How do you explain your job to non-technical people?
My primary function is to conduct risk analysis on institutions' critical assets (technology, people and process) and present those high-risk areas to management with possible controls, recommendations and consequences.
It's up to the management to make the tradeoffs — between risk versus cost versus convenience — to pursue its vision, mission and goals.
Of what in your position are you most proud?
I believe that tight integration between people, process and technology leads to better information security. The process of getting the commitment from key stakeholders on this idea and mobilizing the stakeholders towards a common goal gives me fulfillment.
What would you use an IT security magic wand for?
Make management realize the need for their support; raise users' security awareness level; and make security vendors work together to converge on standards and make them articulate the business proposition better.
What is your IT security dream job?
The key criteria for my dream job: a job where management makes decisions on facts and not on emotions and politics; a job that provides enough freedom with appropriate authority and accountability; a job that encourages risk taking and learning from mistakes; a job that has a budget for adequate security.
How did you get interested in IT security?
I always liked jobs where I worked for IT but had the opportunity to interface with other business groups. Information security was a natural fit in that regard because my job not only has a liaison role among parts of the organization, but also offers an opportunity to influence and nurture the organizational culture towards creating a safer computing environment.
SKILLS IN DEMAND
Threat modeling, often associated with application and system development, is going corporate. Increasingly, organizations whose business is based on information assets are leveraging threat modeling techniques to understand and forecast their technology-related risks.
Corporate threat modeling may be in its infancy, but expect to see a strong demand for security pros who have the ability to apply threat modeling/risk forecasting methodologies in the enterprise.
Will this continue?
Compensation levels are undefined due to lack of precedent, but strategic hiring for these roles is on the increase.
Source: Jeff Combs, Alta Associates, Inc.