Hiring Infosec Professionals: Experts on the Key Traits in 2016 & Beyond
23 Information Security Leaders Reveal the Most Important Traits for InfoSec Pros in 2016
As businesses across all industries, from healthcare to law and government to finance, continue to realize the importance of sound, proactive security practices in the modern threat landscape, demand for InfoSec professionals keeps growing. With the ever-increasing volume of data created by both consumers and organizations, and with security perimeters that are all but impossible to define, today's InfoSec professionals face a monumental task.
When hiring for InfoSec positions, companies are looking beyond the standard requisite knowledge and are instead seeking versatile professionals who are up to date on the latest security threats and technologies. They are seeking eager individuals with an unquenchable thirst for knowledge. InfoSec professionals must be able to lead, and work compatibly with, geographically dispersed teams whose members have varied technical aptitudes and knowledge bases.
The bar has been set high, so how do companies determine which characteristics to prioritize when they're hiring InfoSec professionals? For the growing community of InfoSec professionals, knowing the traits and abilities currently in high demand can help to guide their continuing education plans and inform their future career paths. To shed some light on the subject, we asked a panel of Information Security professionals and industry leaders this question:
"What are the most important characteristics of a great InfoSec professional in 2016?"
We've compiled their responses to create this comprehensive guide outlining the most important characteristics for InfoSec professionals. See what our experts had to say below:
Meet Our Panel of Information Security Leaders:
West is CEO of K logix, a data security company that helps organizations build confident, prepared security programs that positively impact company performance. West co-founded K logix about 15 years ago and the company has grown to be one of the leading resources and partners for CISOs.
"When it comes to the most important traits for InfoSec professionals, both today and looking to 2016 and beyond..."
We hear over and over again from CISOs who say that, "Technical capabilities can be taught. We need team members who are creative problem solvers, good communicators and collaborators." The security industry has a negative unemployment rate; there simply are not enough applicants for every job available in the field. That means we have to look to other fields to staff up. Professionals who are analytical and can translate security issues to business professionals in an easy-to-understand manner will be most in demand. These non-traditional hires will round out teams that already have traditional networking and security application backgrounds.
Douglas Landoll (CEO, Lantego) has been a leader in information security for over 25 years and is a specialist in risk assessment and policy development. Mr. Landoll is the author of the best-selling Security Risk Assessment Handbook and the upcoming "Information Security Policies, Procedures, and Standards." He holds a CS degree from JMU and an MBA from UT Austin, and received the Distinguished Fellow designation (reserved for the top 1%) from ISSA in 2012.
"There are three key traits companies should look for when hiring InfoSec professionals in 2016..."
Information security professionals are your trusted advisers and implementers for some of the most complex technologies, regulations, and impacts on the business mission - choose wisely. Sure, there are lots of hotshots who can troubleshoot a firewall or know how to spell HIPAA, but in hiring an information security specialist you are inviting wisdom or disaster. The most important traits in an information security professional are relevant experience, trustworthiness, and pragmatism.
Experience - When seeking consulting assistance or a member of your team, relevant experience in your industry (especially with regulations) is essential. Understanding regulations and requirements is a lot more than being able to read them - it's knowing how they are interpreted, how they apply, and how auditors treat them.
Trustworthiness - Let's face it: You are trusting the InfoSec professional with your corporate assets or to build an information security strategy. Clearly this is a trust-needy position. Be sure to hire someone trustworthy.
Pragmatism - Implementing information security is not simply installing every security device and applying every control you can think of (or that is required). Organizations must choose and apply security controls on a risk-based approach. The valuable InfoSec professional will understand top-down security, compensating controls selection, and risk-based security programs.
Greg Edwards is the CEO of WatchPoint Data. He is driven to build a superior, global cybersecurity firm to defend businesses from the cybercriminals lurking in the shadows of the Internet.
"There are three key characteristics all successful InfoSec professionals should have in 2016..."
1. They have to think like a hacker. If a candidate doesn't have a built-in hacker mentality, they don't make the cut.
2. They have to have morals. There is a fine line between black hat and white hat hackers. Without ethics, that line is easily crossed.
