- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
CSO - Today's information security professionals need to learn more swiftly, communicate more effectively, know more about the business, and match the capabilities of an ever-improving set of adversaries. But, it doesn't seem too long ago that all it took to survive in the field was a dose of strong technical acumen and a shot of creativity to protect the network, solve most problems, and fend off attacks.
Not so today. The role of the security professional has evolved beyond that of mere technical savvy, and now includes consultant, educator, investigator, and defender of the data.
To understand the traits and habits that matter the most, we reached out to a number of security professionals by phone, email, and social media, who are successful in their respective areas in the field.
If there's one thing that screamed out from the interviews it was this: security knowledge alone is only the beginning of the skills and habits one needs to succeed.
Effective Habit 1: Communications. As Branden Williams, EVP of Strategy at Sysnet Global Solutions, put it, it's the ability to translate "l33tsp34k to a P&L." Interpersonal communications is critical for security and forensics professionals for a variety of reasons; the most powerful one being self-interest. "Good communicators earn more promotions and more jobs than do bad communicators. You could be the best technician in the world, but if you can't hold up your end of a conversation about what you're doing with business people, you're not going to be asked back to the table," says Brian Martin, founder of Allentown, PA-based Digital Trust, LLC.
Communications is, broadly speaking, a challenge among many flavors of IT professionals--not just security. "My assumption has always been it's because we spent our school years learning things and not worrying about other people. There's also a tendency for people with communications issues to focus on technical challenges as a way to compensate. Whether it's language, arts, or science, the people who are very good at it have, in a lot of cases, neglected their interpersonal skills," says Martin.
Effective Habit 2: Business Acumen. Increasingly, knowing the business and how to wrangle through political challenges is just as important as technical acumen. For CSOs, it is arguably more important in terms of being able to persuade business leaders to obtain the resources you need to succeed and compromise with business leadership and the organization when necessary.
"In order to be an effective CISO, you must first understand how your organization makes money, and know the real world threats that influence sustained success. There are no magic bullets and no checklists you can implement to reduce your unique risk profile," says Boris Sverdlik, manager of product and platform security at Tagged.
One factor that is necessary for long-term success is compromise, which, essentially, means being able to help the enterprise meet its goals while keeping risks within acceptable tolerance levels. "Part of why I think compromise is such an important skill for a CISO or security professional is that many of us are trained to say 'no' on new initiatives without trying to make a pathway to get to 'yes,'" says Williams.
Williams recalled a recent conversation with a CISO at a large company in which he proclaimed to "unequivocally" ban BYOD from his organization. What the CISO didn't appear to understand was that it was happening anyway, explains Williams, behind his and the IT department's backs. "People found ways to bring certain work items to their personal devices through cloud sharing applications such as Dropbox and Evernote. The business he supported clearly had a need for some of these services, but his stubbornness ultimately led his users to work around him," he says.
Effective Habit 3: Creativity. It's no secret that the adversary is quite creative and these intelligent, dynamic, creative, and motivated attacker and security pros need those same skills to match.
In addition to defense, creativity also helps solve technical problems. For example, Williams relays the time when a client was exploring a mobile point-of-sale system to be used for sales from outside their primary place of business. "The CISO never outright said 'no,' but instead worked through the requirements of the business, found acceptable solutions that met the company's security goals, passed on some of the cost of this to the business owner, and was able to get a solution working," says Williams.
This is one example of how creative security professionals can improve their relationships with other business stakeholders and lower risk more effectively.
Effective Habit 4: Root Cause Analysis Skills/Problem Solving. According to Digital Trust's Martin, root cause analysis and troubleshooting skills are necessary because it's impossible to train for the unknown, and there will be plenty of unknowns to analyze in the typical security career.
"Nobody can know everything about everything, and there is always something new, different, or strange that comes along," he says. This is why for his practice, Martin seeks candidates who, in addition to possessing good levels of competence in security, have savvy problem solving skills. "They won't know how to solve a new problem immediately, but they'll figure it out pretty fast. This is essentially the heart of hacking; figuring new stuff out. Without the ability to think on your feet and figure previously un-encountered stuff out, how will they respond to a mysterious change in a box configuration, or the latest zero-day," he asks.
Interestingly, when attempting to get to the root cause of problems and incidents, communication and business acumen skills noted come into play and improve outcomes. "Diplomacy also can be effective in crisis or reactionary scenarios," says K. C. Yerrid, Senior Security Consultant at FishNet Security. "Consider the barriers to determining root cause for an incident. By utilizing diplomacy, personal motivations to distort the truth and protect job security or ego may be reduced, resulting in a more efficient resolution and shifting the goal of the root cause from a personal witch-hunt to a bona fide process improvement mechanism," says Yerrid.