Taking security up a notch
- By Paula Shaki Trimble
- Nov 05, 2000
Every Thursday night, Dara Murray can be found donning her bowling shoes
and shirt for a game with her local league at Shady Grove Lanes in Maryland.
She has been attached to those lanes ever since she met her husband,
Gary, there in 1990 while bowling on an opposing team.
The bowling alley may be the one place where Murray's competitive streak
doesn't emerge. It's her escape from work, where she is known to be aggressive,
hard-working and enthusiastic.
That approach to work has taken Murray up the ladder during her 15 years
with the federal government, to where she is the new director of the Security
Programs Staff in the National Science Foundation's Division of Information
Murray spends her days at NSF tucked away in her office studiously doing
her research, writing and rewriting and hoping for good grades.
NSF's mission is to support the top research at the nation's colleges
and universities, where grades are a common measure of performance. Murray's
job is not academic, but it does require her to educate NSF's workers and
raise the agency's computer security grade from a B-minus to an A.
"We consider ourselves an 'A' organization," said Linda Massaro, NSF's
chief information officer. "We have a lot of the pieces, but we haven't
brought them together yet. [Murray's] got to find out why we got the grade
that we did."
Doing so might be easier than her last information security job, at
the Justice Department, where the farewell gift from her colleagues was
a golf shirt with an F taped to the back. The letter refers to the F that
Justice received on its computer security report card from Rep. Stephen
Horn (R-Calif.) in September.
Although NSF's B-minus computer security grade was the highest rating
Horn gave other than the B to the Social Security Administration, improvement
remains a daunting task for Murray, who started her job Sept. 22.
The first barrier Murray faces will be convincing people at NSF that
the security measures she will recommend are necessary. Right now, she is
updating and creating policies for remote access and for firewall management.
She also wants to use more sophisticated intrusion- detection systems and
more stringent encryption and to see how NSF could be a leader in public-key
"I need to implement policy, which may not be well-received here," Murray
said. "It will take me time to understand the corporate culture. I come
from an agency where everybody carries guns."
At NSF, the campus-like environment means more openness than at her
two previous workplaces: Justice and the Nuclear Regulatory Commission.
Because Murray knows that nobody likes security, "I have to be more gentle
instead of going like gangbusters."
The first way to do that is to raise awareness about information security,
Murray said. Recipients of NSF grants at academic institutions are the agency's
business partners, but some NSF grantees' computers were involved in widespread
denial-of-service attacks this year. Murray said she needs to find an effective
yet diplomatic way of teaching grantees what security measures to implement
so that can't happen again, particularly since NSF's proposal and grant
system, FastLane, is now completely online.
"You cannot police it, but you can educate," said Murray, whose Virginia
license plate reads PC COP. "We're doing things right at NSF; we have the
right bells and whistles and firewalls." But more needs to be done, she
Murray, 36, has developed information security training programs for
attorneys and the blind and has developed certification and accreditation
programs for Attorney General Janet Reno. But entering the computer field
was never her top preference, she said.
Murray dreams of teaching computer science at a university, living at
the beach — she has a beach house in West Ocean City, Md. — working at a
hospital and spending as much time as possible with her 5-year-old daughter,
"I didn't want to get into computers," she said. Computer programming
turned her off when she was taking classes at Montgomery College, where
she had to learn the Cobol programming language on index cards because
the personal computers had not been delivered. "If you dropped those cards,
it was over," she said.
During college, she also volunteered at Shady Grove Hospital in Maryland
in the outpatient clinic. She hopes one day to volunteer at a hospital again
and has made her love of music a hobby — she plays electric guitar and is
a 1960s and 1970s rock trivia expert. But with some persuading from her
father and brother, who both worked for the Nuclear Regulatory Commission,
she tried an entry-level programming job there in 1987.
In 1989, a friend who was a computer security specialist at NRC left
to join the National Institute of Standards and Technology at the Commerce
Department, and Murray seized the opportunity to learn about security, which
interested her more than programming.
Dan Pitton worked with Murray on the Justice Department's Information
Management Security Staff until taking a job at the Energy Department in
September. Murray was a "legend in the halls," Pitton said, and didn't hesitate
to share her ideas with senior managers such as Attorney General Janet Reno
or Stephen Colgate, Justice's CIO and assistant attorney general for administration.
"Sometimes they are met favorably, and sometimes she's thrown out of the
office," Pitton added.
Murray pushed for the certification and accreditation of more than 60
systems at Justice. "She's the kind of person that you don't need to tell
her what the agenda is," Pitton said.
Most of the time, Murray leaves her career-focused personality at work,
said her husband, Gary, an information systems director for Interactive
Systems Inc., an IT firm in Arlington, Va.
"It's hard to keep up with her," he said. "The people she works with
probably think she's cold, hard, "get the job done.' They don't see her
when she comes home. She really does have a soft side."