3. They have to be a great detective. Cybersecurity has changed from a solely prevention and policy-based approach to prevention and policy plus detection and response. Even with all the best prevention and policies, you have to assume the hacker is already in. An InfoSec pro in 2016 needs to be able to use forensic data to track down, contain, and eliminate threats.
Roberto Arias is a Berlin-based IT Security professional with over a decade of experience in Information Technology in different countries around the world. He's currently the principal consultant of Metaluxo IT Security, a small IT Security agency providing IT Security services to startups and SMEs.
"With the unfortunate increase of hacking activities around the world, InfoSec professionals are more and more needed. Some characteristics we think are key for 2016 include (in no particular order of importance)..."
1. Keeps themselves up-to-date. It may seem perhaps too obvious; however, the speed at which new threats appear necessitates that InfoSec professionals keep up-to-date with the latest advisories, threat vectors, solutions, and mitigation techniques. New regulations will also need to be taken into account in this area.
2. Thinks outside the box. We can no longer rely on our manuals and compliance checklists for IT security. 2016 is probably going to be worse than 2015, and with the speed and complexity of attacks, we need creative professionals more than ever before.
3. Is persuasive with good communications skills. IT security, despite its name, is no longer an IT-only issue. We need good InfoSec professionals that can persuade top management to implement security guidelines. The InfoSec role will also require the ability to communicate effectively to technical people as well as C-level executives. Not an easy feat.
4. Is a team player. InfoSec is catching the attention of law and policymakers. A good InfoSec professional will need to work more and more closely with technical, legal, compliance, and even PR and communications teams.
Symon Perriman is VP of Business Development at 5nine Software, the leading global Hyper-V virtualization security and management provider. Previously, Perriman spent almost eight years at Microsoft as Microsoft's Senior Technical Evangelist and worldwide technical lead covering Hyper-V, Windows Server, System Center, and Azure Pack.
"There are a few key traits and skills common among the most promising InfoSec professionals for 2016..."
To start, it would be beneficial to have an admin background. IT vendors are now offering multiple suites and bundles, and for an InfoSec professional, it is essential to understand which hardware works best with one or another software. This can only be achieved through a few years of being employed in an admin or infrastructure position. Having this background at your disposal will help you make the right decisions in terms of software/hardware, thus benefiting your company.
One of the most important issues in security is compliance. The Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission (FTC) regulations, Fair and Accurate Credit Transactions Act (FACTA), Gramm-Leach-Bliley Act (GLBA) and other national, state, and local data loss laws and regulations place stiff penalties on organizations should they fail to be compliant. So the InfoSec professional should definitely have knowledge of how the compliance regulations work and what maintaining compliance means for the company.
InfoSec professionals are always enhancing their skills and knowledge. They are always aware of the latest industry trends through meeting up with peers at local security groups or larger professional conferences. They spend a great deal of time mastering new techniques through online resources and exchanging ideas in blogs and on social media. For example, cybercrime is such a fast-developing industry that you just have to know the current issues to stay on top of it.
Kevin D. Murray, CPP, CISM, CFE is a certified, independent security consultant specializing in surveillance detection services (TSCM) and business counterespionage consulting. Murray is also licensed and insured as both a Private Detective and an Electronic Countermeasures Professional. His company, Murray Associates, is an independent security consulting firm providing eavesdropping detection and counterespionage services to business, government, and at-risk individuals. He blogs at Kevin's Security Scrapbook, and authored a number of resources, including "Is My Cell Phone Bugged? Everything you need to know to keep your mobile communications private," the Android app "SpyWarn," and a new professional training course Spycam Detection Training.
"The single most important characteristic for successful InfoSec professionals in 2016 is..."
Inquisitiveness. With this quality, an InfoSec professional will question the status quo, look for loopholes, seek new solutions, follow up on red flags early on, and look at InfoSec from a holistic viewpoint.
The viewpoint is the most important element. It shapes all other aspects of the job. The inquisitive person will see their job not as an IT defender, but as a defender of information, no matter how it is generated, stored, or transmitted. The great InfoSec professional realizes all the data stored on the computers was available to the adversary long before it ever entered a database.
This holistic outlook takes into account the genesis of information. It may start out as a phone call, which may be wiretapped; a conference room strategy meeting, which can be bugged; unsecured written information left on desks or in unlocked file cabinets, which may be easily photographed; information stored on a photocopier hard drive, which can later be reprinted; or on an unsecured Wi-Fi access point, or wireless printer, whose transmissions may be intercepted. The list of info-vulnerabilities is long.
