There's always a pivotal moment in a person's career when they realize they need to become more proactive.
That moment came for Todd Bell in the months following the 9-11 terrorist attacks on the World Trade Center and the Pentagon and the simultaneous dotcom implosion. Bell had been making good money at several startups during the tech boom and, not long after 9-11, found himself in a low-level job at Hewlett-Packard just to pay the bills and keep food on the table for his family.
Equipped with only an undergraduate degree in business information systems, Bell knew he needed to offer prospective employers more. In the next two years he earned a Certified Information Systems Security Professional certification from (ISC)², as well as a Project Management Professional Certification from the Project Management Institute.
But he didn't stop there. By 2004, Bell also completed a master's in business administration (M.B.A.) from Regis University in Denver.
“I hate to say it, but the M.B.A. opened more doors than any other qualification,” he admits. “However, with the CISSP and PMP I tripled my salary and then within a few years of getting my M.B.A. I doubled my salary again. There's no question that the M.B.A. put the CISSP and project management certifications in a different light and made me more valuable.”
Today, Bell works at California-based cybersecurity advisory company Intersec Worldwide as vice president of enterprise security, earning the top end in salary for a CISO, which is well into the six figures. He often works as a CISO for three months to a year, setting up and rebuilding teams and helping them revise their security program.
Bell's experience maps well to what analysts, vendors and officials from the certification organizations told SC Magazine about developing a career as an IT security professional. Certifications and extra courses are important – they will land you a higher-paying, hands-on security position – but nailing down that executive-level job requires taking some extra steps.
“What companies tell us they need today are multidimensional security people who can translate technology risk into business risk and speak a language that can be digested by the people who control the funding and resources for IT security,” says Bill Reynolds, a research director at Foote Partners, which publishes IT skills demand and pay benchmark research drawing from 2,700 employers. “In the past, it's been hard to justify spending on IT security. But now managers understand that a security incident can cost them market share, which is why people who can communicate the need for IT security are extremely valuable today.”
Robert Stroud, recently elected the international president of ISACA and vice president of strategy and innovation at CA Technologies, agrees with Reynolds that it takes more than security knowledge alone to be effective today.
“We need people who can look for unusual and unplanned behaviors, not just people who can technically perform monitoring,” he says. “And we also need people who understand data analytics and the business outcomes of exposures to security incidents. Security professionals today have to presume that security incidents will occur.”