Chapter 15

A Career as a Cyber Security Officer

Abstract

Cyber security officer professionals of the twenty-first century must possess many skills that differ from those possessed by some current and past cyber security officer professionals. This chapter discusses the skills that a cyber security officer and professional cyber security staff need to be successful, as well as how to establish and maintain a cyber security career development program.2

Keywords

Advisory services; Assessment services; Augmentation services; Cold calling potential customers; Cyber security consultant; Cyber security office; Education; Security implementation

A man must serve his time to every trade save censure—critics all are ready made.1

Lord Byron


Introduction

Changes that have occurred over the years in the duties and responsibilities of the cyber security officer professional include a working environment that involves increasing:
• Complexity;
• Rapidity of change;
• Technology dependence;
• Technology drivenness;
• Sophistication of the workforce;
• Competitiveness in the business world;
• Instant communication;
• Information available to more people than ever before;
• Incidents of corporate fraud, waste, and abuse;
• Threats to, and vulnerabilities of, corporate information-related assets; and
• Competition for high-level cyber security positions.
Since this twenty-first century environment means more competition for cyber security positions, those who want to succeed in this career field must gain more experience and have more education than ever before—or at least more than the other cyber security professionals they are competing against.
The corporate culture, cyber security duties, responsibilities, and positions vary almost as much as the number of corporations. Many outsource much of their cyber security service and support functions, while others find it more cost-effective to use employees. No matter what type of corporation—or government agency for that matter—that you work for, the main goal is still to protect the information and information systems assets of the company (or government agency).
Corporations want to hire cyber security professionals who can do that successfully with the least impact on cost and schedules.
pro·fes·sion·al [prō féshən’l, prōféshnəl, prə féshən’l] adjective
very competent: showing a high degree of skill or competence
noun (plural pro·fes·sion·als)
member of a profession: somebody whose occupation requires extensive education or specialized training
somebody very competent: somebody who shows a high degree of skill or competence3

3 Encarta® World English Dictionary © & (P) 1999 Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.

If you consider yourself a cyber security professional and want to be the world’s best, then you need a career development program.

The Cyber Security Officer’s Career Development Program

Some questions you may want to ask yourself about a cyber security officer career are:
• What cyber security-related career do I want to get into?
• Why?
• What are the qualifications (education and experience) for the entry level and other security positions?
• What are the positions (specializations) within that profession?
• Are there any that I would like to specialize in?
• Why?
• What are the other positions within the cyber security profession that I may want to specialize in?
• Can I list them in order of priority, including their education and experience requirements?
The cyber security officer profession should be researched to obtain the answers to the above questions by:
• Interviewing various cyber security officer professionals in different types of businesses, nonprofit entities, and government agencies;
• Researching the cyber security officer profession and its various specialties through the Internet;
• Discussing the profession with representatives from the American Society for Industrial Security, High Technology Crime Investigation Association, Association of Certified Fraud Examiners, Information Systems Security Association, and various training institutes and universities that teach cyber security-related courses; and
• Reading job descriptions for cyber security officer positions in the trade journals and newspapers and through interviews with recruiters.
Based on this research, you as a cyber security professional can establish a career development plan beginning at a high level with subsections for education and experience for each position.
The future cyber security officer might also set two limits:
• Experience and education must be relevant to eventually becoming a cyber security officer.
• Time learning through education, training, and gaining experience must be scheduled so that the intermediary milestones and ultimate goal can be met.
The cyber security officer should also include the goal of supervisory and management experience as well as experience in the worlds of finance, marketing, sales, accounting, investigations, communications, technology, international travel, and human resources. The cyber security officer should set a goal of gradually gaining increased responsibility, experience, and education in security jobs that would prepare the cyber security officer for a highly paid cyber security officer position in an international corporation.
Based on the research, you may come up with the idea of a “four parallel lines” approach to career development. These are items that should be integrated into the career development plan:
• Money—How much do I want, and by when, to meet my goals?
• Position—What cyber security positions pay me the money I want to meet my goals based on my timeline of goals?
• Education—What are the education requirements for each position I want to get?
• Experience—What are the experience requirements for each position I want to get?
The cyber security officer’s goal should be to be the most qualified person for each position in the cyber security officer’s profession.
Also during research, the cyber security officer may find that to be the best cyber security professional requires one to have knowledge, education, and experience in areas other than cyber security, including:
• Business
• Investigations
• Technology
• Dealing with people
• Communications skills
• Management
• Writing
• Project planning
• Public speaking
• Major foreign language or languages