In recent years, the rush has been to focus on IT security, and rightly so. But, in doing so, the gap between great InfoSec professionals and tunnel-visioned InfoSec managers has become wide and clear. Great InfoSec professionals, being inquisitive, see and handle the big picture. It isn't just computers. The real task is detecting and plugging any method by which information can leak out. Today's great InfoSec professionals defend accordingly. They are much more successful than their colleagues, who only put out fires.
Brian is the VP of Advisory Services and Information Security Officer for InfoSight, Inc. Brian brings more than thirty years of information technology experience, with his last thirteen years focused on information security and advisory services. Brian has successfully managed the implementation of security programs, risk management and audit programs, policies and procedures, and security awareness programs in the financial and healthcare industries. Brian has provided Information Security Officer Management services to numerous financial institutions and holds numerous industry certifications including CRISC, CISA, and CISM.
"Good InfoSec professionals share a number of key characteristics. The more well rounded an individual is, the better they will be as an InfoSec professional. These important characteristics include..."
- Strong technical knowledge - to understand threats and vulnerabilities and how to address them.
- Strong business knowledge - because a solution to an InfoSec issue is not always technical, and the implementation of a technical solution could impact business operations. By understanding business concepts, the InfoSec professional can work with business subject matter experts to implement a solution that has minimal or no impact on the business.
- Experience - knowledge and understanding of past situations can assist in identifying and resolving current situations.
- Regulatory knowledge - InfoSec professionals will need to understand what security regulations are needed for the industry they are working in. Even though there are generic InfoSec concerns, each industry has its own specific concerns and regulations to ensure threats are addressed.
- Risk management and audit knowledge - the InfoSec professional must be able to implement a risk-based approach to InfoSec and be able to interact with the business leaders and auditors to ensure a sound InfoSec environment is implemented and meets or exceeds audit requirements. Without risk management knowledge, an InfoSec professional will have a hard time putting together an information security program based on risk, since they wouldn't understand the risk management methodology.
- Strong verbal and written skills - an InfoSec professional is required to communicate constantly with all levels of employees. The InfoSec professional must be able to convey their messages in a technical and non-technical manner and be able to deliver in a way so that their audience understands them.
- Re-education - InfoSec professionals must be willing to constantly re-educate themselves because information security threats constantly evolve. If an InfoSec professional is not willing or able to constantly re-educate himself/herself and stay up to date with the latest trends, then their knowledge will become obsolete.
James Brown is the Chief Architect at JumpCloud, the first Directory-as-a-Service (DaaS) company. James works with the JumpCloud team to define product strategy and set the overall usage and support experience. Previously, he served as StillSecure CEO. James has over 25 years of experience in the network security, IT, telecommunications, and human resources industries.
"The most important characteristics of successful InfoSec professionals in 2016 include..."
1. The ability to balance security versus the needs of the business. Security is always a tradeoff between convenience (low cost) and protection (higher cost). Adding more protection results in less convenience. For example, if you want two factor authentication, you not only need to remember and enter your password, but you also need to get a phone or a fob out and use that as well. A great InfoSec professional must always consider the risks he is trying to address versus the cost to the business. Otherwise, he may make the organization less agile and spend more money protecting something that's not worth that level of investment. This is very common in less experienced InfoSec professionals, many of whom believe security should be increased at all costs.
2. An understanding of layered security. No single layer of protection is sufficient by itself to prevent all types of attacks. If we think about the world of physical security, this is the difference between putting a fence around your property and having a fence plus guards, guard dogs, and alarms. The fence alone is an incredibly valuable way to protect your home, but really determined attackers will just climb over it. The other layers are there to make it incrementally more difficult to overcome. InfoSec is no different; multiple layers can make it immensely more difficult for an attacker to gain access to something.
3. An understanding of and willingness to address the insider threat. Insider threats can be inadvertent (someone reusing their password in multiple locations), engineered (an external attacker can manipulate those inside your organization to complete some task or provide some information that will allow them to reach an objective), or they can be malicious (someone actively stealing data or otherwise tampering with systems and selling it to the highest bidder). Many InfoSec professionals focus on protecting assets from external attacks, but external attackers make up fewer than half of all high-impact breaches. Insider attacks can be much more damaging to your business, because insiders usually have a far easier time accessing sensitive assets.
