Lee Kushner, president of
LJ Kushner and Associates
Information security is quickly becoming a popular profession. As our industry continues to grow, more and more professionals are choosing traditional certifications as a way to signal to their employers that they are qualified professionals. However, as the number of certified professionals continue to grow, their market value can't help but become diluted and diminished.
Where these traditional certifications used to be a key differentiator, they have quickly become a mere baseline for inclusion. To emphasize this point, when companies are searching for key information security leaders, it is more than likely that all of the candidates for these roles have at least one recognized information security certification. In addition, these certified candidates are also competing against a talent pool whose work experience and external brand may be more powerful than any combination of letters that reside after their name.
Information security certifications definitely have value in today's employment market, however, they are no longer a prime factor in the acceleration of a career. Many professionals have fallen into this trap by thinking that their industry certifications alone will enable them to surpass their peers as they strive to become leaders. In both today's marketplace and the marketplace of the future, it will be increasingly important for information security professionals to differentiate themselves from their peers – who are, effectively, the competition.
The one sure way to do this is to execute on meaningful and strategic career investments. A career investment can be defined as any additional undertaking that will help you acquire knowledge, build credentials and gather skills that you can demonstrate and use in your work, and during an interview. Traditional investments like reading books and earning certifications are quite commonplace, while things like advanced degrees, leadership training and presentation skills are a bit more unique. The key thing to keep in mind is that by demonstrating a consistent investment in both your personal and professional development, you send a very powerful message to your current employer (when applying for a promotion) or future employer (when competing for an external role).
Any investment in yourself and your career is generally money well spent. Plain and simple, you can never go wrong by getting smarter. When deciding on any career investment, the pursuit of knowledge or skill should be the main driver – the acceleration of your career should hopefully be a byproduct of that knowledge. People who invest in themselves because they think the achievement of the investment will equate to career success (money, promotions and more) are often disappointed.
You always get what you pay for – there are no shortcuts. There are generally two costs to career investments: time and money. Generally speaking, the greater your personal commitment to achieving the investment, the more valuable the investment should be to your career. It is logical that if you commit two years to attending an executive MBA program that has a high standard for admission, you should receive more external value than if you take a technical course that is sponsored by an information security product vendor.
It is very important to understand that the brand of the investment is extremely important as well. When you let others know you have accomplished something, you would like them to be impressed. For example, think if you were in a position to hire someone and you could only interview one person. Who would you select: A candidate who received their MBA from an online degree program, or a candidate with an MBA from an Ivy League school? Both investments have value, but the branding is considerably different and definitely speaks for itself.
If you do not invest in yourself, do not expect anyone else to. Many times, information security professionals fall into a trap by only participating in career investments for which their company will pay. This is a bad strategy because the company's motivations to develop your skills are more than likely different from your personal ones. Your career aspirations may (and most likely will) take you outside of your current employer and the internal information security career opportunities they provide.
You should chart your own path and determine a certain percentage of your annual income (somewhere between one and five percent) for your professional development. We use these same strategies for other aspects of our lives – gym memberships for heath, accounting fees for taxes, investment fees for financial advisers. We should apply the same logic for our careers, considering how linked our careers are to both our financial and emotional health.
As information security professionals, we should be encouraged by the opportunities that lie ahead in our profession. However, in order to maximize our success and achieve our career goals, we must be proactive in our approach and make investments in ourselves and our future.
You know the routine: You're sitting for a moment alone with your thoughts and doing some soul searching about your job. You're happy there, you like the people and clients you work with, feel you're paid well enough, but you want (need) to further satisfy your career goals.You could do what most people do: nothing. It is a safe route, but in the long run, you haven't advanced your career and, possibly, stagnated while your peers are beginning to pass you by.
You could find a new job that pays more, but then there is the risk of not liking the position or, worse, your new employer not liking you. Now you are looking for another new position in under a year (literally taking a step or two backward).Or, you could walk into your boss and demand to be recognized, both monetarily and promotion-wise. However, that course of action will likely invite your employer to look to fill your position with someone that will not complain.