Education

There are two different approaches that some cyber security officers have used:
• They began with a technical education such as a degree or degrees in computer science, mathematics, or telecommunications. Because of their degree, or probably some related cyber security experience, they were chosen or volunteered to be the company’s cyber security officer.
• They began with a general degree such as business, security, criminal justice, or liberal arts and eventually, somehow, found themselves in the cyber security officer position. And once in that position, they liked it and decided to stay in the cyber security officer profession.
In today’s environment, a college degree with a major in computer science or telecommunications is one of the best ways to start a cyber security officer career. An alternative is to major in cyber security. As colleges and universities see the demand for such subjects, they will offer more cyber security courses and programs. As the need for cyber security grows, more universities and colleges will begin to offer majors in cyber security.
An alternative to a college or university is a technical school that offers cyber security-related specialized programs in various aspects of the computer and telecommunications functions. This training usually offers hands-on experience and may provide a faster avenue into the cyber security profession. Also, many colleges and universities offer certificates in a specialized cyber security officer-related field such as local area networks and telecommunications. These courses can also be applied to the degree program, but check with the college or university to be sure. Those who choose the technical training path should still pursue a college degree that will enhance promotion opportunities in the cyber security officer profession.
Education, whether technical or academic, provides the future cyber security officer with an opportunity for more cyber security officer positions.
In today’s marketplace, the need for experience coupled with advanced degrees and certifications has increased. It has increased to the point at which all your education, experience, and certifications only get you through the first resume filtering process. It is the interview that will get you the job.
What else can one do to prepare for such a position and also maintain a working knowledge of all that is associated with and needed to be a cyber security officer? These include knowledge gained through:
• Conferences and training classes;
• Networking with others in the profession;
• Using trade journals and magazines to learn more;
• Experience, which is always a good trainer;
• Certifications—knowledge gained studying for certifications; and
• Joining associations and attending their meetings, where information can be gained.

How to Market Yourself as a Cyber Security Officer

Work is a responsibility most adults assume, a burden at times, a complication, but also a challenge that, like children, requires enormous energy and that holds the potential for qualitative, as well as quantitative, rewards.
Melinda M. Marshall4

Sometimes a cyber security officer will have some conflicts when it comes to seeking out a new position instead of staying a “loyal company employee.” There should not be any such conflict, because in today’s business world, it seems that it is seldom that the corporation is loyal to the employees, so why should the employees be loyal to the corporation?
If you are happy doing what you are doing and would like to do the same thing for the rest of your life in the same company, then do it. However, one word of caution—in today’s corporate world, no position seems to last forever, and it appears that today’s corporations do not want their employees to stay forever. So, it is always better to be prepared by having a backup plan in the event you are notified that your services are no longer wanted.
Also remember that it is easier to find a job if you already have a job. So, the best time to find out your worth as a cyber security officer is to look for advancement opportunities or lateral opportunities for other cyber security positions while you are still employed. If nothing else, the employment interviews will keep you in practice and help you fine-tune your interview skills and your personal portfolio.

