ADVERTISEMENT

ABOUT US

Launched in 2007, WhiteHatWorld.com is the online resource for key decision makers working in the security industry.

WhiteHatWorld.com looks at all aspects of the security industry, with in-depth analysis, webcasts, whitepapers and targeted regional training opportunities.

Think of WhiteHatWorld.com as your security information gateway!

LATEST NEWS

(ISC)2 members can receive CPE Credits for all WhiteHatWorld webcasts.

 

Please Check our Website Next Week for a Complete List of All 2010 WhiteHatWorld.com Events!

Upcoming Events Date Event/Topic February 17, 2010 2:00PM EST THOUGHT LEADERSHIP ROUNDTABLE The Continuing Evolution of SIEM Moderator: Mark Bouchard February 24, 2010 2:00PM EST   Late Breaking Computer Attack Vectors Webcast Moderator: Paul Asadoorian Sponsor: WebSense, Patriot technologies February 25, 2010 2:00PM EST RSA Custom webcast Building a Business Case for Two Factor Authentication February 25, 2010 2:00PM EST RSA Custom webcast Fraud

Click Here to register for any upcoming WhiteHatWorld.com webcast.

Security: Smartest Bet for 2010 and Beyond

How a perfect storm of business and technology drivers makes security the best place to be, particularly for those who work in consulting.

By David Foote

Every once in a while a unique combination of factors comes together to create seemingly unstoppable momentum, bringing with it sensational new job, skill, and career opportunities for a few lucky segments of IT professionals. It happened with the introduction of the personal computer into the business environment in 1981, and also when the Internet gained widespread acceptance as a business platform around 1995.

This time, IT security is the beneficiary of a ‘perfect storm' of momentum drivers, including constant fears of increasing data threats, more regulation, accelerating customer expectations and demand for security solutions across new platforms.

The boom in virtualization, mobile computing, cloud computing, and many other emerging technologies are driving demand for deep technical infrastructure and applications security skills for these emerging platforms.

Another driver, long a conversation but now a reality, is the splitting of business/strategic risk and operational security roles in business line units. New and emerging corporate and business line security jobs are screaming for security pros with a range of specialized skills in business, industry and functional domains. These pros are needed to assist in a variety of long overdue risk management, governance, process, and integration activitie across new and existing platforms.

So, unlike most other IT job segments, there will be plenty of action for IT security professionals this year and beyond, but with a twist.

Constrained by hiring restrictions and finite resources while pressured to deliver quicker results, employers will be focusing less on filling jobs and more on acquiring critical skills, primarily through outside contractors and consultants. In this environment, predictable, high-impact execution will be key to job security for infosec managers and professionals.

Managed services will also spawn a lot of security jobs. Compound annual growth rate projections through 2014 are as high as 27 percent for some segments of managed security services, which is expected to exceed $6 billion in revenues by 2011. (For specific skills and certifications in demand, see our Ranked Hot List at the end of this column.)

What should unemployed or underemployed security pros be doing right now to capitalize on this bounty? One answer is social media. According to recruitment solutions provider Jobvite, 80 percent of employers are using or plan to use social media to fill vacancies in 2010, while 59 percent of recruiters are using Facebook and 42 percent are using Twitter.

2010 will be all about connecting a plentiful supply of security-skilled talent with narrowly focused demand. Employers are looking for you, so make sure you can be found. Think outside the box and apply your skills to emerging new technologies and supporting business-line requirements in an agile IT economy.

David Foote is chief executive and chief research officer of Foote Partners. Security Skills HOT LIST

Foote Partners' ranked hot list of the 24 most in-demand, market competitive IT certifications for the first half of the new year includes these 12 security certifications:

• GIAC Certified Incident Handler (#3 rank)
  • Systems Security Certified Practitioner (#4 rank)
• Check Point Certified Security Administrator (#8 rank)
  • Certified Information Systems Auditor (#11 rank)
  • Check Point Certified Security Expert (#14 rank)
• GIAC Certified Forensics Analyst (#15 rank)
• GIAC Certified Intrusion Analyst (#16 rank)
  • EC-Council/Certified Hacking Forensics Investigator (#19 rank)
  • GIAC Security Audit Essentials (#20 rank)
• GIAC Certified Incident Manager (#22 rank)
• Check Point Certified Master Architect (#23 rank)
• GIAC Secure Software Programmer (#24 rank)

