How can IT experts make a successful move to a career in information security?
After a tough recession, information security is increasingly a tempting prospect for IT high fliers. We examine how they can make the successful transition. By Jessica Twentyman.
For IT professionals on the trail of rock-solid career prospects, information security is ‘the smartest place to be in 2010’. That's the verdict of US-based analyst house Foote Partners, in a recent assessment of IT workforce trends. Increasing regulation, fear of threats and customer expectations have combined, Foote claims, to create a ‘perfect storm’, where the profession can expect ‘steady jobs investment and career safety’.
While the view from the UK is rather less exuberant, many are also pointing to better times ahead for the profession. In its 2010 Market Report on the UK information security jobs market, recruitment company Barclay Simpson makes no bones about the hardship endured by the sector in 2009. “Information security has had a tough recession, with collapsing demand and significant numbers of redundancies. However, as the economy stabilised towards the end of 2009, the number of redundancies significantly reduced and what we hope will be an extended period of rising demand began,” the report said.
It's a situation that Chris Batten, managing director of recruitment company Acumin, is watching closely. A career in information security is still viewed as an attractive option for IT personnel, he says, and that's partly down to the higher salaries that such positions command, in comparison with other technology roles. And in the three months to November 2009, he adds, Acumin reported a slight uplift in salaries for entry-level positions. “That's possibly because companies are opting to take on more junior people and train them up, rather than pay for more experienced personnel,” he speculates.
It's an approach heartily endorsed by the founders of Security Faculty, a specialist provider of training and professional development services for senior security professionals and their teams. Paul Dorey and David Morgan, former information security chiefs at BP and Lloyds TSB respectively, claim that companies that adopt a ‘grow your own’ approach to developing security leaders don't just save time and money – they eliminate the risks associated with poor succession planning and are also likely to end up with more committed, well-rounded security leaders.
In his time as a CISO, adds Dorey, he was always keen to ‘flag’ high-performers and put them on an executive fast track, but often his efforts were met with bewilderment in other areas of the business. “I'd be asked, ‘Why would you want to develop strong executives and then confine them to IT security?’,” he says. Attitudes are beginning to change, however. “As senior executives have become more aware of security threats – and their potential implications for the business – they're coming round to the idea that you need top people in IT security roles.”
So how can security leaders spot their future successors and equip them with the skills they will need to take the reins at some point in the future? The corporate IT team is a good place to start looking, because it's there that CISOs will find people not just with a basic technical grounding, but also some exposure to, and experience of, the impact that security has on their particular domains, says Acumin's Batten. This may well have sparked their interest in pursuing a career in the field. “For example, an application developer may well have developed an interest in penetration testing, while a network engineer understands the importance of protecting the corporate periphery. Either way, information security is simply seen as one of the more ‘sexy’ areas of IT,” he adds.
But is a technical grounding really necessary for a would-be infosec professional? David Morgan of Security Faculty says it is a big help. “If you're looking for future CISOs, then they're really going to need an appreciation of the technological principles. Without that, they're at risk of being held back in the role, because they could find themselves ‘snowed’ by technicians in the future,” he says.
But technical skills are just the start, adds Dorey. A passion for the subject of security and a demonstrable capacity for lateral thinking are good indicators of suitability, too. And increasingly, security leaders should also be looking for candidates who take an active interest in the world outside the IT department, and in particular, the business world. “I like to know if they read the Financial Times or the Harvard Business Review. I want to know that they're regularly engaging in business conversations with business people,” he says.
The companies that demonstrate the best approach to recruiting and developing information security staff internally do so through a formal framework for talent management within the security organisation, according to Ray Stanton, global head of BT's business continuity, security and governance practice. This, he says, should operate at four different levels. “First, participants need to develop a basic level of understanding of infosec, through training that addresses policies, strategies and alignment with business objectives. Second, they need across-the-board technical training, such as the CISSP qualification from (ISC)2, as well as training in more in-depth areas, such as the auditing qualifications awarded by ISACA – or training in forensics for investigation. Third, they need vendor-specific qualifications in products from the likes of Cisco, Nortel and Juniper Networks. And finally, there's the whole area of broader business skills, where an MSc or, even better, an MBA, will be extremely helpful in bringing them along, both as managers and leaders.”
A good in-house talent programme, Stanton says, will take members of the IT team and transform them into executives capable of “creating value in a range of executive roles, not just information security”. Only a few companies have the resources and capacity to run such programmes, he acknowledges, but CISOs at other organisations would be well advised to take advantage of the “growing professionalisation” of information security that is gradually developing, thanks to the efforts of external industry bodies.
One such organisation is the Institute of Information Security Professionals. The IISP – which describes its purpose as ‘to set the standard for professionalism in information security’ – has recently been addressing the challenge of how to attract recruits to information security careers and to develop a training programme and career path that will be recognised across the industry, through a new graduate development programme.
“A leading CISO from the financial services industry recently described to me the challenges he faces in recruiting members for his team,” says Gerry O'Neill, chief executive of the IISP. “He said that candidates turn up for interviews with armfuls of certificates – but that it's really hard to tell whether they can do the job or not. What's needed is a qualification that sits above all that, a competence-based accreditation that indicates how good they are at putting that knowledge into practice.”
The IISP's graduate development programme offers such a framework for graduates to develop practical and transferable information security skills in the early years of their careers and the opportunity to explore potential areas of specialisation. “Just as you would expect an accountant or a GP to have accrued certain skills after their initial training, the IISP seeks to recognise career specialism after this initial training,” says O'Neill.
