Cybertactix's Enterprise InfoSec Blog

June 7, 2013

The Evolving Requirements for the Role of CISO/CSO

Filed under: Career Skills,Management — cybertactix @ 3:20 PM

If your career strategy is directed towards landing a CISO or CSO role you need to read yesterday’s post on Jeff Snyder’s Security Recruiter Blog. Being a CISO isn’t just about managing the organization responsible for the protection of corporate/customer information; it’s about doing so while being able to contribute to the company’s bottom line AND being able to show the contribution to peers, management and the BoD in terms they understand.


February 16, 2012

Relationships Matter

Filed under: Career Skills — cybertactix @ 10:10 PM

Tonight I got a call from an “old friend” who happens to be a security recruiter.  When I say “old friend” that’s not a precisely accurate statement: we’ve never physically met, only spoken on the phone, and that only for the past couple of years. He just seems like an old friend because we get along so well and I enjoy the phone calls, which are a mix of personal and professional items.  When he called tonight we spoke about his health issues and his children and also about what he has been up to professionally.  While we haven’t known each other long we have built a relationship which allows us to be frank with each other.

Part of tonight’s conversation was about relationships and the soft skills that are required to move ahead at the senior levels in a company; the larger the company, the greater the role soft skills play.  For a security professional a good mix of technology background and security mindset will get you started and certifications will definitely help your career, but eventually you will hit the wall and the only way through it is by having the relationship skills that allow you to open what is otherwise a locked door.  Unfortunately most companies focus all of their training budget and resources on improving technical skills and certifications.  They tend to leave soft skills like relationship building and managing staff aside until you reach a level where they are for all intents and purposes absolutely mandatory.

I recently spoke with another friend who was promoted to a senior (Managing Director) level last year.  He is now heading a security operations unit with a staff of several hundred and was told he has to attend management training.  He shared the pre-class assignment for the first session, a case used by the Harvard Business School.  It dealt with a senior manager who, after two years of running a very profitable division, had some time for reflection and was troubled and wondering if he was doing a good job of leadership.  After reading the case study I saw a number of issues with it, most of which were related to how he was (or actually wasn’t) involved with the people who reported to him.  What really troubled me though was that this assignment, which dealt with the basic “blocking and tackling” of being a manager (i.e. building a relationship with your staff), was the first real management training that this Managing Director was getting from his company.  Don’t get me wrong, the company had provided him with training required to do his job, things like how to fill out the staff review forms and deliver the review and associated compensation information, but they hadn’t taught him the basics of building relationships.  Fortunately for him, unlike many technologists, he was a natural at it.

If you are at all concerned about your career you need to be concerned about your soft (non-technology) skills.  Your ability to work collaboratively with your peers (when you reach senior levels those below you will refer to your ability to collaborate as “playing company politics”) and to build relationships are the keys to the executive washroom.  The technical skills that were important in your role as a technologist become less important in your role as a manager where the key skills include the ability to motivate others, and as a senior manager where you need to get others to work with you and not against you.  For many these skills do not come easily, for me it is a constant task to take the initiative to meet others, shake hands, remember names, and smile but it is necessary in order to move forward in my career path.

And if you are thinking about switching jobs the ability to build relationships is a key factor in continued success.  When you are considering switching take an objective look at your position.  How much of your current success in the role is a result of your technical abilities and how much of it is your ability to influence or work collaboratively with others?  How effective will you be in a new role, division or company without the relationships you built in your current role, division or company?  When you are thinking about investing in your future don’t just think about investing in the more tangible things like technical skills and certifications, think about investing in the intangibles, relationships and the soft skills required to build them quickly and effectively.  Relationships matter!

January 9, 2011

Personal InfoSec Certification: Which 1st?

Filed under: Career Skills,Certification,CGEIT,CISA,CISM,CISSP — cybertactix @ 4:38 PM

One of the questions I often see on the groups I am part of on LinkedIn, and a question I am also asked by fellow InfoSec professionals and auditors is “which certification is easier to pass, CISSP, CISM or CISA?”

BLUF (Bottom Line Up Front): It depends… on what your professional background and experience (or, in some cases, your lack of experience) are.

