Comments

Davi Ottenheimer • January 30, 2006 3:05 PM

Some of their analysis might need further scrutiny.

For example, what's to say "People who hold certifications from ISC2 and ISACA earn more than those who hold other certifications" should not be interpreted instead as "people who earn more tend to get certifications from ISACA and ISC2"?

Davi Ottenheimer • January 30, 2006 3:43 PM

Here's another oddity from page 4:

When asked about "the single worst thing your employer does that makes working no fun at all", 20.2% cited "problems in management and leadership including lack of vision and micromanagement".

But then 10% said they had "no opinion" and 21% said "not important" when asked whether "strategic business planning" is a critical skill necessary for advancement.

So 20% expect better strategic thinking from higher-ups yet 30% say it shouldn't be expected of them (in order to advance in their career)? The only thing that was ranked less important appears to be industry participation.

David Donahue • January 30, 2006 4:02 PM

As a security and IT solutions architecture consultant, I'm very rarely asked for my opinion on strategic planning issues. I'm expected to back the strategic thinking of my customers and provide technology solutions that fit within their existing thinking.

When one of my customers has flawed strategic plans, I get annoyed because I have to propose less than optimal (my opinion) solutions to remain compatible with their vision.

It is not my role to second-guess the sr. management of my customers. I will offer an opinion if asked or if I think the error is bad enough, but pushing it more than very mildly and carefully is a good way to be unemployed.

For me, then it would not help my career to have these skills in abundance, but I would be annoyed by my customer's management not having them.

Many security professionals are highly specialized and in the same boat I think. They will not have access to the data and knowledge to make good strategic judgements and as such would not be able to effectively use strategic thinking skills even if they had them.

The survey results seem thus quite reasonable to me, I might have answered the questions that way myself.

Pat Cahalan • January 30, 2006 5:27 PM

@ Davi

It's one thing to want to work for someone who is a good manager, and another thing to want to become management yourself.

A great many security consultants may want to continue working below the management level, ergo may not consider strategic planning to be part of their proper job.

On the other hand, I don't think anyone wants to work for someone who lacks strategic planning skills.

Filias Cupio • January 30, 2006 8:29 PM

An off-topic note: There's some interesting speculation about NSA data-mining of telephone calls in the latest "I, Cringely" column (http://www.pbs.org/cringely/pulpit/pulpit20060126.html). (Don't worry - the Pixar/Disney bit is only the first third of the column.)

I'll not comment further in this blog entry/thread, for fear of derailing the conversation from its proper topic.

cyphertube • January 31, 2006 9:01 AM

Slightly off-topic:

But since I was working on a security audit with consultants here at work until our company president killed the audit (for dubious reasons), I got really interested in it.

If I want to make a real transition over into InfoSec, with some time on my hands, but not a whole lot of cash, any recommendations to do so?

Francois • January 31, 2006 9:53 AM

@cyphertube: "But since I was working on a security audit with consultants here at work until our company president killed the audit (for dubious reasons), I got really interested in it."

Not sure what the regulations are for your employer, but certain businesses are required to maintain a certain level of confidentiality and accountability. Could be a lot of reasons for derailing the audit, but the president could also be protecting a vested interest in shady dealings. Unfortunately, until something actually goes terribly and visibly wrong, there's not much you can do about it. However, if you work in a sensitive or regulated area, it might be worth looking into.

jmassey • January 31, 2006 12:47 PM

@Davi, first comment:
That's a definite consideration when looking at the pay vs. cert listings, considering requirements. (ISC)² CISSP requires 4 years' experience in infosec, or 3 years + a bachelor's degree, or 2 years + a master's degree. Microsoft or CompTIA, on the other hand, require a credit card and photo ID.

Pat Cahalan • January 31, 2006 2:05 PM

@ cyphertube

> If I want to make a real transition over into InfoSec, with some time on
> my hands, but not a whole lot of cash, any recommendations to do so?

If you can't make an in-house switch to a job that has primarily security duties, and you can't afford to go to grad school and get an IS/IT degree with a thesis or dissertation in security, picking up some certifications is probably not a bad way to start. It's either that, or enlist.

People looking to hire security specialists probably want to see some "body of work" to indicate you know something about security.

cyphertube • January 31, 2006 2:47 PM

@Francois: I don't think it's a matter of shady dealings, but more of a matter of not necessarily wanting people to see how broken some things are.

@Pat Cahalan: Certs are where I'd have to go. Enlisting is right out, as I'm permanently DQ'd (medical).

Francois • January 31, 2006 3:39 PM

@cyphertube:
I'm a novice in Information Security and still sort of trying to get my foot in the door. Unfortunately I tend to stick my foot in my mouth a lot, instead of shutting up and listening. Although I'm making plenty of mistakes, here's how I'm trying to do it.

First thing: read all of Bruce's books. Seriously. There are a lot of misinformed people out there, so stick with the ones who know. Plus, some of Bruce's work is very accessible for those who don't have an extensive security background. Everyone needs a lot more of that.

Second: network. You're doing that here. Do it more. Get every chance you can to get involved in local security groups, forums, meet law enforcement or military folks, whatever you can do. At the very least, you might get a little inside information or experience. You might get a reference, job referral, or some volunteer experience.

Third: do what you can with what you've got. I've been able to convince my boss and the company of a need for stronger in-house security and skill sets. Whenever there's a chance, I try to discover security issues, learn as much as I can, and apply it. It's a bit tough with nobody to mentor, catch mistakes, provide simple explanations, etc. But make the best of what you've got. My company created a volunteer IT Security office and offered it to me. It takes second place to regular work, but it's something.

Last, I'd say do everything you can at home, for friends, family, and on a volunteer basis. If you set up Smoothwall and Snort for your mom, well, that counts for something, and you can list it as consulting. Any experience is better than none.

Opportunity will knock, one day. Just be ready for it.

Davi Ottenheimer • February 1, 2006 12:57 AM

"When one of my customers has flawed strategic plans, I get annoyed because I have to propose less than optimal (my opinion) solutions to remain compatible with their vision."

Actually, that seems like a perfect example of strategic business management on your part...

I agree that you shouldn't pester someone, as that's unlikely to be constructive, but I don't think that means strategic thinking is a hindrance or unnecessary for your own advancement. You're touching on how you handle disagreements about strategy, rather than a problem like micromanagement or the lack of vision.

Probitas • February 1, 2006 12:42 PM

"When one of my customers has flawed strategic plans, I get annoyed because I have to propose less than optimal (my opinion) solutions to remain compatible with their vision."

All types of security involve trade-offs, even job security.

Dan • February 5, 2006 9:58 AM

Interesting in a lot of ways, and good support for asking for a pay raise (for those of us who are under the national average).

In conversations with other bloggers, though, the big question is certificate or degree. This pretty much shows that in all other ways but salary the certificate helps, while the degree opens up the door to a higher salary and, hopefully, a more challenging work environment (you can only do so many audits until they get old and dull).
