Wednesday 13 June 2007

Who's the IT Security Expert?

So I'm the author of the ITSecurityExpert blog, but what's my background?

Well I'm based in the UK, so although I sing from the same hymn sheet as my US counterparts security wise, there are sometimes little twists with my view points. For instance in the UK we are governed by the Data Protection Act law, and there’s those pesky European laws to consider. Although I must stress I’m a Security Professional from a “techie” background rather than a background of “Law” or there I say it, “Quality”.

I've been in IT Security for over 15 years, to be honest at first I didn't realise I was doing IT Security, but looking back I certainly was. In the nineties I spent several years designing, building and implementing locked down (secured) Servers, Workstations and networks, which I installed onto Royal Navy battleships and submarines for a third party company. These IT systems didn't house anything exciting like weapon systems, just a boring engineering maintenance application. Still it was good fun going on board all those ships, as well as the social beer drinking side of things.

I have spent two years at a top UK Grammar (very posh) School, building a new secure Server room, physically separating the staff and pupil networks, and tracking down some quite clever pupil hackers etc. I have spent a few years running a European WAN for an American company, which kick started my Cisco side of my career, as I redesigned a secure WAN using Cisco Routers and Firewalls, by the way I’m a Cisco command line sort of guy rather than a web interface user. I recently spent 5 years at a blue chip document management company, which provided outsourced document management solutions, mainly to the financial sectors (i.e. household name banks). I started out designing, implementing secure solutions, but I soon ended up responsible for IT Security Management. Typical solutions were bank statement printing and credit card application document scanning. In fact it’s fair to say I learnt most of my security “know-how” by working with and having my sites and solutions security audited by a particular banking client, who consider themselves one of the world’s biggest banks with the best security (well they would say that).

Career highlights so far, well I once hit the European IT press for creating Europe’s first Satellite VPN in 2003.

I've had involvement in a real life major disaster recovery event, when in December 2005 the Buncefield Oil Depot in the UK exploded! It badly damaged my then employer’s primary solution site. The explosion was the largest explosion in peacetime Europe and it finished several businesses, however thanks partly to my IT system design, and my input within prior COB testing, the business was able to carry on providing solutions to it's clients (and their customers) unaffected, operating from a DR site.

Buncefield Explosion

At the moment I am employed by a large UK outsourcing company, I am responsible for securing several sites throughout the UK, including a hosted solution site which takes “a great deal” of online payments. So as well as the usual office level security, I’m dealing with PCI compliance, application development security and web application (web 2.0) security.

To go with my career security experience, I hold one or two certifications; to be honest I can be a bit of a cert junkie. I am a CISSP and I'm one exam short of my Cisco CSSP, which I plan to complete in the next couple of months. Cisco wise I hold Cisco Firewall Specialist, Cisco Information Security Specialists and the old CCNA, so I consider myself well versed with network level security. On the IT side I’m a Master CNE, and an MCP - I took the MCP exam as a bet, which I won.

As well as the technical side of Information Security, I tend to focus on educating the users, as I see them as the greatest security weakness of all. I have just started to produce a Podcast for home users to help them understand the basic security issues, so they can protect themselves at home. My podcasts aren’t meant for my fellow Security professionals, they cover stuff they should already know! Actually this is a good juncture to clear up the name, I regard myself as an IT Security Expert to the average Joe, I am certainly not pushing a status of "IT Security Expert – I know all!” to my fellow security bloggers, who in most cases are much further up the security tree than I, especially within those specialist security areas. Information Security covers a huge array of topics, I don’t think anyone can claim to be an “expert” across the board, and I certainly don’t.

Why blog? As I said in a previous blog, being in the Security business can be a lonely profession, especially if you work on your own, which I do most of the time. The Security Blogospheres to which I’m now a part makes an excellent forum for me to bounce my views and ideas with cutting edge security professionals, while providing an excellent place for me to develop and evolve my own security knowledge further. I also like to think I can contribute something back to the community. I believe in keeping an open mind, sharing ideas, respecting view points, not flaming and above all staying secure.

Finally I just like to thank Martin McKeay (Cobia) and at Alan Shimel (Still Secure) for allowing me to be a part of the Security Blogospheres, respectively the “Security Roundtable” and “Security Blogger’s Network”.

No comments: