While UK unemployment figures seem to be falling slightly, times are still difficult and few are opting to change. This makes both securing a new position and subsequently climbing the corporate ladder very difficult indeed.
Listed below are five things all IT security departments can do to stand out from the competition, and help make sure that you will be the one considered for any new opportunities that arise in the information security sector.
1. Defend your data
This may seem a point that goes without mentioning, but continue to do your job as well as you possibly can. It appears like hardly a day goes by without a major new data breach - often due to an individual error - making headlines.
Ensuring you have multiple and comprehensive layers of protection in place is also basic but necessary. Take a step back regularly to review your performance, making sure you're employing the most effective, rather than most commonly used, methods.
Securing your perimeter alone is no longer good enough. All employees must be fully-trained and understand what is expected of them. Also make sure that bad practices - such as password sharing – are banned. 'Super users' with heightened privileges should be inspected regularly through a specialised identity management system, since they will have access to your organisation's most sensitive data.
2. Nail an audit strategy
Senior management will assume your organisation will pass its IT security audits, and might not even notice when this achievement is reached. However, if you don't pass, there's nowhere to hide. Don't be the reason management has to spend time planning remedial action.
Start preparing as early as possible to make sure that your audit is passed first time, every time, by switching from point-in-time compliance to a continuous compliance strategy. This will also relieve the pressures of preparing for an audit, since every day will be treated like one.
But it's not just about box ticking. It is valuable to embrace the findings of the auditors and show how their services can benefit your organisation and help make it more secure. Getting the auditors on board and willing to promote your adoption of best practices can even help raise your profile in the executive corridor.
3. Get business-savvy
IT security is a strategic asset, and it's up to you to make others understand this, especially when you need to secure additional resources.
In an era where every penny counts, it is wise to quantify what you are delivering. Any security implementation must take into account the cost/benefit analysis required by the CFO to show that you are using the company's cash wisely, and that you are making effective decisions to protect the corporation as a whole.
Show a keen understanding of the potential losses versus the costs of mitigating the losses and be prepared to present a business case that makes sense, with a more compelling return on investment compared to the status quo.
4. Share your expertise
Knowledge is power, so don't be afraid to demonstrate your know-how. Consider publishing an internal IT security bulletin with handy hints on subjects such as password management and how to spot dangerous emails. Host a series of lunchtime seminars to educate staff, such as staying secure online and similar topics which could be useful to employees at home as well as at work. If staff find your seminars useful, they are more likely to value you.
Share your knowledge about current threats, perhaps via an intranet page, drawing attention to current phishing e-mails, or the problems of shared privileged account passwords and subsequent remedies.
5. Be vocal about your work
Some departments get company-wide recognition for their endeavours - the sales team for example, with its self-promoters. And, then there are those that don't – typically the IT department. You can change that.
Instead of only taking the blame when things go wrong, shout about what's going right. Organisations run PR campaigns to get themselves known in the big wide world and you should do the same within your own organisation. If you've deployed software to make things safer, tell people. If you've prevented a malware outbreak, broadcast the success. Use the company newsletter, round robins, emails, and conversations with the 'big boss' to promote IT's activities.
Don't forget about your own personal PR campaign. It is important to build your profile outside the organisation too, so make sure that you use LinkedIn and other business networking sites and consider securing speaking opportunities at external seminars.
To move up, you need to be seen as a leader, and that includes making your boss look like a leader too. Keep people up to date about any IT security traps and major events within your company, as well as industry trends, so they are able to respond to any questions they're asked. Maintain an IT security calendar for your boss so he knows when big events are occurring and is not caught out when management asks about them.
Everything you do, regardless of your current position on the corporate ladder, should be done in the interests of the organisation and its staff. To get to the top you need drive and enthusiasm. To stay there you need integrity.
Philip Lieberman is president of security management company Lieberman Software.