Raffi is the founder of Triada Networks, a boutique managed service provider serving independent asset managers. Raffi was the Director of IT Infrastructure at INVESCO in NYC and the CTO of Canaras Capital Management. Raffi maintains a CISSP and holds an MBA in Information Systems from Fairleigh Dickinson University and a BS in Computer and Systems Engineering from Rensselaer Polytechnic Institute.
"The top three characteristics of a great InfoSec professional as we head into 2016 include..."
1. The ability to see both the forest and the trees. Most people in technology can either take a narrow view of their particular silo or a high-level, broad perspective, such as that of a technology manager. On the other hand, InfoSec professionals, particularly those who manage teams, should have a broad perspective of the business and the IT function as it relates to that business, and a solid understanding of the individual parts without having to be an expert on that discipline.
2. Innate curiosity. InfoSec professionals should always be asking the question 'why' more so than 'how'. Many get bogged down in asking how something is being done when why something is required is more important. InfoSec professionals have gotten a bad rep when it comes to saying no all the time. However, if we ask 'why' more often to get a better understanding of the business’ goals, then we’ll be able to better tailor and guide our businesses along a more secure path.
3. Understanding of the development lifecycle. By understanding the unique development process of our application teams, we can better serve them and ultimately provide systems that are pragmatically secure. Roadblocks aren’t the way to greater security. Newer development processes provide for iterative and quicker improvements in our products, and also give us an opportunity to improve the security posture of our systems.
Oscar Moncada is the Director of Technology Operations at Events.com. Prior to joining Events.com, Oscar was a Software Engineer at Digitaria, a JWT Company. Oscar received his Bachelor of Science in Computer Science from Louisiana State University. He also studied Artificial Intelligence at California State University. Oscar is a licensed Solutions Architect - Associate with Amazon Web Services.
"Information security is a pretty broad topic. That said, I believe the most important characteristics InfoSec professionals should possess are..."
- Staying up-to-date on latest trends and events in the security space.
- Involving users and team members in changes to security policies and new technologies. Security is a team effort.
- Being proactive.
- Understanding security in the cloud. The cloud allows you to be more flexible with your infrastructure, but it also makes it easy to overlook potential security threats by relying solely on the provider's security layer.
- Implementing and maintaining a solid, and preferably automated, disaster recovery plan.
- Implementing and maintaining a solid security policy and ensuring that everyone in the organization is familiar with it.
Tim Cannon is the vice president of product management and marketing at HealthITJobs.com, a free job search resource for health IT professionals.
"There are several key characteristics InfoSec professionals should have in 2016, including..."
Curiosity and creativity - Information security professionals need to think like a hacker. Curious professionals find threats and possible attacks. They poke around the system and try new things to find vulnerabilities before hackers do.
Effective professionals then use this knowledge to advance and create better security technologies. Creative information security professionals are needed to drive the evolution and innovation of security systems.
Trustworthiness - Information security professionals have access to your employer’s most sensitive information, and it’s their job to protect it. But employees can’t always be trusted.
Information is leaked both intentionally and unintentionally, so employers need to be able to trust information security professionals to keep their data safe. That means professionals need to both set and follow the security rules to prevent breaches and show they can be trusted with sensitive information.
Drive - The technology and systems that information security professionals work with continually evolve, and so do the tactics attackers use. Successful professionals have the drive to stay on top of these changes.
Greg Nichols is the Chief Technology Officer and Senior Vice President of Proxibid
"As more companies face online fraud and security breaches, having a great InfoSec professional on staff is mission critical. When looking to hire their next expert, companies should look for InfoSec professionals who..."
- Are plugged in to a network of peers who engage in Day Zero / Day One awareness of new threats.
- Know how to employ mitigation appropriate for probable threats and in balance with the risk tolerance of the stakeholder(s). Resources and time are often lost on possible but improbable scenarios. Most risk tolerance profiles would drive a focus only on the probable scenarios.
- Can help stakeholders understand that you can't prevent 100% of intrusions, breaches, and losses. You can only minimize them through proactive measures and have a plan for response, accountability, and gap mitigation.
