Have either of you noticed any interesting or unique trends in the security career landscape over the last year or so? Information security is becoming an increasingly popular profession. There are more certified information security professionals than ever, and the numbers are growing by the day. Competition is going to increase dramatically for the roles that people truly want, and it is going to become more important for security professionals to differentiate themselves and build meaningful skills that can demonstrate their value.
What do you think information security professionals should be attuned to, both in the job market as they're looking for jobs, and in order to advance their careers?
I think there is an important move away from the technology of security and toward an organizational- and people-centric way of looking at security. Right now in the industry, everybody is talking about security awareness training, the threat posed by social networks and things of that sort. With that trend, security pros no longer just need to understand the packets going across the network, as much as they need to understand the way people interact with those technologies and how those technologies affect people in order to make their organizations more secure.
Is there anything specific that you see, such as a specific career path or specific certifications, which could significantly help people to advance their careers?
Your question is the biggest problem that we are facing in the industry. Many people view certification as a key component to determining somebody's success as a security pro. The truth of the matter is that the more certified security professionals there are, the lesser the value of the certification. If 10 people have a certain credential, it's important; if 100,000 people have that same credential, it decreases in its importance by the same factor, if not more. The problem is that there is no magic bullet. Information security professionals are going to have to think about the combination of their skills, their experience, their personal qualities, their career investments, you name it. It is going to be the accumulation of those things and the correlation of those things that probably will have the greatest impact on their success as information security professionals and their abilities to achieve meaningful career goals.
Murray: I think it is important to realize that certification is not equivalent to skill. Regardless of what the certification is, the credential does not mean that you are going to be a successful professional any more than a degree means that you are going to be successful. It is an indication that you have done a certain amount of work and a certain amount of preparation for a test, but it is not the same thing as the skills themselves.
President, LJ Kushner and Associates
Are information security professionals asking you different questions than they were a year ago?
I do not think they are. People are still asking the question you just asked. In fact, everyone is asking the question you just asked. I think until we realize that a successful career is not built on certification, that the great CISOs (Chief Information Security Officers) who are going to be on that panel at RSA aren't great CISOs because of any certification they have, until that happens I don't think that we, as an industry, are really going to evolve.
Kushner: I do not think that they are asking different questions per se. I think that they are realizing, more and more, that taking ownership of their careers is their responsibility, and it is not going to happen on its own. Maybe they are not asking different questions, but more people are asking more questions.
How would you recommend that one take ownership of his or her career?
I think the first thing they should do is build a career plan. If you do not know where you want to go, you are probably not going to get there, so I think the number one thing is having a written career plan. Take some time to work on your career, not just in your career. Then, they need to figure out what they need to do in order to get to where they want to go. That means they should consider building technical skills, tactical skills, communication skills, gaining different experiences and making career investments. They have to understand the gap between where they are and where they want to be, and then actually take action on [closing that gap].
Murray: And when you know that, only then are you really prepared to start saying 'If I know I want to be a CISO, these are the things that I don't have right now, these are the skill sets I haven't learned [that I will need]. I haven't learned how to write a budget; I haven't learned how to manage people effectively; I haven't learned what organizational risk tolerance is all about. So, what plan can I make to go out and get those things? Where can I learn them? Who knows those things and who can teach them to me?'