Security Competencies

Areas of specializations of most interest to employers in 2010 (according to our survey research involving 2,000 employers) include:

• Application Security
• Biometrics
• Data Leak Prevention
• Disk and File Level Encryption Solutions
• Ethical Hacking
• Forensic Analysis
• Governance, Compliance & Audit
• Identity & Access Management
• Incident Handling & Analysis
• Intrusion Detection and Prevention
• Litigation Support (e-discovery)
• Network Security
• Penetration Testing
• Regulatory Compliance & Audit
• Secure code development
• Security Architecture
• Smart Cards, Disposable Passwords, Tokens
• Threat/ Vulnerability Assessment Management
• VOIP Security
• Web Content Filters

Personal Health Records Online – Promise or Problem?

Once personal health data is out there, it's likely to remain forever.

By Barbara Filkins

Individuals are increasingly requesting to be an active partner in their own health care. At the heart of this trend is the personal health record or PHR, which is a health record initiated and maintained by an individual.

Online PHRs are provided by health care providers (hospitals, clinicians) and payors (insurers), employers, and commercial vendors that market directly to the consumer (Google Health, Microsoft Health Vault, and other lesser known services). They collect data from many sources and make this information accessible online to anyone who has the necessary electronic credentials to view the information.

Compiling your medical data in one place offers many benefits: It lets you be the custodian of your health information; makes comprehensive medical information available to emergency workers; prevents unnecessary, excessive or duplicate testing and treatment; and assists audit claims for accuracy—so long as records are accurate.

However, as with any Internet-facing system, online PHRs are vulnerable to unauthorized access, compromise of personal identifiable information (either at rest or in transit), and lack of availability due to physical loss or damage at the backend data center.

Legally, a PHR is not the same as an electronic health record (EHR), which is legally mandated information related to the medical care provided by clinicians to patients.

PHRs provided by healthcare entities (providers and payors) may be covered under the HIPAA regulations. However these regulations do not apply to commercial PHR vendors. Google, Microsoft, and others may structure their policies to be stronger than legislated mandates, or they may not.

Then there are the partner connections to consider. Just like any cloud service provider, PHRs link to multiple sources—the consumer's EHR, lab provider, primary physician, specialists, pharmacists, etc. The link may be secure, but the data shared between them may not be accurate, as Dave deBronkart, a kidney cancer survivor, found when he transferred his medical records to Google Health.

Because Google's codes lacked detail of a complete medical record, deBronkart was wrongly informed by his Google application that his cancer had spread to either his brain or spine—a frightening and untrue diagnosis he had never gotten from his doctors.

Consider, also, the sale of personal health information, which current regulations prohibit. However, policy makers, payors, hospitals, and pharmaceutical companies use de-identified clinical data to analyze clinical practices and glean information about health trends. This data represents about five percent of total annual sales for the $8-$10 billion U.S. clinical information market, according to estimates by George Hill, an analyst at Leerink Swann, a health care investment bank.

Controls governing the release of de-identified health information can't protect consumers from the digital trail that they themselves have left on the Web. In 2006, computer scientists at the University of Texas at Austin re-identified anonymous Netflix customers by correlating film preferences with personal profiles on imdb.com, the Internet movie database.

Today's online technology is evolving, and current privacy and security methods may not yet have caught up with potential threats that exist for PHR medical data ‘in the cloud.' An online PHR service needs to convey the limitations and implications of its privacy and security policies to its consumers.

Continuing research and intelligent regulation must focus on the content—medical data—and the privacy and security of that data as it passes through different providers. Online PHR providers should be responsible to accurately represent data gathered from other sources. They should also educate consumers on content accuracy and safety of their PHR data.

Barbara Filkins, involved in healthcare since 1996, is an expert on HIPAA-related legislation and how it applies to the implementation of electronic health information and the privacy and security of on-line data. She is currently involved in the procurement and/or implementation of several electronic health record systems and is a SANS Analyst author and webcast speaker.