- Are diligent in implementing the full, appropriate security protocols and processes necessary for the environment, with the least possible impact on productivity.
- This seems like a given, but still needs to be on the list: must be up-to-date on the latest trends and strategies. Not only perimeter defense, but must also be able to detect/respond when a breach has occurred.
Paul Kubler, CISSP, CCNA, Sec+, ACE, EnCE is a Cyber Security and Digital Forensics Examiner at LIFARS LLC, an international cybersecurity and digital forensics firm. He's a former employee at Boeing, in the Global Network Architecture division, the nation's largest private cyberattack target. He previously worked at the Flushing Bank in Network and Systems Infrastructure, protecting valuable financial data at various levels within the network and system. Paul has also performed forensic investigations into mobile devices, aiding in the prosecution of criminals.
With several years of experience in cybersecurity and digital forensics, he has conducted a wide range of investigations, including data breaches resulting from computer intrusions, theft of intellectual property, and computer hacking. He has worked on hardening systems and deploying protection across an international organization. He has also built business networks with a defense-in-depth strategy and implemented firewalls on these networks.
"A great InfoSec professional requires a few additional skills beyond a normal professional..."
These are more than just being a sociable communicator and adept businessperson, both of which are necessary for an effective InfoSec career, unless you enjoy having small budgets every quarter. In addition, InfoSec professionals must always be learning, as it is an ever-changing field that can leave people behind if they do not stay up-to-date. New technologies bring new rewards and new risks, so a professional needs to stay on their toes and be curious and investigative. Another important quality is being intuitive by being able to guess and derive what the future of the InfoSec world will be and drive initiatives based on these predictions. Predicting the near future is a great skill and can guide the success of an individual.
Jen Martinson is the General Manager and Editor-in-Chief of Secure Thoughts, a website that specializes in internet and data security which employs numerous internet security experts. She has been working with internet security solutions for years now and loves sharing her knowledge with others.
"The most important characteristic that any InfoSec professional needs today is..."
A thirst to keep learning. You aren’t going to find any worthy professionals who stopped learning when they found out all there is to know about Windows 95. There are new exploits coming out constantly to match new technology, and most of them aren’t going to give any warning. Look for people who say they are checking the news every day, reading industry journals, and attending security conferences. They will not only be prepared for the threats of yesterday but the threats of tomorrow, which are the true concerns of any major company.
Another necessary characteristic is detail-orientation, ideally complemented by a strong memory and a lot of patience. Just as burglars will try to pick a lock before smashing in a window, hackers will attempt to find the "quietest" route. The most dangerous hacks and exploits are the ones you don’t know about, and a good professional will be able to notice even the slightest changes in a system or find the slightest bit of misplaced data. The best people will notice the subtle changes.
Any good InfoSec professional will also have foresight. The best people will be able to anticipate the security needs of a team several months or, in the best of circumstances, a year down the line, setting the groundwork for an easy transition into new security procedures and tools. Integrating new rules and procedures is best done from the get-go, and being proactive is far more efficient than being reactive.
Finally, an uncommon and invaluable skill for an InfoSec professional to have is the ability to read people and determine how they could be a security benefit or risk. There are numerous studies that conclude that most major leaks are not caused by hard work on the part of cybercriminals but by human error (or malice) on the part of an employee. The best InfoSec professionals will be able to identify the people who are the biggest risks and devise a method to help them adapt. They will also ideally be in constant communication with both employees and management in order to have a clear picture of the company’s environment.
Nick Santora is the CEO of Curricula, a cyber security company focused on the design, management, and delivery of cyber security awareness training.
"One of the most important characteristics of a great InfoSec professional today is..."
Being able to explain complex technology concepts to non-technical people. What I mean here is decision makers in the organization including executives and board members. This skill requires the InfoSec professional to be knowledgeable not only in current technology trends but to truly understand them well enough to easily explain these concepts. Executives don't need to truly understand the technology; they need an overview of why the investment is needed, what problem it is solving, and an understanding of the associated risks. They are relying on the InfoSec professional to figure out all of the technical implementation details. Having the technical knowledge just doesn't cut it anymore; you need to be able to explain your expertise at a level that can influence company-wide decisions.
