"That's juicy," Redman says, pointing to a list of IP addresses that pops up on the computer screen.
He seeks clues that will reveal operating systems, firewalls or user names. Any one of these could become a key for breaking into the system. "I'm thinking purely as a hacker," he says.
But Redman is no malicious hacker. He's a security engineer at Metases, where he's paid to tinker with clients' networks and uncover their vulnerabilities.
Standing guard: Rick Redman is the man behind the network, a security engineer whose job it is to uncover a system's vulnerabilities.
That demand is spawning a lucrative market. IT security services will generate up to $7.5 billion worldwide this year and grow at a per-year compound rate of 40 percent, predicts research firm GartnerGroup.
"It's definitely growing, both in demand and in supply," says John Pescatore, an analyst at GartnerGroup. "We're seeing a lot of user demand and an enormous number of companies starting in this space."
Metases, an affiliate of research firm The Meta Group, differentiates itself by offering end-to-end security services, from assessment and implementation to managed services, says Jeff Johnson, Metases president and CEO.
Metases' 75 clients run the gamut from financial institutions and retailers to health-care providers and government agencies. An average contract hovers in the $125,000 range. And the firm's staff keeps expanding, totaling 65 employees at last count.
Johnson, 36, describes Metases as "vendor-independent." He derides what he describes as the "audit mentality" of the Big Five accounting firms with security practices and the "hacker mentality" of some start-ups.
"Most other security guys are vulnerability guys who have switched their black [hacker] hats for white hats," Johnson says, explaining that many ex-hackers have become security consultants.
Johnson's resume includes seven years in U.S. Navy intelligence, followed by stints at Internet Security Systems and Trident Data Systems, where he worked on an information warfare program for the U.S. Air Force.
Metases was founded in early 1999 based on a business plan devised by Johnson and Craig Robinson, the firm's executive vice president and COO. Their vision was to simplify the security process using the Internet by documenting the best security practices and then providing them to clients over the Web. Tying security into a company's e-commerce strategy also is key, Johnson says.
The Metases office is decorated with movie posters, including one that's titled, appropriately enough, "Virus." But Johnson, Redman and others on the staff don't spend much time at the office. Instead, they live the consultant's life, spending a lot of their time on the road visiting their clients.
Andre Mintz, vice president of global business strategies at Metases, figures he spends about 70 percent of his time in the field. He travels worldwide, meeting with Fortune 100 and top Global 2000 clients, designing and selling security solutions.
At 35, Mintz says he considers himself a veteran in the field. "Most people in our business are Rick [Redman's] age, just out of school," he says.
Mintz comes to the information security business with a diverse background that includes stints as a stockbroker and a police officer (he says he left the police force when he realized he could earn more money elsewhere and not get shot). Before getting a job at Metases, Mintz worked at hosting firm Digex, where he says he helped pioneer the concept of managed security.
Meetings with prospective clients begin with a knowledge test of what and whom you know, Mintz says. Once some sort of connection is established, the client will pose technical questions about any number of areas, such as databases, Unix or the Novell platform.
"The thing that makes the security professional different from other IT professionals is that you have to know something about everything," Mintz says.
Some clients, influenced by media reports of computer crimes or by upper management pushing a security plan, are ready to "pull the trigger immediately," Mintz says. Others, though, are hit with sticker shock, he says.
"They don't understand how much security costs. I have to provide a clear [return on investment] statement. It's the same problem an insurance agent has. I have to identify the probability that something will happen and the downstream effect," Mintz says.
To devise a security plan for a client, Mintz takes Redman's technical assessment of a network and combines it with his own interviews and observations.
He assesses a company's "pain threshold," or how much security risk it can endure before the business would shut down. Once completed, a security plan can be 500 pages long. Metases then either implements the plan or recommends how the client can enact it.
Mintz says he enjoys the challenge of the fast-paced IT security business, despite the lack of sleep it affords him.
For Redman, who came to Metases a year ago fresh out of Purdue University, the chance to poke around other people's networks and get paid for it is sweet.
He admits to wreaking some mischief on a friend's computer as a teenager in Kentucky, where he and his buddies tried guessing passwords before the Internet was a household word.
But when a 15-year-old hacked into one of his Unix machines at college and then tried to steal passwords, it served as an awakening, Redman says.
"I don't like the idea of people breaking into other people's computers," he says. "I care now."
