This article can also be found in the Premium Editorial Download "Information Security magazine: Debunking myths about the advanced persistent threat (APT)."
Download it now to read this article plus other related content.
Traditionally, when a company begins to search for an information security leader such as a CISO, they generally create a job description. Most standard job descriptions contain a detailed list of skills, experiences and certifications needed to be considered for a specific role. The more advanced the position, the more detailed the list. At face value, the resumes of many senior information security professionals are able to match job requirements that are outlined in standard CISO or information security leader positions. However, while it may be easy for many experienced information security professionals to believe they have the credentials to qualify for senior roles, many fall short.
The primary reason is not due to experience or certifications, but due to a blend of tangible and intangible skills that cannot exclusively be found on resumes.
As we look into the future and enterprises ingrain security into the corporate culture, competition for these positions will be increasingly difficult. Information security professionals are going to have to spend more time differentiating themselves from their peers. Instead of being concerned with building their resumes, information security professionals are going to have to focus on the development of their personal skill matrix, to provide them with a better chance to be chosen for these roles.
WHAT IS A SECURITY CAREER SKILL MATRIX?
A skill matrix is defined as the connection and correlation
As it relates to one's skill matrix, your professional success as an information security professional is predicated by two factors: First is the ability to connect and correlate these elements to equal a sum greater than the separate parts. The ability to effectively link these experiences and credentials will generally enable information security professionals to separate themselves from others who share similar experiences, but have not figured out how to maximize and leverage their value.
A good example of this would be information security professionals who goes to back to school to get an advanced degree, and expects to have their career accelerated, on the basis of attaining the certification alone. The knowledge received in the advanced degree is one element of the equation, but the real impact lies in the application of this new knowledge. The real value is in the utilization of these new learned skills to make the information security program more efficient and effective. It is these specific results that would create more professional opportunity and warrant a promotion.
The second would be the ability to articulate and communicate the value and application of your information security skill matrix to others who may be in a position to accelerate your career. These can consist of your current employer, future employers, your peers and your social networks.For example, no one could argue that a CISSP is a meaningful information security certification, however its value increases substantially when you can articulate how you utilize the specific knowledge regularly either in the course of your current position or when interviewing for a new one. The certification may have value to some people just because you have it--for them, it signals your interest and commitment to the profession and your desire to obtain a base level of knowledge within the certification. However, the true value of the certification to your employers (or potential employers) is a direct reflection of what you are able to do for them. Your ability to communicate that value is one of the fundamental differentiators that you have.
FOUR SKILL CATEGORIES FOR YOUR MATRIX
From the inception of the industry, it has been commonly stated that effective information security leaders can be successful if they have an understanding of people, process, and technology. Without question, this is a solid foundation for any information security professional to build his or her career, however as the industry has developed over time, we have a responsibility to evolve with it.
Today's information security leaders are faced with many of the same issues as past leaders, however there is no question that there is increased intensity, scrutiny and visibility on their actions and performance.
The internal and external threats facing corporate information security organizations are much more diverse, the standards and regulations are more complex, the media has made the impact of a security incident much more severe, and executive management is less patient and much less tolerant. As we look to the future, these factors will continue to intensify, making it necessary for information security leaders of the future to develop a greater arsenal of skills that will enable them to effectively lead their organizations as they address the information security and information risk management issues facing them.
Theses skills will fall into four primary categories:
- A greater knowledge of technology's impact on the organization
- Better business acumen specifically as it relates to the business operations that they are attempting to secure
- Leadership in all forms (team leadership, organizational leadership and industry leadership)
- A consistent commitment to their own professional development that will enable them to maximize their talents.
There are many information security professionals who believe that the only way to be effective in the role of information security leader is to be respected by senior executive management (the C-suite) and to be viewed as equal team member. While a statement like this holds a great deal of merit, it could be applied to any other member of the executive team as well. At all levels of an organization, respect among one's peer group is earned and is not an entitlement. As you move closer to the top of the organization, this becomes a greater challenge.
One of the primary reasons information security professionals have fallen short of earning the respect they would like, is because they have been benchmarking their skills against the wrong group of people. Many information security leaders believe that since they are recognized and respected among their security peers, they would automatically be respected by leaders in other corporate functions. But because information security is relatively new and viewed as a cost center and sometimes a business inhibitor, many are reluctant to welcome security leaders as a peer. Also, many other executives do not believe that the information security leader has had to go through the same professional gauntlet, as they had to endure, to rise to the top of their profession.