Interviewing for the Cyber Security Officer Position

Congratulations! Your resume has finally made it through the filtering process and you are being asked to appear for an interview. You will probably find that cyber security officer positions are very competitive, with talented cyber security officer professionals competing against you for each of those positions. So, you must be prepared. As with most job interviews these days, you will probably be subjected to a series of interviews consisting of members of the human resources department, information systems organization, auditors, and security personnel.
Don’t be nervous, but this interview is what will put you back on the road to cyber security officer job hunting or offer you the challenges of the new cyber security officer position. So, you must be prepared!
There are many books on the market telling you how to interview for a position. They offer advice on everything from how to dress to how to answer the “mother of all interview questions”—What are your salary expectations?
It is not the purpose of this book to help you answer those common interview questions. It is assumed that you will have read those books, and that you have prepared and practiced for the upcoming interview. The purpose of this section is to show you how you may be able to separate yourself from your cyber security officer competition.
You have probably already interviewed more times than you care to admit. In all those interviews, you probably, like your peers, walked in wearing dark, conservative business attire, neatly groomed, and prepared to answer any question thrown at you. The question is, what separated you from your competitors? What was it that would make the interviewers remember you and choose you above the rest?
You probably answered most questions in the most politically correct way, for example, “What is your major weakness?” Answer: “My major weakness is that I have very little patience for those who don’t live up to their commitments. When someone agrees to complete a project by a specific date, I expect that date to be met unless the project leader comes to me in advance of the deadline and explains the reason that date can’t be met. I believe in a team effort, and all of us, as vital members of that team, must work together to provide the service and support needed to assist the company in meeting its goals.”
Will that answer to that question be considered a weakness or strength by the interviewers? Probably a strength, but that is how the game is played.
Many interviewees have “been there and done that” but still didn’t get the position. Why? Maybe because our answers “float” in the interview room air. They hang there mingling with those of the other candidates before us and will be mingling again with the candidates that come after us.
The only real, lasting evidence of the interview is what was written down by the interviewers and what impressions you, the prospective cyber security officer, left in their minds! Many of the interviewers are “screeners,” human resource people who have no clue as to what cyber security is all about. They are there because we do teaming today. We operate by consensus. So, getting selected may be much more difficult.
So, you need one thing—one thing that will leave a lasting impression on the interviewers. One thing that will show them you have the talents, the applied education (that’s education that you gained in college and other places and something that you can actually use in the business world!), the experience, and the game plan. You’ve done it! You’ve been successful in building a cyber security program before, and you will be successful again. You can prove that you can do it because you have your cyber security officer portfolio!
The next question that the reader may ask is, “What the heck is my cyber security officer portfolio?” You probably have seen movies in which the models show up at the model studio or movie studio and present a folder containing photographs of themselves in various poses. No, sorry—your photo will probably not help you get the cyber security officer position—but think about it. They took with them to their interview physical evidence in the form of photographs, meant to prove that they were the best people for the position.
What you must do is develop your own portfolio to take with you and leave with the interviewers—proof that you’ve been there, done that. You are the best person for the position. It’s all there in the portfolio.
Your cyber security officer portfolio is something you should begin building as soon as you begin your first cyber security officer job or before. It should contain an index and identified sections that include letters of reference, letters of appreciation, copies of award certificates, project plans, metric charts you use for measuring the success of your cyber security programs, and, probably most important, your cyber security philosophy and cyber security plan outline that you will implement as soon as you are hired.
The cyber security plan is probably the most important document in your portfolio and should be the first page after your index. All the other documents are just proof that what you plan to do, you’ve done before.
In the case of someone who has never been a cyber security officer, the prospective cyber security officer can build his or her cyber security plan and cyber security portfolio from the information provided in this book. Build it for an imaginary corporation.
