Security Career Thoughts

I get a bunch of calls throughout the year from recruiters and practitioners alike.  After having dinner with an old friend last night and talking about how various people have managed their careers, I thought I would give my top thoughts on how one might manage a career in the security industry.

For Practitioners

First, never wait for a role to find you; you must find it.  To do that you need to get out in front of the recruiters.  For the majority of security roles I strongly suggest getting in touch with Lee Kushner.  He's been focused on the security industry for over 17 years and has deep roots all around the US.  For CISO types of roles, one has to get in front of executive recruiters like Spencer Stuart or Korn Ferry.  Since the pool of CISO roles is so small, there are no executive recruiters completely focused on it.  As a result, being in their database is good.  The worst thing anyone can do is to wait until there's a layoff, life event or something else to start this process.  It takes time to get known by people, so starting when things are good can be very beneficial.

Managing your career is more successful than dumb luck.  I've gotten pretty lucky at some points in my career, but a recruiter once told me that the most successful people he's seen actually map their placement.  That means mapping out what company, location and position you want and then starting to build the connections to get there.  The vast majority of people don't do this.  That's why they only see the small portion of positions that recruiters bring to them or that they happen to hear about.  Proactively building relationships where you want to end up can make a significant difference.

If no one knows you, you'll never get a call.  I love my industry, but one of the most beneficial things I have done in my career is public speaking and writing.  It's through these things that others connect with you and your industry social network grows.  In addition, recruiters, external and in-house, are better able to find you.  A lot of people shy away from voicing their opinions publicly, but I've always found that to be incredibly rewarding.  Writing articles for SC or CSO, submitting panels and talks to RSA, or even just starting a blog and sharing your thoughts can open so many doors.

For Employers

Get professional help.  Just as for security job hunters, engaging a specialized recruiter in this area can save you a ton of money and time.  We all know that finding security people is hard, but finding good ones is really hard.  Placing a call to Lee Kushner can help a ton.  I've even talked to CISOs who know about their attrition problems and keep an ongoing retainer and process to identify candidates all year round.

If you can't find them, grow them.  I've always created in-house training programs for my teams.  Usually that's a two-year program in which outside classes, books, job rotations, etc. are used to grow a team member's skills.  Assuming you can find someone with all of the technical, interpersonal and business skills is like catching a unicorn.  If you can grow them, you'll not only get the skills you want but also higher retention.

Location, location, location.  I've never been a huge fan of everyone needing to be in the same office.  While managing remote / home-based employees is difficult, developing a team in another corporate office can help dramatically with recruiting and retention.  This is especially important as places like Bangalore, San Francisco and others are highly competitive.  Great locations like Austin, Boston, NYC, etc. have helped dramatically.

Security Transformation: Compliance

Recently, I've been thinking more about the compliance shift that is under way at this moment.  Part of the recent evolution of security is the compliance landscape.  If we take the foundation of this evolution and apply it to compliance, we get a very interesting shift, one that looks more and more disruptive as I think about it.  This compliance shift will not only affect practitioners to the core of how they manage third parties but dramatically change the compliance and regulatory landscape moving forward.  There are two key areas of this conversation I'll talk about.  The first is the "point in time" model of compliance today.  The second is the expected result of the audit itself.

We have managed compliance in IT for the past 30 years as a point-in-time event.  Auditors come in at a particular time of the year and perform their assessments for that period of time.  Perhaps there is some testing of the process controls over a span of time; however, it's still a point-in-time assessment.  What's starting to happen is the introduction of continuous assessments, where it's not just a point in time but continuous testing over the lifespan of the organization.  With new services, such as SkyHigh, we are seeing ongoing monitoring and assessment of a particular service.  This includes, among other things, compromises of that service.

This is resonating very well with me and others, as practitioners are being forced to deal with vendors on a continuous basis.  Most notably, a compromise can have a very significant impact.  It can occur at any time and will not necessarily be identified by an audit.  With more of a continuous service assessment, we are seeing far more value to the practitioner than historical audits have provided.  Since my challenge is really ensuring the security of my content and transactions in that service, I need to integrate all of it into my ongoing risk management process.  To do that I need continuous monitoring to ensure any change is identified quickly and managed to resolution appropriately.  Historical audits are not suited to this, and that has hindered our comfort with cloud services for some time.

This change in how audits are being done is clearly going to change our view of vendors and our own risk management process.  This will most notably impact the "optional" assessments and certifications we receive (ISO 27002, SSAE16, etc.), which really exist to provide clarity to customers about our own performance.  With a continuous model, that clarity becomes more timely and actionable.  This will have two effects.  The first is the disruption of the entire certification / audit performance industry.  The KPMGs and PwCs of the world will see a drawdown of that business.  Second, new assessment ratings will arise.  As SkyHigh's assessments and ratings gain more traction and relevance, it's this A-F rating system that will become a new standard in the industry.  With this, it also changes our concept of what the value of the audit is.

This brings me to the second main point: process-testing versus results-oriented audits.  Almost all audits test whether an organization's processes comply with best practices.  What these new continuous assessments are really driving is more of a results-oriented model.  It's not how the application was developed but whether it's vulnerability free.  It's not how changes are performed but whether the service has been compromised.  A clear definition of the expected outcome for a vendor will drive clear assessment criteria, and with that a continuous assessment model can be applied.
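As an added illustration (not part of the original post) of the two shifts described above, point-in-time versus continuous assessment and a results-oriented A-F grade, the following Python compares the two models over a constructed 90-day vendor history; the grade thresholds are assumptions for this example, not SkyHigh's actual scale.

```python
from datetime import date, timedelta

GRADES = "ABCDF"  # best to worst

def grade(open_critical_vulns, compromised):
    """Results-oriented grade: rates the outcome (is the service compromised?
    is it vulnerability free?), not how the vendor's process was run. The
    thresholds are assumptions for this example, not SkyHigh's real scale."""
    if compromised:
        return "F"
    if open_critical_vulns == 0:
        return "A"
    if open_critical_vulns <= 2:
        return "B"
    return "C" if open_critical_vulns <= 5 else "D"

def point_in_time_audit(observations, audit_day):
    """Point-in-time model: the opinion is whatever the vendor looked like on
    audit day. observations maps day -> (open_critical_vulns, compromised)."""
    return grade(*observations[audit_day])

def continuous_assessment(observations, alert_below="B"):
    """Continuous model: grade every day, record each grade change (the feed a
    risk-management process acts on) and count days spent worse than
    alert_below, which a point-in-time audit may never see."""
    changes, bad_days, prev = [], 0, None
    for day in sorted(observations):
        g = grade(*observations[day])
        if g != prev:
            changes.append((day, g))
            prev = g
        if GRADES.index(g) > GRADES.index(alert_below):
            bad_days += 1
    return changes, bad_days

def build_sample():
    """Constructed 90-day history (not real data): clean vendor, three critical
    vulns open from day 30, compromised on days 40-49, all fixed by day 55."""
    start = date(2014, 1, 1)
    return {start + timedelta(days=i): (3 if 30 <= i < 55 else 0, 40 <= i < 50)
            for i in range(90)}

if __name__ == "__main__":
    sample = build_sample()
    audit_day = sorted(sample)[80]
    print("point-in-time audit on", audit_day, "->", point_in_time_audit(sample, audit_day))
    print("continuous assessment:", continuous_assessment(sample))
```

An audit on day 80 reports an "A" and never learns of the 25 days the vendor spent at "C" or "F", while the continuous feed records every grade change as it happens.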

It will be interesting to see what level of disruption this new model will have, but I can already see adoption by many security organizations.  The metamorphosis of their own risk management and threat response programs around these new data feeds has been remarkable.  With stronger industry adoption I can see it becoming more and more of a cultural shift in how we place our expectations on cloud providers and monitor how they are managed.  That will dramatically change the entire audit industry.