What it takes to become a data security strategist

By the time John Kronick became a data security strategist a few years ago, he’d already been in the security industry for 20 years. But he didn’t come to security from IT.

“I came up through accounting and finance and auditing,” he said. “And then security, and then security strategy, and then security consulting.”

Kronick holds a bachelor’s degree and an MBA in accounting and finance. He has worked at Gartner, Purdue Pharma, GE IT Solutions, Citigroup and Estee Lauder before landing at Accenture, where he was responsible for data security strategy.

“As part of that role, I helped one of the states optimize their data storage and data security functions,” he said. “There were 34 business units within the state that had a need for ready access to data, but still secure that data. What I had to do was help them formulate the processes and the policy to protect that data.”

Meanwhile, the data still had to be available for the various functions and applications that needed it.

He also looked at the lifecycle of that data, he said. “Many companies create data but don’t follow up to make sure whether the data is still needed and whether it should be deleted.”

CSO

The industry has changed dramatically since he first started, he said. “In the early days of cybersecurity consulting, there wasn’t really a data security strategist,” he said. “There was a security consultant. But as more and more data became at risk, it became clear that there needed to be a role that maps data and the uses of the data and how to protect that data.”

Today, Kronick said, the data security issue is top of mind. He is currently the director of cybersecurity solutions at El Segundo, Calif.-based cyber risk consulting firm PCM, Inc., and the topic comes up whenever he consults with a client. “Everywhere I go now, it’s part of everything that I do,” he said.

Kronick also hires people for the job, and today there are many more options for people looking to enter the field. “One way is to get a good education in information security,” he said. “You can get a degree these days as an undergraduate, or a masters degree, so that you understand the various domains of security.”

In addition, he recommended getting certifications, including Certified Information Systems Security Professional (CISSP) and Certified Information Privacy Professional (CIPP). “And it wouldn’t hurt to have a background in audit,” he added. Relevant certifications are Certified Information Systems Auditor (CISA), and Certified Information Security Manager (CISM).

“All those certifications would help the strategist understand the interaction between business and pure security and how that interaction requires designed security concepts, processes and strategies,” he said. “If you don’t have a data security strategist, you’ll end up with many point solutions that may not be effective or efficient for the company, and it may leave gaps in securing data.”

Companies hiring for these jobs are typically larger enterprises, consulting companies, and accounting firms. Telecoms and cloud providers that handle a lot of data are also hiring.

It’s a growing profession, Kronick said, and is likely to benefit from the growth of artificial intelligence. “The advance of AI will create more data, and require more data analytics,” he said. “It will have a significant impact on the role of the data strategy.” The job won’t be automated away, he said. Instead, data strategists will have a lot more data to think about.

Salaries are higher for these jobs than for their non-IT equivalents. The median salary for an information security engineer, according to Glassdoor, is $105,000, while that of an information architect is $93,515.

At larger companies, salaries can go even higher. “The area I network for, data security strategists earn $130,000 to $150,000,” said Joseph Binns, senior recruiter at Woburn, Mass.-based Randstad Technologies.

Binns typically works for Fortune 100 companies, and looks for people with five to ten years of experience in the security field. He said that 80 percent of the people he recruits are already data security strategists, and are looking to work with a larger company.

Smaller companies may hire interns and grow their own talent. And sometimes people can jump over from related fields, such as compliance. “It’s not going to be as a big a pay cut because you already have a significant body of knowledge,” he said.

Let us know what you think by leaving a comment on our Facebook page.