Julian Weinberger, CISSP, is Director of Systems Engineering at NCP engineering, based in Mountain View, California. Julian is an information security expert with expertise in the areas of SSL-VPN, IPsec, PKI, and firewalls. At NCP engineering, he develops IT network security solutions and business strategies.
"While security professionals are required to have broad knowledge of IT, they are also required to have technical expertise in..."
Network and application security, identity management, cryptography, and threat detection and prevention. They also need to be able to interpret compliance regulations and implement policies. Intelligence, curiosity, problem-solving ability, and dedication to the profession are all necessary for a career in information security.
What may be surprising is it's also necessary for security professionals to have social skills and the ability to communicate effectively with management, coworkers, and users. If managers, coworkers, or users don't understand why security is required and important to the entire enterprise, the environment might not be as secure as expected.
When communicating with business leaders and executive staff about information security, it's important to do it in terms they understand: how does it affect the business? Keep in mind that they approve the budget for headcount and the network and security infrastructure. The importance of security needs to be explained in the context of what the potential risks are to the business and what impact they can have on the company's bottom line.
Users need to understand that they play a key role in maintaining a secure environment. Educating them on how the enterprise could be put at risk and jeopardized when they try to get around security methods and policies needs to be an ongoing effort and investment. Once management and users have a clear understanding of the importance of security, it makes working in the security field much easier. This understanding can only be achieved when security professionals develop and cultivate good social skills and communication.
Summary: A security professional or expert is required to have both strong technical and communication skills. Having both skillsets is what separates the good security professionals from the mediocre ones.
J. Trevor Hughes is president and CEO of the International Association of Privacy Professionals (IAPP). In this role, Hughes leads the world's largest association of privacy professionals. He is an experienced attorney in privacy, technology, and marketing law. He has provided testimony before the U.S. Congress Commerce Committee, Senate Commerce Committee, Federal Trade Commission, and more on privacy, surveillance, spam, and privacy-sensitive technologies.
"InfoSecurity is a dynamic field and there are many characteristics a true professional must possess to succeed, but - particularly in 2016 - it's paramount for InfoSec professionals to understand..."
The ever-changing landscape of privacy. InfoSec professionals should know the differences between privacy and security, but also possess a deep understanding of how and why they need to work together, rather than separately. Without proper knowledge of privacy laws, best practices, or risks, organizations are naturally more vulnerable to data breaches. It's important to remember that it's not if you'll be the victim of a breach, but when. By having a professional with these skills on staff, you can greatly improve your organization's recovery process after an attack. With regulators calling for data privacy to be factored into products and services, organizations with privacy controls instilled in their technology are ahead of the curve - and the risks. Thus, professionals who possess the skills to develop, engineer, and manage IT to meet increasing privacy needs are valuable.
Keith is the Co-Founder and Director of Detection Operations at Red Canary. Keith runs Red Canary’s Security Operations Center and leads a group of expert analysts that monitor a continuous stream of potential attacks detected in customers’ environments. Keith is a known expert in offensive cyber computing and defensive IT security from his background as Director of Commercial Security at Kyrus and Executive Director of Information Technology at ManTech.
"To succeed in 2016, InfoSec professionals should have..."
Investigative Mentality - A successful Information Security professional has the ability and desire to think like an investigator: a healthy level of skepticism and curiosity, an inclination for taking things apart to see how they work, a willingness to keep digging deeper, and an ability to think outside of established procedures and documented processes. This attribute is essential for keeping pace with the rapidly evolving threats that defenders are facing.
Continual Quest for Knowledge - The Information Security industry is ballooning - especially with the Internet of Things. There are more and more devices to protect and even more attack vectors, vulnerabilities, security products, and security best practices. A successful Information Security professional is always seeking outlets to expand their knowledge base - conferences, mentors, competitions, threat intel groups, and breaking news and research.
Technical Expertise (Experience/Time) - This almost goes without saying but should be mentioned. The above skills are drastically less effective without a knowledge base that covers multiple disciplines: a very deep understanding of computer functions, IT infrastructure, and network and endpoint security. These individuals are rare - and that is what makes them great. Their expertise allows them to pull back and see the "big picture" or jump into the minute details. This knowledge is the foundation of a truly great Information Security professional.
