“If you do not see the way, you do not see it even as you walk on it.” (Zen Koan)
Huddled over a drink at the Appelmans Brasserie (and Absinthe Bar – plus, they have free Internet access) in Antwerp is a good moment to think about one’s past career. (I recommend a different drink when contemplating future plans.)
My “real” career in Information Security started less than a decade ago. At the time, I was hired into a role as IT Security Manager on the grounds of technical expertise. I had had little formal training in IT Security or managerial matters, but figured I was up to the technical side of the job and certainly had very concrete ideas on what needed fixing. Although my university degree is in natural sciences, it has provided me with a good foundation for a career in IT. Yet, at some point I felt that formal qualification of my expertise, knowledge and skill was needed. I decided to acquire a security certification, in particular the CISSP (Certified Information Security Systems Professional).
Even though CISM (Certified Information Security Manager) was not yet available at the time, I’m not sure it would have changed anything. I went for the CISSP certification because it offered the best match for my role and it was the most widely accepted. Plus, from what I had heard among my peers, it was on its way to become a de-facto requirement for Information Security practitioners.
When I started studying for the exam I had two main motives:
- I wanted an independent confirmation and assessment of my skills. In my company, I was seen as the key point of reference for questions on IT and Information Security. I felt an obligation to my employer to verify that my skills matched market best practices.
- I saw a need to improve my employability. I was approaching a point in my career where it would be appropriate for someone else to take over my responsibilities, injecting new ideas and new energy, setting some fresh initiatives where I had seen no priority, and maybe coming back on certain compromises.
Suffice to say, obtaining the CISSP proved to be straightforward. I mean this as an encouragement to all of you who are contemplating taking the test. Go and do it, as an investment in your own future. As the name implies, the CISSP certification is IT Security focused. Becoming a CISSP will not magically turn someone into a security expert, though. CISSP demonstrates you’ve got the basics of your profession right. That’s a lot, but it isn’t everything. Your experience is what will differentiate you.
From technical to managerial
As I quickly learned, technical proficiency alone can be deceptive. This will not come as too much of a surprise to those who have ever had any type of security-related role. It helps to be technically proficient (and for a long time that was a basis I could always fall back on), but acting as a technical expert did not get me ahead of the game in my role. Corporations will function or fail on a managerial level and that is true for the security, risk and compliance field as well.
But what can one do to change the perception of security as a technical problem? It has long been my conviction that in order to induce change in others, it is yourself who has to change. As a personal career decision and in order to be successful in my role, I decided to leave technology alone.
This can be surprisingly hard and to be honest, took me several years and one new employer (I’ll leave it to debate whether I’m quite through with it). It implies repositioning yourself and your role within your organization. It can be even harder to suppress your knowledge of solutions (which may still surpass your peers’ and subordinates’) and accept that from now on you will delegate technical problems in order to gain a comparative (and sometimes a competitive) advantage.
Focusing on management is certainly worthwhile and it can be fun to learn. Shortly after it became available, I obtained the ISSMP (Information Systems Security Management Professional) concentration on top of my CISSP certification. My motivation for this was different from the first time around. I no longer felt I had to prove anything to myself or others, but I wanted to use the Concentration to position myself within the field and increase the profile of my personal brand.
The public and private sectors put IT Security on top of their agenda these days, and, as a result, the IT and Information Security job market is growing. At some point though, the market will saturate as businesses seek to curb their investments, security services become more standardized and IT as a whole moves to a more service-oriented business model. Is your career strategy ready?
From my own experience, I see a certain logical sequence of actions in career progression:
- Novices probably should aim for at least one type of formal qualification. Be it CISSP or something else, it will be your key to unlock the IT Security market for you, and in the near future may become a formal requirement for the more senior positions. Start networking. If you do have a technical background, aim for managerial courses and possibly mid- to long-term for the proverbial MBA (Master of Business Administration).
- Experienced practitioners need to consider the direction in which they want to develop themselves. Get an advanced degree but stay focused. Are you a jack of all trades and a master of none? I hope not. If you haven’t built a good network by now, it’s high time. It doesn’t matter so much where you get your benchmark from as long as you are in touch with your peer group. It will gain you a reference point and keep you sane.
- Senior IT Security people, you may be on top of your game but do you have an exit strategy for when the market matures? Will you be able to defend your role against younger incumbents? At what level can you function as a line manager or in another staff function?
You have all the qualifications you will need and you will have built a strong network. It will be hard for you to bid good-bye to it all, but brace yourself for moving on. Be prepared to prove your value, your proficiency and your potential definitely at every point.
In a nutshell, build your career plan on your strengths and ambitions. Decide early on whether you want to be a top expert or a good manager and stick to your strategy. Adapt and maintain it with reason, and don’t confuse hedging your bets with keeping all options open. Progress requires focus.
On a related note, make a conscious decision to stay open-minded. More important than climbing the ladder fastest is the ability to grow as a person and take new perspectives.
The hallmark of a true leader is not just the ability to influence, but openness to learn from others. Good luck!