SINGAPORE NETWORK COMPUTING MAGAZINE ARTICLE ON COMPUTER SECURITY ISSUES Network Computing
Educating an Endangered World
Jeffrey Lim, 2-Jun-2004
Mention “CSI”, and most people immediately think of the hit TV crime series, Crime Scene Investigation. But long before TV’s CSI came along, there was another CSI that also dealt with crime—the prevention of cyber crime through the safeguarding of computer systems. This CSI, the Computer Security Institute, was formed in 1974 to advocate the critical importance of protecting information assets and providing education in this area.
Today, with about 4000 members, one quarter of whom reside outside the US, it is the world’s leading membership organisation specifically dedicated to serving and training the information, computer and network security professional. It does this through its newsletters and quarterly journals, two annual conferences, about 50 public classes of education a year and a significant amount of private training for corporations.
Network Computing Asia met with Robert Richardson, Editorial Director of CSI, to find out more about the work of CSI in the changing landscape of information security.
NCA: How have security concerns changed over the years?
Robert Richardson: Thirty years ago we had mainframes and the main concern was with physical security of the “glass house”. Those hired to handle security were mainly ex-cops, who worried about data theft by the removal of tapes or disk platters, and sometimes about fraud, especially for those in the financial sector. They did not worry about people accessing the computer because they controlled physical access, and terminals then did not have disk drives so it was not easy for anyone to steal the database.
One of the earlier changes occurred when more people started using databases and applications, leading to a concern about access, and hence identification issues with IDs and password management. CSI gained early expertise in these areas, and also in risk and vulnerability assessment, though the vulnerabilities were quite different then.
When LAN gained traction, things became more complex, and at that point the professionals in security started to become more technical. They now had two things to worry about—management policy issues, and network configuration issues. For example, they had to know how to segregate segments to prevent one department from seeing the data of another.
Networking became more complex, and we began to see certifications like “Certified Novell Engineer” appear. Then when people started hooking up to the ARPANET, the early Internet, all hell broke loose and the security industry grew very rapidly.
But a lot of things that made sense 20 years ago about management and identifying risk and coming up with policies to deal with them still apply. You see surveys that regularly tell you that the problem is with people, and that is not news. People are managed through management and policies, so we conduct training around these issues.
NCA: Could you tell us more about your training courses?
We have a faculty who are all practitioners in their own right, except for the Director of Education who works for CSI but was a practitioner for a long time. They conduct courses in their own specialty areas for CSI, and they develop their own materials. So when CSI offers a course, it will either have someone, or find someone, who has that expertise and work with him or her to develop the course material. Our focus is finding people who may not necessarily have training experience but have the necessary credentials to stand in front of trainees. For example, someone who has helped to design the specifications for the wireless spectrum. Over time, these people will also become excellent trainers.
While we conduct courses that prepare people for certification, CSI itself does not issue any certification. We do not want to be in a position of conducting certification and selling the courses for the certification.
Our courses include CISSP boot camp and training for Cisco certification, and we also have freestanding courses that members have indicated an interest in. An example of this is a two-day workshop on preliminary risk assessment, which is a moderated and guided walk-through of different topic areas. Here you not only learn about the topic areas but also do it, so by the end of the workshop you actually have the completed risk assessment
CONTINUED at weblink..........
Thursday, June 03, 2004