Reliable Network - Information Security professionals must be connected with their peers if they hope to be great at their profession. It is virtually impossible to succeed without the knowledge, wisdom, and experiences of a community. Threat information sharing, tips, and support circulate within these communities and a great InfoSec professional has identified the groups that provide the intelligence they need to succeed in their job.
Dr. Timothy C. Summers
Dr. Timothy C. Summers is the CEO of Summers & Company, LLC and specializes in organizational design and cyber strategy. He is the world's leading expert on hackers and is responsible for developing the field of hacker cognitive psychology.
"Recently, nine of my colleagues and I were selected by CompTIA, an InfoSec certification/governing body, to help them address this very question. Based on the inputs from this diverse group of hackers/InfoSec professionals, we came to the conclusion that the characteristics most needed in 2015 (and beyond) are..."
1. On-the-Fly Technical Knowledge: It is expected that most professionals in the field have the basics down. This includes understanding the most generally used technologies but also having the technical prowess to learn new technologies on-the-fly. We reached consensus that the InfoSec professional must be able to develop a functioning understanding of new technologies whether they are familiar or not. They must have the ability to adapt.
2. Community Involvement: The days of the lonely InfoSec professional are over. We need more CISOs and other InfoSec professionals to be involved with the development and creation of new knowledge. Tomorrow's InfoSec professional will be involved with steering the development of new security technologies through sharing their ideas and experiences. This includes cross-pollinating with other industries and the InfoSec professionals working in those fields. This cross-pollination could occur via conferences, speaking engagements, and other intellectual capital sharing forums. The days of stove-piped InfoSec professionals are over.
3. Management Acumen: As the organizational landscape becomes more complex and overwhelmed with technological solutions, InfoSec professionals are progressively becoming leaders within their departments. This is requiring them to be ever more management friendly. In the past, one could be an InfoSec professional and hide from management; however, the InfoSec professionals of today are required to interact with management and provide presentations regarding return on investment. As this happens more and more, we've seen the InfoSec professional go from the stereotypical introvert to the extroverted introvert. It is more important now than ever for the InfoSec professional to be able to communicate with non-InfoSec professionals about the impact of security.
Chris Camejo, director of threat and vulnerability for NTT Com Security (formerly Integralis), comes from a technical assessment background, having personally coordinated and conducted numerous large-scale, multi-discipline penetration tests spanning multiple countries for global clients. As part of NTT Com Security’s threat intelligence capabilities, he follows the latest tactics and techniques of attackers and has conducted presentations on this topic at Computerworld Security Summit and with the United States Secret Service San Francisco Electronic Crimes Task Force and has assisted in research for a presentation at Black Hat Briefings. Chris has been working with NTT Com Security since 2001.
"The most important trait for InfoSec professionals in 2016 is..."
A solid understanding of risk management. As a former penetration tester, I am very aware of the types of attacks that are being used "in the wild" to compromise organizations. Unfortunately it seems that many individuals within the information security field, especially people like developers and system administrators who may not consider themselves to be part of InfoSec despite the enormous responsibilities they hold, don’t seem to keep up on these techniques. This results in individuals underestimating and overlooking certain risks to their systems while squandering limited resources implementing "best practices" that may not address any particular threat that they would expect to deal with. Every information security professional, including those that have indirect information security responsibilities, should be able to articulate what it is they’re trying to protect and what they’re trying to protect it from.
Joan Pepin is the VP of Security and CISO for Sumo Logic. A recognized expert in security policy, lifecycle management, and compliance, Joan is the inventor of SecureWorks' Anomaly Detection Engine and Event Linking technologies. She brings over 17 years of experience to her role at Sumo Logic from a wide variety of industries such as healthcare, manufacturing, defense, ISPs, and MSSPs. Prior to Sumo Logic, Joan spent nine years with the Guardent/Verisign/Secureworks organization where she helped establish key initiatives around policy management, security metrics, and incident response. She holds a patent for developing methodology to assess whether a communication contains an attack. She holds an undergraduate degree from the University of Massachusetts, Amherst.
"When thinking about the key qualities that make a successful InfoSecurity professional..."