The next question that may arise is, “If I never worked there, how do I know what I should do if I get hired?” Again, go back to doing some research. Remember that if you really want this job, you have to work at least as hard to get it as you will once you do get it.
Your first stop should be the Internet. Find out about the company. Some information that you should know is:
• When was it started?
• What are its products?
• How is the company stock doing?
• Where are their offices located, etc.?
You should also stop by the company and pick up an application, any company brochures available, their benefits pamphlets, etc.
You should study the information, complete the application, and place it in your portfolio. After all, if they decide to hire you, you’d have to fill one out anyway. You should go into the interview knowing as much if not more about the company as the people interviewing you. This is invaluable, especially if you are interviewing for a senior-level position. These interviews will undoubtedly include members of the executive management. Your ability to talk about their company in business terms with an understanding of the company will undoubtedly impress them and indicate that you are business-oriented.
All your answers to the interviewers’ questions should be directed to something in your portfolio. For example, if they ask you how you would deal with downsizing in your department and what impact that would have on your ability to adequately protect the company’s information and its related systems, how would you answer?
You should be able to direct them to a process chart, a metric, something that indicates that you have done it before, or that you have a business-oriented approach to dealing with the issue.
If you have not done it before, write down how you could, and would, perform these functions, assess the cyber security program, etc.
The portfolio can work for any new cyber security officer in any company. The following is a sample portfolio outline, which can be used as a guide by a new or experienced cyber security officer. In this case, it is the cyber security officer applying for the cyber security officer position. It’s up to you to fill in the details. Many of the ideas of what to put in your cyber security portfolio will be found in this book.
You will note that the prospective cyber security officer applying for the corporate position has done the research necessary to tailor a cyber security program for the corporation. The beauty of building this type of portfolio is that it seems specific, and yet it’s generic.
The cyber security officer should also practice interviewing skills. The resume or personal contacts may get you the interview, but the interview will get you the job. Before any interviews, and during the interview, you must do the following:
• Learn all you can about the potential employer;
• Read and learn from books, magazines, and the like about interviews and proper clothing to wear;
• Prepare answers to typical questions that will be asked, and practice answering them without seeming as though the answers were rehearsed;
• Develop and maintain an updated work portfolio;
• During the interview always refer to “we” or “us” instead of “I” and “you” as much as possible, so it seems as if you already have the job and are just briefing fellow employees; and
• Refer interviewers to your portfolio in answering their questions.
The following is a fictional scenario of one individual’s cyber security job hunt:
The cyber security officer established a career development plan as a formal project plan with an objective, goals, milestones, and tasks. The project plan helped the cyber security officer focus on career progression, and also that focus made it easier not to get sidetracked and waste time on matters that did not lend themselves to meeting the project plan milestones. The cyber security officer continually updated the plan. At the end of each calendar year, the cyber security officer would analyze the progress in meeting the plan goals and objective. Regardless of whether the plan progressed ahead of schedule or behind schedule, the reasons for the change were noted and lessons learned. Then the updated plan would be used for the next year.
Over the years, the cyber security officer developed a portfolio. In the portfolio, the cyber security officer maintained a plan that would be continually updated and used during all interviews, with extra copies available for the interviewers, and the cyber security officer successfully used it for the corporation.
When others went through the interview process answering the interviewers’ questions, their responses were lost in the air like smoke; however, this cyber security officer’s thoughts, experience, education, plan for a cyber security program, and other information relevant to meeting the corporation’s needs were down on paper and could be referred to by the interviewers.
This portfolio also indicated a person who was organized and came in with an action plan. Furthermore, since this cyber security officer researched the corporation prior to being interviewed, the cyber security officer was intimately familiar with the corporation and even offered some information about the corporation that was new to some of the interviewers.

