I’m almost halfway through my series on why security professionals fail, but I want to pause and answer a few questions that I’ve received from several respected colleagues from around the globe. The blogs are getting good coverage, and plenty of email queries. I want to especially thank Adam Shostack, author of The New School of Information Security, for his blog recommending the series. I’m looking forward to reading Adam’s book.
Before I go to problem #4, enquiring minds want to know: How do I define security professional? If I’m now the Michigan Chief Technology Officer and Director of Infrastructure, why do I still include myself in this category in my last blog? What credentials are required to get into the security field? And some people have even asked whether this series is referring to their particular technology company or security team.
The last one is the easiest. This is personal advice written to individuals with no one in particular in mind. My observations and recommendations are based on my entire career, starting at NSA, moving to the United Kingdom in the private sector for almost seven years, joining state government in 1997 as a CIO, moving for a few years to the web team at Michigan.gov, seven years as a state CISO and my current role over the past year as an enterprise-wide CTO.
More than that, I see similar career patterns when interacting with technology pros throughout the private sector, InfraGard, federal government, East Coast, West Coast, South Africa, etc. I like to talk to people and ask them if they like their job and why. We can learn a lot from people’s personal stories and how they got to where they are. Also, where do they want to go next? No doubt, I’ve made plenty of mistakes along the way, and many of the lessons I’ve learned have been through personal failures or watching what seems to work and what doesn’t in various security and technology specialties and situations.
At first glance, the basic question may seem rather simplistic. Many experts and organizations define a security professional based upon whether or not they have a CISSP, CISM, Master's Degree in Information Assurance or other credentials. Or, are you in an organization or business unit with security in the title? While these characteristics certainly help, my definition is much broader than that.
Why? I have seen people come and go in the security area. For example: Adam Shostack started his career as a UNIX sysadmin. Likewise, you probably know people who started in security and left, or who still have a different job title but read blogs like this one because their job includes something less than 50% information security. (That is, they wear multiple hats.) Others are assigned to a security function against their will or leave a security office despite their love for the field (when a too-tempting opportunity arises). Some come back, others never will.
So how do I define “security professional?” This may sound too postmodern, but my answer: you get to decide. If you think you are a security pro, you probably are a security pro. Some hints: do you read security magazines and books, check up on security settings at home and work or attend seminars and topics on security? Yes, it helps to have certain skills, degrees, experience and other credentials. However, your business card is not the only (nor necessarily the best) indicator. If you’re reading this blog you get two points – just kidding.
Don’t get me wrong. I’m not making a judgment on how good a security pro you are, nor denouncing the benefits of more security training. And yet, I’ve met some excellent security experts who are self-taught with non-technical degrees or no degree at all. I’ve also seen people in security organizations (or even agencies like NSA or DHS) who do not refer to themselves as security professionals – even though the magic word is in their agency’s title.
As for me, as I told SC Magazine a few years back, I think security is in my blood. No matter what my job title is, I see the Internet world through a strange lens that my teenage kids think is weird. I ask them how long their passwords are. I want to know if they’ve logged out of Gmail or who they’re chatting with online. I check the anti-virus definition dates on their laptops. If you think or act like that, welcome to the club – for better or worse until death do you part.
My daughter once stared at me with a puzzled look and asked: You really care about this security stuff don’t you dad? Security is more than a job to you, isn’t it?
I paused, looked down and smiled. I didn't need to speak. She knew the correct answer.