Essential Skills for InfoSec Pros
Experts Review Today's Key Requirements

In a recent presentation at the ISC² Congress in Chicago, information security specialist J.J. Thompson, CEO of Rook Consulting, painted a portrait of the "renaissance security professional," spelling out the growing number of skills that security leaders now need.
As security moves out of back-office operations to a more prominent role supporting the business, technology knowledge and skills remain important, but knowledge of other areas, such as business, psychology, marketing and finance, is also critical, Thompson says. That's because today's security leaders need to be able to communicate well with senior executives and department heads and understand business requirements. They must be able to frame security concerns in terms of business risks, he stresses.
For example, making brief, to-the-point and jargon-free presentations and reports will go a long way toward sending a clear message to relevant stakeholders, Thompson says. "We are not supposed to be in marketing, but we are actually in the marketing business," he says.
New Skill Set
Other security leaders endorse Thompson's security leader portrait.
Malcolm Harkins, CISO of Intel, uses the imagery of a "Z-shaped individual" to describe the skills needed by today's security professionals.
The top bar of the letter "Z" represents a broad technology background, and the bottom bar represents a broad understanding of business, he says. In-depth knowledge of security controls and rules is necessary to bridge the gap between the two areas, forming the diagonal stroke of the letter "Z," he explains.
The business skills are necessary to understand the organization's operations, processes and requirements, Harkins says. This may be industry-specific knowledge, such as understanding healthcare or banking regulations, or general knowledge, such as basic accounting principles, strategic planning and risk assessment.
"To have a seat at the table and have influence, you need to grow your business acumen," Harkins says.
Know the Business
Learning basic accounting and financial concepts, such as capital expenses, operating expenses and depreciation, can help security professionals develop a better understanding of financial risks, Thompson says.
Financial knowledge can also help security professionals justify security investments to business managers. For example, if a security leader presents a manager with precise details on the costs of new security controls, and then demonstrates what the total costs of a breach would be, that "connected dialogue" will help the manager assess the risks and determine priorities, he says.
"You don't need a CFO's finance skills to be able to talk to a CFO, but you need to understand the financial risks," says Nick Levay, CSO of Bit9, an endpoint and server protection company.
Security professionals who are familiar with the financial, regulatory and even physical risks an organization faces can present better explanations of how security programs help mitigate those risks, he adds.
Communication Is Key
Security leaders also have to be able to clearly articulate their goals without getting bogged down with technical terms or jargon, Thompson says.
And Harkins warns against using scare tactics to win financial support for security investments. "It's not about saying 'if we don't do this, our company will fail,' but giving people choices using actual scenarios," he says.
Levay puts it this way: "You want to have the people reach a consensus, and not cram security down their throats."
Seasoned security practitioners can develop new skills by reading books, attending conferences or enrolling in an executive education program, Thompson suggests.
Harkins recommends asking others in the organization to share insights. For example, he suggests approaching the CFO to learn more about how the company's finances are managed.
Most professionals will respond favorably to requests to share their knowledge, Levay says. "Just don't waste anyone's time or schedule requests during crunch periods."