Monday, June 20, 2005

Sarbanes-Oxley for India. NOW !!

Security theft opens market for IT workers
By Charlie Anderson
The Business Journal of Kansas City
Updated: 8:00 p.m. ET June 12, 2005

Kris Drent leaps out of his seat and throws his body against a conference room door like a power forward boxing out an opponent for a rebound.

Drent, co-founder of Security PS Inc., actually is impersonating a CFO from a previous engagement. It was that finance chief's way of saying: "Nothing leaves this room."

Thus is the life of an information security professional, a cadre whose profile rises with each new revelation of data theft or loss, such as those reported by ChoicePoint Inc., Bank of America and CitiFinancial Inc. Fear of a breach in data security drives companies to pay people like Drent as much as $225 an hour to hack their corporate networks and expose holes that need plugging.

"As you can tell," Drent said, "we obviously love what we do."

There's demand for more like him. The number of information security techs is expected to double worldwide, from 1.1 million in 2003 to 2.2 million in 2008, according to a study commissioned by the International Information Systems Security Certification Consortium, which certifies security professionals.

It's unclear how many security techs work locally, but evidence suggests that the number is increasing.

That's good news for a tech work force that has been downsized, outsourced and dot-bombed in the past few years. It also provides a sexier career track for IT professionals who have grown weary of installing software for a living.

"It's intriguing," said Jody Brazil, vice president of FishNet Security Inc. "There's that James Bond appeal."

FishNet may be the best local example of the boom. The nine-year-old firm consults with corporate and government clients on IT security plans and then sells hardware and software to protect networks from attacks.

The company has grown to 110 employees nationwide -- 60 in Kansas City -- and reported revenue of $44.5 million in 2004. FishNet raised $12 million in equity investment earlier this year, and founder Gary Fish has said that he hopes to take the closely held firm public within three years.

Smaller companies, such as Security PS and Archer Technologies LLC, both of Overland Park, have sprouted up since 2000 with a singular focus on IT security.

Then there are the big accounting and consulting firms, such as Ernst & Young LLP, that are rapidly hiring security professionals to beef up their Sarbanes-Oxley Act compliance teams.

Archer Technologies CEO Jon Darbyshire ran Ernst & Young's national security practice from Kansas City before starting his software company. He said that in four years, Ernst & Young's security practice grew from zero to 1,500 people nationwide.

"We were bringing in 300, 400 people a year," Darbyshire said.

And that was before Sarbanes-Oxley, which requires CEOs and CFOs of public companies to sign off on the integrity of their companies' financial reporting systems. Most interpret this as including the security, as well as the accuracy, of financial data.

Companies don't want to be the next one in the string of headlines about data breaches, said Stephen Gillilan, an adjunct professor at the Keller Graduate School of Management at DeVry University. A California law requires notification after a breach; a national disclosure law is being discussed in Washington.

"Security is getting baked into everything now," Gillilan said.

The primary reason for heightened security awareness is the increased risk for companies doing business on the Internet.

Banks offer online bank statements, hospitals offer online billing, and retailers take credit cards on the Web. A decade ago, this data wasn't floating around cyberspace, where skilled criminals could pick it off.

At a local bank that he won't name, Drent said he was able to pull off something called "session-thefting," in which he jumped into someone else's online access to an internal system.

"I did a few things and became CFO of the company," he said.

That's chilling news for the software development community, which has seen its reputation sullied by such easy hacking of programs.

"I think we are doing a disservice if we don't teach security," said Deep Medhi, a University of Missouri-Kansas City professor of computer science from India.

Based on the job prospects for the sector, students may demand classes in security.
© 2005 The Business Journal of Kansas City.