Becoming a Cyber Security Consultant

If you wish to succeed, consult three old people.

Chinese Proverb

To be in any type of profession working for oneself takes a special type of personality to succeed. After all, there is no one to continue to pay you when you are on vacation, no benefits that you don’t have to pay for, and if you decide to just hang around the office and not work, you won’t get paid for that, either. There is no safety net, no paid time off when sick. No work—no pay. For the independent consultant, the old saying “time is money” is certainly true. In addition, there is a constant need to maintain contacts (potential customers) and keep up with high technology, and of course there is the almost constant travel.
Some cyber security officers and managers may have the connections and believe that they are well thought of as cyber security professionals, called upon to lecture at conferences, assist clients with their cyber security needs, and the like. However, those who do so as members of a large firm, such as a large accounting–consulting firm, believe that it is they who draw clients to them for help, when in fact that is usually not the case at all. It is usually the large corporate name that brings these clients to the cyber security person.
Some cyber security managers and technicians don’t realize this fact. Then when they decide to go out on their own as cyber security consultants, they find that what they thought was a great client base on which to build their business trade turns out to be the client base of their former employer, and those clients aren’t switching to the new firm. Furthermore, there are legal and ethical matters relating to “stealing” clients away from a former employer. When the shock of this fact hits them, they find themselves scrambling for clients.
Some advice for those who may be ready to take the cyber security consulting plunge: Be sure that you objectively inventory your skills and potential client base, and also have at least two years of your current salary (including funds for equivalent benefits) safely in the bank. That emergency fund will provide a year or more of income as you grow your business. If nothing else, it will provide a good emergency fund for some lean times or for the times when you will want to take a break for a week or two and go on vacation. After all, you have to pay for your own days off now. Oh, and don’t forget insurances such as “errors and omissions,” also known as professional liability insurance, general liability, and worker’s compensation.
Some clients require proof of some or all of these policies before you set foot in the door. With all that said, if you have the education, experience, business sense, and personality to handle being out on your own, it does offer its own rewards.
These rewards include setting your own schedule and hours, being your own boss, vacationing whenever you like, doing it your way—but wait a minute, that’s not completely true.
Your hours will be set by your workload and your clients. You will be able to do the work pretty much your way, but doing only the work that meets the clients’ needs. And vacations can be cut short by an urgent client need. You really can’t afford to postpone an urgent client request, as you risk losing the client to a competitor. Payments from clients may be slow in coming and they may be shocked by their bill for services rendered, causing you to negotiate or get your lawyer to negotiate for you. That means additional costs if you can’t get your lawyer’s costs ported over to the clients. However, one thing is certain: When such issues arise, you may eventually get your money, but you will probably never do business with that client again. How many clients can you afford to lose?
Being a cyber security consultant looks great on paper and it may do your ego good, but after a while the real world takes over. It’s a tough life and not for the faint at heart. So, before you think about it, be sure you have a good business plan and one that is done objectively. Also, be sure you can support yourself and your family without work for extended periods of time. Yes, it sounds great, but maybe that salary, those working conditions, and that boss weren’t all that bad?
However, you have successfully worked your career plan and have developed the education and experience over the years that have given you the confidence to think about going out on your own as a cyber security consultant. You have had articles published in magazines, have lectured internationally, and have developed a reputation as a professional cyber security officer. So, you think you are about ready for this career move. If so, you need a plan.
If you decide to become an independent cyber security consultant, the first thing you should do is develop a business plan—before you resign from your current job. Developing the plan may ultimately make you decide that you don’t want to or can’t make it as an independent cyber security consultant. There are many sample business plans available in books and as software programs that can help you get started.
Regardless of how you proceed to develop your cyber security business consulting plan, you must be objective. If you are to assume anything, assume the worst. That way, you will be prepared for the worst-case scenario and will be able to successfully deal with it. Your plan should be looked at as a project plan and, as a minimum, should address the following:
• Your business goals and objectives;
• Why you want to start this business;
• Your education and experience skills and whether they will fit your consulting business—be realistic;
• How much money you will need to begin;
• How much money you have;
• How you will get the money you don’t have but need;
• How you will financially survive when business is slow;
• If you have a family or significant other, whether they will support you;
• If not, whether you might have to decide your relationship–business priorities;
• Whether you are willing to travel the majority of your time—after all, you must go to clients and not them to you;
• What steps you will take to begin the business and the cost for each line item or task;
• Whether you will incorporate your business;
• Whether you know the marketplace—your competitors;
• Whether you offer better services at lower prices;
• Your competitors’ strengths and weaknesses;
• Your strengths and weaknesses;
• A complete competitive analysis;
• A complete market scope;
• Whether you should have a logo and business motto, and if so, what they will be and why;
• Whether you should get a lawyer to assist you;
• Whether you will have copyrighted material, trademarks, and/or trade secrets and, if so, how you will handle those processes;
• Whether you have standard invoices, proposals, confidentiality agreements, contracts, and billing and general business processes and forms in place and ready for use;
• Whether you have trusted cyber security specialists available to support your contracts as subcontractors (after all, you can’t be experienced in everything);
• How you will obtain business;
• How much you will charge for what work; and
• Whether you are aware of the laws and regulations that affect you doing business.
These are but a few of the many questions that you should answer before making the plunge into the cyber security consulting services business. Remember also the guiding principles that you should employ:
• Confidentiality;
• Objectivity;
• Professionalism;
• Respect;
• Integrity;
• Honesty;
• Quality;
• Efficiency; and
• Client focus (“we”).
Once you have your business plan in place and have decided to become an independent cyber security consultant, your plan should provide you with a step-by-step approach to getting started.5 Let’s break down the cyber security consulting business into sections:
• Engagement setup
• Engagement process
• Assessment services
• Advisory services
• Security implementation
• Augmentation
• Legal issues
• International aspects

