November 23, 2010, 3:17 PM

What makes a good information security professional? I think it's starting at the bottom and working your way up, occupying various positions along the way and obtaining skills in every one of them. It's understanding the business and having the ability to influence others. It's having a breadth of knowledge in various business sectors.
At issue: Our manager has a new job, in which he will be heading up information security at a SaaS provider.
Action plan: Get up to speed quickly, and make connections with all the departments that can affect the company's security.
I've been thinking about all of this because I've taken a new position, leaving a company I worked at for more than five years. Did I hate my job? No. Did the company make me do risky things? Never. Did I hate my boss, or the people I worked with? Not at all. Was I kept from succeeding? No, in fact, there were no negatives driving me to leave.
Admittedly, my new job comes with a promotion and a pay raise, but that's not what clinched it for me. It was a chance for a new challenge, to work in a different technology sector and to build something -- all those things that go into making a good security pro.
I gave two weeks' notice and spent that time closing some open items, such as the Sarbanes-Oxley review and a firewall rule audit, and I created a transition plan. I think one thing a good security manager does is make sure that his successor steps into a mature environment, with a clear understanding of the burning issues. I created a spreadsheet listing significant areas of the company's security profile, prioritizing them, providing the names of the best contacts for each issue, and describing the details.
Today was my third day on the new job. My main goal in these first days is to map out the company's current security landscape. I'll then spend the next few weeks assessing it and prioritizing actions. Meanwhile, of course, there are all those things that anyone encounters in a new job: learning names and terminology, understanding a new business model and becoming familiar with the products and services that the company sells.
Upon arrival at my new company, I found that my predecessor had in turn left me with an eight-page transition plan. I've only gotten through two pages so far, but already I know that some burning issues will need to be addressed quickly. The first is hiring a security analyst to take charge of an event-monitoring project that is under way. If I don't do it before the end of the year, I'll lose the budget.
New Security Horizons