An Information Security Career: Maximize Your Chances Starting

Now!Allan Wall, Senior Consultant

Sept 16th 2012

MSc Information Security Distance Learning Programme Royal Holloway University of London

ISM Solutions Information Security Management Solutions

1

About Allan– BSc. Biochemistry & Genetics and PGCE– In IT for ~25 years

• Systems and network admin, application support; anti-virus “guru”

• IT Security ~17 years – all aspects• Managed Symantec UK Presales Security Practice for 9

years– CISSP (8 years); Founder Associate Member IISP;

Fellow of the British Computer Society– RHUL Information Security MSc 2009-10

• Guest Lecturer on John Austin’s Malware Module– Active member of ISSA UK

• Director of Academic Liaison; Expert panels; Web Conferences Committee

– Currently Independent Consultant • Mostly helping SME/SMBs with their infosec issues

ISM Solutions Information Security Management Solutions

2

Assumptions!

You want a career, not just a job

You want it to progress in some fashion

You want it to provide sustenance and fulfilment

Always seeking to improve

3

OutlineThree of the (many) success factors:

• Plan your next 5+ years, constant periodic review•Objectives to achieve, Aims to execute on•Get to know yourself

• Gain experience that allows you to show competence (being qualified, proficient, able to perform, accomplish, achieve)

•Evidence based, checkable via references or testimonials•Get it verified if possible (written, certified, recognition)

• Build, maintain, expand and churn your “network”•Some of it will be “who you know”

4

Tool 1 - The CAREER Model

Contemplate

Assess

Research

Explore

Execute

Reflect

CAREER

Source: Dr Randall S Harrison 5

Planning

Visualise a future state and “look back”

3-5 years

How did I get here?

Fill in the route – major then minor milestones

6

Tool 2 – the Personal Development Plan

You can do you this for yourself or with a manager

This belongs to YOU – not your manager!

You chose to share it in order to achieve mutually beneficial goals – it WILL be negotiated

There may be more than one version !

It should be “balanced”

It might change a lot at times (be flexible)7

8

Personal Development Plan A M Bitious Last Updated: Version: 2.0

Timescale Development Area / Objectives "What Knowledge or core skills do I want to develop?"

Development Activity "How will I do this?"

Target Dates "When will I do it?" "Do I need review dates in between?"

Expected Outcome "How will I know I have achieved this?"

Long Term

To meet your career

To be recognised as a high performance technical architect for 80% of the Security Product Suite

Develop a roadmap for tackling portfolio and populate PDP at regular updates

24-30 months from now Job Title Change

objectivesTo attain Grade Level XE6 Pass Grade Competency Assessment 30 months from now Promotion

24-60 months

Medium Term

To meet the changingIncrease ITIL awareness Attend ITIL workshop & self study Next Internal Workshop in 9 months Pass workshop exam; deliver short

overview at team meetingneeds of your role.

Maintain CISSP Attend 40 hours of qualifying security eduction

A N Other Date 18-24 months away Registration of 40 CPE's to July 2***

6-24 monthsProduct-X, Y & Z technical skills Self study & coaching A date 6-18 months from now Demonstrated ability to walk clients

through a Product Demonstrations

Short term

To meet the needs ofProduct-A design, architecture & positioning

Attend standard training course Next one is 4 months time Ability to confidently walk clients through Prod-A technical dicsussion

your present role.Suite-B design, architecture & positioning

Self study & 1-2-1 skills transfer from team

TBA ASAP Ability to confidently walk clients through Suite-B technical dicsussion -demondtrated to product champion

0-12 monthsProduct-Q awareness Attend Product-Q v7 overview

trainingNext session in 8 weeks Ability to position Product-Q security

enhancements in team cross training

NotesYour development SPECIFIC Record - It can be useful to make a dated note of your current status in the objectives or activities in the Plan.objectives should be MEASURABLE Then when looking back you will be fully consious of the improvements made and any outcomeSMART ACHIEVABLE

RELEVANT Defining a developmnent need - "the gap between the skill, ability or knowledge which is needed to meetTIMED the required performance standard and the current status of your competence."

IMPORTANT POINTSSMART

SpecificMeasurableAchievableRelevantTimed

Activities should be real, non-trivial, well articulated

Use it! Refer often. Review often.

….but never underestimate the power of “the gut” to initiate change

What was missing from the example plan? 9

“Hard” v. “Soft” v. Business Skills

Personal “soft” skills - Examples

• Time Management• Presentation skills• Communication skills• Critical Thinking & Problem Solving• Negotiation skills• Influence skills• Change Management• Conflict Management• Management skills• Business Analysis• Project Management skills• Leadership skills

10

Use them or lose them….

For technical people, technical knowledge and skills will “stick” more because they use them

The non-technical and business skills need focus – and the best time is immediately and continually after the training

Apply BOTH sets of knowledge and skills together

Gain experience that allows you to show capabilities•Evidence based, checkable via references or testimonials•Get it verified if possible (written, certified, recognition)

•E.G. See www.sfia.org.uk, or www.iisp.org11

Tool 3 - The Power of Networking

For shy, introverted technical people this can be a challenge!

Ease into peer interaction opportunities that enhance knowledge, skill, and professional growth

• Get useful contacts for getting work opportunities & advice• Perhaps find a Mentor, get coaching• Perhaps become a Mentor• For learning about different professional roles/career paths• Giving YOUR feedback on what you know or have learned• Participating in innovative research, projects & workgroups • Access to specialist recruiters & organisations with employment

opportunities

12

Examples of Networking Organisations

Obviously - RHUL (and other) Alumni organisations and events

Professional Organisation “Chapters” –ISSAIISPISACAISC2

BCS (& specialist groups – ISSG, IRMA, YPISG, Cybercrime Forensics)NEXTSECand quite a few moreetc

13

What can Networking do for Me?

“I believe the greatest benefit of ISSA membership is the networking opportunities – and as ISSA reaches out more and involves other organisations like the BCS – these become potentially even more “lucrative” whether you are looking for work, a mentor, a mentee, to widen your infosec horizons, or the opportunity to ground yourself in comparison to other professionals. I would probably not have done the RHUL MSc if I hadn’t encountered Alumni at ISSA meetings willing to champion it!”

Allan Wall, 2011

14

Examples of Organisations Running Events

Often annual, sometimes more frequent:SANSRSAGartnerForrester ResearchVendor Specific eventsInfosec Europeetc

15

What has Networking done for me?

Significantly enriched my experience in the profession and my feeling of belonging to a professional community

16

Summary

Plan!

Gain Experience!

Network!

17

Thank you

Allan Wall, MSc, FBCS, CISSP, A.Inst.ISPSenior Consultant - ISM Solutions

Director of Academic Liaison - ISSA-UKISSA Web Conferences Committee

Phone: +44(0)7770272799Find me on LinkedIn

ISM Solutions Information Security Management Solutions

18