I think there's a lifecycle that comes into play. First off, curiosity is key - a good security person wants to understand how an entire product and system works. They think about this in a holistic way rather than as siloed, discrete functions that operate in black boxes. Curiosity leads to becoming self-taught. It leads to an understanding of all of the steps and use cases of a system, not only at a high level but also at a granular level, and becoming an expert on one very specialized piece of technology overnight. This in turn leads to a good working memory in order to keep the ocean of details (IP addresses, timestamps, kill-chains, etc.) organized in their head, particularly during the middle of a security incident. Lastly, they need the ability to compartmentalize and work well under stress. As you mature and progress out of the trenches on the path to becoming an executive, you need to adapt and be able to take these same skills and apply them in different ways. Take curiosity to learn how the business works inside out and use your working memory and grace under pressure to learn how to talk to customers, your CEO, or the board when faced with a potential security incident.
David leads Whispering Bell’s commercial expansion into the information and technical security sector. He is focused on building strategic alliances, identifying new technologies, and implementing large-scale cyber security projects. He brings with him 14 years of entrepreneurial experience, having founded and sold his own IT consulting company before joining Whispering Bell in 2009.
"The most important characteristics for successful InfoSec professionals in 2016 include..."
I remember when I started in this business in the late 90s. I was asked to interview a Russian candidate for a job, and one of the first questions I asked her was, "If you had an important Unix server, how would you make sure it's secure?" I was expecting a detailed answer around hardening of the operating system, firewalls, IDS, etc. Her answer was simple: "I would switch it off, dig a big hole and bury it in concrete, and even then I wouldn’t tell you it's secure!" I hired her and have never regretted it since.
For me, the most important trait of a successful InfoSec professional is the same as it has always been: extreme paranoia and a great mistrust of vendors who promise the earth.
On a more practical note, the InfoSec professional's job role has changed dramatically since the 90s, when only in the large multinationals would you find a dedicated resource who was looking after IT security, normally under the IT Director. It was a position usually filled by a graduate and not very well paid. In the early 2000s, the role elevated slightly, with companies moving the role under Finance (if they had been hit by a virus or hack that had affected them with financial loss) or under physical security. During these days, the InfoSec professional simply needed to make sure that an antivirus solution was rolled out properly and that they patched the machines when vendors pushed things out. Normally if you had a good networking person running your security, you were going to be in good shape.
Towards 2010 things started to become scary. The job role in the multinationals had changed from IT security manager to CISO, and they now had a team, so they were not as technically inclined as before. These professionals needed to spend a lot of their time looking at legal compliance issues and obtaining and maintaining security certifications for their companies, while also being able to brief the board. The final run toward 2016 has now been more about admitting that it is nearly impossible to defend yourself against a determined attacker and preparing yourself for that day when it does hit. As the market is proving, the majority of CISOs of the multinationals are now in ex-government intelligence services, whose purposes are not to firefight and protect the networks on a day-to-day basis, but to better understand who is trying to attack them and why. The reasoning behind this is to try and prevent the attack before it even reaches one's network. All of this basically brings you full circle; the most important characteristic of an InfoSec professional in 2016 is paranoia and the ability to have a better crystal ball than the rest!
Murielle Marie Ungricht is a mentor, coach, writer, and business strategist. She has been running her own web agency for more than a decade with Sam, the CTO of Lumturio. She has 9 years of experience managing the development and maintenance of Drupal sites. She is a soulful entrepreneur, passionate about women’s causes and women's empowerment.
"There are a few important traits and characteristics companies should look for in InfoSec professionals in 2016..."
1. Having established relationships with the industry community. With an increasing number of attacks, having trusted sources that can inform you of the latest threats is priceless. Communities such as Drupal's constantly share best practices and keep members in the know about the latest vulnerabilities discovered in the system. Knowing how to quickly access this information can protect the company from emerging threats.
2. Being able to connect the dots. Cyber security issues are often hidden. Knowing where the threads might be and recognizing them is key. It's a bit like being a cyber security detective.
3. Always taking the human factor into account. The easiest way in is still the most-used entry point and that is very often the result of human error or simply being human.
4. Possessing knowledge. With an avid love for staying up-to-date on what is going on in the world, a cyber security specialist will be able to recognize patterns that might lead to vulnerabilities. They will also be able to figure out potential issues based on even trivial news pieces.