It's a dreary day in Georgetown, with rain lashing at the windows of the Marriott Conference Center. Inside Salon H, a group of government employees is paying rapt attention as Sondra Schneider, a small woman with an arsenal of electronic gadgetry, charges through a presentation on the technologies that will soon make computer passwords obsolete.
The air is dense with geekspeak spiced with a dash of federalese. There's talk about encryption and nonrepudiation, digital signatures and biometrics, and more acronyms than you'll find in a bowl of alphabet soup: PKI, VPN, CHAP, TACACS. All this for the DOD and the DOJ, the FAA and the OMB!
During the break, I do what you're supposed to do at conferences: I mingle. Seeing me approach, Philip, a curly-haired guy in the back row, looks anxious. I ask him where he works. He looks at my notepad and considers bolting for the door. "I, uh, am a contractor for the INS," he says reluctantly. "Cool!" I say. "What do you do?" Panic creeps into his voice, as if an image of his credentials being shredded flashes before his eyes. "Uh, I work with biometric [censored], encrypting [censored] for [censored]," he replies. "But you can't use that."
There's a guy in a striped sweater and glasses in the front row who looks brave. I lean over. "Hi!" I say, trying not to sound like I'm grilling an Al Qaeda operative. "What are you working on?" He looks at me as if I've just asked for the PIN to his Cayman Islands bank account. "Army. Comanche helicopters. It's classified."
Welcome to the brave new world of high-tech security, where the unintelligible language of 21st-century computing fuses with the once-unimaginable threats that the country faces. Before September 11, corporate and government security experts worried primarily about online identity theft, credit-card fraud, and rogue hackers. Now they've put cyberterrorism at the top of the list of threats that keep them up at night.
That's bad news for companies, but it's a business opportunity for organizations that are looking to train security professionals to defend their systems. One of the newest and savviest organizations to stake a claim in this space is Security University, an outfit that offers advanced information-security training for executives, network professionals, and systems administrators.
The so-called dean of the university is Schneider, a diminutive cybercommando whose mission is to train an elite corps of security specialists — much as the Army trains the Green Berets. "I didn't go to war. I didn't fight for my country. But I can make a big difference when it comes to training those people and giving them the tools they need," says Schneider, who is Security University's founder and CEO.
A fledgling operation based in Stamford, Connecticut, Security University is nearly as virtual as a digital signature: There is no campus, no classrooms, and no war room. Schneider and her team of 18 instructors travel the world, holding classes on such topics as intrusion detection, advanced firewalls, PKI (public-key infrastructure, a framework for the secure exchange of digital information), and forensics. Take eight classes and a tough test, and you could earn AIS (Advanced Information Security) Certification, a proprietary credential that the school plans to begin offering next year.
Other organizations provide similar credentials in this field, among them recognition as a Certified Information Systems Security Professional (CISSP) from (ISC)2 and a Global Information Assurance Certification (GIAC) from the SANS Institute. But Schneider maintains that the training at Security University offers more hands-on experience than the others — a process, she says, that helps students understand how to protect the path to a network's critical assets more effectively and to evaluate new software and security devices before committing company resources to their purchase.
"Lectures are valuable for managers, but they aren't as good for practitioners," Schneider says. "We take our students through the full life cycle of a security technology and its application, including multiple corporate or government scenarios. We encourage people to play with the latest toys that we get from vendors. Most people would never have a chance to do this at work. But if they don't try them, how can they go to management and recommend buying them?"
While Security University's courses may seem esoteric to a nonprofessional, Schneider's tales of information-security lapses can curl the hair of even the most naive generalist. During one security assessment, she says, it took a team of experts just three and a half minutes to access a nuclear power plant electronically. Even a semiskilled hacker can change an IP address in under three seconds. Schneider also warns that something as simple as leaving an "out of office" message on your computer can leave you open to cybermischief.
Frank Groneman, a network-security engineer at Gtech Corp., a Rhode Island firm that provides high-tech services for approximately 70% of the world's lotteries, says that Security University courses gave him the hands-on experience that he was looking for. "I learn by doing," he says. "I can watch people put up slides all day, but it doesn't really sink in." Like many other firms with high-level security needs, Gtech encourages staffers to keep up to speed on the latest advancements — or risks — in the field. "We need to have absolute security," Groneman says. "One transaction could be worth $200 million to $300 million."
One year after launching the university, Schneider tried to sell it to a New York firm (she won't reveal the name). When that deal didn't work out, she took back ownership and relaunched this past March. Now, she says, her goals are to expand her course offerings, recruit more instructors, and roll out the first AIS Certification test by mid-2003. But her one driving concern, she says, is to spread the word about the urgent need for enhanced information security. "If somebody said, 'Here's $100 million, what do you want to do with it?' I would offer 10 times more programs, decrease the cost of classes, and make sure that millions of people get trained."
Tell that to Congress, says Philip, our secretive friend from the INS, whose agency has come under attack for its failures before and after September 11. "Until recently, we've had antiquated network procedures because improvements didn't get funded," he says. "Faulting folks at the INS or the Border Patrol for security lapses is totally misplaced."
Contact Sondra Schneider by email (firstname.lastname@example.org).
Sidebar: The Case of the Phony Fingerprint
As the furor over missed signals by the FBI and the CIA demonstrates, there's no shortage of ways in which humans can screw up security. And even the most sophisticated security system can't always defend against human foibles. Take the latest favorite gizmo of Sondra Schneider, the founder and CEO of Security University. A handheld biometric fingerprint-sensor and smart-card device, this gadget allows you to program your fingerprint in, keeping your system secure from access by anyone but you. Or does it?
Last fall, Schneider hooked up the gadget to her computer and scanned in her fingerprint. On her hard drive was a presentation that she was scheduled to deliver at Comdex, the big computer show in Las Vegas. But 20 hours before leaving, she accidentally grabbed the handle of a hot pot on her stove, searing her fingers down to the bone — and destroying her fingerprint.
As luck would have it, Schneider has an identical twin. So she called her sister, who lives in San Diego, told her to hop on the next plane to Las Vegas, and hoped for the best. At the convention, her sister was able to log on to Schneider's computer, and the presentation was saved.
Her obvious take-away?
"Companies should be sure to ask employees who have high access to knowledge inside an enterprise if they have an identical twin," she warns. Otherwise, they're a security risk."
A version of this article appeared in the August 2002 issue of Fast Company magazine.