Securing your IT Security career

Philip Lieberman of Lieberman Software shares his tips on looking good and getting promoted in today's competitive, cutting-edge world of IT security.

  • Monday, 23rd September 2013, by Phil Alsop

While UK and US unemployment figures are falling slightly, times are still difficult for many workers, and few are changing roles. This makes it harder not just to secure a new position, but to climb the corporate ladder where you are.


For those in the IT security department, here are five things you can do to make yourself stand out from the competition, and help make sure that you will be the one considered for any new opportunities that arise.


1. Defend your data
It might seem obvious, but do your job – brilliantly! It seems like hardly a day goes by without someone failing to do just that and an organisation’s data breach making headlines.


Make sure that you have comprehensive and effective multiple layers of protection in place. Take a step back regularly to ask yourself if you’re doing things the best possible way and not just the way it’s always been done.


Remember, ensuring that the perimeter is secure is not enough. All employees must be fully trained and understand what is expected of them. Make sure managers are not allowing bad practices - such as password sharing. ‘Super users’ with heightened privileges should be audited and delegated through a privileged identity management system to regulate who can access those powerful logins that grant access to an organisation’s most sensitive data.


2. Failure is not an option
Senior management will assume your organisation will pass its IT security audits, and may not even notice when it does. However, if it doesn’t, there’s nowhere to hide. Don’t be the reason management has to waste time planning remedial action.


Start preparing now to make sure that your audit is passed first time, every time, by moving from point-in-time compliance to a continuous compliance strategy. This relieves the pressure of preparing for an audit, since every day is audit day.


But it’s not just about box ticking. It is valuable to embrace the findings of the auditors and show how their services can benefit the organisation and help make it more secure. Getting the auditors on your side, and willing to promote your adoption of best practices, can help raise your profile in the executive corridor.


3. Spend wisely
IT security is a strategic asset and it’s up to you to make others understand this, especially next time you need to secure additional resources.

In an era where every penny counts, quantify what you are delivering. It is essential that any security implementation takes into account the cost/benefit analysis required by the CFO, to show that you are using the company’s money wisely and that you are making effective decisions to protect the corporation as a whole. Show a keen understanding of the potential losses versus the cost of mitigating those losses in advance, and be able to present a business case that makes sense and has a compelling ROI compared to the status quo.


4. Share your expertise
Knowledge is power, so don’t hide yours. Consider publishing an internal IT security bulletin with handy hints on password management, how to spot dangerous emails, etc. Host a series of lunchtime seminars to educate staff on topics such as staying secure online, which could be useful to employees at home as well as at work. If staff find your seminars useful, they are more likely to value you.


Share your knowledge about current threats, perhaps via an intranet page, drawing attention to current phishing e-mails, or the problems of shared privileged account passwords and the remedies.


5. If your company looks good – so do you!
Some departments get company-wide recognition for their endeavours – the sales team, for example, with its self-promoters. And then there are those that don’t – typically the IT department. You can change that.


Instead of taking the blame when things go wrong, shout about what’s going right. Organisations run public relations (PR) campaigns to get themselves known in the big wide world, and you should do the same within your own organisation. If you’ve deployed software to make things safer, tell people. If you’ve prevented a malware outbreak, broadcast the success. Use the company newsletter, round robins, e-mails and conversations with the ‘big boss’ to promote IT’s activities.


Don’t forget about your own personal PR campaign. It is important to build your profile outside of the organisation too, so make sure that you use LinkedIn and other business networking sites and consider securing speaking opportunities at external seminars.


To move up, you need to be seen as a leader, and that includes making your boss look like a leader too. Keep them up to date about any IT security traps and major events inside your company, as well as industry trends, so they are able to respond to any questions they get asked. Maintain an IT security calendar for your boss so that (s)he knows when big events are occurring and is not caught out by management asking about them.


Everything you do, regardless of your current position on the corporate ladder, should be done in the interests of the organisation and its staff. To get to the top you need drive and enthusiasm. To stay there you need integrity. Good luck!