Let's discuss each of these ideas in turn. The most important skill a senior security officer needs is the ability to work with their peers on the senior team, meaning they have to be more of a businessperson than a technologist. Security officers must assist the employees in charge of the operation in order to understand the impact a security risk can have on the business. This has been a major focus of my research, culminating in the publication of the Pragmatic CSO, which details a new approach for the business of security management.
Talking about hackers and crackers and other attack vectors will go over like a lead balloon. These folks are all about business and want to see what kind of security program is in the works. How do you define success? How are you going to get there? What milestones are you using to ensure progress is being made?
Every VP of operations or general manager runs his or her business according to a plan. They are accountable for all commitments and must frequently report progress in an understandable and meaningful manner.
As such, an ethical hacker certification is not sufficient. Although you know how to think like a hacker, you have little experience as a businessperson, which is imperative when planning a career in security management.
So I'm of the opinion that a certification like CCNA or CCSA won't be very useful in landing a role in security management. I would do a couple of things if I were you. First, I'd learn as much about my business as I could. A good way to do that is to try to find a mentor who understands the business, who can teach you how it works. Finding a well-placed mentor will also give you more visibility in the organization.
I'd make sure I was a clear and effective communicator and writer. Maybe that means joining Toastmasters and/or taking a writing course. Communication is one of the most important skills a CSO has, so invest in making sure you can do that effectively.
This was first published in July 2007