If information security professionals hope to be effective at the C-level, they are going to have to demonstrate the same mastery of these skills and display the same level of competence as their peers on the executive team. The best way to convince them that you, the information security leader, deserves their respect and attention will be to develop the technical skills of a CIO, the business acumen of a COO, the leadership skills of a CEO, and underscore it with a demonstrated commitment to professional development that is consistent with the new peer group.
KEEP THOSE TECHNOLOGY CHOPS
Many information security professionals enter their careers with a strong foundation in technology. Whether this talent is gleaned from their home grown computer labs or from computer science curricula at universities, this level of core understanding has long been a building block for a successful career. As technology has evolved over the past decade, it has created the need for information security professionals to acquire a broader understanding of networks, applications, wireless technologies, operating systems and software development. Many information security professionals have utilized these experiences to learn more about integrated information security concepts, including identity and access management, securing the software development lifecycle, data protection, security event management, and many others. Although these skills enable information security professionals to display their knowledge of the security ecosystem, they are limiting when you compare them to security concerns affecting the business.
The information security leader of the future is going to be entering his or her role at a crossroads, where the work force will be much more computer savvy and have higher expectations for availability, flexibility and access.
Information security professionals are going to have to be able to exhibit to their employers their understanding of broader technological trends that could have an increasing impact on the company's ability to do business and reach their customers in a secure manner. For example, in today's business environment, many organizations view cloud computing as a viable technology strategy, however the security implications have limited its acceptance and adaptation.
Information security leaders of the future are going to be required to have a deeper understanding of these technologies and also be able to help foreshadow their impact on the enterprises that they are chartered to secure. It will be important for information security leaders to leverage their knowledge of these broader technologies in order to inspire the necessary confidence in leading their organizations into the future.
UNDERSTANDING SECURITY'S ROLE IN THE BUSINESS
If you were to define the core responsibility of an information security leader in one catchphrase, the response would be "to secure the business." Although this is the correct answer to the question, the answer becomes quite broad and only proves to be effective when the information security leader has the requisite knowledge of the company's products, services, and industry in order to do so.
Most information security leaders of today believe that they do this well, however many business executives would disagree with that statement. The reason for this, is that business leaders have such intricate knowledge of how their company operates that information security leaders generally do not measure up to their expectations.
This presents the biggest challenge for tomorrow's information security leader. As a group, you are going to have to become more atuned to the company's business. If we work in financial services, we are going to have to think like bankers. If we work in healthcare, we are going to have to think like doctors.
We will ultimately need to become better educated on the business issues that our organizations face, and be better prepared to address them within the context of our role and the solutions that we offer. We will need to read the same articles, attend the same conferences, and join the same social networks as the business leaders do. As we do this, we will become more knowledgeable of the business that we are trying to secure. This knowledge will provide us with the necessary confidence to have more meaningful conversations and make more impactful suggestions to our counterparts. As we demonstrate our effectiveness, our peers will include us more in key business decisions and our opinions will become more valued.
Through this new developed trust, we will be able to become more effective in our information security leadership roles. We will gain better knowledge on specific threats facing our businesses and understanding of the impact of regulations facing our industry. We will increasingly learn more about our business ecosystem (partners, suppliers and customers) and the security concerns that are associated with these relationships. In addition, as our companies begin to increasingly integrate technology into their sales and marketing strategies, we will become a resident expert in understanding the security and privacy implications of deploying these tactics.
In the future, we will no longer be able to think like information security professionals who understand business, but we will have to think like business people, who understand security.
EFFECTIVE LEADERSHIP IN ALL FORMS
While many people refer to the highest ranking information security professional in an organizations as either the CISO or CSO, this is not necessarily accurate. The "officer" title in a traditional corporate function comes with inherent duties, responsibilities and obligations. Although many information security professionals have elected to assume a title that ends with the word officer, their positions may not be recognized in the same fashion as others who hold this similar title.
Independent of the official title that accompanies the highest ranking information security professional, the one thing that remains constant is the fact that they are the leaders of the information security function, and the success of the company's information security program can be directly correlated to their effectiveness as leaders. For this reason, information security professionals are going to have to develop their leadership skills and demonstrate them on a regular basis to all that they encounter.
