Secure Your Mobile Career

Date:   Saturday , September 30, 2006

The recent proliferation of mobile devices such as smartphones, PDAs, laptops and USB drives has thrown up enormous challenges in the security space. International Data Corporation (IDC) predicts that by 2007, 90 percent of corporate mailboxes will be accessed by mobile devices. The dependency on mobile devices has fueled a huge demand for well trained and experienced IT security professionals.

Career options like hosting Internet Service Providers (ISP) and content providers are the obvious choices in mobile security, as is the demand for application porting. Specific security requirements are also coming up in hardware in the area of embedded system. On the other hand, application testing, porting and secure content development/management are options in the software domain. Consulting opportunities are also abundant for Ethical Hackers/Pen testers, vulnerability testers as well as application security specialists.

K. K. Chaudhary, Head - Client Solutions Group at SecureSynergy feels that currently in India, mobile security, being a relatively new realm, there are very few professionals working exclusively in this domain. “But it is not difficult for a security professional to switch to the mobile domain if he has expertise in networking and systems/database administration and some coding experience in any of the major platforms,” he says. Though some development tools are similar to that of desktop security, certain skill sets are specific for mobile security professional, which he needs to fathom.

The main skills of techies in mobile security include: a good understanding of the mobile technology with domain knowledge of GSM, GPRS, 3G/WiMAX, WLL, Microwave, VSAT, WEP and encryption security technologies. Such people should also have the skills of exploiting the vulnerabilities in such systems and the ability to ‘patch’ them and master the code-writing skill.

In addition they are expected to use a few freely available tools such as NetStumbler, AirSnort, WEPCrack, AirMagnet, Wireless Security Auditor, SiVuS, RF-Dump-the-new in a simulated environment. They can also learn management products governing this space like Credant (Mobile Data Protection) and Safend (End point security).
Companies generally look out for two types of professionals in the mobile security space: process experts and technical experts. With standard certifications, technical experts are expected to have proficiency in deploying firewalls, intrusion detection and encryption systems, anti-virus suites et al. to ward off attackers, worms and viruses from a mobile device. For process experts, domain knowledge, such as conducting risk analysis and vulnerability assessments, develop policies and designing the Information Security Management System are vital.

Currently more skilled manpower is required in areas like, storage security, bandwidth
management, RFID, end-point security, encryption technology, malicious code management, phishing and data on the fly.

According to Altaf Halde, Country Manager, Pointsec Mobile Technology, “With the growth of collaboration and mobility requirements, use of hitherto unprotected channels will increase-like video-conferencing and mobile messaging for business purposes and communication with devices like security entry points or RFID tags.”
As devices participate in multiple networks, such as voice networks, WLANs, mobile data networks, corporate LANs, the Internet, and even sensor networks, techies will start to offer comprehensive content security offerings to protect corporate communications using their networks, augmenting gateway and device-level protection.
“This means that stovepipe solutions will no longer suffice. Enforcing policy separately across a plethora of channels will soon become unmanageable,” he adds.

Security experts should also have the know-how on ILP (Information Leak Protection) products and Endpoint Control Solutions, which prevent the use of both unauthorized software like P2P clients and also unauthorized peripherals like USB drives and other removable media.

At the same time, with mobile banking getting more proactive, PKI (Public Key-Infrastructure) is gaining grounds. A PKI manager is expected to combine technologies, policies and practices that help in identifying, authenticating and protecting information assets and transacting on mobile devices. To excel in this area, he should have expertise in niche components such as digital certificates, Registration Authorities (RAs), security-enabled applications, databases and Lightweight Directory Access Protocol (LDAP), points out Gokul S. Janga, General Manager of Aventail.

He feels that if one aspires to be a specialist or consultant, he needs to know the business aspects alongside technology. He should not only be well versed with the risks that threaten the security of mobile devices, but also the preventive and remedial actions for these threats. He should be equipped with adequate functional knowledge in components of the security system, since he will be pitted against highly skilled hackers.
“One should also be abreast of technological changes, since new technologies open up new avenues of threat to an IT system,” says Pradeep Aswani, Chief Executive Officer of VPN Dynamics, security training company.

To be on the toes, he recommends that techies should know the laws and the regulations that apply to information security and those pertaining to mobile security and data retention. One can go for certifications like CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), BS7799 Lead Auditor/Lead Implementer and HIPAA Certified Professionals.

But Aswani also believes that certifications and accreditations notwithstanding, work experience is the crucial element for a security professional. Continuous monitoring of vendors who provide newer versions of software and patches are key to staying ahead of the game. “In security, you are only as good as your last update,” he quips.
Attending symposiums/forums help, as one gets to know the emerging technologies, policies and competitors’ moves. SecureSynergy and RSA Security host frequent conferences on mobile security. Companies like Aventail, Fortinet and SecureSynergy have various customized courses on wireless security and ethical hackers for techies with over 3-4 years in the field.
Currently, mobile security is too nascent a field in India to comment on a standard pay package. But Payscale MIS salary survey 2006 brings to light that at the entry level, a security professional can make anything from Rs. 2.5-3 lakhs and a certified techie can reach anywhere between Rs. 4-5 lakhs with three years of experience. With over
5-7 years of experience, his annual compensation can reach as high as Rs. 7-10 lakhs or even higher, depending on industry verticals. For example,
the pay package is higher for security managers in the BFSI as compared to supply chain and manufacturing.

With companies increasingly looking for qualified mobile security professionals who can provide them a degree of confidence and assurance, techies can look forward to a secured mobile career in the days to come.