My entry into the information security (cyber) domain was abrupt. After 12 years within the information technology industry, my employer selected me to specialize in cyber network defense. It sounded cool and I honestly believed it was a strategic opportunity that would turbocharge my career. Since that day, my life has changed dramatically.
Over the next four months my peers and I received the best training money could buy. We were required to assimilate knowledge at the speed of water from a fire hose. Then (to our frustration) they expected us to be able to apply that knowledge in various capture the flag and laboratory exercises. Completing such a difficult course felt exhilarating and empowering; I was ready to conquer cyber miscreants, and I would be unstoppable.
Reality set in and I realized I had a long way to go. I had a lot of knowledge but was inexperienced in real world application. Furthermore, staying current in terms of skills and present trends seemed like a futile effort. With some of the most desirable and challenging certifications after my name, I was officially burned out. I had no idea how I could remain relevant and useful within my new specialty.
After stepping away and taking some time to think strategically, the solution presented itself. The answer lies in identifying market needs and organizational needs, and then tailoring a continuing education program that supports both the individual and the organization. To maximize your impact within the information security domain, consider these four questions.
1. Do you understand the business?
In its latest report (State of Cybersecurity: Implications for 2015), Cyber Security Nexus surveyed security professionals. Seventy-two percent of respondents identified the "ability to understand business" as a skills gap. In my mind, this is very significant because it means we (information security professionals) don't speak the organizational language. Perhaps this is why (in a recent BlackHat survey) spending priorities did not align with the top three concerns of security professionals. It is imperative that we view our security efforts as a means to the business's desired ends.
2. Are your skills up to par?
Forty-six percent of the security professionals surveyed indicated a technical skills gap as their second concern. Good security training is expensive and often requires time off, travel, and hotel accommodations as well. Taking random classes without a clear plan is a terrible idea. If you understand the organization's risk profile and the technical skills needed to mitigate those risks, you can build a much more effective training program.
3. Are you communicating effectively?
I wish I had a dollar for every time I brilliantly explained something and the receivers were just too dumb to catch on. Please excuse my sarcasm, but I thought this way early on in my career. After much frustration (it seemed like there was a plethora of dumb people) I finally realized my lack of ability was the problem. Not my lack of technical skill, but my lack of ability to communicate with users, leaders, and clients. Our success depends on influencing diverse groups of people to take action or adopt a particular opinion. Each group is a set of stakeholders with its own interests and agendas. Effective communication is tailored specifically to the receiver.
4. Are you willing to put your money where your mouth is?
Quality security training is not cheap, and the effort required to pass quality industry certification exams is significant, not to mention the time, effort, and money needed to maintain them. In a recent survey almost 19 percent of security professionals reported their organization spent no more than $100,000 on continuing education, 212 said their organization paid no more than $20,000, and 23 percent reported spending between $1,000 and $5,000. I believe the onus lies with both the individual and the organization to develop and fund an effective continuing education plan.
Whether you're a solo practitioner or the CISO for a large conglomerate, maintaining a relevant and reliable stable of professionals is the underpinning of your success. A one-size-fits-all solution does not address the particular needs of your organization. If you want to turbocharge the impact of your information security personnel, begin crafting a strategy specific to your organization.
This article is published as part of the IDG Contributor Network.