Chapter 14. A Diverse Path to Better Security Professionals

Catherine J. Ullman

Like many InfoSec professionals of my generation, my background is not in computer science. I wound up in my first technical support role after discovering that my original, nontechnical career path was unsuitable for me. A good friend suggested I explore technology. Twenty years later I find myself firmly entrenched in the security field. In retrospect, a letter of recommendation from a former supervisor containing the statement, “Cathy is very good with computers” was very telling. As a result, I would argue that there is no specific path one should take to get into computer security. What matters more is obtaining some key skills on that journey, which are not necessarily technical in nature. Let us explore them now.

First, communication skills are essential for success in this field. Security professionals, whether entry level or advanced, are often asked to explain technical ideas to people who are not technical. Furthermore, it is not uncommon to be asked to communicate ideas to people at different levels within an organization. The ability to express one’s thoughts effectively and efficiently, either while speaking or in writing, is a must. Effective communication involves listening (or reading carefully), not just speaking/writing. This step provides feedback so that both parties know whether they are being understood. Patience is key. Efficient communication means choosing one’s words carefully, based on what must be conveyed. Frame the conversation for the audience, i.e., focus on what matters to them and speak/write to them at a level they can understand and relate to. In particular, avoid acronyms and “geek speak” when communicating with non-IT people. The more you learn about technology in this field, the easier it is to take for granted what you know that others do not.

A second fundamental skill for being an effective security professional is the desire to learn combined with tenacity. Security is an ever-changing field, which is in part what can make it exciting as well as challenging. Having the desire to learn and the tenacity to obtain the required knowledge can be especially useful for obtaining a particular technical skillset, but can also be useful in nontechnical situations. Being willing to jump directly into a challenge until one not only completely understands the problem at hand, but follows it through until it is solved, is crucial.

Finally, and perhaps most importantly, all good security people must exhibit compassion and empathy. Because all aspects of security involve encouraging positive behavioral change, security should be seen as a people problem more than one of technology. In order to properly motivate this change in someone, it is critical to understand both where they are coming from and what is important to them. Furthermore, having empathy and compassion for everyone helps remove the “us versus them” mentality, allowing security to be seen as part of the solution organization-wide, rather than an impediment.

Information security is an enormous field, encompassing many different areas such as governance, risk, and compliance; security operations; and training and awareness. Although some of these areas require significant technical abilities, not all roles do. What they do seem to have in common, however, is a need for strong communication skills, a desire to learn coupled with tenacity, as well as compassion and empathy. Whatever path one takes to obtain these skills is the right one. Companies produce the best products when they are innovative, and innovation comes from the diversity of their teams. Security teams are no exception. Thus, focusing on these skills, rather than people coming through a particular path, just might kill two birds with one stone.
