The Security for Business Innovation Council recently stated that IT security teams are no longer just responsible for implementing security controls but must now take in much more business-centric activities. As a result, the council advocates for security professionals to possess a new and broader skill set, but there may be a shortage of security pros that fit the bill. What new skills should organizations look for in security pros...
and what skills should experienced security professionals develop?
The discipline of information security is maturing. Security pros who were once relegated to writing firewall rules in the back room may now find themselves involved in important meetings and giving input about core business processes. Security pros with purely technical expertise may find that they lack the required business skill sets to thrive in this new environment.
There are several key abilities that organizations should look for that security pros can easily learn by building on what they already know about information security.
Security pros with any experience understand the concept of risk. Risk in business is not something that should be completely avoided. More risk usually correlates to more profit. A business without risk is a business without profit. Security pros can take what they understand about risk management and apply that to nontechnical situations. For example, launching a new product increases risk just like launching a new Web service increases risk. It just involves expanded thinking about risk and potential mitigation strategies in the case of the new Web service.
Information security is often more about processes than technology, and many security pros are experts in auditing and designing secure processes. Businesses need to evaluate processes used in their operations to eliminate waste and improve efficiency. This is a great fit for security pros, though some will need retraining to learn how to evaluate processes for efficiency instead of security. Lean and Six Sigma are two popular approaches to process optimization that are useful to security pros looking to expand their knowledge in this area.
Neither Lean nor Six Sigma is beneficial if the security pro does not have strong communication skills. Let's be honest: Many of us got into the field of information technology because of a strong desire to work with machines instead of people. Communication skills may be difficult to improve for those information pros. Public speaking classes could make a huge difference. Classes can help build self-confidence and improve listening skills through experience.
It is easy to lose track of the core technical skills required to practice information security with all of this focus on secondary skills. The truth is that the business simply expects all security pros to possess the necessary technical skills. The secondary skills are what set security pros apart in the eyes of the business. Information security is still a technical field, but it requires nontechnical skills as well.
Security pros are well positioned to add value to their businesses by using their existing skills in new ways. Risk management and process engineering are just two examples of in-demand skills that can be expanded for use by the business. Communication skills are critical for security pros to thrive in this new environment, regardless of their other skill sets. Don't neglect technical skills because the expectations of security pros will grow to include these other skills. Information security is maturing and evolving, so security pros need to evolve as well.
Ask the Expert
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
Dig deeper on Information Security Jobs and Training
Related Q&A from Joseph Granneman, Security Management
Expert Joseph Granneman offers advice to enterprise security teams on using open source intelligence tools to learn about potential threats.continue reading
(ISC)2's HCISPP certification has many potential benefits for health information privacy and security. Expert Joseph Granneman examines them.continue reading
Conveying complex information security models to business executives isn't easy. Here's how IT pros can improve their communication skills.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.