Career Insights from Stephen Northcutt, CEO of SANS


I get a lot of enquiries from wannabes who, as they put it, want to “break into security”. I presume they see it as more interesting than the work they are doing.

They come in all varieties, from high-school kids asking about what degree they should take to people with no actual work experience asking if they should take a CISSP or CISM.

The luminaries of our profession, be they CISSPs or people like Marcus Ranum and Bruce Schneier who lack such certifications, all came up the same way that Stephen Northcutt did and many of us here did – the long way, gaining the practical experience and understanding of the issues along the way.

Northcutt ends up saying:

The biggest gap isn’t courseware or technology, it is management

It’s too easy to interpret that as management being separate from InfoSec, that it’s management’s responsibility to hire or train the InfoSec people that are needed. But such would be a short-sighted view that relegates InfoSec professionals to technical roles.

No, it is important that InfoSec professionals have (or learn) management skills.

Some engineering schools take the view that if you are choosing engineering as a profession then in a few years you will have a supervisory or a managerial role, and hence decide to teach some management fundamentals at the undergrad level. These may vary but when you look at them they seem like a mini-MBA course:

  • management accounting and budgeting
  • project planning and work breakdown
  • teamwork skills
  • report writing and presentation

In the long run, it is the development of those skills which enables an “engineer” to communicate and deliver and so have more influence and control over his career and the work he does. Technical skills may be great, but unless you can show senior management why they are relevant and why they are of value to the organization you are not going to have a chance to exercise and develop them.

Sadly, many are so set in the geek mentality and the “geeks vs suits” career-limiting outlook that they don’t see how essential these skills are to Getting Things Done.

The real question though is “Mandarin or Cantonese?”

About the author

Security Evangelist