Dear InfoSec Leaders:
I am a consultant for one of the leading security vendor's GRC products. I help customers set up their compliance programs with the GRC product as the backbone. I've been doing this for about four years, and I now feel it's time for a change. My career goal is to become a CISO; however, I have two very different job opportunities and would like your thoughts as to which one aligns more closely with my goal.
The first is a product manager with the same vendor for the same product. The position will give me immense exposure to senior security management professionals across all of the vendor's customers. It will also help me gain a better understanding of infosec pros' GRC efforts and pain points. The second position is a security architect with a large retailer. This team has been recently formed in the organization and could possibly give me exposure across different security areas beyond GRC. Both these positions have pros and cons: for example, I'm not sure if staying with a vendor is a good career move or if the other side of the table is a better option. As you can tell, I have a lot of questions and very few convincing answers. I'm not sure if I should specialize in the GRC space (via the vendor) or gain exposure (via the security architect position) to promote a more holistic view of security.
I'd appreciate any words of wisdom you can send my way.
“Fork in the Road”
Before we start, please understand the advice we are giving on choosing between job offers is based exclusively on the information you have provided to us in your note, and we do not have any additional background.
Based on your career goal to become a CISO, we believe that, of the two security career opportunities, it would be best for you to leave the product arena and accept the job as an information security architect with the large retailer that has recently formed its security team. Our answer is based on the following reasons, in order to coincide with your long-term career goal.
- The group is newly formed. The first thing that comes to mind when we hear this is "opportunity." Newly formed information security functions generally provide environments for information security professionals to leverage their current areas of expertise (in your case, GRC) and to develop broader skills in other areas. The biggest mistake many infosec pros make when entering into an organization in this state, however, is to limit their contributions to their job description: an opportunity like the one you described could provide you with the framework to push yourself to develop new areas of expertise, as opposed to limiting yourself to the world of GRC.
- Retail experience should be valuable in the future. Due to the importance of PCI DSS, many retailers and e-tailers are placing increased emphasis on and dedicating additional resources to information security programs. Currently, many retailers are not requiring retail IT experience for security employment; however, this will most likely change in the next few years. As information security becomes more important to the retail industry business culture, having this industry knowledge as part of your skill matrix could become a differentiating factor when looking at the next step in your career.
- Product management experience is not required to become a CISO. There is no doubt that working as a product manager will help you develop skills that could be advantageous as a CISO, including customer skills, presentation skills, sales skills, market knowledge and subject matter expertise. However, when making a transition to a CISO career path, you will encounter people in the hiring process who will have built-in prejudices against hiring candidates for higher-up positions who come from the product/vendor side. To directly transition from product management to security officer, you would have to find yourself a forward-thinking CISO who would value this experience and believe that the skills of a product manager would directly translate to their environment. It's likely, however, that if you remain a product manager, you will eventually have to make the transition to an internal infosec role (such as an architect), so why delay? You have the opportunity in front of you: now is the time to determine if transitioning to a corporate information security function is right for you.
Again, our advice is based exclusively on the information you have provided from your note, and on our general understanding of the industry.
Good luck in making your decision.
Lee and Mike
This was first published in August 2011