Dual Threats: How to Build Expertise, Certifications in Multiple Subjects

Four professionals discuss the value of MBAs, CFAs and other certifications and degrees from beyond the security field. Should you become a 'dual threat'?

The strands that weave together to form the fabric of a satisfying career are often rich and varied. Even threads that appear out of place join to form a cohesive tapestry. This is especially true in security, which (despite its ancient roots) is, in many respects, a new field.

Some CSOs arrive at their posts after following educational paths or early work experiences that appear to contrast with their current profession. Some pursue multiple certifications or complementary degrees to build their knowledge. And this development of multiple areas of expertise can turbocharge a security professional.

Marc Fidanza is a good example of the phenomenon. Fidanza earned a degree in business and accounting as well as a CPA before he got involved in security—almost by accident—in the early days of the profession. Now director of security for Takeda Pharmaceuticals North America in Chicago, he worked in internal audit for American Airlines right out of college. When the airline's audit division was broken up into different groups, Fidanza found himself working on fraud cases involving frequent flyer miles. That was the beginning of his love affair with security.

"It worked well because they had a gap on their team from a financial accounting standpoint. That was a skill set they didn't have," he says. "I was given the opportunity to demonstrate my value. [Having the CPA] definitely opened some doors for me to be placed on the security staff permanently." But the biggest benefit of his background is built-in credibility with the people to whom he has presented plans or budgets. "They are typically very savvy people so it has helped me articulate the security value proposition," he says.

Because the field is evolving and widening in scope, having a diverse background—whether educational or experiential—stands a CSO in good stead. The dizzying array of risks today demands a holistic approach to security, and that meshes well with a CSO who has wide-ranging educational or professional experience.

MBAs Need Apply

David Kent, for example, aspired to be chief of police in a small town like the one in which he grew up, so he earned an undergraduate degree in criminal justice. Upon graduation, he found there were not many places that needed a sheriff. Working for a small defense contractor in the late 1980s, he started to develop an interest in information security.

"It was a nascent field at the time," says Kent, currently vice president of security for $3 billion pharmaceutical giant Genzyme in Cambridge, Mass. He worked in other roles, including a multiyear stint at Bolt, Beranek and Newman at the beginning of the Internet era, before he decided he needed better grounding in business.

"The only way you can apply the discipline of security is to fully understand the environment. I had to go learn business," says Kent. Now, with a graduate degree in business management under his belt, Kent frames proposed solutions in the language of business, underpinned by an understanding of the unique challenges of today's pharmaceutical industry.

He believes having a deeper knowledge of business is critical to CSOs, who now must be aware of the interrelated nature of risk. "It is convenient to divide the world into information security and physical security and supply chain security and whatever else, but you have to protect the enterprise by taking the whole view," says Kent.

Tim Williams's path in life is strikingly similar to Kent's. Global director of security for $44.9 billion manufacturer Caterpillar, Williams had his eye on a career in public law enforcement. After earning an undergraduate degree in criminology, however, he went to work for Procter & Gamble. There, he got in-the-trenches training on how things were done at one of the world's top-performing companies.

"I consider it a gift that I got my start at such a great company," says Williams, who is also president of ASIS International, an association for security professionals. That early experience convinced Williams to go for his MBA. This took several years due to a heavy international travel schedule at Boise-Cascade and Nortel Networks.

The long hours studying at night and on planes were worth it in the end, he says. "I knew that [the MBA] would give me a better basis for management-level positions regardless of what track I took." Indeed, when Caterpillar came knocking, he was able to take a seat at the table with the other top executives. There are other ways to develop broader business perspective than getting an MBA, but it is clearly a sound credential for CSOs—one that garners automatic respect from business leaders.

Earning Multiple Certifications: Not for the Lazy

Chad McDonald spent more than one year of his life earning three certifications: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Project Management Professional (PMP).

Certifications are another avenue to attaining diverse qualifications to enrich your career, especially for those just starting out. As with earning a degree while working, earning certifications can require a lot of self-discipline, not to mention an autodidactic nature.

McDonald was thrust into the world of security a few years back when he was working in computer support at Georgia College & State University in Milledgeville. Two students flooded the college's mail server with malicious messages, shutting the system down for several hours. (The students were later prosecuted; one was deported.) The school's IT staff had to scramble to contain the damage and McDonald was called upon to help.

"That incident opened my eyes to the fact that we were at risk and to what we could do to mitigate those risks," says McDonald. Soon, he found himself acting as the college's one-man security shop. Of his own accord—out of his own pocket and without taking a prep course—he started spending his weekends studying for the CISSP. After a full year, he took the test and passed.

"It was tough. But I got really interested in all aspects of security. I transformed myself," says McDonald. He then knocked off the CISA and the PMP in another few months.

The certifications are more than so many pieces of paper to McDonald. For one thing, they made him a much more attractive candidate when he was interviewing for a position as CISO for Georgia College.

"They were looking for someone who had not only experience but credentials behind their name. [The certifications] show that I do have the knowledge. They were a door opener," he says. Even better, he will receive an annual bonus for each certification, which has, no doubt, sweetened the memory of those long hours studying.

The Long View

All of the security professionals interviewed here strongly endorse the idea of obtaining multidisciplinary expertise as a way to further one's career. Kent of Genzyme encourages executives working in security—including those on his own staff—to fill the gaps in their knowledge by obtaining education in complementary areas.

"We try to have all the members of our team take a multidisciplinary view of security. The woman who runs our product security just got her master's in information security. That wouldn't seem to be tied to her role in global product security, but it gives her great overlap of knowledge."

Copyright © 2008 IDG Communications, Inc.
