Lee Kushner and Mike Murray
Published: 01 May 2011
Whatever the profession, people are obsessed with job titles. A job title serves as a signal to colleagues, industry...
peers, friends or your mother-in-law -- and provides a sense of status, accomplishment and respect. However, in the information security industry, your job title is probably the most insignificant component in the development and advancement of your career.
Now, we can hear the objections already. Here’s what you’re thinking:
- You worked hard for your title.
- Your title may signify a promotion or recognition of your information security contributions.
- Your title helps you get things done internally in your current work environment.
- You believe people listen to and respect your opinions based on your title.
- You have more than likely changed jobs once in your career in order to get a more prominent title.
- You may have even turned down an otherwise perfect career opportunity because you did not think the title was not reflective of your perspective of your skill.
We also know that in the world of information security career progression, the people making the decisions about selecting their information security leaders are more concerned with what you have accomplished as opposed to what you are called.
The battle for a suitable information security job title may be over before it is even fought. The primary reason is that companies’ human resources functions create and assign titles that are utilized throughout an organization, independent of function. The purpose is to maintain standards and consistency for career progression criteria and compensation throughout the enterprise. It creates order and structure, which is required in larger entities to carry out broader programs. For example, the same internal title can apply to people with similar experiences in accounting, sales, and information security. In addition, security-specific titles such as information security architect and senior security engineer are unlikely to exist formally, and are often replaced by general titles, such as manager or analyst.
Information security professionals also need to understand that titles are not transferable from company to company. Plain and simple, different companies assign different titles for the same function and level of responsibility. In one organization, the direct reports to a CISO may be titled senior director, where other organizations the title of senior director may not even exist. In addition, when you cut across industries, specific job titles carry different responsibilities. For example, in a retail or technology company, there may be a select number of vice presidents, but in a banking environment, vice president titles are abundant. When assessing a new opportunity, it’s more important to understand the responsibilities associated with the specific job title, than to mislead yourself by applying preconceived notions and branding that you have assigned to the title associated with your new role.
What will be surprising to most, is that the one place where titles have the least significance and relevance is the title of CISO. We need to accept that all CISOs are not created equal. There is a distinct difference between the job responsibilities of a CISO at a multinational financial institution, than the CISO at a regional bank. In many cases, the title of CISO is one that is an external facing title, assigned to the top ranking information security professional, as opposed to by the corporate definition’s and responsibilities assigned to the other officers of the company. Like in other subordinate roles, leadership of information security functions require different skills and come with different responsibilities, depending on industry, organization size, budgets, and business problems. Many believe the CISO title is transferable, and its designation serves as an automatic qualifier for other CISO opportunities. This is simply not the case.
When companies search for a CISO, their main selection criteria is relevant work experience that can transfer quickly to their environment. As the companies go through their vetting and selection processes, they are trying to eliminate as much risk as possible when deciding on a person for that role. The best way for them to place their mind at ease is to find someone who has solved the same problems, and can demonstrate that skill; initially on their resume and subsequently during an interview process. If an information security professional is capable of doing this, it is more than likely they will have the opportunity for consideration. A corresponding job title could be a differentiator, but if you are a strong communicator, the lack of a corresponding title will not be an impediment.
For example, if a company is trying to formalize an application security function, the primary skill they would search for would be proven leadership experience, subject matter knowledge in application security, and experience in a similar sized work environment. Information security professionals who hold job functionalities that include senior security engineer, lead software developer, security consultant, or leader of application security would all be viable. The company would then need to conduct an interview process where they could compare skills, assess value, and determine cultural fit to arrive at their selection.
The key to driving your information security career is the continued development of your professional skill matrix, not the accumulation of fancy titles. It’s your job to uncover situations and opportunities that will enable you to leverage your current professional strengths. By doing this successfully, you should be able to create opportunities that will enhance your work experiences and provide you with the ability to accelerate your career. Through the repetition of this success, solving complex problems and making measurable impacts to your employer, one day you will achieve a title that will make your mother-in-law proud.
Lee Kushner is the president of LJ Kushner and Associates an information security recruitment firm and co-founder of InfoSecLeaders.com, an information security career content website.
Mike Murray has spent his entire career in information security and currently leads the delivery arm of MAD Security. He is co-founder of InfoSecLeaders.com where he writes and talks about the skills and strategies for building a long-term career in information security.