
Career management 101 for information security pros

Eight questions to help information security professionals determine if their career is on the right track.

It is your responsibility to manage your career as effectively as possible. You have to be able to continually assess your career to determine if the path you are on will enable you to accomplish your long-term ambitions. Here is a list of questions that, as an information security professional, you should ask yourself and answer honestly to ensure that your career is progressing on the path that you desire.

Question 1: What are my long-term plans?
You should have some goals in mind when you assess your current position. Career planning is important. If you have a long-term career goal in mind, your current position should be helping you develop skills that will make you qualified for the position you would ultimately like to have.

To many information security professionals, the pinnacle position is the role of CISO. CISOs are required to have many skills. Some of them include leadership, people management, a broad understanding of technical information security issues and industry-specific knowledge of the particular business that they are protecting. If you aspire to be a CISO, you should plan on acquiring well-rounded skills like these.

Question 2: What are my strengths and weaknesses?
We all like to believe that we are strong in all aspects of our career and that we do not have any weaknesses. Unfortunately, that's not realistic. We should be honest with ourselves about these items so we can make decisions to either focus on reinforcing our strengths or developing our weaknesses. Keep in mind long-term career goals when making these decisions.

You can define your strengths and weaknesses in either technical terms or business terms. They can range from technical knowledge on a specific information security topic to the ability to communicate information security requirements to non-technical business leaders.

As your career develops and job responsibilities increase, obviously it becomes more important to broaden your information security knowledge. Broadening your skills in many areas is more effective than making them deep in one particular area.

Question 3: What skills do I need to develop?
It is important to keep in mind what is happening around you in the information security industry. It is your responsibility to understand the trends within the industry and the skills that are going to be in higher demand. It is important to figure out a way to get involved in these types of initiatives so that you make yourself more desirable to your current employer or prospective ones. You should also consider which of these skills will enable you to best position yourself for your long-term career goal.

Question 4: Have I acquired a new skill during the past year?
When companies are looking to promote individuals or hire from within their organization or to acquire key talent from outside, they search for people who have skills that can address their most pressing issues. It is important to venture outside your comfort zone and accept new challenges. This type of exposure will often lead to increased opportunity.

One of the best things about our industry is that it is in a constant state of evolution. The skills that were in demand five years ago are more commoditized in today's employment market. It is very possible to accelerate your career by leveraging expert knowledge in one particular area. Some of the skills that are in the highest demand today include application security, identity and access management and regulatory compliance.

Question 5: What are my most significant career accomplishments and will I soon achieve another one?
Your career accomplishments should be easily defined, articulated and measured. As you progress in your career, your accomplishments should become less personal and wider ranging. For instance, early on you learned how to administer a firewall. You then demonstrated an ability to design enterprise-wide network security architecture.

When you are evaluating your job and your responsibilities, you should consider if you are in position to add to your list of accomplishments. Your current position should enable you to reinforce older skills as you develop new ones.

Question 6: Have I been promoted over the past three years?
Companies are always looking to find rising stars, whether they are internal or external. A history of success is a key indicator when companies are evaluating talent. If you have been recognized for your contributions, it will always bode well when you are considered for the next opportunity. If you have not been promoted, you should figure out the reasons why and if you will have the chance for more responsibility in the future.

Promotions do not necessarily always come in the form of title changes. Many people get too caught up in their job titles. For example, your title may be information security manager and you may initially have responsibility for one function and three people. During your tenure, if you still hold the title of information security manager, but you then supervise a team of 10 people, are responsible for three functions, and have received a pay increase, you have effectively been promoted. Three years is a good timetable for advancement. In most cases, if you have not been promoted by then, it may never be in the cards for you in your current situation.

Question 7: What investments have I made in my own career?
You owe it to yourself to invest in your own career. Many people only receive education, training or acquire certifications when their company is footing the bill. You should not rely on your current employer to manage your career for you. If there are certain areas that you want to pursue for your own betterment, then take the initiative to do this on your own; do not wait for your employer's invitation.

Investment in your own career does not only mean adding additional information security certifications. When you make the choice to invest in your career, do not feel limited to information security. Granted, industry certifications are well recognized and clearly illustrate a desire to develop your skills; however, it is important to look outside your comfort zone. Try to identify areas that will give you exposure to other business functions. Skills that could be useful include public speaking, project management, budgeting and resource management. For some infosec professionals, taking a course in project management would be as effective as adding another set of certification initials to their title. Sometimes it is these so-called softer skills that can make the difference between you and another person for a particular position.

Question 8: Am I being impatient?
The one constant in everyone's career is time. The more time that you are able to focus on your position, the more proficient you will be at mastering the skills and organizational challenges that you may face. The more time that you can invest in a particular opportunity, the more good things should materialize from that particular situation.

Many people are afraid that they may be missing out on a new opportunity. Some choose to manage their careers on the principle that the grass is greener elsewhere. This may provide immediate gratification, but it could result in long-term problems. It is important to get the most that you can out of a position before you consider looking for another one. Sometimes the best career move is staying put.

About the author
Lee J. Kushner is founder and CEO of LJ Kushner and Associates, a full-service information security recruitment firm. Email him at [email protected].

This was last published in June 2006