Historically, he says, too many senior individuals within the industry have “fallen into” this area of work, with no formal career path mapped out for them. “We aim to change this, evolving a natural career path for following generations to pursue,” he says. Participants in the programme initiate their own personal development logbook, which maps their experience against the IISP skills framework, with each area signed off by their boss. Within two to three years, that should give them a ready-made body of evidence to apply for associate membership of the Institute, and, from there, to progress onto full membership level, stages which give them the right to use the IISP post-nominals of ‘A. Inst. ISP’ and ‘M. Inst. ISP’ respectively. And prior to joining the graduate development programme, students are also able to join the Institute at a much-discounted rate of £20: “The price of a round of drinks in the student union – but they could get their first job out of it,” according to O'Neill.
Developing at every level
It's not just entry-level security professionals who are in need of careers development guidance. Among middle managers and even at the most senior levels, knowledge gaps frequently prevent otherwise accomplished and ambitious people from achieving their full potential, says Security Faculty's Morgan. “Because security executives take on such a broad range of activities these days, it's hardly surprising that even those with 20 years' experience may not be fully equipped to be a CISO. Better ways are needed of accelerating the development of these individuals,” he says.
Until such ways are adopted, IS professionals will need to “forge their own paths and shape their own destinies”, independent of their employer, Morgan says. It's a point echoed by BT's Stanton. “I hear people complaining all the time that their companies do too little to develop them. My advice would be to take more control over their own career. If they can't demonstrate the innovation, creativity and entrepreneurship to do that, then maybe they're not cut out for a CISO role in any case.”
What makes a good infosec candidate?
There's a real skill to spotting potential recruits for the information security team and it can take years of experience to refine that skill. We talked to Paul Dorey and David Morgan of specialist training and professional development company Security Faculty – both former CISOs with over 40 years of experience between them. What do they look for from candidates?
Dorey: “You can always see the ‘spark’ in people who are truly passionate about information security. If they express an interest, but there's no spark, then you need to question their motivation and suitability for the role.”
Morgan: “What I want is someone who brings something new to the table in meetings, someone who can take a problem and see a whole other angle on it that others may have missed.”
Morgan: “An information security manager needs to be sufficiently up to speed that they don't get slapped down by the CIO. But at the same time, they shouldn't be too seduced by technical-speak.”
Dorey: “Can they talk to the business about security issues, at a level that the business will understand? Are they capable of understanding the business's objectives, and creating security solutions that don't get in the way, but still give an adequate degree of protection?”
Tolerance for ambiguity
Morgan: “Perfect security is never possible, so a good information security professional has to be able to take a pragmatic approach to ‘grey areas’ and deal with ambiguity. There's no place for perfectionism on the IT security team – you want someone who is prepared to strive for progressive improvements.”
Morgan: “There's rarely any praise for getting things right in IT security, and a huge amount of criticism when things go wrong. If someone needs approval and praise, then they need to consider another career.”
Dorey: “How do they react to crisis situations? The further they progress in their information security careers, the more likely they will be responsible for orchestrating crisis-management efforts. Will they be able to cope?”
Dorey: “Can they get inside the mind of an attacker? Are they fascinated by what they find when they get inside?”
Dorey: “A good information security professional isn't frustrated by a challenge – they approach it with an insatiable intellectual curiosity and determination. The job's never going to be routine – and it's not right for someone who likes absolute clarity and working to strict goals.”
Following the paper trail
Until recently, rapid growth in demand for IS staff meant that practical experience took precedence over paperwork when it came to making recruitment decisions. These days, relevant academic and professional qualifications can be a real advantage for candidates and employers alike, by giving clearer indications of levels of knowledge and achievement.
Many universities, including Birmingham, Glamorgan, Greenwich, Royal Holloway and Westminster, now offer MScs in information security and these are “highly recommended” for would-be security professionals, says Chris Batten, managing director of information security recruitment specialist, Acumin. “These postgraduate degrees rate highly among the CISOs and CIOs we work with when it comes to considering applicants for entry-level positions,” Batten adds.
In terms of professional qualifications, some of the most popular include:
CISMP (Certificate in Information Security Management Principles)
This qualification, awarded by the British Computer Society, is an entry-level certificate for IT professionals planning a move into information security. It's also useful for IT professionals wanting to enhance or refresh their knowledge.
More information: www.bcs.org
CISSP (Certified Information Systems Security Professional)
“This is considered a bare minimum by many of our clients, especially those in financial services,” says Acumin's Batten. Awarded by (ISC)2, CISSP aims to provide a globally recognised standard of achievement. The CISSP is considered ideal for managers working towards positions as CISOs, CSOs or Senior Security Engineers. (ISC)2 also offers the lower-level SSCP, aimed at IS technicians with implementation experience.
More information: www.isc2.org
CISM (Certified Information Security Manager)
The CISM programme, administered by the Information Systems Audit and Control Association (ISACA), is intended for experienced information security managers who design, oversee and/or assess information security systems. It aims to provide assurance that holders have the required experience to provide effective security management and consulting services.
More information: www.isaca.org
GIAC (Global Information Assurance Certification)
GIAC offers certification for over 20 job-specific responsibilities – including intrusion detection, incident handling and hacker techniques – and covers four IT security job disciplines: security administration; security management; IT audit; software security.
More information: www.giac.org