Navigating the Path From Information Security Practitioner to Professional 


“I am an information security practitioner, not an information security professional.” There is a profound difference between the two. A practitioner is defined as “one who practices something, especially an occupation, profession or technique.” A professional is defined as “a skilled practitioner; an expert.”1 The principal differentiators between the two terms are the degree of experience and knowledge. In an ideal situation, practitioners would progress from one level to another after acquiring specific expertise in each successive position or assignment. Unfortunately, developing core competencies is often not a linear process. It may require some proactive effort on the part of the practitioner to gain the necessary expertise for the desired career objectives.

To pursue a career in information security, practitioners need to acquire core competencies in specific areas. The core competencies required for a profession make up its competency model, and it is the pursuit of that model that distinguishes a novice from an expert within the profession. Acquiring the core competencies is necessary to advance to the next level. This seems fundamental, but it is becoming harder to accomplish because of increasing specialization within the information security profession.

An information security practitioner must acquire core competencies to develop a holistic perspective to effectively manage security within today’s global and highly interconnected world. Core competencies develop at different career stages and include not just technical knowledge, but other skills required to become proficient within a profession. New information security specializations require not only strong competencies in core areas to manage the increasingly complex architectures, but acquisition of new competencies to remain relevant.

The Core Competency Map

A map is an excellent model for career development. It provides mechanisms for setting a course and adjusting it as necessary due to unanticipated circumstances. There are four steps in a hypothetical core competency map (figure 1).

Figure 1

This process is iterative for two reasons. The first is that information security exists within a dynamic technology environment; skills must be renewed to avoid career obsolescence. For example, many of the career options that are in demand today, such as cloud security engineer, did not exist a few years ago. The second reason is that the practitioner also exists within a dynamic environment. Career direction may need to evolve to accommodate changes in personal circumstances, interests or ambitions. Over the last few years, many practitioners have found it necessary to redirect their careers.2

Step 1: Determine Current Career Path

The process starts with determining one’s current career location. The basic premise is that people need to know where they are now to figure out how to get to the desired destination. Evaluating competency levels is critical. For newcomers to the security profession, this may be clear-cut; however, for individuals who are experienced or those making a career shift, this may require some time to determine the current mastery of specific core competencies.

Step 2: Decide on a Medium- to Long-Term Career Goal

Individuals should devote some time and thought to determining where they see themselves going over the next five to 10 years by considering tough questions about interests, personal temperament and career challenges desired. This step often requires research to evaluate career options, including:

  • Informational interviews
  • Labor projections
  • Job trend predictions
  • Survey of job postings to determine common position requirements

Step 3: Develop a Plan

This step has two tasks. The first is to determine one’s existing skill set and experience. The second is to develop a strategy to acquire the proficiencies needed for the desired career objective. The aim is to be ready to take up career opportunities when they emerge. To quote Benjamin Disraeli, “One secret of success in life is for a [person] to be ready for [his/her] opportunity when it comes.”3

Task 1: Assess Proficiency
This involves making a determination of competency levels against the proficiencies necessary to move to the next career step. The discrepancy between existing skills and knowledge level and the suggested proficiency level represents a gap in competency within an area. A simple approach might be to gauge proficiency using years of experience based on four categories:4

  • Entry-level practitioner—Three or fewer years of information security experience
  • Mid-level practitioner—Four to seven years of information security experience
  • Senior-level practitioner—Eight to 10 years of information security experience
  • Executive/expert professional—More than 10 years of information security experience

These levels indicate the amount of skill or experience a practitioner has pertinent to a specific domain and represent an increase in responsibilities from the entry-level practitioner to the executive/expert professional.5 The information security proficiency realms are identified in figure 2.

