How do you rise in the security ranks? Don't speak geek; use the language of business.
Imagine this: You're lost in a foreign country. When you ask for help, everyone answers in their native tongue. You're frustrated and anxious because you can't get the information you need. You're hoping someone will come along who speaks English to lead you in the right direction.
This is how a CEO or CFO feels when your way of addressing a business problem is to spit out tech-speak. "Many CEOs and CFOs are threatened by technology and are not comfortable with technical terms," explains Richard M. Entrup, CIO for Byram Healthcare Centers, a company that specializes in delivering medical supplies to home patients. "If you're sitting in an executive staff or board meeting, you can't be a techie. You're also not going to gain the necessary support and cooperation, or make your case, unless the value proposition impacts the business."
These days, your security know-how is a given. What it really takes to move up the corporate ladder is the ability to translate security technology into business need--whether that means adequately defining risk or helping pass an audit.
These are the key findings from Information Security's exclusive research into what it takes to land (and succeed at) a security manager's job. We surveyed nearly 100 C-suite executives and upper-level corporate managers to get a sense of what they want out of their organization's top security pros.
Bottom line: Working effectively with the powers that be outweighs nearly every other skill. More than 85 percent of C-level executives believe a security officer's ability to get upper management to buy into key security projects and earn their respect is extremely or very important to his or her career success.
Walk the Walk, Talk the Talk
It all starts with really knowing your business. More than 80 percent of the executives we surveyed believe that understanding a business's unique challenges is very important.
"CISOs are people who can be incredibly tech- and detail-oriented, but they have to step back and look at the larger picture," says Ruth Harenchar, CIO for legal services firm Hobart West Group.
The big picture includes the abilities to balance risk against business needs and make good judgment calls, explains Jeff Huegel, CSO of USi, an application service provider of enterprise and e-business solutions. "If you want to enter the executive ranks, you need to understand business strategies, financial bottom lines and decision making around the businesses' organizational purposes," he says.
Security is not cut and dried. The keys to being a successful security executive are balancing the risks and communicating accurately which risks are more serious than others, says Harenchar.
While security may be your expertise (and comfort zone), it is important to realize that, when an executive makes a business decision, it is only one piece of the puzzle.
"Security isn't the linchpin; it's just another facet to understand," says Peter Gregory, a senior security specialist with more than 20 years of experience. "Security experts aren't the only ones bringing information to the table--legal, R&D and sales, among others, have their say, too. A good security professional wants business leaders to make an informed decision."
"During my tenure as CISO, I saw bright people that were much better technically at security than I was," explains Ken Tyminski, consultant and former CISO for a large financial services firm. "But they didn't always understand how to evaluate business risks, and often focused on having the best security technology rather than addressing the business risk."
Perceived shortcomings in security professionals, say our survey respondents, are seeing things as black or white and squelching projects outright. As one senior-level executive put it, "You need to lead the way, not get in the way."
You have to be business savvy and be able to sit down with anyone in the company to understand their problem and their needs, says Huegel. "Most of the time you will be talking to people who don't know the fundamentals of security technology," he says.
Want to build your (personal) networks?
Developing strong professional relationships often helps you land a new job. The following organizations are good places to get together with other security pros.
Information Systems Audit and Control Association (ISACA)
A professional organization for information governance, control, security and audit professionals that has more than 50,000 members.
Institute of Electrical and Electronics Engineers (IEEE)
A professional association with more than 365,000 members promoting the engineering process and knowledge about electric and information technologies.
Information Systems Security Association (ISSA)
A not-for-profit international organization of information security professionals and practitioners.
InfraGard
An association of businesses, academic institutions, and state and local law enforcement agencies dedicated to sharing information and intelligence to prevent attacks against the U.S. InfraGard chapters are geographically linked with FBI field office territories.
Get Your Hands Dirty
On-the-job training beats any certification or diploma hands down, according to our research. Ninety percent of those surveyed believe that practical experience is the most important characteristic when evaluating candidates for a security job.
The ability to prove that you have secured networks against external attacks and internal threats is also one of the top considerations. "Security people aren't made in universities, they are made in the workplace," says Gregory.
However, when asked to choose a candidate with a security certification or an MBA, nearly three-quarters of the C-level executives surveyed feel that a CISSP certification is more important. Certifications are a convenient and useful way to eliminate unqualified applicants, says Gregory. Adds Hobart West's Harenchar: "I won't talk to anyone who doesn't have a CISSP. I realize certifications aren't perfect, but they are a reasonable indicator."
No certification under your belt? Executives recommend that you position your skill set in line with what's required to earn one. "If [job candidates] don't have a certification, they should explain their job functions and put in their résumé 'CISSP-equivalent,'" says Craig Zachmann, e-information manager for Riverbank Business Center, a bank based in St. Paul, Minn.
"As an executive recruiter, I look for speaker's presentations, publications and industry participation," says Tracy Lenzner, CEO of LenznerGroup.
And an MBA? It's icing on the cake, says USi's Huegel.
Easy climb to the top
Want to move up the corporate ladder? Here are some skills that you will need to enter the C-suite.
These days, another must-have component to any infosecurity résumé is compliance experience. Eighty-eight percent of those surveyed think that surviving an audit and meeting regulatory demands are extremely important or very important skills to have.
"Security is all about compliance. It's difficult to find companies that are not directly or indirectly asked to comply with some regulation that touches the technology in their business," says Gregory. "You need to understand auditing and put compliance high up on your résumé."
"It's a differentiator," says one security executive at a large healthcare solutions company. "It takes true grit to go through a compliance effort. It's a stressful process."
While compliance is a sought-after skill, be careful when you sprinkle your résumé with acronyms and security lingo, say executives. Filling up on buzzwords can be a red flag.
"You need to ascertain whether candidates have been reinventing themselves or are really doing something in security," says one executive at a healthcare solutions firm. "If they have the buzzwords in there, there had better be descriptors to back it up."
A sure-fire way to poke holes in a résumé is to ask job candidates to describe the acronyms. "I tend to pick the most obscure and least popular platform or acronym to wire in on. If you can't speak to it from hands-on experience, don't put it on your résumé--you might get called on it. This is where things start falling apart during an interview," says Byram Healthcare's Entrup.
Do you want to end your job search before it begins? Brag about your glory days as a black hat. Hiring managers value a security manager's personal integrity above all else; 93 percent cite it as extremely important.
"If you were to boast that you've been a hacker or cracker, I would say, 'Have a nice day,'" says Gregory. There are other ways to get those skills. Hacking contests can prove your worth, but if it is unethical, we're not interested, says one security executive.
"You've got to be discreet, willing to take a stand and be someone a CIO can really count on," says Hobart West's Harenchar. She adds, "Security is not for the faint of heart."