To complicate things further, information security professionals have to be concerned with the way each career investment affects their personal brands. Pursuing career investments that seem contradictory to long-term career goals can send future employers mixed messages. An example of this would be obtaining a doctorate in a technical area of study but pursuing a job that manages governance, risk and compliance (GRC). While there is no question that a doctorate is a well-respected credential, such a degree is more suitable for those seeking a technical or scientific position. A law degree could be a more appropriate credential for someone seeking GRC positions, considering the relevance of the subject matter.
Always remember that any career investment should be included on your resume, and, at some point during a job search, you may have to explain the logic behind the credentials you've accumulated.
Of the many questions we've answered regarding career investment strategy and selection, we have come up with three specific guidelines that should be able to help provide some assurance as you determine your personal information security career path investment strategy.
Rule 1: All career investments are worthwhile, and are time and money well spent
Plain and simple, investing in your career is a good strategy for advancement, no matter what investment you select. Many times, information security professionals get caught up trying to figure out a magic bullet for success, and believe the pursuit of the one right investment will automatically propel their career to greatness. The reality is that sometimes the desired result of a career investment -- such as a promotion or higher compensation -- may not be realized for some time, if at all. However, a consistent pattern of diverse and well-aligned career investments should allow you to demonstrate your initiative and personal commitment to your professional development in a way that will be recognized and respected by both your current employer and future ones.
Rule 2: You traditionally get what you pay for
When deciding upon information security career investments, many people follow the pack and pursue credentials that are commonplace and widely held. While these investments won't hurt your resume, it is illogical to expect great things and maximum impact from them. The best example of this is the CISSP, the most popular industry certification. While there is no doubt that the CISSP is valuable, well recognized, and requires a breadth of knowledge and experience to achieve, more than 70,182 information security professionals currently hold certifications from (ISC)2, including the CISSP. Considering its popularity, it's hard to believe it still acts as the differentiating credential it once did.
Career investments that are difficult to achieve -- have high barriers to entry and require a significant commitment to complete -- generally will have greater value and more effectively enhance your brand. The best example of this could be an MBA from a top-tier program or an Ivy League school. Generally, senior audiences are business audiences, and such a degree is more widely understood and respected by business and technology leaders.
If the cost or time commitment required for an advanced degree is prohibitive, you can look into taking a leadership training course or seminar from a local university. Granted, it will not have the same level of impact on your career as a degree, but it could represent solid value.
Rule 3: If you do not invest in your own career, do not expect anyone else to
One of the prevailing attitudes of information security professionals over the years has been that it is their employers' responsibility to provide them with necessary resources for career investments. Although there is little debate that having an employer who understands the value of training and certification is a benefit to your career, it is quite possible that your career aspirations will not align with your employer's view of how your career should develop. Quite often, an employer will select a training program geared toward the implementation of a vendor-specific security technology that may pigeonhole you, as opposed to helping you learn a broader and more useful security concept. Still others may not offer any training, due to the overall economic environment and changing business priorities.
By letting your employer dictate and pay for your professional development exclusively, you surrender partial control over your career. Budgeting a certain portion of your compensation every year to your professional development -- utilizing the same discipline that you apply toward saving for your retirement -- enables you to better plan and execute on your career investment strategy. This enables you to map out a disciplined, long-term strategy that you can effectively leverage toward the achievement of your personal career goals.
In the future, a well-executed career investment strategy will become more important, as companies select their information security leaders based on what sets them apart from the crowd. It is important to develop a personal career development strategy that aligns your career objectives, resume, and professional goals and aspirations. Although there are no guarantees, utilizing logical guidelines for the selection of these investments will better position you in the information security employment market of the future.
About the authors:
The columnists, Lee Kushner and Mike Murray, bring with them different perspectives on career related topics. Together Lee and Mike have advised many information security professionals in various stages of their career development and are regular speakers at industry conferences on information security career-related topics. Their blog can be found at www.infosecleaders.com.
Lee Kushner is the President of LJ Kushner and Associates, an executive search firm that has been dedicated to the information security profession since 1999.
Mike Murray is an information security professional and career coach. Mike has held leadership positions in environments that include professional services, security product vendors, and corporate environments.
This was first published in October 2010