Taking security up a notch

Every Thursday night, Dara Murray can be found donning her bowling shoes and shirt for a game with her local league at Shady Grove Lanes in Maryland.

Every Thursday night, Dara Murray can be found donning her bowling shoes

and shirt for a game with her local league at Shady Grove Lanes in Maryland.

She has been attached to those lanes ever since she met her husband,

Gary, there in 1990 while bowling on an opposing team.

The bowling alley may be the one place where Murray's competitive streak

doesn't emerge. It's her escape from work, where she is known to be aggressive,

hard-working and enthusiastic.

That approach to work has taken Murray up the ladder during her 15 years

with the federal government, to where she is the new director of the Security

Programs Staff in the National Science Foundation's Division of Information

Systems.

Murray spends her days at NSF tucked away in her office studiously doing

her research, writing and rewriting and hoping for good grades.

NSF's mission is to support the top research at the nation's colleges

and universities, where grades are a common measure of performance. Murray's

job is not academic, but it does require her to educate NSF's workers and

raise the agency's computer security grade from a B-minus to an A.

"We consider ourselves an 'A' organization," said Linda Massaro, NSF's

chief information officer. "We have a lot of the pieces, but we haven't

brought them together yet. [Murray's] got to find out why we got the grade

that we did."

Doing so might be easier than her last information security job, at

the Justice Department, where the farewell gift from her colleagues was

a golf shirt with an F taped to the back. The letter refers to the F that

Justice received on its computer security report card from Rep. Stephen

Horn (R-Calif.) in September.

Although NSF's B-minus computer security grade was the highest rating

Horn gave other than the B to the Social Security Administration, improvement

remains a daunting task for Murray, who started her job Sept. 22.

Justifying Security

The first barrier Murray faces will be convincing people at NSF that

the security measures she will recommend are necessary. Right now, she is

updating and creating policies for remote access and for firewall management.

She also wants to use more sophisticated intrusion- detection systems and

more stringent encryption and to see how NSF could be a leader in public-key

infrastructure.

"I need to implement policy, which may not be well-received here," Murray

said. "It will take me time to understand the corporate culture. I come

from an agency where everybody carries guns."

At NSF, the campus-like environment means more openness than at her

two previous workplaces: Justice and the Nuclear Regulatory Commission.

Because Murray knows that nobody likes security, "I have to be more gentle

instead of going like gangbusters."

The first way to do that is to raise awareness about information security,

Murray said. Recipients of NSF grants at academic institutions are the agency's

business partners, but some NSF grantees' computers were involved in widespread

denial-of-service attacks this year. Murray said she needs to find an effective

yet diplomatic way of teaching grantees what security measures to implement

so that can't happen again, particularly since NSF's proposal and grant

system, FastLane, is now completely online.

"You cannot police it, but you can educate," said Murray, whose Virginia

license plate reads PC COP. "We're doing things right at NSF; we have the

right bells and whistles and firewalls." But more needs to be done, she

added.

Murray, 36, has developed information security training programs for

attorneys and the blind and has developed certification and accreditation

programs for Attorney General Janet Reno. But entering the computer field

was never her top preference, she said.

Murray dreams of teaching computer science at a university, living at

the beach — she has a beach house in West Ocean City, Md. — working at a

hospital and spending as much time as possible with her 5-year-old daughter,

Allie.

"I didn't want to get into computers," she said. Computer programming

turned her off when she was taking classes at Montgomery College, where

she had to learn the Cobol programming language on index cards because

the personal computers had not been delivered. "If you dropped those cards,

it was over," she said.

During college, she also volunteered at Shady Grove Hospital in Maryland

in the outpatient clinic. She hopes one day to volunteer at a hospital again

and has made her love of music a hobby — she plays electric guitar and is

a 1960s and 1970s rock trivia expert. But with some persuading from her

father and brother, who both worked for the Nuclear Regulatory Commission,

she tried an entry-level programming job there in 1987.

In 1989, a friend who was a computer security specialist at NRC left

to join the National Institute of Standards and Technology at the Commerce

Department, and Murray seized the opportunity to learn about security, which

interested her more than programming.

Dan Pitton worked with Murray on the Justice Department's Information

Management Security Staff until taking a job at the Energy Department in

September. Murray was a "legend in the halls," Pitton said, and didn't hesitate

to share her ideas with senior managers such as Attorney General Janet Reno

or Stephen Colgate, Justice's CIO and assistant attorney general for administration.

"Sometimes they are met favorably, and sometimes she's thrown out of the

office," Pitton added.

Murray pushed for the certification and accreditation of more than 60

systems at Justice. "She's the kind of person that you don't need to tell

her what the agenda is," Pitton said.

Most of the time, Murray leaves her career-focused personality at work,

said her husband, Gary, an information systems director for Interactive

Systems Inc., an IT firm in Arlington, Va.

"It's hard to keep up with her," he said. "The people she works with

probably think she's cold, hard, "get the job done.' They don't see her

when she comes home. She really does have a soft side."