Fence or hot tub?
What's It Like To Work In InfoSec?
Caroline Wong, Forbes Technology Council
The topic of cybersecurity has exploded in recent years. As professionals, consumers and individuals, we use technology every day. The software that we use is constantly under attack. We see daily news headlines reporting major breaches that involve our personal information.
In response to this growing need, the demand for cybersecurity professionals is accelerating. The latest research by (ISC)2 (via SecurityWeek) notes that this talent shortage is approaching 3 million globally.
Business leaders and security leaders don’t always see eye to eye.
I like to compare the business decision to invest in cybersecurity to a homeowner’s decision to spend money on a fence or a hot tub. Sometimes you know you need a fence, but you really want a hot tub. You can imagine sipping on your favorite beverage and watching the sunset from your hot tub, and when you think of the fence, well …
So how can business leaders and security leaders get on the same page?
I recommend that security leaders directly ask business leaders about their top priorities and goals for the year. It’s extremely important at this point to listen and learn. Based on this information, security leaders can identify risks that might prevent business objectives from being accomplished and plan accordingly.
For example, a top business priority for a company might be to release a new software platform that enables their clients to manage business workflows online. In this case, both security leaders and business leaders will want to reduce the probability that attackers can stop critical software from functioning. Once they’ve reached this agreement, a security action plan can be funded and delivered.
3. We need diversity.
At this point, it’s a given that diversity improves business outcomes. In fact, according to a study from the Boston Consulting Group (via Forbes), “Companies that have more diverse management teams have 19% higher revenue due to innovation.” This certainly applies to cybersecurity. The people who attack software are diverse, and the people who protect software should be diverse, too.
Pentesting, for example, requires individuals to work as a team while they systematically review an application’s features and components. If these individuals all think the same way, they are likely to discover the same security issues. If, however, they think differently, they are likely to discover different issues, resulting in greater insight into an application’s security.
How can security teams create an environment that embraces diversity?
Hiring managers must strategize beyond simply seeking candidates with X number of years of cybersecurity experience. The most effective security leaders interview new candidates with an intention to discover personas (breaker, builder, trickster, etc.) and transferable skills that can be put to use in a well-rounded team.
4. There’s no standard path in cybersecurity.
I’m frequently asked for my advice on “the best way” to enter the cybersecurity field. The truth is, there is no best way. I host a podcast called Humans of InfoSec, and the whole point of the show is to shine a light on the individuals that make up this field. It’s intended to demonstrate, among other things, that the most successful information security professionals are, just like the rest of us — simply human. Each episode explores the career path of a different cybersecurity expert, and not a single person’s story matches another’s.
If you’re new to the industry or want to get started, I recommend watching online recordings of conference talks (for example, BSidesSF). These videos can introduce you to relevant topics and role models who can inspire your future learning paths.
What’s next for the industry?
It’s a great time to be in cybersecurity. The industry talent shortage means that options exist for professionals who possess and are developing skills in the field. It also means that finding the right people to help you build your cybersecurity program can be challenging.
The people who are going to attack your software aren’t just using technology to do it. They’re also using their smarts, analysis and creativity. We need on-demand human effort to build and defend the software that powers our organizations.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. .