When the cyber storm alert flashes, does your pulse race? Are you ready to do battle on the front lines with nameless, faceless cyber demons like something out of a sci-fi flick?
Is the data center your castle? Are you captain of the guard? Do you double-check every door, window, drawbridge and portcullis? Do you ensure no tailgating at doors, and patrol for sticky notes with passwords?
People have personalities and personalities drive passions. This is where the oft-cited “sock drawer test” comes into play. Is yours neat and tidy? Is each sock without holes or defects? Do you have different socks for different days, all in a row? Or, are your socks a bit of a jumble, but always with multiple back-ups of each type for whatever the day might demand? Alternatively, are you more concerned about how the drawer fits into the chest, chest design and the position of the chest in the room for smooth traffic patterns?
When I present at conferences about career paths, these are the questions I ask security managers to help them find their passion and, thus, career path.
Professionals who are detail oriented—with well-organized sock drawers—are perfect for “captain of the guard” compliance roles. However, those with multiple back-up socks (although a bit jumbled) might feel terribly bored in that type of role. Instead, they want to grab the right socks for the challenge and head out to fight the cyber threat.
Other professionals have “been there, done that” with their sock drawer. They want a new challenge—they want to “tackle other drawers,” i.e., learn about managing risk in other functions within IT. Moreover, they want to understand how the whole chest of drawers fits into the layout of the room to make it easier to achieve the room’s overall objectives.
There are many paths to career success, once you understand your passion.
For the “do battle” (back-up socks) personality, your path lies along deeper and deeper knowledge of the enemy’s attack plans and your defenses. Every new virus and botnet approach is a growth opportunity for you. You might also stretch your external threat knowledge to internal malicious actors, including organized crime attacks. To grow, you’ll find it helpful to attend technical educational programs.
For the guard (neatly organized socks) personality, your path lies more along broader knowledge of types of compliance and readiness. For example, you’ll want to learn about “full stack” controls, beyond just database controls, or about release or change management controls. Learning about the breadth of the COBIT framework can help here. Or, you might move into the business controls and compliance space, learning about industry regulation compliance, entirely outside of IT.
For the bigger-picture (chest of drawers) personality, you might expand into broader IT-related business risk management. Then, your path will require seeking job assignments in business analysis and process improvement, finance, project management and other areas of IT. In each area, you’ll learn to manage the IT-related risks to business objectives. To help you grow into this role, you’ll want to study the richness of the Risk IT framework.
Each of these paths (and others) is needed for an IT organization to enable profitable revenue. Your personality will feel more or less comfortable with the required trade-offs. For example, many IT security professionals want to move up to become CISO and then head of IT risk, reporting to the CIO (or sometimes a chief risk officer). Yet, they don’t want to give up being “hands on,” battling with the latest technology, and they really don’t want to learn finance. What path best suits you? Take a close look at your sock drawer and plan your next steps.
Brian Barnier, CGEIT, CRISC
Principal Analyst and Advisor, ValueBridge Advisors