An Information Security Career: Maximize Your Chances Starting Now!
Allan Wall, Senior Consultant
Sept 16th 2012
MSc Information Security Distance Learning Programme Royal Holloway University of London
ISM Solutions Information Security Management Solutions
About Allan
– BSc. Biochemistry & Genetics and PGCE
– In IT for ~25 years
  • Systems and network admin, application support; anti-virus “guru”
  • IT Security ~17 years – all aspects
  • Managed Symantec UK Presales Security Practice for 9 years
– CISSP (8 years); Founder Associate Member IISP; Fellow of the British Computer Society
– RHUL Information Security MSc 2009-10
  • Guest Lecturer on John Austin’s Malware Module
– Active member of ISSA UK
  • Director of Academic Liaison; Expert panels; Web Conferences Committee
– Currently Independent Consultant
  • Mostly helping SME/SMBs with their infosec issues
Assumptions!
You want a career, not just a job
You want it to progress in some fashion
You want it to provide sustenance and fulfilment
Always seeking to improve
Outline
Three of the (many) success factors:
• Plan your next 5+ years, constant periodic review
  • Objectives to achieve, Aims to execute on
  • Get to know yourself
• Gain experience that allows you to show competence (being qualified, proficient, able to perform, accomplish, achieve)
  • Evidence based, checkable via references or testimonials
  • Get it verified if possible (written, certified, recognition)
• Build, maintain, expand and churn your “network”
  • Some of it will be “who you know”
Tool 1 - The CAREER Model
Contemplate
Assess
Research
Explore
Execute
Reflect
CAREER
Source: Dr Randall S Harrison
Planning
Visualise a future state and “look back”
3-5 years
How did I get here?
Fill in the route – major then minor milestones
Tool 2 – the Personal Development Plan
You can do this for yourself or with a manager
This belongs to YOU – not your manager!
You choose to share it in order to achieve mutually beneficial goals – it WILL be negotiated
There may be more than one version!
It should be “balanced”
It might change a lot at times (be flexible)
Personal Development Plan
A M Bitious
Last Updated:
Version: 2.0

Columns:
• Timescale
• Development Area / Objectives – "What knowledge or core skills do I want to develop?"
• Development Activity – "How will I do this?"
• Target Dates – "When will I do it?" "Do I need review dates in between?"
• Expected Outcome – "How will I know I have achieved this?"

Long Term (24-60 months) – To meet your career objectives
• Development area / objective: To be recognised as a high performance technical architect for 80% of the Security Product Suite
  – Development activity: Develop a roadmap for tackling portfolio and populate PDP at regular updates
  – Target date: 24-30 months from now
  – Expected outcome: Job Title Change
• Development area / objective: To attain Grade Level XE6
  – Development activity: Pass Grade Competency Assessment
  – Target date: 30 months from now
  – Expected outcome: Promotion

Medium Term (6-24 months) – To meet the changing needs of your role
• Development area / objective: Increase ITIL awareness
  – Development activity: Attend ITIL workshop & self study
  – Target date: Next Internal Workshop in 9 months
  – Expected outcome: Pass workshop exam; deliver short overview at team meeting
• Development area / objective: Maintain CISSP
  – Development activity: Attend 40 hours of qualifying security education
  – Target date: A N Other Date 18-24 months away
  – Expected outcome: Registration of 40 CPEs to July 2***
• Development area / objective: Product-X, Y & Z technical skills
  – Development activity: Self study & coaching
  – Target date: A date 6-18 months from now
  – Expected outcome: Demonstrated ability to walk clients through a Product Demonstration

Short Term (0-12 months) – To meet the needs of your present role
• Development area / objective: Product-A design, architecture & positioning
  – Development activity: Attend standard training course
  – Target date: Next one is in 4 months' time
  – Expected outcome: Ability to confidently walk clients through Prod-A technical discussion
• Development area / objective: Suite-B design, architecture & positioning
  – Development activity: Self study & 1-2-1 skills transfer from team
  – Target date: TBA ASAP
  – Expected outcome: Ability to confidently walk clients through Suite-B technical discussion - demonstrated to product champion
• Development area / objective: Product-Q awareness
  – Development activity: Attend Product-Q v7 overview training
  – Target date: Next session in 8 weeks
  – Expected outcome: Ability to position Product-Q security enhancements in team cross training

Notes
• Your development objectives should be SMART: SPECIFIC, MEASURABLE, ACHIEVABLE, RELEVANT, TIMED
• Record - It can be useful to make a dated note of your current status in the objectives or activities in the Plan. Then when looking back you will be fully conscious of the improvements made and any outcome
• Defining a development need - "the gap between the skill, ability or knowledge which is needed to meet the required performance standard and the current status of your competence."
IMPORTANT POINTS
SMART
Specific
Measurable
Achievable
Relevant
Timed
Activities should be real, non-trivial, well articulated
Use it! Refer often. Review often.
…but never underestimate the power of “the gut” to initiate change
What was missing from the example plan?
“Hard” v. “Soft” v. Business Skills
Personal “soft” skills - Examples
• Time Management
• Presentation skills
• Communication skills
• Critical Thinking & Problem Solving
• Negotiation skills
• Influence skills
• Change Management
• Conflict Management
• Management skills
• Business Analysis
• Project Management skills
• Leadership skills
Use them or lose them….
For technical people, technical knowledge and skills will “stick” more because they use them
The non-technical and business skills need focus – and the best time is immediately and continually after the training
Apply BOTH sets of knowledge and skills together
Gain experience that allows you to show capabilities
• Evidence based, checkable via references or testimonials
• Get it verified if possible (written, certified, recognition)
• E.g. see www.sfia.org.uk or www.iisp.org
Tool 3 - The Power of Networking
For shy, introverted technical people this can be a challenge!
Ease into peer interaction opportunities that enhance knowledge, skill, and professional growth
• Get useful contacts for getting work opportunities & advice
• Perhaps find a Mentor, get coaching
• Perhaps become a Mentor
• For learning about different professional roles/career paths
• Giving YOUR feedback on what you know or have learned
• Participating in innovative research, projects & workgroups
• Access to specialist recruiters & organisations with employment opportunities
Examples of Networking Organisations
Obviously - RHUL (and other) Alumni organisations and events
Professional Organisation “Chapters” –
• ISSA
• IISP
• ISACA
• ISC2
• BCS (& specialist groups – ISSG, IRMA, YPISG, Cybercrime Forensics)
• NEXTSEC
• and quite a few more, etc.
What can Networking do for Me?
“I believe the greatest benefit of ISSA membership is the networking opportunities – and as ISSA reaches out more and involves other organisations like the BCS – these become potentially even more “lucrative” whether you are looking for work, a mentor, a mentee, to widen your infosec horizons, or the opportunity to ground yourself in comparison to other professionals. I would probably not have done the RHUL MSc if I hadn’t encountered Alumni at ISSA meetings willing to champion it!”
Allan Wall, 2011
Examples of Organisations Running Events
Often annual, sometimes more frequent:
• SANS
• RSA
• Gartner
• Forrester Research
• Vendor Specific events
• Infosec Europe
• etc.
What has Networking done for me?
Significantly enriched my experience in the profession and my feeling of belonging to a professional community
Summary
Plan!
Gain Experience!
Network!
Thank you
Allan Wall, MSc, FBCS, CISSP, A.Inst.ISP
Senior Consultant - ISM Solutions
Director of Academic Liaison - ISSA-UK
ISSA Web Conferences Committee
Phone: +44(0)7770272799
Find me on LinkedIn