My background is technical. I provided support for a number of years to banking trading floors, not the open outcry trading pits of the commodities exchanges or the NYSE, rather row upon row of traders with a phone in their hand bent over screens that are constantly flickering as the commodities or stocks they follow change prices and their own “books” (records of the financial positions they hold) are updated to show current value.  In order to keep all of this running (downtime can quickly result in large losses) I had to become a jack of all trades in technology (voice, market data, personal computers and desktop workstations, servers of all types, mainframe communications, and multiple network media and protocols).  Much of my knowledge was picked up on-the-fly from rubbing shoulders with people, usually vendors or consultants, who specialized in each of these areas, interspersed with occasional whirlwind classroom training sessions.

As things got more complicated more staff were needed to keep all of this running, and because of my breadth of knowledge I found myself “managing” the help desk for a large trading floor.  Due to an audit finding I was suddenly “promoted” to Information Security Officer and put in charge of re-building an InfoSec program that had been un-monitored for several years.  As a result I got a crash course in information security, which was an eye-opening experience.  Once the program was on track I turned over BAU to an unwilling associate (her words of “I don’t know anything about information security” were met with a “Steve will teach you” response from management) when the Continuity of Business expert was stricken with a sudden (and ultimately fatal) illness.  When management decided that we needed to have certified staff to show the regulators that we took InfoSec seriously, this experience combined with my technical knowledge gave me the necessary background to be able to pass the Certified Information Security Systems Professional (CISSP) exam.  Over a year prior to taking the exam I took a one week (40 hour) CISSP exam prep course to help me focus on the elements the exam was likely to cover, but seeing as this was the first exam I had written in quite a few years I was hesitant to take the exam.

As part of changes being put in place to meet greater demands from regulators and the marketplace I became more involved in developing compliance monitoring processes and ultimately in helping to develop risk based models for governance.  Moving from a model of “OMG there’s a vulnerability, we have to fix it” we began to focus on “what is the risk, what will it cost to fix it, should we fix it, and what are the compensating controls?”.  This is the essence of risk management, and this, along with a corporate focus on becoming partners with the businesses we supported and understanding/working to meet their requirements, gave me the basis of the knowledge I needed to pass the Certified Information Security Manager (CISM) exam.  Two months prior to taking the exam I took a one week (40 hour) CISM exam prep course to help me focus on the elements the exam was likely to cover.

As a result of all this experience I qualified to be grandfathered into my CGEIT (Certified in the Governance of Enterprise Infrastructure Technology).  The grandfathering process didn’t require me to take an exam, but it did require that I provide ISACA with an essay on my significant experience across the various areas covered by the CGEIT knowledge base.

In December of 2009 I took my Certified Information Systems Auditor (CISA) exam. In preparation for this, starting two months before the exam, I took a 40 hour (5 weekend) course with my local ISACA chapter.  In addition to the course I called on my experience as an Information Security Officer, a role in which I had to detect, assess, report and provide guidance on remediating broken/ineffective processes and technology, then start all over once the remediation action was taken: in essence auditing without calling it an audit.  Because of my experiences it wasn’t difficult for me to master the material, although it did require me to stop and change my mindset somewhat to see all the questions from the point of view of an auditor.

While all of my experience in technology and InfoSec was a huge benefit in taking these exams, it was also a hindrance.  All of my experience was colored by the corporate environment in which I work, by our policies, our standards and our culture.  These were all things which the certifying body can’t take into account when scoring my answers.  The thing to remember when taking any of these exams is that no matter what you think the answer is, the only one that counts is what the certifying body says it is.  During my preparation for the CISA exam I was in a class with a number of seasoned and experienced auditors, some of whom had taken the exam previously but not achieved the passing score.  One told the story of how, when her company mandated that staff take training and attempt the exam, several interns still in college with no audit experience decided to study for and take the exam.  The result: a number of the experienced auditors failed but the interns passed.  Why? Because the auditors’ answers were colored by their own experiences, while the interns’ answers were straight out of the material provided by ISACA without the benefit of any practical, real world experiences.

So before you ask which certification is easiest, perhaps you should ask “which is most appropriate to my current or future role?”; chances are that is the certification that will be easiest for you.

WordPress Tags: InfoSec,Certification,CISSP,CISM,CISA,CGEIT,ISACA
