What Does It Take to Make a Good Information Security Professional?
Jason Andress, Ph.D., CISM, CISSP, GPEN, ISSAP
 
I was having a discussion with someone the other day on what it takes to be a good information security professional. Looking at the problem from a high level, we might say that it takes a certain amount of technical aptitude, a moderate level of computing and networking knowledge, and, if we measure against other industries, what might be considered to be an unhealthy level of curiosity. To fill more advanced positions, we might look for specific security knowledge, but often security professionals cross over from other computing and network-related areas and have a background in areas such as development, system administration and networking.
 
One of the other main factors that I often find lacking in such discussions, however, is drive. The burning need to be learning, digging at a problem, building new things, sharing with others, taking things apart, and generally staying in motion and continuing to develop. The vast majority of the really skilled security professionals that I know are firmly in this group. These are the folks that I see presenting at conferences, working on open source security tools, and spending their own time and money to go to school. They do these things not because anyone necessarily demanded that they do these things, but because they saw a need, they love what they do, or they just wanted to improve themselves and their skills. These are the people with whom I want to work.
 
As a metaphor for the security professional, I would point you to the shark. Certain sharks, like the great white, will suffocate and die if they stop swimming. These sharks need to continually force water through their gills in order to breathe, so they really can never stop moving. So to all you security folks out there, keep swimming.
 
Read Jason Andress’ recent Journal Online article:
“Building Information Security Professionals,” ISACA Journal, volume 1, 2014

Comments

Interesting

I must agree with your points. Continuous learning with the zeal to break new ground is a great ingredient of success in any career, especially in IT Security. Just as the saying goes: the day a man stops learning, he starts to die.
Gadnus at 2/11/2014 2:18 PM

All Good Points, but missed one

Jason, I agree with all of your points here: aptitude, technical skill, drive and curiosity are all key to making a good information security practitioner. However, I think you missed one key element to being an information security professional: relationship management, or knowing how to relate to their customer's needs.

Many information security professionals work in industries that don't sell information security as their primary product. Example: Joe is an information security manager in the IT department for Acme Widget company. Joe has to gain not only a strong understanding of information security (technology, threats, trends, standards, appropriate mitigation activities, etc.), he also has to understand what's important to Acme Widget Company in getting their widgets out to market. Joe has to manage relationships with the operations managers, the marketing team, the C-Staff, etc., all of whom don't see information security as their number one (or even number two) priority. Many will give lip-service that "sure, security is important" but only until it keeps them from getting their product to market.

A good information security professional has to have relationship management skills to effectively understand "business needs" with "security imperatives" and be able to respond to almost any request that could impact information security with, "Yes, we can do that, and here's the tradeoff." Keeping a good relationship with the aforementioned business partners lets an information security professional deliver robust security solutions while being seen as a true enabler and not "the security guy" or worse, a security zealot. 
davidgcarpenter at 2/12/2014 4:45 PM

All Good Points, but missed one

Good point David, and likely a topic that could fuel another entire article. As security professionals, we all need to understand that security is there to support the business and not the other way around. We need to do our absolute best not to say no to the people that we provide services to, but to find a way to influence them in the direction of better security practices. Saying no will only have them doing things without consulting us at all since "security always says no".
Jason Andress at 2/19/2014 11:32 AM

Interesting

Thank you for the feedback, Gadnus.
Jason Andress at 2/19/2014 11:33 AM

Re: What Does It Take to Make a Good Information Security Professional?

I truly believe that a good Information Security professional has to be an all-round player who can take a holistic Enterprise Risk Mgmt. view and can deal with different angles, not just one Information Security function. If s/he has technical, business, risk, audit, international skills, people skills, leadership skills, and different regulatory/vertical experience, that will be great. I dealt with CISOs with numerous backgrounds in the past. When I dealt with a CISO who only has a cybersecurity background, his mindset was that Cybersecurity was prior to Enterprise Security. I believe that Cybersecurity should be a part of Enterprise Security. AM
amurana at 2/24/2014 6:15 PM

To be a truly competent professional, you need also to be ethical

On the way to acquiring education qualifications and professional status, we are taught, and required, to be technically efficient, to meet the contract, to be economically viable, and to deliver a good job. This your article succeeds in covering, and I agree. But I think, as I pointed out in my article about Computer Ethics (Vol 2, posted 4/3/2014), trust by and fairness to clients and employer are just as important, if not more, as technical competence and economic acumen. And there can be no trust and fairness if you don't adhere to ethical principles in conducting an audit. I'd say a true professional must be well equipped with the required esoteric knowledge and skills as well as a real appreciation of ethical principles and the willingness to follow these principles.

Wanbil Lee
Wanbil622 at 4/3/2014 11:56 AM

Skills

Interesting article. I think the characteristics listed here could be good qualities for any IT professional since they are relatively general.

You also mentioned "One of the other main factors that I often find lacking in such discussions, however, is drive. The burning need to be learning, digging at a problem, building new things, sharing with others, taking things apart, and generally staying in motion and continuing to develop."

I think this is the key takeaway of the article because it is so essential to keep learning throughout one's career.
JasonY at 6/5/2014 6:41 AM