It's not news that the economy is struggling, but how can infosec pros position themselves to make it through the current economic storm and come out stronger on the other side? Sara Santarelli gives her advice on how to advance your information security career and what to do if you lose your information security job.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies.
What is your best advice for infosec pros on how to weather the economic storm and advance their information security career?
Sara Santarelli: It is a very difficult time right now and I know talking to my peers everybody that seems to be struggling with this issue, and what I'd like to say is do your homework. I know in times when it gets a little tight I think you have got a couple options in front of you. One can be just to sit back and complain, "Oh my gosh, what am I going to do? I can't get the money!" The other thing can be to really step back a second and go back to the basics; understand a couple of key elements if I might, where are your assets? Yeah, I know that kind of sounds like a 101 for security, but you would be surprised how many folks I talk to that are not quite sure where their assets are, and once you know where they are, what's on them? You know it's really important in tight economic times that if you only have, let's say ten bucks to spend today, that you spend it in the most cost-effective place where you can get the biggest bang for the buck. So if you know where that server is, for instance, that has your PCI data on it, number one, you know that's a target, and you know that people want to get inside your network to find that data because they can sell it on the black market. So take that money, understand where the assets are and spend where it makes the most sense to do so.
Is compliance a good reason to use when trying to convince executives to spend money on security?
Compliance is something that is certainly very important. You know, executives are required to sign off for things like Sarbanes-Oxley; we have auditors that are coming in for PCI, many of our customers want to audit us to make sure our security controls are in place, but I'd like to suggest that security today is moving beyond just compliance. It's about information risk management, looking at the business end-to-end in full context. Certainly compliance is one of those elements, but I would argue that we need to move beyond just compliance and step up and build our security programs in an age of risk management for end-to-end view of risk business.
What's your advice for a pro that has lost his/her information security job?
It's funny you asked this question because I just had a meeting with a fellow that recently lost his position last week and he kind of reached out from a networking position, and it may surprise you what I told him. I said there's two things I would offer to him to do during this time: You know jobs come and go, but your dreams, your passion it lives on with you your whole life, and the first thing I said was, live your passion. You know I think we get so caught up in the moment: "Oh my gosh! You know I just have to spend all my time day and night looking for a job." A lot of this right now, due to the economic conditions, is a bit outside your control. So, you know, carpe diem; grab the day, do the best you can to keep your passion alive. You don't want to get bitter; you want to make sure you are in a very positive situation. And number two, do your homework and study, because I got to tell you this information security, network security business we are in is a rocket ship -- it changes every day and every night, so make sure you're studying and you're doing your homework, you're keeping those skills hot, and there's a lot of ways you can do it. One suggestion that I gave this individual is broad industries all over, you know the recession is hitting some harder than others but everyone is feeling some impact. There are a lot of opportunities to volunteer, particularly in the areas of education. Our education systems really need people who are good, skilled and talented security professionals and they can't always afford them, so if you got your passion and you're trying to seize the moment and not worry so much, but yet at the same time doing your homework and helping other organizations that can perhaps need some influx of security knowledge and expertise, I think you are going to be okay.