Saturday, April 11, 2015

Think twice before pursuing a career in information security...

...not because it's a bad idea. But a little planning and introspection will go a long way toward charting a course that you'll be happy with.

Over the past few years I’ve had the opportunity to do a fair amount of recruiting and hiring, with a focus on engagement and retention over the long term. One of the great things about the job is to see people find the right role fit and really take off.

Broadly speaking, Information Security is a great field to be in. By nature of the work, it offers many of the things that drive employee engagement: job challenge, variety, and opportunities for advancement. But some of these roles can also be high pressure and require long hours. Stakeholders can be difficult at times, and by definition there are limited opportunities for visibility and recognition for the highly sensitive roles. Stress and burnout are common risks.

Recognizing and addressing these issues is a key role of management. But staff, especially new staff, should be aware of these potential pitfalls when charting their career in information security. 

If you decide you want to work in Information Security, check out these guides as they point you toward the technical skills you will need. But also be intentional about where and how you want to work. It will make all the difference in the world.

If you have a role that leverages your strengths, you’ll feel energized by the challenge, even if it's high pressure and high stress. Likewise, any role that consistently requires traits and skills where you don’t perform well will be draining and can potentially burn you out.

Nearly identical roles in two different organizations may need very different things from the person they hire. It depends on a number of factors including the maturity of the organization, the culture of the team, the industry they support, and the threat environment they face.

The best candidate for a specific job is the person whose strengths and interests align with the needs of that function, and whose attitudes, habits, knowledge and skills qualify them for the role.

Below is a high level overview of the kinds of roles that will exist in an effective security organization. It may not be representative of a specific company, or include everything that a security program does. But these elements will be present, and the level of emphasis for each category will depend on the needs of the organization:

Business Information Security Officer (BISO) - This role (not necessarily a title) is a stakeholder-facing representative of the security organization. They ensure that the capabilities of the security organization are integrated within the business. It can also include assessments of internal security projects and external vendors. Information classification, risk assessments, and prioritization of security technology deployments via an information security roadmap can also be included. This is the “sales force” of information security. BISOs learn about business goals, match capabilities to business needs, translate security requirements into business terms, win buy-in, and keep the program moving. Typically this role is more interpersonal than technical.

Security Operations - These are the request-driven functions that involve repeatable processes such as Identity and Access Management, break/fix support and exception management for user-facing security tools such as endpoint protection, device control, or data loss prevention. Firewall/VPN management can also be a Security Operations function. Some requests are simple, others can be complex. The work is process driven, and there’s consistent customer interaction. It's a mix of interpersonal and technical, but once you master the learning curve, the work can become routine. From a delivery perspective, the work is measurable, which makes it a good area for driving process improvement. Many of these responsibilities are also prone to offshoring, which means that retained roles within the organization are often specialized or involve inspection and oversight of offshore resources. Organizations that like to create a ‘pipeline’ of talent can bring candidates into Security Operations due to the (relatively) short learning curve, and then advance the high-aptitude team members who excel.

Governance, Risk and Compliance - GRC analysts help define the policies and standards that ensure internal compliance and external regulatory requirements are met. They assess the current control environment and identify missing capabilities, evaluating the risk to the organization posed by those gaps, enabling senior business leadership to decide which risks to accept and which need to be addressed. These roles are often less technical, although a background in IT Operations is very helpful. 

Cyber defense - On the surface, these are considered the “fun” roles of infosec, such as threat management, vulnerability management, penetration testing, forensic investigations and incident response. All are technical, and sometimes high stress. Long hours are common. Depending on how the roles are structured, processes can also become very routine. Except at the management level, these functions can have less direct end-user contact than BISO or GRC. Skills aside, not everyone has the temperament to really dig in on these kinds of roles and thrive over the long haul. Some organizations mix GRC, Cyber and BISO work within the same role so that the work isn't repetitive. But generally speaking, the larger the organization, the more specialized the responsibility.

Security Engineering and Architecture - In a “plan, build, run” IT model, this function does the plan and build. It can also include application security, data sanitization and other highly technical functions. This team evaluates the limitations of existing capabilities and prepares the case for adding new functionality. Once a solution is chosen, they properly size it for the environment and start the process of integrating these capabilities. They also interface with peers across the rest of IT, vendors and professional services organizations to integrate these solutions. Project management discipline is important here, along with defining and also adhering to technical standards. As with cyber defense, these roles are highly technical. Depending on how the work is structured, it can have less contact with business stakeholders than most of the other roles.

Is this everything a security organization does? No - there's a lot more that could be said about Privacy, Disaster Recovery, or other domains of information security. But as a general rule, at minimum, effective organizations contain these functions. 

In Managing Oneself, Peter Drucker opens with these 4 questions:

  • What are my strengths?
  • How do I perform?
  • Where do I belong?
  • What is my contribution?

The more you know about what drives and enables you to make the biggest contribution to an organization, the better prepared you will be to target the right roles for you. 

Two caveats:
  • Sometimes you'll have strengths that aren't needed at the entry level, but they become critical at higher levels of the organization. Be patient, work hard and grow. In basketball they say “let the game come to you.” It's true in InfoSec too. In a healthy organization, talent is a magnet for new work.
  • What if you're not sure which functional area is best for you? You may want to work in a smaller organization, or one that defines security boundaries per region. This gives you the best opportunity to sample multiple responsibilities. Another option is to network within the organization, and volunteer for cross-team projects. Explore within the organization, but don’t job-hop unless you have a good rationale for it.

With this in mind, do all the homework in advance that you can to chart the course that’s best for you. Use LinkedIn, job postings and other details to map out organizations that you're interested in. There you’ll find your best chance for success.

Best of luck!