In just a few years, information security has developed from being a sideline of the IT department to a fully-fledged profession in its own right. And with that development have come a whole host of qualifications and certifications covering most aspects of security, from the very technical to the strategic and managerial.
So how should a newcomer to the industry plan his or her career? What are the keys to success, and what are just a waste of time, effort and money? Are qualifications worth having?
To answer these questions IT Security Guru gathered together four successful professionals with four very different career paths to discuss the subject and provide advice.
Chairing the discussion was Ray Stanton, who runs the professional services unit for BT, and who by his own admission has no formal qualifications in information security despite having been heavily involved in the industry for many years.
However, he recognised that for anyone starting out today in information security, formal qualifications were essential in signalling serious intent to future employers. “If you want to be a success in your career, you can’t leave it to accident. You have to plan,” he said.
One example of good planning came from Avtar Sembhi, who is now global head of information risk, intelligence and response for HSBC. Having begun a career in manufacturing, he had initially stumbled into security, becoming an AV administrator. But realising he wanted to earn more money, he realised he needed to learn some more solid skills.
Moving to Deloitte for the next 10 years, he explained how he learned many of the people skills and relationship management principles that have become essential to him in his later career. He said being a management consultant taught him how to deal with people, understand their needs, and deliver a service in a credible and consistent fashion.
As for formal qualifications, he felt that a good track record counted for more, but conceded that “certificates show a commitment to the industry.”
Formal qualifications received greater support from the two other members of the panel: John Colley, former managing director of (ISC)2, and Sarb Sembhi, a consultant who plays an active role in ISACA.
Given their roles in professional bodies, both took a more positive approach to certification, arguing that formal qualifications becoming ever more important in employment decisions, especially for headhunters seeking suitable candidates. “Certificates show you have the skills and are serious about your career,” said Sarb Sembhi.
However, all agreed that qualifications alone were not enough. “Certifications are good to get at the start of your career, but you also need to get your hands dirty, actually doing the job,” said Avtar Sembhi. “Make sure you get a good technical grounding, get the certifications, and then get some management experience.”
Top Tips For Success
- Learn the basics, get you hands dirty
- Decide what drives you – technical or management
- Get business/management experience (and study for an MBA if CISO status is your ambition)
- Get a mentor
- Plan your CV. Don’t leave it to accident.
The panel of experts were speaking at the IT Security Guru CISO Debate, which took place in June.