Information Security Career Trends: Barbara Massa of McAfee
What's ahead for information security professionals in 2010?

Barbara Massa, VP of Global Talent Acquisition at McAfee, Inc. speaks to the results of the new Information Security Today Career Trends Survey, discussing:

How the results speak to the maturity of the information security profession;
The survey's message to CISOs;
The value of recruitment and retention in the year ahead.

Massa joined McAfee in June, 2009. For the 10 years prior to joining McAfee, Barbara led the Talent Acquisition function at EMC and Documentum respectively (Documentum was acquired by EMC in December of 2003.) Barbara's prior work includes leadership positions in the recruiting organization at Cadence Design Systems and at an external recruiting firm.

TOM FIELD: What are the top career trends for information security professionals in 2010? Hi, this is Tom Field, Editorial Director with Information Security Media Group. I'm here today talking about the results of the new Information Security Today Career Trends Survey, and I'm talking with a sponsor of that survey, Barbara Massa, Vice President of Global Talent Acquisition with McAfee. Barbara, it's a pleasure to talk to you again.

BARBARA MASSA: Thank you so much. It's a pleasure to be here.

FIELD: So, I've got to ask you: What is your initial reaction to the survey results that have come in?

MASSA: First and foremost, we were really, really pleased to get an opportunity to participate in the survey. I was really encouraged by the professional development aspect of the results. You know, I think the fact that people recognize the importance of developing skills for these new disciplines, and that companies are willing to provide the funding to do so was a really big step in the right direction. I mean, that was a big takeaway and reaction that I had. And I think, then, secondly, one of the other aspects was the balancing of the risk management and the fraud and forensics aspect. That question that was around the greatest need for future information security professionals -- that was a really interesting area, as I read through this, and the fact that those two areas are almost equalizing with one another, I thought, was very interesting. So, at a high level, those were my two big reactions and takeaways.

FIELD: Barbara, one thing that struck me is that the information security profession really isn't all that old. And yet, as we looked at the results here, you could almost see the evolution or growth, of the profession, which makes me ask you: How do you see these results speaking to what we might call the maturity of the information security profession?

MASSA: That's a great one, and one that certainly I and our Global Recruiting and Talent Acquisition Organization talk about often. You know, the notion of this skill and career discipline area, just as you said -- a few short years ago, information security, even as a definition, really held a different connotation. I think it led to more of the notion of compliance and making sure that you were bringing your company into risk management and compliance and audit aspects. And the fact that now, from a career perspective, there is so much more to an information security professional. You've got fraud and forensics, and you've got, still, the risk management piece of this. You've got application security. There are so many other pieces that now go into this really broad definition of information security. And I think when you even look at the role of the CISO itself, the Chief Information Security Officer. Let's face it: That role, in and of itself, truly didn't exist as an executive leadership position even in as short a time as two to four years ago. So, the fact that you've now got an executive with a firm seat at the table, and now you've got this really much more heavily segmented information security career discipline, as a whole. That really spoke to it. And, you just look at the number of categories of how we define information security, and that shows you the progression of where we started and where we are now. So, it's really, really interesting stuff.

FIELD: I'm glad you mentioned the CISO, because leadership was a significant part of this survey, and I thought it was interesting to see what the respondents said about leadership. So, from your perspective, what's the message for CISOs or for those who aspire to be CISOs sometime soon?

MASSA: I'm certainly not qualified to speak to how they evaluate their threat landscapes for their respective businesses, etc. But in terms of human capital and making sure that they are getting the best and brightest talent to help them meet their ever-growing security issues, I really felt like it was pretty simple. And at the end of the day, it keeps them learning. You know, hire people with a passion for ongoing development and learning, creative problem-solving abilities, and make sure you arm them with the tools, the training and the development required to keep pace in this industry. Again, drawing that parallel back to the evolution, look at the pace with which this career discipline moves from a couple of areas of expertise to now probably eight to 10, even 15 areas of expertise just within the category of information security. So, the fact that CISOs recognized the importance of the ongoing development - and, oh, guess what? - you know, the people that are in these professional disciplines also recognize that, in order to keep pace, I have got to stay ahead of the curve with my development and learning activities. I think that's the big takeaway for the people that sit in these CISO chairs. I kind of put it simply, right? You don't want a shop of mechanics who only know how to fix cars made 10 years ago. You want people who understand current cars on the road, complexities with new technologies, have an eye on new trends, electric vehicles, alternative power mechanisms. It certainly can't be everyone, but those are the types of people they are going to need to run their organizations effectively and usher in the new eras to come.

FIELD: Well, you make a great point there. That's an excellent analogy. One of the things that I have fun with, with a survey like this, is just seeing the patterns that emerge. And it struck me that, no matter what you asked about, whether it was academics or certifications, or priorities in businesses, that there were three topics that kept coming up, from the information security professionals. They talked about risk management, fraud and forensics and application security. It struck me that the topics really weren't surprising. But, what do you think about the point that the professionals themselves kept recognizing these priorities over and over?