Figure 2

Task 2: Strategize How to Create a Proficiency Acquisition Plan
The objective of this task is to develop a strategy for acquiring the necessary mastery in each proficiency realm, so as to overcome the core competency gaps that would otherwise prevent the individual from achieving the desired job role. This allows practitioners to concentrate on the professional development activities that best suit their career objectives. It is important to understand that there is no single right way to acquire desired skills, experience or knowledge. A personalized plan depends on the experience, training and education of the individual involved, and on that individual’s job level, career track, specialization and position objective; different proficiency acquisition strategies may be the appropriate vehicle in different cases. Any plan should:

  • Identify proficiency gaps between current core competency levels and those essential to attaining the next progressive rung on the individual’s career ladder
  • Provide a communication vehicle for career-planning discussions
  • Offer different options for acquiring the required skills and experience

There are different channels for closing the identified gaps between current and desired proficiency levels. The decision on how to close a gap depends on the individual’s needs and on the attributes of the available development alternatives, including:

  • Costs of the development option
  • Depth of proficiency desired (basic familiarity or different levels of expertise)
  • Time frame to complete
  • Availability of reimbursement or financial assistance from the employer
  • Work schedule
  • Travel to participate in development option

Gaining specific expertise, especially in highly technical domains, may require a combination of multiple options to acquire a specific proficiency. Some alternative ways to close the proficiency gap include:

  • Professional certification—Studies have shown a continuing trend toward higher salaries for certified IT security professionals.6 Different studies have ranked various security-related certifications among the highest-paying IT certifications.7, 8 A requirement or preference for certified practitioners is frequently found in position postings.9 It is no accident that certification appears to be the top development choice for many practitioners, specifically the Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP). Practitioners may want to survey the available certifications more broadly, beyond the best-known options, and consider more focused certifications that match their career objectives and experience. Certifications in governance, secure development, forensics and fraud are just a few of the alternative focus areas currently available that let practitioners target specific career paths. Some certifications offer a growth path by providing additional concentrations on top of the base certification, allowing practitioners to distinguish themselves in a particular security practice area. Some practitioners are electing to combine certifications, such as vendor and traditional security certifications, to differentiate themselves as a “renaissance security professional.”10 Coined by J.J. Thompson, this term describes information professionals who have attained a well-rounded set of skills that includes a variety of business and technical knowledge and experience.
Diane Morello, a Gartner vice president, called this a “hybrid professional.”11 According to Morello, the hybrid professional emerged because the “intersection of business models and IT requires people with varied experience, professional versatility, multidiscipline knowledge and technology understanding.” According to Forrester’s white paper, “The Evolving Security Organization,” the hybrid professional role allows information security practitioners to emerge from the siloed role to become business facilitators.12
  • Advanced academic options—At a number of chief information security officer (CISO) summits,13 participants have discussed advanced academic degrees as a professional development option. In 2003, the US National Security Agency (NSA) and Department of Homeland Security (DHS) jointly created a program to promote advanced academic degrees with a focus on information security.14 Over the last decade, the number and variety of these programs have flourished; however, practitioners should evaluate the different degree programs against their own career aspirations, since some offer a specific focus area while others take a generalized approach to the field. Another option is a graduate degree in business, finance or law, which can define a unique career path. The downside to academic alternatives is that they require a substantial commitment of both time and money. Based on an informal survey of position postings, graduate degrees are increasingly listed as a requirement or preference by employers for more senior jobs.
  • Self-study—Many professional organizations and educational providers offer a myriad of self-study courses and materials. A great deal of material is available online at reasonable cost or free. In addition to these web-based programs, books remain a popular way for practitioners to acquire knowledge. The downside to this option is that it may be hard to document to employers. Motivational speaker Brian Tracy recommends that professionals devote one hour a day to reading.15
  • Enhancing people skills—Information security associates need people skills as a core competency to maintain career momentum and avoid a resume-generating event (RGE). People skills complement technical skills and build credibility with business counterparts. In speaking with senior information security professionals over the last 10 years, a common theme is the need for technically proficient practitioners to develop stronger communication skills, such as selling, negotiation and presenting. While there are many professional courses aimed at these objectives, some practitioners acquire these skills by getting outside of their comfort zones, such as presenting at conferences or teaching courses (internally and externally). Other options include sales training or public speaking groups.
  • On-the-job experience and mentoring—Not all skills come from a book or classroom—sometimes there is no substitute for real-world experience. One of the best strategies for gaining the necessary proficiency is finding a mentor or subject matter expert (SME) to initially shadow and then work closely with to assume a larger part of the tasks required to do an assignment. A good example of this is learning to perform vendor security risk assessments. The apprentice may start out just accompanying a skilled auditor or risk assessor. In future engagements, apprentices may assume different tasks until they are ready to fly solo, with the mentor evaluating their professional competency. This strategy is equally applicable to information security professionals looking to refresh their skills or become acquainted with another way of approaching an assignment. Another excellent option is to assume a mentoring role for another practitioner.

