Kerry Anderson, CISA, CISM, CRISC, CGEIT, CCSK, CFE, CISSP, CSSLP, ISSAP, ISSMP
“I am an information security practitioner, not an information security professional.” There is a profound difference between the two. A practitioner is defined as “one who practices something, especially an occupation, profession or technique.” A professional is defined as “a skilled practitioner; an expert.”1 The principal differentiators between the two terms are the degree of experience and knowledge. In an ideal situation, practitioners would progress from one level to another after acquiring specific expertise in each successive position or assignment. Unfortunately, developing core competencies is often not a linear process. It may require some proactive effort on the part of the practitioner to gain the necessary expertise for the desired career objectives.
To pursue a career in information security, practitioners need to acquire core competencies in specific areas. The core competencies required for a profession make up its competency model. It is the competency model and its pursuit that distinguish between a novice and an expert within a profession. The acquisition of core competencies is necessary to advance to the next level. This seems fundamental, but may be more difficult to accomplish because of increasing specialization within the information security profession.
An information security practitioner must acquire core competencies to develop a holistic perspective to effectively manage security within today’s global and highly interconnected world. Core competencies develop at different career stages and include not just technical knowledge, but other skills required to become proficient within a profession. New information security specializations require not only strong competencies in core areas to manage the increasingly complex architectures, but acquisition of new competencies to remain relevant.
A map is an excellent model for career development. It provides mechanisms for setting a course and adjusting it as necessary due to unanticipated circumstances. There are four steps in a hypothetical core competency map (figure 1).
This process is reiterative for two reasons. The first is that information security exists within a dynamic technology environment; skills must be renewed to avoid career obsolescence. For example, many of the career options that are in demand today, such as cloud security engineer, did not exist a few years ago. The second reason is that the practitioner also exists within a dynamic environment. Career direction may need to evolve to accommodate changes in personal circumstances, interests or ambitions. Over the last few years, many practitioners have found it necessary to refine their careers.2
The process starts with determining one’s current career location. The basic premise is that people need to know where they are now to figure out how to get to the desired destination. Evaluating competency levels is critical. For newcomers to the security profession, this may be clear-cut; however, for individuals who are experienced or those making a career shift, this may require some time to determine the current mastery of specific core competencies.
Individuals should devote some time and thought to determining where they see themselves going over the next five to 10 years by considering tough questions about interests, personal temperament and career challenges desired. This step often requires research to evaluate career options, including:
This step has two tasks. The first is to determine one’s existing skill set and experience. The second is to develop a strategy to acquire the proficiencies needed for the desired career objective. The aim is to be prepared to take up career opportunities when they emerge. To quote Benjamin Disraeli, “One secret of success in life is for a [person] to be ready for [his/her] opportunity when it comes.”3
Task 1: Assess Proficiency
This involves making a determination of competency levels against the proficiencies necessary to move to the next career step. The discrepancy between the existing skill and knowledge level and the suggested proficiency level represents a gap in competency within an area. A simple approach might be to gauge proficiency using years of experience based on four categories:4
These levels indicate the amount of skill or experience a practitioner has pertinent to a specific domain and represent an increase in responsibilities from the entry-level practitioner to the executive/expert professional.5 The information security proficiency realms are identified in figure 2.
Task 2: Strategize How to Create a Proficiency Acquisition Plan
The objective of this task is developing a strategy to acquire the necessary mastery in each proficiency realm to overcome core competency gaps that would prevent the individual from achieving the desired job role. This allows practitioners to concentrate on professional development activities that best suit their career objectives. It is important to understand that there is no single right way to pursue desired skills, experience or knowledge. Developing a personalized plan depends on the experience, training and education of the individual involved. Depending on the job level, career track, specialization and position objective of the individual creating the plan, different proficiency acquisition strategies might provide the appropriate vehicle for professional development. Any plan should:
There are different channels to closing the identified gaps between current and desired proficiency levels. The decision on how to close the gap is based on the individual’s needs and other attributes for the various development alternatives, which include:
Gaining specific expertise, especially in highly technical domains, may require a combination of multiple options to acquire a specific proficiency. Some alternative ways to close the proficiency gap include:
It is critical to assess progress. It is easy to get off course or to lose momentum as the workplace might carry us in unwanted directions. There are a few red flags to career path stagnation including the following:
The economic downturn has negatively affected career development for many, with reduced training budgets limiting the options for professional development. Even in tough job markets, it is essential to remain relevant and current in a chosen endeavor, even if only by reading books or attending low-cost training opportunities. On a regular basis, such as every six months or annually, review progress against the plan and revise as necessary. Core competency development plans need to remain a vital and living document.
