Corporations must elevate IT experts, U speaker says

A "cultural change" is needed in U.S. corporations to combat increasing computer security threats, a federal official said Tuesday at the University of Minnesota.

"The sophistication of cyber­attacks has increased tremendously," said Ron Ross, a security expert from the National Institute of Standards and Technology (NIST) in Maryland. "And what we see more and more is that corporate people don't know they've got a problem until a breach happens."

That can't go on, Ross told the audience at the U's Technological Leadership Institute, where he unveiled new computer security guidelines. Private companies and government agencies need to create the job of high-level special security expert, he said, a person with the authority to make sure that enterprisewide computer systems are as secure as possible from the day they are built.

That position, officially called "systems security engineer," isn't a new job category, Ross said. But a person in that job today lacks the authority to make computer security a top priority.

"We need to raise their stature" so that they can be heard by IT decisionmakers and top management, he said.

Ross' U hosts agreed.

"Where these jobs exist in Minnesota corporations today, they are mostly at the bottom of the pyramid, and are seen as just techies," said Gopal Khanna, a senior fellow at the Technological Leadership Institute.

Ross was in Minnesota to announce that NIST is helping define the job of computer security expert using accepted standards. While government agencies will be required to hire an expert with the NIST-mandated skills, it will be strictly voluntary for private companies.

Ross said the new guidelines have been in the works for more than two years, and thus aren't a response to any recent security breaches, such as the one at Minneapolis-based Target Corp., where hackers took 40 million debit and credit card numbers, along with the personal information of as many as 70 million people.

Like the security breaches themselves, the new preventive security measures may be expensive for corporations.

"It may be that you can't afford to do maximum security everywhere, that you only do it for the computer systems that are the most critical," Ross said. "But this is risk management, and it's not about perfection. It's about reducing the number of breaches, not eliminating them."