"If you do not see the way, you do not see it even as you walk on it." (Zen Koan)

Huddled over a drink at the Appelmans Brasserie (and Absinthe Bar - plus, they have free Internet access) in Antwerp is a good moment to think about one’s past career. (I recommend a different drink when contemplating future plans.)

My “real” career in Information Security started less than a decade ago. At the time, I was hired into a role as IT Security Manager on the grounds of technical expertise. I had had little formal training in IT Security or managerial matters, but figured I was up to the technical side of the job and certainly had very concrete ideas on what needed fixing. Although my university degree is in natural sciences, it has provided me with a good foundation for a career in IT. Yet, at some point I felt that formal qualification of my expertise, knowledge and skill was needed. I decided to acquire a security certification, in particular the CISSP (Certified Information Security Systems Professional).


Even though CISM (Certified Information Security Manager) was not yet available at the time, I’m not sure it would have changed anything. I went for the CISSP certification because it offered the best match for my role and it was the most widely accepted. Plus, from what I had heard among my peers, it was on its way to become a de-facto requirement for Information Security practitioners.

When I started studying for the exam I had two main motives:

• I wanted an independent confirmation and assessment of my skills. In my company, I was seen as the key point of reference for questions on IT and Information Security. I felt an obligation to my employer to verify that my skills matched market best practices.
• I saw a need to improve my employability. I was approaching a point in my career where it would be appropriate for someone else to take over my responsibilities, injecting new ideas and new energy, setting some fresh initiatives where I had seen no priority, and maybe coming back on certain compromises.

Suffice to say, obtaining the CISSP proved to be straightforward. I mean this as an encouragement to all of you who are contemplating taking the test. Go and do it, as an investment in your own future. As the name implies, the CISSP certification is IT Security focused. Becoming a CISSP will not magically turn someone into a security expert, though. CISSP demonstrates you’ve got the basics of your profession right. That’s a lot, but it isn’t everything. Your experience is what will differentiate you.

From technical to managerial