The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program

The ISSO's Career Development Program

Some questions you may want to ask yourself about an InfoSec career:

• What InfoSec-related career do I want to get into?

• Why?

• What are the qualifications (education and experience) for the entry level, and other security positions?

• What are the positions (specialization) within that profession?

• Are there any that I would like to specialize in?

• Why?

• What are the other positions within the InfoSec profession that I may want to specialize in?

• Can I list them in order of priority, including their education and experience requirements?

The ISSO profession should be researched to obtain the answers to the above questions by:

• Interviewing various ISSO professionals in different types of businesses, nonprofit entities, and government agencies;

• Researching the ISSO profession and its various specialties through the Internet;

• Discussing the profession with representatives from the American Society for Industrial Security (ASIS); High Technology Crime Investigation Association (HTCIA); Association of Certified Fraud Examiners (ACFE); Information Systems Security Association (ISSA); and various training institutes and universities that teach InfoSec-related courses; and

• Reading job descriptions for ISSO positions in the trade journals and newspapers and through interviews with recruiters.

Based on this research, you as an ISSO professional can establish a career development plan beginning at a high level with subsections for education and experience for each position. Let's consider an example. The IWC ISSO knew that one cannot plan for today's job now but one must look at trends in the world, business, high technology, crime, InfoSec, and general security in order to prepare now for tomorrow's InfoSec job. The ISSO wanted to work up the InfoSec professional ladder and have experience and education in as many specialties as possible. The ISSO thought that such an approach would be interesting and would provide a chance to learn as much about InfoSec as possible. Also, the ISSO would become most knowledgeable about the various aspects of the profession and also gain a competitive advantage over others when applying for InfoSec positions. However, the ISSO also set two limits:

• Experiences and education must be relevant to eventually becoming an ISSO.

• Time learning through education, training, and gaining experiences must be scheduled so that the intermediary milestones and ultimate goal could be met.

The ISSO also included the goal of supervisory and management experience as well as experience in the worlds of finance, marketing, sales, accounting, investigations, communications, technology, international travel, and human resources. The ISSO, at age 20, set a goal of gradually gaining increased responsibility, experience, and education in security jobs that would prepare the ISSO for a highly paid ISSO position in an international corporation.

Based on the ISSO's research, the ISSO came up with the idea of a "four parallel lines" approach to career development (See Figure 15.1). The ISSO reasoned that there were four main items that should be integrated into the career development plan:

• Money—How much do I want and when to meet my goals?

• Position—What InfoSec positions pay me the money I want to meet my goals based on my timeline of goals?

• Education—What are the education requirements for each position I want to get?

• Experience—What are the experience requirements for each position I want to get?

Figure 15.1: The four parallel lines approach to career development from the beginning including Individual Retirement Account (IRA) funds and Social Security funds (SS).

The ISSO's goal was to be the most qualified person for each position in the ISSO's career development plan. The ISSO knew that one could not plan for other events such as office politics and any issues related to hiring based on gender or ethnic origin. Other than those issues and in spite of any of those issues, the ISSO wanted to be the best of the best—always.

The ISSO looked at the various corporate InfoSec-related positions and trends indicating what future positions' qualifications might be, and began documenting the education and experience required for each position and their pay range. The ISSO also decided that working in a variety of businesses in various locations would broaden the ISSO's background and would be an additional asset to any firm. The ISSO's goal was to quit working for a corporation as their ISSO at age 55. At age 55, the ISSO would start an InfoSec consulting business and run that until age 62 or 65. At that time, the ISSO would retire with Social Security and other investments as additional incomes.

Also during the ISSO's research, the ISSO found that to be the best ISSO professional required one to have knowledge, education, and experience in areas other than InfoSec, including:

• Business

• Investigations

• Technology

• Dealing with people

• Communications skills

• Management

• Writing

• Project planning

• Public speaking

• Major foreign language or languages

First, and foremost, the ISSO knew that today and into the distant future, the consummate ISSO professional must be technologically savvy. The 21st-century ISSO professional must of course know how to use and protect information technology. ISSO professionals will find themselves working with professionals from many other disciplines to develop and implement methods and InfoSec processes. To be effective, the ISSO professional must possess facilitator skills, team-building skills, and process management skills—and of course also time management skills. The continued emphasis from the business and financial community on cost-effectiveness will drive the ISSO professional to become a more highly skilled generalist as opposed to a specialist, as one climbs the InfoSec career ladder. In addition, financial and accounting skills are a great benefit.

The ISSO also continued to update the career development plan, including preparing now for owning and managing an InfoSec-consulting firm after leaving IWC. In addition, the ISSO knew that learning and gaining new ISSO-related experiences was a lifelong process, as the working environment continues to change too fast to let anyone safely remain complacent with a know-it-all attitude.