Today's information security professionals need to learn more swiftly, communicate more effectively, know more about the business, and match the capabilities of an ever-improving set of adversaries. Yet it doesn't seem too long ago that all it took to survive in the field was a dose of strong technical acumen and a shot of creativity to protect the network, solve most problems, and fend off attacks.
Not so today. The role of the security professional has evolved beyond that of mere technical savvy, and now includes consultant, educator, investigator, and defender of the data.
To understand the traits and habits that matter the most, we reached out by phone, email, and social media to a number of security professionals who are successful in their respective areas of the field.
If there's one thing that screamed out from the interviews, it was this: security knowledge alone is only the beginning of the skills and habits one needs to succeed.
Effective Habit 1: Communications. As Branden Williams, EVP of Strategy at Sysnet Global Solutions, put it, it's the ability to translate "l33tsp34k to a P&L." Interpersonal communication is critical for security and forensics professionals for a variety of reasons, the most powerful one being self-interest. "Good communicators earn more promotions and more jobs than do bad communicators. You could be the best technician in the world, but if you can't hold up your end of a conversation about what you're doing with business people, you're not going to be asked back to the table," says Brian Martin, founder of Allentown, PA-based Digital Trust, LLC.
Communications is, broadly speaking, a challenge among many flavors of IT professionals--not just security. "My assumption has always been it's because we spent our school years learning things and not worrying about other people. There's also a tendency for people with communications issues to focus on technical challenges as a way to compensate. Whether it's language, arts, or science, the people who are very good at it have, in a lot of cases, neglected their interpersonal skills," says Martin.
Effective Habit 2: Business Acumen. Increasingly, knowing the business and how to wrangle through political challenges is just as important as technical acumen. For CSOs, it is arguably more important: it is what lets you persuade business leaders so that you obtain the resources you need to succeed, and compromise with business leadership and the organization when necessary.
"In order to be an effective CISO, you must first understand how your organization makes money, and know the real world threats that influence sustained success. There are no magic bullets and no checklists you can implement to reduce your unique risk profile," says Boris Sverdlik, manager of product and platform security at Tagged.