When information security professionals begin to look at their leadership skills, they are going to be evaluated on how they assemble their organization and creates a culture that attracts high caliber professionals to their team.
Once this group is in place, they will then be judged on how effective they can be in the management of their teams and the development of their talent. In doing this, information security leaders are going to have to make a more conscious effort in learning well established management and team building techniques that will create an information security team that is viewed similarly to the more effective business units within the company.
In addition to refining their internal leadership skills, information security leaders are going to have to strive to be effective leaders outside their own business unit. This will require that they learn to communicate their successes and their wins to the other leaders within the business.
If this sounds like the dreaded "politics," it's because it is. All non-trivial projects require that we interact with others, and politics is the word we give to that interaction. Information security leaders need to understand how to work with others, work with organizational structures and gain momentum within the organization due to the successes of their projects and the way that they communicate them. In essence, the information security leader of the future will be an effective marketer, simultaneously building consensus and momentum that will spur the acceptance of his or her information security program throughout the corporate enterprise.
In addition to refining their internal leadership skills, information security leaders are going to have to strive to be effective leaders outside their own business unit. Considering the visibility the profession demands, it will be a key that information security professionals become better at business communication in all of its forms. Information security leaders will need to hone their public speaking, writing and presentation skills, in order to effectively create the internal brand of their information security program. In essence, information security leaders of the future will be effective marketers, simultaneously building consensus and momentum that will spur the acceptance of their information security program throughout the corporate enterprise.
DEMONSTRATED COMMITMENT TO PROFESSIONAL DEVELOPMENT
When many information security professionals think about their own professional development, the first things that come to mind are industry certifications and member organizations. While attaining a CISSP, CISM or a SANS certification are notable accomplishments, they alone do not serve as effective differentiators when it comes to being an information security leader. These certifications hold a great deal of weight within the industry, but once you move into the levels of senior management, they do not hold much relevance.
Information security leaders of the future are going to need to strive to attain similar levels of education and credentials that are held by their peers at the C level. Among corporate leaders, many have elected to continue their professional development by gaining advanced degrees from top flight academic institutions, as either full time students or as part of executive MBA programs.
Information security professionals are going to need to seek out these programs and take similar courses of study. For example, if you were to make an investment in an advanced degree, it would be much more valuable and practical to attain a degree in a subject matter associated with broader business skills, than to attain a master's degree in information security.
When you think of the business leaders in your organization, many have MBAs but very few have a master's of information security. Achieving a master's degree that is similar to your corporate peers will automatically place you in the same alumni networks and these recognized credentials should enable you to garner immediate respect when interacting with other business leaders within your organization.
Although degrees are important, they are only one component of professional development. Just as with other executives, information security leaders are going to need to make regular investments in their career that will enable them to refine their strengths and develop their weaknesses. Making annual investments in their careers will enable them to develop skills that will help build confidence in their overall ability to lead the security organization. In many cases, it is this confidence that will provide information security leaders with the necessary mental toughness to manage through difficult situations, inspire others and drive change throughout their organizations and their teams.
The information security profession is challenging in its own right. Combine the challenge of the profession with the responsibilities that encompass effective leadership and it becomes more daunting. However, the greater the challenge, the greater the reward.
The information security profession attracts people from many different disciplines and backgrounds. Independent of their evolution, most information security professionals aspire to positions of leadership, and the responsibilities and rewards that accompany them. Due to this increasing competition, attaining information security leadership roles will become increasingly more difficult.
In the future, it will become increasingly important for information security professionals to make regular investments in their professional development. These investments will be critical in helping them to build a skill matrix that will differentiate them from their information security peers, gain acceptance with other executive team members, and elevate the information security profession to the place that it rightfully deserves in the corporate pecking order.
Lee Kushner is the president of LJ Kushner and Associates an information security recruitment firm and co-founder of InfoSecLeaders.com, an information security career content website.
Mike Murray has spent his entire career in information security and currently leads the delivery arm of MAD Security. He is co-founder of InfoSecLeaders.com where he writes and talks about the skills and strategies for building a long-term career in information security.
Send comments on this article to firstname.lastname@example.org
This was first published in July 2010