Huddled over a drink at the Appelmans Brasserie (and Absinthe Bar - plus, they have free Internet access) in Antwerp is a good moment to think about oneís past career. (I recommend a different drink when contemplating future plans.)
My ďrealĒ career in Information Security started less than a decade ago. At the time, I was hired into a role as IT Security Manager on the grounds of technical expertise. I had had little formal training in IT Security or managerial matters, but figured I was up to the technical side of the job and certainly had very concrete ideas on what needed fixing. Although my university degree is in natural sciences, it has provided me with a good foundation for a career in IT. Yet, at some point I felt that formal qualification of my expertise, knowledge and skill was needed. I decided to acquire a security certification, in particular the CISSP (Certified Information Security Systems Professional).
Even though CISM (Certified Information Security Manager) was not yet available at the time, Iím not sure it would have changed anything. I went for the CISSP certification because it offered the best match for my role and it was the most widely accepted. Plus, from what I had heard among my peers, it was on its way to become a de-facto requirement for Information Security practitioners.
When I started studying for the exam I had two main motives:
- I wanted an independent confirmation and assessment of my skills. In my company, I was seen as the key point of reference for questions on IT and Information Security. I felt an obligation to my employer to verify that my skills matched market best practices.
- I saw a need to improve my employability. I was approaching a point in my career where it would be appropriate for someone else to take over my responsibilities, injecting new ideas and new energy, setting some fresh initiatives where I had seen no priority, and maybe coming back on certain compromises.
From technical to managerial
As I quickly learned, technical proficiency alone can be deceptive. This will not come as too much of a surprise to those who have ever had any type of security-related role. It helps to be technically proficient (and for a long time that was a basis I could always fall back on), but acting as a technical expert did not get me ahead of the game in my role. Corporations will function or fail on a managerial level and that is true for the security, risk and compliance field as well.
But what can one do to change the perception of security as a technical problem? It has long been my conviction that in order to induce change in others, it is yourself who has to change. As a personal career decision and in order to be successful in my role, I decided to leave technology alone.
This can be surprisingly hard and to be honest, took me several years and one new employer (Iíll leave it to debate whether Iím quite through with it). It implies repositioning yourself and your role within your organization. It can be even harder to suppress your knowledge of solutions (which may still surpass your peersí and subordinatesí) and accept that from now on you will delegate technical problems in order to gain a comparative (and sometimes a competitive) advantage.