How to get promoted in IT security

Not only has landing a job become more difficult; it’s also getting harder to get promoted once you have the job. Here are some tips for getting ahead in today’s competitive, cutting-edge world of IT security.

1. Make your company look good

Raise the profile of IT security within the company
Some departments within your company will have a higher profile than others. This is often just because of the nature of the departments’ personnel. The sales team is a good example because they tend to be extroverts and geared towards self-promotion. Make sure that the job the IT security department is doing is publicised within the company. This means that simple things, such as the new software which has been deployed to make the company safer or any new staff who are being hired with particularly good backgrounds or who have been poached from “big brand companies”, should be publicised in the staff newsletter, round robins, e-mails and by talking to the big boss when you happen to bump into him.

Make it harder for information to leak out of the company
It was the case until only recently that information within most enterprises was kept within silos. The advantage was that information was on a “need-to-know basis”. It became apparent, however, that a drawback was that information was being withheld from other departments that needed it. As a result, silos have dissolved in many organizations and new flat management structures enable information to flow across the entire enterprise.

However, with so much sensitive data accessible to so many people, suddenly you face a greater risk of damaging breaches and are vulnerable to greater data losses when a breach does occur. That’s why it’s essential to maintain silos for your organization’s most sensitive data, yet ensure that you can give access to those who need it.

Keep your company out of the news
It seems like hardly a day goes by without a data breach making the news — be sure that your company is not making the headlines for all the wrong reasons by doing everything within your power to protect your data.

Always remember that proper IT security involves multiple layers of protection. Ensuring that the perimeter is secure is not enough. You will have to make sure that all employees are fully trained and that their managers are not allowing bad practices such as sharing passwords. “Super users” with heightened privileges should be audited and delegated through a privileged identity management system to regulate who can access those powerful logins that grant access to an organization’s most sensitive data.

Make sure your company passes its IT security audit
Senior management may simply assume that the organisation will pass its IT security audits. Failing to do so will take up management’s time in planning remedial action, not to mention untold hours of additional work for IT staff.

Start preparing in advance to make sure that your audit is passed first time every time with flying colours. Meanwhile publish internally the details of all data breaches and gaffes you find by those in your industry. Never gloat about competitors’ missteps, but rather make sure that the staff follow your simple rules and that management knows you’re establishing the right processes for the benefit of the organisation. Your validation of continuous compliance can be the IT audit – organised by you!

Make sure the organisation is compliant with all relevant and updated government, federal and international laws
This is becoming more and more important, particularly as organisations such as the European Union Commission plan to hit enterprises that suffer data losses with huge fines. The IT security landscape will soon be one where breaches are not purely just a PR disaster, but a financial disaster as well. Your job, as well as your promotion, depends upon steering clear of this elephant trap.

Be aware of your internal PR
Run your own internal PR campaign. This is not as bizarre as it sounds. If organisations have to run PR campaigns to get themselves known in the big wide world, then you should do the same to get noticed within your own organisation. This means capitalising on every time you speak at a seminar, an internal event, a sales conference or a presentation in front of the company.

Also, keep your boss up-to-date about IT security trends with clippings and snippets from recognised news outlets — make sure you do this as they happen.

Talk to the marketing and public relations people in your organisation, learn from them and make sure they are aware of you and what you are doing. They may ask to use you as a spokesperson, but tactically you may want to put forward your boss as a spokesperson. It is important to build your profile outside of the organisation so make sure that you use LinkedIn and other business networking sites.

2. Make your boss look great

Keep to your budget
Budgets used to be more flexible. Today, in this era of extreme bean counting when accountants rule the world, budgets are absolutes. Quantify what you are delivering: how IT security is making a difference to the bottom line of the company. If IT security isn’t seen as a strategic asset then you could face a battle for resources. More importantly, you will not be seen as a leader who has taken these questions into account.

If you can communicate how the IT security staff are delivering hard value, your boss will look good to the bean counters and shareholders. There are no exceptions to this rule.

Make sure your boss is recognised as a leader as opposed to a manager
To get ahead, one has to be seen as a leader. What better way to get ahead than to help your boss look like a leader too? After all, she may take you in her wake as she goes up the organisation. Make sure your boss knows if there are any IT security traps in the organisation, for example software and hardware default passwords left unchanged.

Maintain an IT security calendar for your boss so that she knows when big events are occurring and is not caught out by her management when asked about them.

Help your boss to make IT security a board level issue
To most corporate boards, IT security is purely a function such as HR or payroll. Making them realise that IT security is an enabler of a fit business will require you to arm your boss with the necessary articles from the trade and national press which highlight the business benefits of IT security, particularly those processes which keep the organisation innovating and seen as a leader.

3. Think like a CFO
IT is an expense, but the benefits may include the reduction of real risks.

It is essential that any security implementation takes into account the cost/benefit analysis required by the CFO to show that you are using the company’s money efficiently, and that you are also making effective decisions to protect the corporation as a whole. You must show a keen understanding of the potential losses vs. the costs of mitigating those losses in advance, and be able to present a business case that makes sense and has a compelling ROI compared to the status quo.

Also, consider switching the company from point-in-time compliance to a continuous compliance strategy. By doing so there is no longer a need to prepare for an audit, since every day is audit day.

Try to embrace the findings of the auditors and show how their expensive services can be used to make the company more secure. Getting the auditors on your side and willing to promote you and your organization’s adoption of best practices can provide top corporate-level visibility. Auditors can be your friends if they know what they are doing and can point out not only problems, but also solutions that are practical. Remember that the next people the auditor speaks with will be the C-level execs as well as the CEO.

4. Improve the education of your organisation’s staff
Consider doing an internal IT security bulletin for all staff with handy hints on password management, how to spot dangerous emails, etc. Ensure that management and the board know you are behind this.

Do a series of lunchtime seminars to educate the staff on IT security. These can be done on staying secure online and similar topics that could be useful to employees at home, as well as at work. If staff find your seminars useful at home they are more likely to value you.

Share your knowledge about IT security with the staff when problems arise — you could set up an intranet page which draws attention to current phishing e-mails, or the problems of shared privileged account passwords and the remedies.

Finally, there is no substitute for real integrity in any profession. Those who get to the top are those who a) have drive and enthusiasm and b) do everything with integrity and in the interests of the organisation and its staff, without compromising or taking shortcuts.