Engagement Setup

To begin, you need an “entry into the business” strategy. You must have established and continue to refine your information network (trusted contacts within your business arena who can tell you what is going on where, etc.). You must also use other sources to find your potential customers—or clients, as some like to call them. Such other sources include referrals and marketing through brochures, pamphlets, lectures, books, articles, and your business website. It also includes “cold calling” potential customers and explaining to them what services you offer.
Once you have made contact with a potential client, you must clearly and precisely communicate your services; you must “find their pain” and explain how you can help solve their problems. Try to make this a question-and-answer session in which a dialog takes place. You should also use the opportunity to explain your experience by citing examples of your past services to clients, without providing specific names, of course.
Assuming the meeting went well and they ask you for a proposal, you should provide one in the most expeditious manner possible and be sure that you understand: Each client requires a different approach depending on the size of the client—small, medium, or large organization—as the scale, tactics, and strategy will vary with each. In the proposal you should be precise; include a project schedule with logistics requirements, roles, and responsibilities (for both you and your client); and address liability issues. Other matters to consider are:
• Understand who you are dealing with and be sure to get to the right level of authority to make decisions that affect your work;
• Identify their needs as specifically as possible;
• Understand their budget (size and cycle);
• Get the “big picture”;
• Be sure you have a clear understanding of their expectations and your deliverables, before leaving the potential client;
• Determine any time factors that they want to consider; and
• If needed, exchange encryption keys so correspondence can be done in private.
As part of your engagement setup, you should have a specific written proposal prepared, as well as one in the standard format you have developed. Both should be on your notebook computer so that they can be modified immediately to fit the situation. If you believe your specific written proposal is just right for your potential client, be sure to have several hard copies available to present to the potential client. The proposal, as a minimum, should include:
• Proposal structure,
• Work to be performed,
• Project schedule,
• Timing and fees,
• Roles and responsibilities,
• Assumptions and caveats,
• Legal issues.

Engagement Process

Once you begin, remember to document everything, including:
• Time and dates,
• Whom you spoke to,
• What was said,
• Any action items resulting from the conversations,
• Tasks you completed and their time and date,
• Notable events that occurred, and
• All other matters that can be used to support your activities, position, time spent, and the like.
More than one consultant has performed work based on conversations with a client’s employee, only to find that the client balked at paying for that work because they considered it unauthorized: the person had no authority to direct a consultant to perform that function. It is imperative that you and the client both have a clear understanding of what is agreed to, when it will be accomplished, proof that it was accomplished, and the fees relative to completing the work.
Notes help when discussing the work performed and especially in dealing with the billing process. An excellent technique to use during the engagement management process is to monitor the progress of the engagement on a daily basis. Constantly communicate the progress (or lack of it) to the client and explain why there are delays. If there are delays due to a fault on the part of the client, inform the client of the impact to the engagement and give choices such as:
• Ask for additional funding,
• Abbreviate certain tasks, or
• Eliminate certain tasks.
This technique helps avoid unpleasant surprises and misunderstandings. It’s a “we” mentality. You approach your counterpart project manager and say “Joe, we’ve got a problem. The project is behind because of this, this, and this. How do you think we can fix this?” If the project is screwed up, Joe has just as much to lose politically as you do monetarily. If there is a debate as to why things aren’t going well, the events are fresh in everyone’s minds and it’s easy to sort out and correct or compensate. A common mistake is to wait until near the end of the engagement, when things are way behind schedule, to inform the client, thinking that somehow everything might work out. At best, this sours the client relationship; at worst, it ends in court, arguing over who did what when.
If there are delays due to your own performance or lack of planning, work extra hours and accept the loss. Do whatever you have to do to meet the objectives of the proposal, and don’t complain about it. Make careful notes as to why you miscalculated or undermanaged the engagement, and use that knowledge when writing your next proposal.

