
Strategies for landing a security management position

In this SearchSecurity.com Q&A, identity management and access control expert Mike Rothman unveils the best practices for landing a role in the security management field.

I am a Certified Ethical Hacker (CEH), but cannot get a job as a security officer. I also have a Masters Computer Diploma. What strategy should I pursue to land a security management position? Should I get a CCNA or CCSA certificate?

Management is not a technical skill, so you might be moving in the wrong direction. Having technical competence is actually a small part of being a security officer. The role I call "CSO Next" requires a new set of skills -- presenting, selling and ultimately understanding the ramifications of security to your business.

Let's discuss each of these ideas in turn. The most important skill a senior security officer needs is the ability to work with their peers on the senior team, meaning they have to be more of a businessperson than a technologist. Security officers must assist the employees in charge of the operation in order to understand the impact a security risk can have on the business. This has been a major focus of my research, culminating in the publication of the Pragmatic CSO, which details a new approach for the business of security management.

Talking about hackers and crackers and other attack vectors will go over like a lead balloon. These folks are all about business and want to see what kind of security program is in the works. How do you define success? How are you going to get there? What milestones are you using to ensure progress is being made?

Every VP of operations or general manager runs his or her business according to a plan. They are accountable for all commitments and must frequently report progress in an understandable and meaningful manner.

As such, an ethical hacker certification is not sufficient. Although you know how to think like a hacker, you have little experience as a businessperson, which is imperative when planning a career in security management.

So I'm of the opinion that a certification like CCNA or CCSA won't be very useful in landing a role in security management. I would do a couple of things if I were you. First, I'd learn as much about my business as I could. A good way to do that is to try to find a mentor who understands the business, who can teach you how it works. Finding a well-placed mentor will also give you more visibility in the organization.

I'd make sure I was a clear and effective communicator and writer. Maybe that means joining Toastmasters and/or taking a writing course. Communication is one of the most important skills a CSO has, so invest in making sure you can do that effectively.

This was last published in July 2007
