Information security is different today than it was just five years ago.
And how you go about having a successful career as an IT security
professional is different, as well.
Kevin Beaver, an information security consultant with Atlanta, Ga.-based
Principle Logic, LLC, says the industry has shifted so much in the last
several years that even the way people perceive success has changed.
Today, it’s no longer all about the technology. It’s just as much about
using IT to create customer loyalty and to outwit competitors.
Today, the successful IT professional also is a savvy business person.
“It used to be more about what protocols you know, what firewalls are
you expert on, what encryption algorithms do you understand,” Beaver,
who will be speaking at the RSA Conference in San Jose this week, told
Datamation. “Now the bigger focus is on IT governance and the
business side of security. That’s where the value is.
“And it’s obviously affecting how people set their goals, how they sell
security to upper management, and the continuing education that they
receive,” he adds.
With IT professionals increasingly being expected to join business teams
and work on business projects, knowing the technology is becoming a
smaller and smaller part of the job. Beaver says it’s a mistake to focus
solely on the technology, and it’s a mistake that can drag down a
“I think the successful security professional will focus more on the
career side than on the technical side,” says Beaver. “Technology is
just a small component of the career now. It’s more about the business
side of things — risk management; policies; being able to tie business
goals and security goals together; having metrics to make sure that
security projects are successful in terms of what the business needs.”
Beaver offers up a set of tips to the IT professional looking to build a
strong career. Some of the elements to success are:
technical skills, include communication skills, relationships with
others, time management and people management skills. “I still see a lot
of security people pigeon-holing themselves,” Beaver tells
Datamation. “They know the techie stuff but they’re not focusing
on what will actually give them a successful career. They fall into the
trap of not having time to focus on the soft skills.”
But the big question is how do IT professionals find the time to bone up
on relationship building and communication skills when they have
countless fires to put out on the network.
Beaver says the trick is to simply carve the time into your schedule,
whether it’s scheduling a lunch meeting with a business-savvy mentor or
taking a class on the weekends. If it’s tough to find the time to do it,
simply work harder at making the time.
“They’re just fighting fires and catching every ball that’s thrown their
way,” says Beaver. “They should be spending a certain amount of time
working on soft skills. It needs to be done continuously. Listen to audio
books, go to training. Do something weekly or quarterly. Take some time
off to do it, or study before or after work. I know that’s the kind of
stuff that has helped me.”
be working in, so people need to make sure they have a specialty —
preferably a very marketable specialty. Beaver advises people to pick up
their heads and take a serious look at the industry. Don’t just look at
what technologies are hot right now, or what skills are in demand now.
What is coming down the road? Study the field and try to get your skills
out in front of what’s coming.
“You could be managing policies, performing audits and being a forensics
investigator,” he adds. “I see a lot of people trying to become experts
in every area related to security and it’s not really possible. It’s such
a complex field and it has too many areas to specialize in. You can’t be
everything to everybody. Pick one area and focus on it, whether it be
audits or forensics.”
But how do you make sure that what you specialize in isn’t about to
become antiquated? How do you make sure you’re not specializing yourself
right out of a job?
Planning. Beaver says it all comes down to planning ahead.
stuff,” says Beaver. “Keep up with the trends and make sure you know
where they’re headed. Be proactive so you don’t get stuck in an area that
is no longer needed. You have to focus on the longer term.”
professionals know the laws and the regulations that apply to information
security and to the particular industry they’re working in. Understand
human resource issues, especially as they relate to employee privacy and
monitoring. Data retention has a lot of legal issues, as well, he points
“Know corporate security policies, contracts and service-level
agreements,” Beaver says. “The risk is that you’re either left behind,
or you’re not going to know what your competitors, your coworkers and
your peers are learning. Upper management will see them as more
effective. You need to be able to offer business value.
“And if you don’t know the legal side, you could be putting yourself or
your organization at risk,” he adds. “If you’re retaining data
incorrectly or monitoring employees incorrectly, you’re putting a lot at
Overall, Beaver recommends that people think long-term. While someone may
be very focused and efficient when it comes to dealing with daily crises,
they’re not doing any favors for their careers.
“If you focus solely on putting out fires, you’re going to get burned
out,” he notes. “Your skill sets are going to become stale because
you’re only focusing on the stuff that’s already in place and you’re not
exploring new technologies and new methodologies. Look up and see what
else is going on.”