What do you do when everything’s changing? How do you know which certifications to get or what tools to learn? How do you make sure your career stays strong when no one can forecast what security will really look like 10 years from now?
Security is highly connected to the needs of your business. Security practices have to serve an organization’s evolving strategy, or the security team will become a business limiter, preventing the rest of the organization from changing as fast as it has to.
But the ability of a security group to pivot isn’t entirely within your control. Security is often a reflection of organizational culture. Companies that are good at change have security groups that are good at change - and companies that are stuck doing what they’ve always done have security groups that reflect that as well.
That doesn’t mean security leaders should just accept their organizations’ status quo. Security can help the larger organization adapt and change if security leaders are able to step up and lead the way. You don’t need to be a CISO or even a SOC manager. Any security professional who’s willing to think like a leader can become a leader and drive change.
Innovate and experiment
To change something, build a new model that makes the existing model obsolete. ― R. Buckminster Fuller
Innovative security professionals are ordinary people who schedule time to think about innovation. If you want to encourage innovation on your team, build freedom to think into your culture. Formalize it, if you must; take a tip from design thinking teams and schedule team brainstorming sessions, or just communicate that everybody is expected to seek out problems and float new solutions on a regular basis.
However, innovators don’t just think. They experiment. They are willing to “waste” time in the right way, taking chances on experiments that may not pan out. And as the worlds of SecOps and DevOps connect, there is more opportunity for experimentation than ever. Security is becoming code, so the integration and orchestration aspects of security are rich areas for security people to flex their inner developers. And every security person I’ve ever met has an inner developer. Security professionals are builders - they’re creative. They have what it takes to drive innovation.
Listen and learn
They always say time changes things, but you actually have to change them yourself. ― Andy Warhol
To lead change, you need to understand your organization’s goals and potential - the positive potential to access new markets or deliver new products, as well as the negative potential to succumb to competitive stresses or fall behind on technological advancements. You don’t have to figure all that out on your own, though. The knowledge is already contained inside your organization.
The successful security professional is a good listener. Take advantage of that skill: get out of your office and talk to co-workers outside of the security world. Find out what they understand about security and what they think of their work experience, learn which departments they interact with and what tools they use. Ask them how well existing security measures help them and how they hold them back. There’s always a reward for helping people do things faster or better, but first you have to find out exactly what it is that people are doing.
These conversations will help you get connected to the business and discover what you can enable. Maybe your organization is working on a new app, a connected car, or an IoT sensor. Whatever it is, you have to understand why that thing is valuable to customers in the real world and what threat-related risks come with it. The fun and exciting puzzle you get to solve is how to assemble the right controls to enable the experience and generate customer value securely. Ask yourself how you can ensure people have confidence in your solution and can use it safely - and the answer isn’t necessarily another security product. You’re more creative than that.
Destiny is not a matter of chance; it is a matter of choice. It is not a thing to be waited for, it is a thing to be achieved. ― William Jennings Bryan
How can you make yourself valuable as things change in uncertain ways? Build durable and transferable competencies. Learning a specific technology or tool will help you in the short run, but in the long run, you need skills that will transfer to a myriad of environments. For instance, you can learn to understand systems of interrelated things, like apps or networks. These are important competencies.
To gain more competencies, think about incorporating rotations into your career. The more diverse your experience both inside and outside of the security arena, the better. Lots of people have started off in other disciplines and then brought their knowledge to security, where they have been welcomed for their specialized skills. Those who have started off in security can reverse that path, moving in and out of security roles to gain capabilities in related areas.
So if you’re looking to future-proof your career, consider managing a SOC, working in risk and compliance, or whatever else interests you. The more experience you have, the more choices you’ll have as the business environment evolves to exploit the next generation of digital transformation, artificial intelligence, automation, and other emerging technologies.
If you’re a manager, you should be thinking about how you can create these types of rotations for your team. Cross-training will make the team stronger as a whole and will also help you recruit people who have energy and curiosity, two traits that are hard to find and harder to keep.
Continual curiosity is your asset
Security professionals have always had to deal with change, but right now, everything is changing all at once. The drive toward digital transformation, the adoption of IoT, and the marriage of artificial intelligence and big data are affecting everybody.
Security professionals need to constantly ask themselves how they can enable the business and accelerate improvements. The days when a security career was strictly technical are fading away; today, you can benefit by learning about business, understanding DevOps, and staying up to date on what’s happening in university and corporate labs.
Some security professionals can spend their careers thinking tactically, fending off one threat after another, and that’s their choice. You can make a different choice if you want. Play the long game and focus on where you and your organization need to be beyond the next emergency. The key is to always look outwards. From that point of view, you have the ability to unlock new experiences and shrink the world.