What does one make of the colleague with limited skills despite 20-plus years of experience? Some might say, “He has one year of experience repeated 20 times.”16
Core competencies do not remain static, especially in technically focused fields like information security. One must never be finished learning. In his classic book The Seven Habits of Highly Effective People, Stephen Covey describes a habit called “sharpening the saw,” which means to continually learn new things and acquire different experiences.17 It is similar to the Japanese Kaizen improvement philosophy, which describes improvement or change for the better with focus upon continuous improvement of processes. Stephen Covey once said, “Begin with the end in mind.”18 This idea remains true. Information security practitioners and professionals always have the prerogative to adjust their desired career destination, and the core competency model described here can assist in altering the route to that end.
1 Merriam-Webster Dictionary, www.merriam-webster.com
2 Newman, Rick; Rebounders: How Winners Pivot From Setback to Success, 2012
3 BrainyQuote, www.brainyquote.com/quotes/quotes/b/benjamindi130016.html. Benjamin Disraeli (1804-81) was a British statesman.
4 These levels are based on the author’s survey of job postings for information security positions.
5 This model was adapted from the ARMA Records and Information Management Core Competencies (2008), as well as the author’s survey of job postings for information security positions.
6 Vijayan, Jaikumar; “Salary Premiums for Security Certifications Increasing, Study Shows,” ComputerWorld, 9 July 2007, www.computerworld.com/s/article/9026624/Salary_premiums_for_security_certifications_increasing_study_shows
7 Muller, Randy; “15 Top Paying IT Certifications for 2012,” Global Knowledge, January 2012, www.globalknowledge.ca/articles/generic.asp?pageid=3159&country=Canada
8 Gupta, Upasana; “Top 5 Certifications for 2012,” GovInfoSecurity.com, 2 December 2011, www.govinfosecurity.com/top-5-certifications-for-2012-a-4291/op-1
9 Based on the author’s own survey of position postings over the last few years.
10 Bedell, Crystal; “The Renaissance Security Professional: Skills for the 21st Century,” (ISC)2
11 Gartner, “Gartner Warns of a Looming IT Talent Shortage,” 2008, www.gartner.com/it/page.jsp?id=600009
12 Kark, Khalid; Bill Nagel; The Evolving Security Organization, Forrester, 26 July 2007
13 The author has attended more than 50 security-focused events, including five CISO summits, at which the topics of professional development and advanced degrees were discussed.
14 National Security Agency, “National Centers of Academic Excellence,” www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml
15 Tracy, Brian; “One Hour Makes All the Difference,” www.briantracy.com/blog/personal-success/one-hour-makes-all-the-difference/
16 This quote is from the author’s brother. The author found several references to similar quotes, including the recent book Geeks, Geezers, and Googlization: How to Manage the Unprecedented Convergence of the Wired, the Tired, and Technology in the Workplace by Ira S. Wolfe.
17 Covey, Stephen; The Seven Habits of Highly Effective People, Free Press, 1989
18 Op cit, Covey
Kerry Anderson, CISA, CISM, CRISC, CGEIT, CCSK, CFE, CISSP, CSSLP, ISSAP, ISSMP, is an information security and electronic records management consultant with more than 15 years of experience in information security. Anderson has spoken at numerous events and authored articles for industry journals. She is an adjunct professor in Clark University’s Cyber Security Graduate Program (Worcester, Massachusetts, USA).
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2013 ISACA. All rights reserved.