Information Security

Defending the digital infrastructure



Three hazards to avoid in planning a career in information security

Building a career plan just might lead security professionals headfirst into some dubious challenges.

As you develop your information security career plan, you will be challenged to honestly assess your skills and figure out ways to develop your weak points. Along the way, you will be forced to make decisions that may accelerate or hinder your pursuit. It is important to avoid some planning hazards that could divert you from your desired career goal. Let's look at three.


In order to achieve your career goal, you will most likely have to pursue opportunities outside your current work environment to gain valuable experience or build new skills. When you refer back to your career plan, you should already have an idea of which skills are important to develop. Keep in mind that the primary goal of switching positions is skill development, not the other things many information security professionals expect to come with a new position: more money and a flashier title. Many fail to recognize the opportunity for skill development a new position provides, or accept an inferior position that diverts them from their original reason for switching roles.

It is true that additional money will make your life easier, and a flashier title will impress your mother-in-law, but at the end of the day both are secondary to your long-term goals. For example, when a company offers pay that is above the market rate for your skills, there is usually an urgent need to complete a specific task. They are hiring you exclusively for your current skills, and may have no interest in helping you build the skills that are important to you.

If you are entertaining such an opportunity, it is critical to ask the prospective employer about your career path and personal development during the interview process, to determine whether your expectations align with theirs.

Titles are generally more important internally than externally, because they are not standardized across industries. Titles can be significant if you are changing positions within the same industry, such as financial services. Many financial services firms use standard titles with similar skill requirements attached to them. For example, if you were a vice president of information security at one firm, you would not want to accept a role at another financial services firm as an associate. Conversely, you should have no issue accepting a position at a non-financial services firm with a title of manager, director or senior director.

Always keep in mind that when you are looking for your next role, your future manager is likely to care more about what you accomplished than about your title.


In addition to developing information security skills within our work environments, we have to select meaningful career investments to augment our professional development, such as advanced degrees, certifications, and technical and non-technical career development. Any meaningful career investment traditionally costs a significant amount of money and requires a great deal of time.

It is natural to want a quick return on our investments, and our expectation is that our employer will place a value on the credential and recognize the achievement with either a promotion or an increase in responsibility. Unfortunately, many organizations do not recognize that value in a way that aligns with the information security professional's expectations. In these cases, job satisfaction will most likely decrease, and it may cause you to begin looking for another position. This is a huge mistake.

It is important to think logically about the situation and gain perspective. When you make the decision to pursue a major career investment, the purpose should be for your long-term benefit, not the immediate impact.

A significant career investment (such as a master's degree) is something you will carry throughout your career, and the benefit of that knowledge will show up in your daily performance. It is logical for your company to evaluate your performance and measure your impact on the information security function after you have earned the credential. Hopefully, you will be able to demonstrate specific aspects of your professional development that inspire your employer to advance your career and give you the type of responsibility that brings you closer to your career goal.

Keep in mind that it is not wrong to expect a return; however, it is critical to manage your expectations about how long it takes to create this impact.


In assessing current skills and abilities, it is very easy to figure out what we are good at and what comes naturally to us. It is far more difficult to come to grips with our weaknesses. However, when determining your strategy for planning your information security career, it is more important to face your deficiencies so that you can eliminate obstacles.

One key strategy is to leave your comfort zone and place yourself in situations that will force you to develop new skills. Granted, this is much more challenging than sticking to what you do best; however, in order to achieve great things, you have to be prepared to accept great challenges.

For example, if I knew that my skills were in technical areas and I struggled with presentations and public communication, I would find opportunities within the context of my position to develop presentation skills. One step would be to start a lunch-and-learn program, presenting information security topics to your technical team in an informal setting with your peers. Once you felt comfortable with this, you could volunteer, as part of a security awareness program, to speak in front of diverse internal groups in a more formal manner. If you continued to improve and felt comfortable, you could apply to present on a similar topic at a local chapter meeting of ISSA, OWASP or ISACA.

Depending on your commitment and aggressiveness, this process may take between six and 18 months. At the end of it, however, you will have addressed the deficiency and, hopefully, transformed it into a personal strength.


Your written career plan should be used as a guide as you make decisions about the direction of your career. Keep in mind that when you are called upon to make these decisions, you are not going to be correct all the time. You should not expect perfection, and you should not second-guess yourself if a decision does not turn out the way you planned. As you face these choices, use your internal compass as a guide and focus on your desired outcome. Whatever decisions you make, right or wrong, make the most of the impact they will have on your career. If you do so, you should be able to avoid any pitfall or hazard that comes your way.

Lee Kushner is the president of LJ Kushner and Associates, an information security recruitment firm, and co-founder of, an information security career content website.

Mike Murray has spent his entire career in information security and currently leads the delivery arm of MAD Security. He is co-founder of where he writes and talks about the skills and strategies for building a long-term career in information security.
