-investment statement. It's the same problem an insurance agent has: Mark has to identify the probability that something will happen and what its downstream effect would be.

To devise a security plan for a client, Mark makes a technical assessment of a network and combines it with his own interviews and observations. He assesses a company’s “pain threshold,” or how much security risk it can endure before the business would shut down. Once completed, a security plan can be 600 pages long. Mark then either implements the plan or recommends how the client can enact it.

[ii] John R. Vacca, Electronic Commerce, Third Edition, Charles River Media, 1999.

Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca
