This article can also be found in the Premium Editorial Download "Information Security magazine: Exclusive: Security salary and careers guide."
Rallying the Troops
Former FBI agent says understanding motivation is key
Name: Tim McKnight
Title: Northrop Grumman CISO & Business Group Director
Key career move: Leaving the FBI for Cisco
Tim McKnight got his start in information security at the Federal Bureau of Investigation as a special agent protecting the nation's critical infrastructure from cyberthreats. His work as a G-man proved to be invaluable training for his current job as CISO of defense contractor Northrop Grumman--not just because of the investigative and security skills he developed, but also because of the people skills. In his 10 years at the FBI, he learned how to communicate clearly, build strong teams and lead effectively.
"Understanding motivations--what gets people going, what gets them out of bed in the morning--definitely helps to build relationships in the company, which leads to making the security programs successful," McKnight says.
Communication and leadership skills are essential for a CISO, who must be able to bounce between the data center and the boardroom, and translate security needs into business terms, he says. The main challenge for any CISO is getting past the old image of being the "gloom-and-doom, sky-is-falling guy."
After leaving the FBI, McKnight moved to the private sector and became steeped in how an IT organization in a large corporation operates. At Cisco Systems, he launched a team that conducted security assessments of companies Cisco acquired. He then worked as IT security director for defense and aerospace firm BAE Systems North America.
At the bureau, McKnight felt like a pioneer in an exciting world of information protection. Today, he thrives on the challenges of information security and forging ahead into uncharted territory.
"With the constant change in security and business needs, I continue to feel like a pioneer," he says.
Given this apparent premium on business skills, which would you rather your security staff have: an MBA or a CISSP? (See "Moving On Up")
Certification debates are sticky. Many argue that certifications are diluted and have lost their luster, especially with larger enterprises; others value them because they demonstrate a level of competency. One thing not up for debate: Security certification holders earn more money.
According to SANS, if you have an ISACA certification like the CISM and CISA, or (ISC)2's CISSP, you're among the highest paid security professionals. Those with ISACA's management and auditing certifications average $98,571 in annual salary; a CISSP or SSCP earns $95,155, on average. According to the survey, these wages exceed the $79,430 average annual salary for those professionals with vendor-specific certifications from Cisco Systems or Microsoft, for example. Foote Partners, meanwhile, looked at salaries associated with 109 certifications, and has determined that holders of the CISA, CISM, CISSP, SSCP, CCSP and SANS's GIAC certifications are among the highest paid professionals in the field.
While non-certified administrators got, on average, bigger raises in 2005, their base pay was lower. According to Foote Partners, compensation for certified professionals has leveled off because of a slowdown in demand for entry-level and intermediate security employees. However, the company predicts that hiring and salaries for certified security pros will increase for several reasons: The prevalent belief is that security is a cost of remaining competitive; additional global projects require complex security; criminally motivated breaches are on the rise; and federal and industry regulations are calling the shots.
While some infosecurity managers, like BT Radianz's Hession, argue against discounting non-certified job candidates simply "because they're not a career security person," certification bodies insist that certifications are perhaps more important factors in hiring security professionals than in any other IT segment.
"You're talking about someone with access to everything in an organization. You want to rely on what a competent organization said about what a candidate can do," says Corey Schou, vice chairman of (ISC)2's board of directors. "If a security professional goes through a certification program, it's worth paying them more; they have more skin in the game. We're talking about, in some cases, people getting $120,000 a year--you want to make sure you're buying good quality. We provide the due diligence model. They're not just walking in saying they're good; someone has sworn they're good."
This was first published in July 2006