Do you say to yourself: “I know I need to get to the next level, but now what?” So how does one take the lead advancing their career? Remember these three things:Goals: Set goals of where you want to be in the industry and make a roadmap to get there. Next, you need the drive to get yourself to these goals. This is key. Drive is the motor and, like a car, without the drive you'll go nowhere.
Mastery: It is extremely important to be great at something as opposed to be OK at a bunch of things. My father used to say, “The best in all fields make all the money, so be the best at something and you'll be successful.” In Outliers, Malcolm Gladwell points out that the magic number that has consistently pointed to true expertise in any field is 10,000 hours (which translates into five years).What this means is pick an area that you like, whether it is ethical hacking, computer forensics or e-discovery, and become the master of it. You'll be happier and you'll be successful.
Get noticed: If you want to get noticed in the wrong way, whine and moan and wave your hands a lot. If you do that you'll be noticed as you are being walked to the human resources department for the exit interview. However, if you want to get noticed the right way, be the one who comes up with the best ideas and knows how to implement them, or the one who does not wait to have problems solved but actively researches the fixes and gets them solved without involving the Fifth Fleet. I recently asked Wayne Lee, the managing principal at Verizon Business Solutions, which are the most important “soft skills” of his most successful people, and he said “creative thinking” and “being a proactive go-getter,” adding that “technology comes and goes, but it is about the people with these skills that make or break a company.”Additionally, be in the leading edge of technology. Our industry is not as ageist as many others. Employers only care about what vital information you have in your brain that you can inpart on their organization. It doesn't matter if it comes out of the mouth of a 25-year-old or a 55-year-old. Stay current on the hottest needs.
Finally, you need a champion in your company to help you on your career path. Ask them what it will take to move up in the company. Unfortunately, it is not likely the person directly in front of you. It is not in their best interest to make you successful, since it may cost them their job. Identify someone at least two levels up, gain their trust and let them mentor you.
Staying ahead in an industry of accelerating change is a challenge. My top three suggestions are as follows: First, everyone knows the saying, “Perception is reality.” To be successful in times of change, you must be perceived as adaptable and creative. Although I believe the term “change agent” is overused, many of our executive-level searches specifically are seeking professionals who can manage through influence and create more collaborative approaches to risk management.
Of course, perception alone is not really enough. You have to actually evaluate your own current skills and ability to adapt and support change.Secondly, your ability to help the teams you manage buy into and take ownership of driving changes is extremely important. It is imperative for your personal career growth that your organization recognizes you as someone who can not only lead change but can motivate their teams to embrace change and influence others.
So how do you acquire these types of skills? A candidate that I'm currently working with who is a vice president within an information security organization recognized that although he is technically extremely proficient and well regarded within his company, he felt he lacked some of the executive management skills required for him to achieve a “C” level position in his next role. He took the initiative and hired an executive coach who provided guidance in ways to communicate and manage upward and downward. He gained insight and perspective into some alternative approaches and ways of thinking about himself, his team and his company.One of the most important changes that I see in the information security industry is the transformation of the role from a back office technical function to a business enablement function. If you want to stay ahead of the curve, you absolutely have to begin understanding how to link effective risk management frameworks to your company's business values. To be a successful information security officer in the future, you'll have to learn how to communicate business value. That means you have to think about how to identify key stakeholders, communicate your vision tactics and tangible milestones and keep your business partners engaged for the long haul.
Finally, the last key to staying ahead of the curve is to strengthen your network and ensure that your résumé is up to date. Updating your résumé gives you a chance to evaluate not only your personal accomplishments, but your company's ability to continue to offer you more challenging and responsible roles. It also enables you to be prepared for any outside opportunities offered to you. Remember when writing your résumé to not only highlight your mastery of technologies but also to show accomplishments that tie to broader business goals. Giving future employers insight to your broader capabilities will allow them to consider you for more varied and responsible roles.Don't wait until you decide to change jobs to look at your personal network. Networking is a build-it-before-you-need-it model. In conjunction with updating your résumé, take the time to evaluate the strength of your network. Assess the organizations you belong to and the degree to which you actually participate. Being a member alone is not enough. Get on a panel, write an article or be on a board. The best way to learn from the brightest people in the industry is to become an active member in organizations and groups that meet your personal and professional interests.