Assessment Services

You may want to break your services into various groups. One group may be “assessment services.” This should have been decided as part of your business plan. These services include such things as penetration testing and security tests and evaluations of software and systems, and they may include supporting documentation analyses. Also included may be technical security countermeasures, audits, and risk assessments.

Advisory Services

Advisory services, also previously considered as part of your business plan, include the following:
• Technical design review;
• Policies, procedures, and guidelines;
• Security change management;
• Systems and network security; and
• Security architecture.

Security Implementation

The services to be considered, based on your expertise, of course, include ensuring that products to be installed on systems don’t make the systems and networks more vulnerable and that any security software meets the needs of the business and operates as advertised. Again, be sure to document everything.

Augmentation

Augmentation services may include such things as termination surveillance and assisting in client investigations of employees, such as computer forensic services. You may also be requested to respond to incidents. If so, this should be addressed in your contract, along with the billing for such responses, which often seem to happen after midnight.

Legal Issues

Legal issues may arise as to your authority in conducting or assisting in high technology crime investigations, as well as issues related to your contract. To avoid legal problems later, it is imperative that all matters be clearly and concisely stated in the contract. The last thing you want is conflicts in contract interpretations, delayed payments, or refusal to pay what you billed the client, not to mention the problem of your reputation, which will follow you (good and bad) from client to client.
Above all, never begin an engagement without a signed contract. Make certain that the person signing it has the legal right to do so for the organization (usually an officer or director).

International Aspects

More and more cyber security consultants are working all over the world and with foreign clients. In dealing with such clients, it is important to:
• Avoid slang and colloquial terms,
• Learn as much of the foreign language and culture as possible,
• Make positive comments on the food and architecture,
• Use local hand gestures and volume of speech,
• Understand the foreign governments where you will be working,
• Understand the latest terrorist threats in the region,
• Explain cyber security terms in local context,
• Avoid complaining about their country or culture or bragging about yours, and
• Avoid political discussions or, if you are dragged into a conversation, remain neutral.

Questions

• Do you have a career development plan?
• Do you keep it current?
• Do you document all your experiences and education?
• Do you keep your resume current?
• Do you have your interview techniques down so your answers seem natural?
• Do you keep a general list of questions to ask during the interview so that you come across as interested in that job and that corporation?
• Do you have a plan to continue to keep up with changes in your profession?
• Do you want to eventually be a consultant?
• If so, are you preparing for that time?
• Do you have a business plan?
• Are you prepared for “feast or famine” times?
• Do you have what it takes to be a consultant?

Summary

Having and keeping current a career development plan, keeping up with changes in the profession, and always being prepared for that next job so that you can compete at the highest possible level take planning and hard work. However, if done right, it is worth the effort as it can lead to your success.

1 Encarta Book of Quotations, © & (P) 1999, Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.; Lord Byron (1788–1824), English poet. “English Bards and Scotch Reviewers” (1809).

2 Some of the information noted in this chapter was excerpted from another Butterworth–Heinemann book, The Manager’s Handbook for Corporate Security: How to Develop and Manage a Successful Assets Protection Program, published in 2003, and coauthored by Gerald L. Kovacich and Edward P. Halibozek.

5 Some of the information provided in this chapter was provided by Steve Lutz, President, WaySecure, a very successful international security consultant and cyber security specialist for decades.