MASSA: Absolutely. It's a great point. And I think that it really underscored simply the importance of those priorities, right? I mean, you always look at when leaders and executives highlight and outline priorities, but if there is a disconnect, and the professionals that are in those disciplines don't align or don't see, or don't agree, or, or simply aren't on the same page with those same sets of priorities, you're not going to move in a positive direction forward. So, I think that my very simple takeaway was that it clearly underscored the importance of those three main areas. And, you know, when you are in this industry, you can get lost in the amount of information and trending data that comes at you daily. Right? Our e-mail boxes fill up, we've all got RSS feeds throwing stuff at us by the minute. So, the fact that those priority areas were identified by CISOs, the information security leaders, it's just confirmation that the people that are in these jobs have a good alignment with the priorities. And I think that drawing back to sort of what we talked about at the outset of the conversation, the fact that now the notion of risk management, kind of more of that audit and compliance, I think that that came in at about 60 -- or that was about 70 percent -- but what I would term as the more proactive measures -- fraud, forensics and that sort of work -- that's almost now equalized. So, you know, the whole notion of being very proactive against the threat landscape versus the reactive measures, that was a real standout to me there. That now we are looking at almost an equal priority level, which was a very good sign.

FIELD: In a survey like this, I always look for the items that surprise me. And I guess, at the outset, I had always listened to people that said in tough economic times, the first thing that gets cut is a training budget. And yet, what we found in the survey is even in the toughest times that many of us have seen in many years, organizations are still paying for professional development. What does this say to you, in terms of recruitment and retention at these organizations?

MASSA: Really, really positive indicator. I think we'd all agree that, globally, we are certainly in the most challenging economic timeframe we've ever faced, right, certainly in our own career landscape. And with budgets getting tighter and tighter and tighter, and security being more and more and more important, it was encouraging that the recognition by the leaders of these organizations and institutions recognize that we've got to make sure that we do the absolute most with the people that we've got. Right? And, this is such an important discipline, and important issue for the organization or institution, keeping our information secure, our organization secure, our customer secure, etc. That the people who hold the keys to your success -- our success, your company's success, ultimately your customer's success -- feel supported in their endeavor for learning. And so, it was a good confirmation that organizations have, in fact, recognized the importance of that. Because, at the end of the day, you have a much, much higher retention rate, and it's no secret that a highly engaged workforce is the most productive and highly retained workforce you can get. In order to get highly engaged employees, you've got to feel valued and supported, recognized and ultimately see a path for ongoing professional development. It's really easy to say, but it's complex to ensure you pull it off right. And when companies do pull it off right, you've got a highly engaged employee -- those are the people that are going to stay with you much longer. And having companies ensure that funding for those learning and professional development initiatives was a really positive indicator. And I think they will certainly bear the results of that good fortune as we kind of come out of this economic downturn, when more and more opportunities are out there and available. 
Companies that have taken the time to invest in their employee population, and given them those good learning and growth opportunities, those people are not going to be as inclined to go look for that next best thing. If they've got it right there, within their own walls, and they feel valued, and are highly engaged, they're not going to think about going anywhere else.

FIELD: Well, that's an excellent point, and I hope that's one of the points that we uncover in next year's survey.

MASSA: I hope so, too, that would be excellent.

FIELD: Barbara, I've got one last question for you, and it turns out, ironically, it's the last question that we asked of the respondents in the survey, and that is: What do you see as the biggest information security career challenges in the year ahead, 2010?

MASSA: Great question. And this is actually one that, in my role here at McAfee, I have an opportunity to talk to many, many, many new people coming in to the organization, and lots of folks across our customer and partner landscape, and certainly our own employee population. And, you know, first and foremost it is simply keeping pace. The fact that resources have been more constrained across the board, more is on everyone's individual plate, we've clearly seen, as a result of these survey results, that keeping their educational and professional development is critical to their continuing on in this career discipline, and staying marketable and in demand, and ensuring they are meeting their employer's needs, etc. And really the biggest career challenge is managing it all -- finding enough time in your day and in your week to prioritize learning activities and development activities, balancing that with your day to day deliverables and initiatives. Again, it's one of those things that on paper is easy to say, but we all know how busy we get in a day. So, that's really what, as I talk to people in my role, they certainly echo as their biggest challenge ahead. Just keeping pace and keeping that development moving as fast as the threat landscape does.

FIELD: Barbara, great insight. I appreciate your time and your analysis of this today. I know there is a lot to talk about here, but I think that we've captured some key points.

MASSA: Great. Well, it's been our pleasure to participate, and I look forward to ongoing discussions.

FIELD: We've been talking about the Information Security Today Career Trends Survey. We've been talking with the sponsor of the survey, Barbara Massa, with McAfee. For Information Security Media Group, I'm Tom Field. Thank you very much.
