Know Thy Business
At the top of the infosecurity profession, an MBA may trump the CISSP. It's now all about protecting corporate image, not just networks.
You entered IT security because you love the technology, right? Coding at 13 and perhaps an innocent hack at 14? Graduating from school, you landed a job where you actually got paid to do what you loved.
And you got really good at it. So good, you climbed that corporate ladder. Only now, that dream job has but all vanished as you move farther away from what made you enter this market in the first place.
Today, your job is less about bits and bytes and more about business. Coding? Adios. Finding bugs and vulnerabilities? Au revoir.
Suddenly, you're the brand guy, the compliance go-to and, of course, the security guru. You're protect- ing the company's crown jewels, fighting incidents to protect the brand and adhering to the endless regulations so your CEO won't go to the Big House.
Now's the time to gain the power and influence you deserve. If you don't earn your seat at the table, your company's assets will be in jeopardy. Furthermore, as security evolves to be an attribute of the organization--rather than a separate department--you'll be out of a job tomorrow if you don't position yourself today.
Just ask the attendees of our recent Information Security Decisions conference. Some security professionals are hoping to flunk their next compliance audit. Why? They've been so successful at maintaining data integrity that their budgets are being slashed under the assumption that more resources aren't needed to meet or maintain regulations.
So, how do you get to know your business' business better? For the time being, forget about CISSP, CISM or any other security certifications--you need to bone up on business administration.
In order to gain legitimacy in your company, it is imperative that you understand how the place runs. How does the company generate revenue? What are its profit margins? How does it differentiate itself from its competitors? What does its supply chain look like? What are its competitors doing better? Ask questions. If nothing else, Google your company and research its strengths and weaknesses. If there is a trade publication in its market, see what it has to say about the company.
If you work at a multinational company, you may need to understand a variety of business models. Based on your background research, figure out how security can help the company meet its objectives, or simply speak the language and frame the conversation in terms boardroom executives understand. Brush up on their jargon. We have tech-speak--what is theirs? Learning it is essential to doing your job. As Burton Group principal analyst Fred Cohen notes, your job isn't to make everything secure; your job is to convince and influence others.
So how can you win friends and influence people? Through sales and marketing. Learn some basic tools in each field. Set up appointments with departments you believe are important allies. Ask them to talk about their needs and their difficulties.
Let's be real. We all need a shoulder to cry on. By simply listening and putting yourself in different shoes, you may gain a valuable partner. While it all seems like common sense, the pressure, the deadlines and the personalities can cloud rational thinking. Take a deep breath and get to know your customers. By getting their buy-in, you can make your job much easier and, ultimately, keep it.