Sports have simple black-and-white ranking systems, which make them easy to enjoy and understand. One needs only turn to the sports page on any day of the week to see that the Yankees are in first place, that Florida is ranked atop the Top 25 college football teams and that Peyton Manning leads the league in touchdown passes.
But when it comes to getting a job or a promotion, these are the types of highlights that managers look for. So, absent a concrete ranking system, information security pros have to find ways to stand out. This is what's called creating a personal brand.
The paradox of branding is that we're all known for something, regardless of whether we take control of that brand or not. Just for a second, think about what you know the following people for:
- HD Moore
- Bruce Schneier
- Dan Kaminsky
- Kevin Mitnick
Each of those guys is known for something, whether it's exploits, cybercrime investigation, social engineering hacks or just being a general security guru. And, in most cases, they made an effort to become known that way, and it makes them top of mind when searching out a particular skill set. If one was looking to hire a social engineer, for example, there's no doubt that Kevin Mitnick's name would at least come to mind. This is the advantage of creating a personal brand.
Your brand requires three components: your experience/qualifications, your public demonstrations, and your network. Of the three, most security professionals focus on the first and exclude the second and third.
Experience and qualifications
All information security pros understand the need for qualifications. That's the reason that the information security certification industry is a multi-million dollar per year business. And many in the industry spend a huge amount of time upgrading skills, taking training classes and working to ensure that their resumes illustrate just how qualified they are.
Unfortunately, resumes are a self-produced description of a person's skills. In order to become known for something, you can't just say that you're good -- you have to prove it. Many security professionals hope that certifications will provide an indication of their competence (and, indeed, that's the idea that certification vendors market to us). As most of us have learned through experience, however, just having a CISSP or CEH or SANS certification does not an information security professional make.
Thus, the second major step in creating a strong personal brand is to demonstrate your skills. For many in the industry, this takes the form of public demonstrations, such as speaking at a conference or writing a paper, article or blog. We all get to know those who speak repeatedly at conferences (and, indeed, the professionals mentioned earlier are all people who built their brands through this method).
Not everyone is a great writer or speaker, however, especially in the security and technology industries. And most who advise on personal branding leave people who aren't comfortable in front of an audience, or who don't enjoy writing long articles, out in the cold. But there are other ways to stand out.
We all know of someone in our network who is incredibly skilled but doesn't do a good job when writing or speaking. How did they demonstrate their skill? Most often, they have worked to help solve a problem, or offered one-on-one advice. Or they provided an intelligent opinion on a topic that you cared about.
This is the most effective alternative method of creating a brand -- getting yourself known by members of the industry for your skill. Getting out there can take many forms: attending local meetings (e.g. ISSA, CitySec), participating in bulletin boards like the Ethical Hacker Network, the Security Catalyst Forums or ITKnowledgeExchange's Security section, or spending time talking to other security professionals on social networks like Twitter, LinkedIn or Facebook. (Note: See last month's column for some ideas on using social networks to build your career.)
When it comes to brand-building, it is essential to build a network of people who share your profession and have similar or complementary skills. If your goal is to be a penetration tester, spending time talking and "hanging out" with the best penetration testers in the world will make you more effective.
The concept of spending time with people who are known for what you are known for implies the idea of focus: when selecting a brand, strive to be known for something. Think back to the names we suggested earlier: each of them is known for a single thing, whether it is Mitnick for being a social engineer, Kaminsky for being a network (or DNS) hacker and Schneier for being a security philosopher.
In order to figure out what group you want to "hang out" with, you have to decide what group you want to belong to. And that will allow you to brand effectively.
While we don't have the "Top 25" ranking, our industry functions on the same principles. If a manager is looking for a great security professional, they ask the great security professionals for a reference. This is where branding comes in. Certainly, you need to spend time polishing and honing your skills. But, beyond that, you need to demonstrate those qualities to an audience, and spend time with others who are known for having those skills.
About the authors:
The columnists, Lee Kushner and Mike Murray, bring with them different perspectives on career related topics. Together Lee and Mike have advised many information security professionals in various stages of their career development and are regular speakers at industry conferences on information security career-related topics. Their blog can be found at www.infosecleaders.com.
Lee Kushner is the President of LJ Kushner and Associates, an executive search firm that has been dedicated to the information security profession since 1999.
Mike Murray is an information security professional and career coach. Mike has held leadership positions in environments that include professional services, security product vendors, and corporate environments.
This was first published in October 2009