Information Sharing for IT Security Professionals

© 2008 Rodney J. Petersen. The text of this article is licensed under the Creative Commons Attribution-NonCommercial-No Derivative Works 3.0 license (http://creativecommons.org/licenses/by-nc-nd/3.0/).
EDUCAUSE Quarterly, vol. 31, no. 3 (July–September 2008)
Professional Development
Developing a network of professional contacts creates an effective support system for information sharing

The information technology security field puts a lot of emphasis on a layered approach to protecting data networks. Given the growth these past few years in the number of IT security professionals hired by colleges and universities, we need to come up with a similar strategy to promote and protect the human network—a support system of information sharing among individuals and groups with a common interest in security issues.

The EDUCAUSE/Internet2 Computer and Network Security Task Force (http://www.educause.edu/security) focuses on organizing the higher education community to develop effective information-sharing mechanisms. At a recent EDUCAUSE/Internet2 Security Professionals Conference, EDUCAUSE staff conducted interviews with several attendees to learn how they became acclimated to the profession and to ask what advice they would give new security professionals. Not surprisingly, they overwhelmingly observed that the key to success is to establish a network of like-minded individuals or groups to whom you can turn for advice and support. Education and prior experience might help you obtain a position as a new security professional, but the most critical investment you can make once on the job is to establish and sustain a human network of resources that will serve you throughout your career.

Information sharing is not limited to identifying technical vulnerabilities or reporting security incidents, although information sharing at the response stage is critically important. Sharing throughout the information security lifecycle (the stages of detect, mitigate, prepare for, prevent, and respond to) is also extremely useful, especially for someone who is new to the profession or to their institutional role. Security professionals can benefit from leveraging the successes of others and take comfort in learning from other people's mistakes.

Establishing Connections

As the number of IT security professionals has grown within higher education and across other sectors, so have the opportunities to quickly establish a professional network of peers. Although any security professional starting a new position should be careful not to become a victim of information overload, several proven resources frequently mentioned by people interviewed at the security conference can benefit you early in your career.

Subscribe to Online Discussion Groups and Mailing Lists

Some of the key resources identified include:

  • EDUCAUSE Security Discussion Group (http://www.educause.edu/groups/security): Provides a forum to identify problems and share strategies or solutions to improve the security of college and university computers and networks.
  • Research and Education Networking Information Sharing and Analysis Center, or REN-ISAC (http://www.ren-isac.net): Provides early warning about imminent threats, along with applicable response or self-defense advice, to the higher education and research networking community.
  • SANS Internet Storm Center (http://isc.sans.org/): Provides an analysis and warning service to Internet users and organizations and actively works with Internet service providers to fight back against the most malicious attackers.

A number of other mailing lists, newsgroups, and community resources are identified under the "Discussion Groups" tab at https://library.educause.edu/topics/cybersecurity.

Explore Directories and Social Networks

An excellent resource for identifying colleagues is the recently updated EDUCAUSE Peer Directory (http://www.educause.edu/p2p; see the sidebar). If you are new to your organization or to higher education, you might want to create a profile. This allows you to find other people interested in subject areas such as "security," "privacy," or "policy." You can further refine your search by adding additional subject areas or selecting geographic locations to find people located near your institution. Other social networks can provide similar functionality across sectors.

EDUCAUSE Peer Directory Updates

Profile Management System

Log in and edit your profile to take advantage of the new features: (1) add interests, which are viewable and filterable in the peer directory; (2) exercise more control over how your personal information is displayed; (3) see changes to your title, address, phone, and e-mail address immediately in your profile.

Affinity Finder/Peer Directory

Search filters help you identify the people who fit your key requirements. Find people by browsing a tag cloud of interests, for example, or by geographic location. Add more interest or location tags to your search to refine the results.

Another approach is to identify area colleges and universities and seek to locate peers through use of their online institutional directories. Many state university systems or flagship universities are good points of contact because they tend to take the lead in coordinating periodic meetings of the IT security professionals in the area and sometimes host statewide conferences.

Attend Conferences and Training Sessions

Conferences, seminars, and training programs are designed to promote professional development. They also provide unique forums for getting to know people in the field. The breaks, lunches, receptions, and other social aspects of conferences and meetings provide ideal opportunities for meeting new colleagues and identifying potential resources. Attendee registration lists can be an important resource, especially if they are available in advance, as is usually the case for EDUCAUSE events.

The EDUCAUSE & Internet2 Security Professionals Conference (http://www.educause.edu/securityconference) has become the leading higher education event on information security. Preconference seminars, keynote speakers, concurrent sessions, and corporate displays provide a wealth of information and resources. More importantly, the conference is an opportunity to meet annually with peers to exchange ideas and establish connections that you can add to your human network.

Similarly, the SANS-EDU Partnership Series (http://www.sans.org/partnership/) provides high-quality training that is affordable and accessible to institutions of higher education. Many states also hold annual IT security conferences for higher education that are extremely affordable and convenient. Participation in events, especially at local venues, can be invaluable in helping you make connections with your peers.

Forging Relationships and Building Trust

You do not have to be the Lone Ranger when it comes to tackling the job of an IT security professional. If you are fortunate, you will become part of a team or have other resources close at hand. More likely than not, though, you will enter the job feeling isolated and uncertain of where to begin. You certainly won't want to go through difficult situations alone, so you should reach out for help. By doing so, you can also demonstrate your interest in learning and succeeding in your role.

