Is it best to focus on the technical or business side for a management position?

Is it best to focus on the technical or business side for a management position?

I'm currently a network/system administrator for a financial institution with $300 million asset. Through my continous security initiatives, my work is thinking of promoting me to a "security officer," reporting to the Compliance Officer. Although I've been preparing for the CISSP and recently passed Security+, I don't have any management experience. Taking my background and my company's structure, should I concentrate more on the technical side or business side while preparing for the role? Where can I get the training? Thank you in advance for your advice.


    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Given that the job of security officer is more technical and doesn't involve as much old-line management responsibility (people management or assuming financial responsibility for some revenue-producing or consuming part of a business) I think you're best off sticking more to the technical side of your new planned job role. That said, one of the most important aspects of a security officer's job is to perform a risk assessment that relates to possible threats to company systems, information, people and assets, and to help formulate proposed responses to such threats where warranted. This requires a deep understanding of the value of information and other organizational assets and a sense of the trade-offs necessary to decide how much it's worth spending to protect and/or preserve such assets. Of course, this requires taking a hard-nosed, hard-boiled and value-oriented look at your company and setting limits on how much you could or should spend to protect them. Obviously, this does require some business acumen. But you'll be pleased to hear that by preparing for Security+ and CISSP, you should get exposure to the concepts and tools you'll need to do this kind of work.

Thus, a good class or boot camp on CISSP should help you get ready to handle this part of your job. There are plenty of good books on this part of the field as well. One of my favorites is by fellow SearchSecurity.com site expert Mandy Andress and is entitled "Surviving Security" (Sams, 2001, ISBN: 0672321297; List Price: $15).

For more information on this topic, visit these other SearchSecurity.com resources:
News & Analysis: Does your CSO need to be a techie?
IT Career Expert: Security invades upper-level management
News & Analysis: University CSO provides education, security in nonprofit environment


This was first published in December 2002