By Brent Conran
The increased risk of cyber-attacks is driving a demand for cyber-security professionals. The U.S. Bureau of Labor Statistics expects employment of information security analysts to grow by 37 percent by 2022, a rate far greater than the average growth rate for all other jobs.
Yet, while today’s need for cyber-security professionals may outweigh supply, it’s important to remember that several IT skills and personality traits are transferable.
Let’s start with on-the-job expertise. These four IT positions provide useful knowledge and skills for those who want to change fields:
Telecommunications: Network architects are essential to the security infrastructure. Individuals with experience in creating and working with cloud networks—and who understand business processes and network-aware devices—will make the greatest contribution. Good network administrators with experience in LAN, WAN or wireless networks can grow into cross-disciplined security architects or security operations experts.
Programming: Experience working with secure life cycle development, along with an understanding of coding practices and code review, can translate into all aspects of security analysis—from basic event management to forensics and incident response.
Cloud Storage: As data moves into public and private clouds, professionals who have an understanding of how the cloud is being used from a variety of aspects—such as service planning, architecture and data flow through each layer in the cloud network—may be equipped to handle security and compliance controls.
Database: As we begin to take advantage of big data to analyze historical trends and correlations in our networks and beyond, we need people with a blend of knowledge about database technology, coupled with analytic, statistical and mathematical skills to sort through data elements and find valuable relationships.
Security Pros Need Soft Skills
Cyber-security professionals obviously need a baseline of technology skills, but on its own, tech savvy is not enough. People in security also need to have soft skills and some distinctive personality traits. These include the following:
Inquisitive minds: Workers who display detective-like thought processes that enable them to analyze how to do and use things differently than intended are often the best analysts, researchers and operational specialists.
Knowledge of psychology, sociology and organizational behavior: With so many vulnerabilities created by human error, it is critical to be well-trained in business processes; be able to think the way users think; and be able to predict how users might deviate from best practices—inadvertently or not.
Open-minded nature: The threat landscape changes rapidly. We may need to tear down infrastructure tomorrow that we built today. Cyber-professionals must be able to adapt quickly to situational changes.
Integrity: We often deal with sensitive information and events that unfold quickly. Our teams require the ability to be discreet, as well as a willingness to provide an honest assessment of a situation—even when the answer is, “I don’t know.”
One of the best cyber-security professionals I ever hired had run a dog shelter. In his interview, he admitted that he didn’t know the answers to all my questions. He was able to learn the technology quickly, but his integrity is what made him a valued member of the team.
Communication: Effective communication is critical in all areas of information security, at all levels of the business—from executives to end users. Cyber-security professionals need to be able to obtain and supply information that’s critical to the incident. They must be diplomatic in all instances, and they must listen, adapt and remain in control of the conversation.
Staying Up to Date
You can never learn this job. In an industry that went from mainframe to distributed computing and now to mobility, the relevant technology disciplines that were good just three years ago are no longer good. Security professionals must look into the future, and their thought processes must constantly evolve.
I recommend a mix of internal and external training, plus attending at least one conference each year. A resource such as ISACA’s Cybersecurity Nexus gathers many of these resources and relies on people in the industry to make sure the content reflects the latest trends and issues.
Internal training ensures that employees align with the business. Conferences and external training opportunities are an important means of staying current with new technologies and attack vectors.
I’m also a big believer in certifications. They ensure that employees have a solid knowledge base. Sometimes, going through the process is nearly as important as achieving the certification because people discover what they know and what they need to learn.
IT security is the most exciting job in IT. I tell people entering the field that they should sleep now because they never will again. The next generation of cyber-leaders must understand how security and privacy can enable the business. These individuals will need a wide range of technical and business skills—ranging from complex cloud networking to understanding the labyrinth of legal precedent.
As we seek to protect privacy with the rapid introduction of new devices in the Internet of things, coupled with the demand for innovation in cyber-security solutions, CIOs and CSOs alike may find security professionals in some unlikely places.
Brent Conran is a founding member of the ISACA Cybersecurity Task Force and the chief security officer at McAfee.