Participate Actively in the Community

The best way to become recognized, respected, and trusted within the community is to actively participate in the well-known information-sharing forums already mentioned. You don't have to be an expert to gain recognition. Asking intelligent, thoughtful, and honest questions on a mailing list is an excellent way to both obtain advice and gain respect from the community. Most conferences provide birds-of-a-feather sessions, discussion sessions, and other informal opportunities to learn and to meet your peers.

Building trust is also important before you can participate in vetted communities such as REN-ISAC that depend on their members to treat sensitive information in a confidential manner. Building trust requires more than mere recognition by others that you exist. Working collaboratively on projects or putting yourself into situations where you can demonstrate your reliability to your peers will put you on the path to becoming a trustworthy member of the community.

Seek a Mentor and Support Group

Many of us look to our supervisors for advice and counsel. In some cases, this person might have performed your job previously and can help you learn the ropes. This rarely happens in IT security because the field is so new—many IT security professionals are the first to hold their jobs at the institution. Therefore, a new IT security professional might need to consult a peer (for example, an IT security professional at another institution) or even an IT security professional from government or industry to perform the role of mentor or guide.

IT security is a challenging field in colleges and universities, and you should not underestimate the value of a coach, cheerleader, advocate, or supporter. A mentor could be someone who helps you understand the duties and roles of your position. Or, a mentor could be someone who is more generally familiar with the institution, including the institutional culture and internal politics, and can guide you past potential pitfalls. A mentor is simply someone who can serve as a sounding board, both to help you realize your potential and to help you respond to difficult situations. You might consult more than one mentor, taking advantage of each person's specific expertise.

As the old adage goes, there is safety in numbers. You might find it useful to locate a small group of colleagues to join for information sharing. Many existing affinity groups are based on institutional type, size, or location. The annual EDUCAUSE & Internet2 security conference features a birds-of-a-feather evening session, for example, based on existing groups (Ivy-Plus, CIC, VA SCAN, and so forth) and other possible groupings (small colleges, commuter and two-year colleges, research universities, and so on). Groups organized according to state or region are particularly effective because they permit periodic face-to-face meetings.

Leverage Government and Industry Partners

Higher education security professionals tend to think that the information security challenges they encounter are unique to higher education because of its special qualities. True, the culture of openness at educational institutions and the decentralized nature of larger institutions add complexity to our situation. But there are information security professionals working for state and federal government agencies and in the private sector from whom we have much to learn. Organizations like InfraGard (http://www.infragard.net), the Electronic Crimes Task Force (http://www.ectaskforce.org/), local ISACA chapters (http://www.isaca.org), and others provide excellent forums through which to meet local leaders. They also offer opportunities to expand your professional network.

Contributing and Giving Back to the Community

Many different options permit you to contribute to the IT security community. Giving back to the community builds your professional reputation and increases your opportunities to collaborate with your peers.

Share Effective Practices and Solutions

The mission of the EDUCAUSE/Internet2 Security Task Force is to improve information security and privacy across the higher education sector by actively developing and promoting effective practices and solutions for the protection of critical IT assets and infrastructures. The task force uses the Effective IT Security Practices Guide (http://www.educause.edu/security/guide) as a wiki environment for capturing effective practices and solutions. The guide provides an online forum for highlighting institutional approaches, challenges, and successes to solving everyday IT security problems. Everyone in the higher education IT security community is invited to contribute.

Individuals can also share ideas by responding to queries on discussion groups. Responding to the annual security conference call for proposals is another way to contribute your ideas; if your proposal is selected, you can share your ideas through a conference presentation or panel discussion.

Join a Committee or Working Group

The Security Task Force, REN-ISAC, SANS-EDU Advisory Group, and other organizations largely accomplish their work through volunteer efforts. While each organization provides professional and support staff, their goals simply could not be accomplished without active involvement from the community. Therefore, we urge IT security professionals to consider how to participate in the many opportunities available throughout the year.

By participating in community-driven organizations designed to address member needs, you can also influence the strategy and future directions of these groups. Moreover, the community is always looking for individuals who can step into leadership roles. Individuals should take the initiative in suggesting activities to pursue and in leading project teams.

Serve as a Mentor

The importance of having someone to serve as a coach, guide, or mentor was emphasized earlier. Regardless of your years of experience, you have the capacity to serve as a mentor to others, especially those who are new to the profession. Make yourself available. Respond to inquiries on discussion lists. Call someone on the phone and offer to get together for lunch. Or, periodically touch base by phone. Establish a small group where each of you can help the others perform your jobs better.

Mentoring seems like a daunting responsibility, but it can be as simple as making yourself available to help others along their path.

Conclusion

Information sharing is a core value for IT security professionals. It is also a familiar concept for those who work at institutions of higher education because of our long history of collaboration and openness. Information sharing has become part of the national fabric as we attempt to secure cyber assets and protect the homeland. The establishment of effective information sharing mechanisms within higher education is especially important for IT security professionals as we forge a new profession and build a future that supports scholarship and innovation.

Rodney Petersen is Government Relations Officer and Security Task Force Coordinator for EDUCAUSE.