Step 4: Do Regular Status Checks

It is critical to assess progress. It is easy to get off course or to lose momentum, as the workplace may carry us in unwanted directions. A few red flags of career path stagnation include the following:

  • No further development of skills and abilities
  • Being rarely selected for new teams or projects
  • Losing that joie de vivre for the job
  • Not engaging in any career development activity in more than a year
  • Calculating days until retirement

The economic downturn has hurt career development for many, as reduced training budgets have limited the options for professional development. Even in a tough job market, however, it is essential to remain relevant and current in a chosen endeavor, even if only by reading books or attending low-cost training. On a regular basis, such as every six months or annually, review progress against the plan and revise it as necessary. A core competency development plan needs to remain a vital, living document.


What does one make of the colleague with limited skills despite 20-plus years of experience? Some might say, “He has one year of experience repeated 20 times.”16

Core competencies do not remain static, especially in technically focused fields like information security. One must never be finished learning. In his classic book The Seven Habits of Highly Effective People, Stephen Covey describes a habit called “sharpening the saw,” which means to continually learn new things and acquire different experiences.17 It is similar to the Japanese Kaizen improvement philosophy, which describes improvement or change for the better with focus upon continuous improvement of processes. Stephen Covey once said, “Begin with the end in mind.”18 This idea remains true. Information security practitioners and professionals always have the prerogative to adjust their desired career destination, and the core competency model described here can assist in altering the route to that end.


1 Merriam-Webster Dictionary
2 Newman, Rick; Rebounders: How Winners Pivot From Setback to Success, 2012
3 BrainyQuote. Benjamin Disraeli (1804-81) was a British statesman.
4 These levels are based on the author’s survey of job postings for information security positions.
5 This model was adapted from the ARMA Records and Information Management Core Competencies (2008), as well as the author’s survey of job postings for information security positions.
6 Vijayan, Jaikumar; “Salary Premiums for Security Certifications Increasing, Study Shows,” ComputerWorld, 9 July 2007
7 Muller, Randy; “15 Top Paying IT Certifications for 2012,” Global Knowledge, January 2012
8 Gupta, Upasana; “Top 5 Certifications for 2012,” 2 December 2011
9 Based on the author’s own survey of position postings over the last few years
10 Bedell, Crystal; “The Renaissance Security Professional: Skills for the 21st Century,” (ISC)2
11 Gartner, “Gartner Warns of a Looming IT Talent Shortage,” 2008
12 Kark, Khalid; Bill Nagel; The Evolving Security Organization, Forrester, 26 July 2007
13 The author has attended more than 50 security-focused events, including five CISO summits, at which the topic of professional development and advanced degrees was discussed.
14 National Security Agency, “National Centers of Academic Excellence”
15 Tracy, Brian; “One Hour Makes All the Difference”
16 This quote is from the author’s brother. The author found several references to similar quotes, including the recent book Geeks, Geezers, and Googlization: How to Manage the Unprecedented Convergence of the Wired, the Tired, and Technology in the Workplace by Ira S. Wolfe.
17 Covey, Stephen; The Seven Habits of Highly Effective People, Free Press, 1989
18 Op cit., Covey

Kerry Anderson, CISA, CISM, CRISC, CGEIT, CCSK, CFE, CISSP, CSSLP, ISSAP, ISSMP, is an information security and electronic records management consultant with more than 15 years of experience in information security. Anderson has spoken at numerous events and authored articles for industry journals. She is an adjunct professor in Clark University’s Cyber Security Graduate Program (Worcester, Massachusetts, USA).


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.


© 2013 ISACA. All rights reserved.
