Lynn McNulty | Information security goes pro
- By William Jackson
- May 01, 2008
During 30 years in government service and more than a decade as a consultant, Lynn McNulty has been recognized as a leader in making information security a profession rather than a job.
Most recently, the International Information Systems Security Certification Consortium, for which he is the director of government affairs, made him the third Fellow of (ISC)2. He has served as associate director of computer security at the National Institute of Standards and Technology and played a major role in formulating the Computer Security Act of 1987.GCN: You have been recognized by (ISC)2 for your professional contributions to information security. What do you feel have been your most significant achievements?
One is to be a spokesperson for information security, providing leadership and framing issues in terms that senior management could understand and act upon. I think I have helped to take something that can be complex and technical and reduce it to a managerial issue that could be understood and a course of action decided upon. I've also tried to be a representative for people who work in information security and may not have had a champion for their interests. I think, in a lot of cases, people who worked in information security in the civilian agencies had no one to go to bat for them. I've tried to be that in my career in government. And I've tried to be an advocate for professionalizing the information security workforce and having the field recognized as a separate and distinct career.GCN: Has senior management become more aware and supportive of information security?
I believe they have. They have been told to 'get it' by the Congress. The passage of the [Federal Information Security Management Act] bill and other legislation that preceded it has forced senior management to get involved and try to become part of the solution rather than being indifferent.
There are always some enlightened managers who realize that security is a fundamental component of any well-managed information system. But across government during most of my career, that has been the exception rather than the rule.GCN: What is the greatest advancement in information security you have seen?
The incorporation of the Internet into the business of the government and the private sector, with all of its attendant problems, has been one of the forces that has elevated the whole security issue. Information security also has become a separate and distinct career field.
People can come into this field and spend a satisfying 30 years working in it without having to go somewhere else to get a promotion or a pay raise.GCN: What are the most significant challenges remaining to be tackled?
The great remaining challenge is to integrate security into the business applications that many organizations are implementing. All of the issues that come with authentication, privacy, continuity of operations ' those are real challenges as we move on in the Information Age and replace paper-based business practices.GCN: In what ways has information security become more professional?MCNULTY:
We now have many universities and colleges someone can graduate from with a major in information security.
People are now earning master's degrees and Ph.D.s in information security, which you could not find 25 years ago.
When I came into government, we were placed all over the board. I was in a physical security job series, other people were [information technology] specialists, others were in general management. Now most of the people working in the field are in the IT job series. I have long been calling for security people to be broken out of that with their own job series.
There also is a growing body of recognized professional certifications which have general acceptance in the workforce. We see programs in the Defense and State departments where they are basing some of the personnel decision on certifications.
These jobs are also well-compensated, and IT security people also are increasingly holding senior management jobs. And people who don't perform, particularly at the level of chief information officer, are getting fired. There is some accountability in this field.GCN: Are schools doing a good enough job educating security professionals?
I have served on panels with the National Science Foundation for the federal Scholarship for Service program, and I think the programs are very good.
The graduates are very well motivated, and I'm impressed with what I see. An area I'd like to see development in is information security programs at the community college level. I think there is great opportunity for people getting work at the network administrator level who also need to have a security background.GCN: How well is the government recruiting and retaining security professionals?
I think they're doing a good job of recruiting. I think the government competes for these people very well. The government has challenging opportunities for them. The Scholarship for Service program has a two-year commitment to the government, and after that, it becomes a choice of whether they stay or whether they go to work for a contractor that can offer a larger salary. There is also an issue that the national security components of the government seem to be taking a disproportionate share of the people coming out of the program.
You don't find many of them going to the smaller agencies because there often are not open positions available for them to move into when they graduate.
So that's an area that needs to be looked at.GCN: What impact has the growing acceptance of professional certification had on IT security?
I think it has had a big impact. The Defense Department mandate that all of their IT security professionals must obtain professional certification within three years is having a big ripple effect across government. You're looking at 90,000 to 100,000 people in the Defense Department.
People across the entire career field realize that professional certification is a metric that employers will be looking for.GCN: Are federal IT security regulations working, or do we need to revamp the regulatory underpinnings, such as FISMA?
I think there is agreement that some changes are needed in FISMA, but on the whole, I think most everyone would agree it has had a positive impact in forcing senior management to pay attention to IT security. The problem that many people are having with the various regulatory regimes is that they are being stretched very thin, and they are having a tough time meeting all of the timelines and requirements being put on them. I think we are paying for many years of underinvestment in the IT security field.GCN: Has the government been a leader in IT security, or is it behind the private sector?
It's a mixed bag. Some components of the private sector, the financial services community is one that is always held up, have more integrated programs than the government.
But the government has also been a leader in addressing some privacy implications of IT. The government has really stepped out to address the large losses of personal information.
Some parts of the private sector may be ahead in the area of compensation for IT security people, but government is not competitive across the board in the entire IT field. But the government has challenging work which people can find a lot of satisfaction in, so there is no clear winner or loser here.