Creating a personal brand in information security

Sports have simple black-and-white ranking systems, which make them easy to enjoy and understand. One needs only turn to the sports page on any day of the week to see that the Yankees are in first place, that Florida is ranked atop the Top 25 college football teams and that Peyton Manning leads the league in touchdown passes.

Unfortunately it's not that easy for information security professionals. Currently, there are more than 65,000 CISSP-certified information security professionals. And, given the resume of any of those 65,000, there's nowhere to turn to see who's No. 1 and who's No. 46,738. There's no way to rank which penetration tester scored the largest number of hacks in the last month.

But when it comes to getting a job or a promotion, these are the types of highlights that managers look for. So, absent a concrete ranking system, information security pros have to find ways to stand out. This is what's called creating a personal brand.

The paradox...

BROWSE BY TAG Information Security Career Advisor,   Information Security Jobs and Training,   Information Security Careers, Training and Certifications,   Security Industry Certifications,   VIEW ALL TAGS

RELATED CONTENT Information Security Career Advisor Stay or jump ship? How to be happy with your infosec job Entering 2010: The economy and the state of information security Straight from the inbox: Your infosec career questions answered How to prepare for an information security job interview Top social networking sites to boost your information security career An introduction to Information Security Career Advisor How to prepare for a layoff or 'career incident' SearchSecurity.com guide to information security certifications Guide to vendor-specific information security certifications The vendor-neutral information security certification landscape Information Security Jobs and Training Stay or jump ship? How to be happy with your infosec job How to advance in your infosec career in the current economic storm Schneier-Ranum face-off, part 4: Cybersecurity coordinator Entering 2010: The economy and the state of information security Information security book excerpts and reviews Security School Course Catalog from SearchSecurity.com RSA security conference 2010: news, interviews and updates Straight from the inbox: Your infosec career questions answered Despite recession, information security certification pay continues to climb Bruce Schneier on outsourcing, awareness training Security Industry Certifications Compliance strategy: How to become an internal IT auditor Straight from the inbox: Your infosec career questions answered Despite recession, information security certification pay continues to climb Some IT security certifications are overvalued, analyst says Q2 2009 data shows IT security certification pay still climbing An introduction to Information Security Career Advisor Security jobs survey finds fewer budget cuts, lower security salaries IT security skills and certification pay Despite recession, pay climbs for top IT security certifications How do I transition to a career in IT security?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Cisco Certified Security Professional (CCSP)  (SearchSecurity.com) CSO  (SearchSecurity.com) security clearance  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

of branding is that we're all known for something, regardless of whether we take control of that brand or not. Just for a second, think about what you know the following people for:

• HD Moore
• Bruce Schneier
• Dan Kaminsky
• Kevin Mitnick

Each of those guys is known for something, whether it's exploits, cybercrime investigation, social engineering hacks or just being a general security guru. And, in most cases, they made an effort to become known that way, and it makes them top of mind when searching out a particular skill set. If one was looking to hire a social engineer, for example, there's no doubt that Kevin Mitnick's name would at least come to mind. This is the advantage of creating a personal brand.

Your brand requires three components: your experience/qualifications, your public demonstrations, and your network. Of the three, most security professionals focus on the first and exclude the second and third.

Experience and qualifications
All information security pros understand the need for qualifications. That's the reason that the information security certification industry is a multi-million dollar per year business. And many in the industry spend a huge amount of time upgrading skills, taking training classes and working to ensure that their resumes illustrate just how qualified they are.

Unfortunately, resumes are a self-produced description of a person's skills. In order to become known for something, you can't just say that you're good -- you have to prove it. Many security professionals hope that certifications will provide an indication of their competence (and, indeed, that's the idea that certification vendors market to us). As most of us have learned through experience, however, just having a CISSP or CEH or SANS certification does not an information security professional make.

Demonstrating security skills and expanding your network
Thus, the second major step in creating a strong personal brand is to demonstrate your skills. For many in the industry, this takes the form of public demonstrations, such as speaking at a conference or writing a paper, article or blog. We all get to know those who speak repeatedly at conferences (and, indeed, the professionals mentioned earlier are all people who built their brands through this method).

Not everyone is a great writer or speaker, however, especially in the security and technology industries. And most who advise on personal branding leave people who aren't comfortable in front of an audience, or who don't enjoy writing long articles, out in the cold. But there are other ways to stand out.

We all know of someone in our network who is incredibly skilled but doesn't do a good job when writing or speaking. How did they demonstrate their skill? Most often, they have worked to help solve a problem, or offered one-on-one advice. Or they provided an intelligent opinion on a topic that you cared about.

This is the most effective alternative method of creating a brand -- getting yourself known by members of the industry for your skill. Getting out there can take many forms: attending local meetings (e.g. ISSA, CitySec), participating in bulletin boards like the Ethical Hacker Network, the Security Catalyst Forums or ITKnowledgeExchange's Security section, or spending time talking to other security professionals on social networks like Twitter, LinkedIn or Facebook. (Note: See last month's column for some ideas on using social networks to build your career.)

When it comes to brand-building, it is essential to build a network of people who share your profession and have similar or complementary skills. If your goal is to be a penetration tester, spending time talking and "hanging out" with the best penetration testers in the world will make you more effective.

The concept of spending time with people who are known for what you are known for implies the idea of focus: when selecting a brand, strive to be known for something. Think back to the names we suggested earlier: each of them is known for a single thing, whether it is Mitnick for being a social engineer, Kaminsky for being a network (or DNS) hacker and Schneier for being a security philosopher.

In order to figure out what group you want to "hang out" with, you have to decide what group you want to belong to. And that will allow you to brand effectively.

While we don't have the "Top 25" ranking, our industry functions on the same principles. If a manager is looking for a great security professional, they ask the great security professionals for a reference. This is where branding comes in. Certainly, you need to spend time polishing and honing your skills. But, beyond that, you need to demonstrate those qualities to an audience, and spend time with others who are known for having those skills.

About the authors:
The columnists, Lee Kushner and Mike Murray, bring with them different perspectives on career related topics. Together Lee and Mike have advised many information security professionals in various stages of their career development and are regular speakers at industry conferences on information security career-related topics. Their blog can be found at www.infosecleaders.com.

Lee Kushner is the President of LJ Kushner and Associates, an executive search firm that has been dedicated to the information security profession since 1999.

Mike Murray is an information security professional and career coach. Mike has held leadership positions in environments that include professional services, security product vendors, and corporate environments.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.