Today's information security professionals need to learn more swiftly, communicate more effectively, know more about the business, and match the capabilities of an ever-improving set of adversaries. But, it doesn't seem too long ago that all it took to survive in the field was a dose of strong technical acumen and a shot of creativity to protect the network, solve most problems, and fend off attacks.
Not so today. The role of the security professional has evolved beyond that of mere technical savvy, and now includes consultant, educator, investigator, and defender of the data.
To understand the traits and habits that matter the most, we reached out to a number of security professionals by phone, email, and social media, who are successful in their respective areas in the field.
If there's one thing that screamed out from the interviews it was this: security knowledge alone is only the beginning of the skills and habits one needs to succeed.
Effective Habit 1: Communications. As Branden Williams, EVP of Strategy at Sysnet Global Solutions, put it, it's the ability to translate "l33tsp34k to a P&L." Interpersonal communications is critical for security and forensics professionals for a variety of reasons; the most powerful one being self-interest. "Good communicators earn more promotions and more jobs than do bad communicators. You could be the best technician in the world, but if you can't hold up your end of a conversation about what you're doing with business people, you're not going to be asked back to the table," says Brian Martin, founder of Allentown, PA-based Digital Trust, LLC.
Communications is, broadly speaking, a challenge among many flavors of IT professionals—not just security. "My assumption has always been it's because we spent our school years learning things and not worrying about other people. There's also a tendency for people with communications issues to focus on technical challenges as a way to compensate. Whether it's language, arts, or science, the people who are very good at it have, in a lot of cases, neglected their interpersonal skills," says Martin.
Effective Habit 2: Business Acumen. Increasingly, knowing the business and how to wrangle through political challenges is just as important as technical acumen. For CSOs, it is arguably more important in terms of being able to persuade business leaders to obtain the resources you need to succeed and compromise with business leadership and the organization when necessary.
"In order to be an effective CISO, you must first understand how your organization makes money, and know the real world threats that influence sustained success. There are no magic bullets and no checklists you can implement to reduce your unique risk profile," says Boris Sverdlik, manager of product and platform security at Tagged.
One factor that is necessary for long-term success is compromise, which, essentially, means being able to help the enterprise meet its goals while keeping risks within acceptable tolerance levels. "Part of why I think compromise is such an important skill for a CISO or security professional is that many of us are trained to say 'no' on new initiatives without trying to make a pathway to get to 'yes,'" says Williams.
Williams recalled a recent conversation with a CISO at a large company in which he proclaimed to "unequivocally" ban BYOD from his organization. What the CISO didn't appear to understand was that it was happening anyway, explains Williams, behind his and the IT department's backs. "People found ways to bring certain work items to their personal devices through cloud sharing applications such as Dropbox and Evernote. The business he supported clearly had a need for some of these services, but his stubbornness ultimately led his users to work around him," he says.
Effective Habit 3: Creativity. It's no secret that the adversary is quite creative and these intelligent, dynamic, creative, and motivated attacker and security pros need those same skills to match.
In addition to defense, creativity also helps solve technical problems. For example, Williams relays the time when a client was exploring a mobile point-of-sale system to be used for sales from outside their primary place of business. "The CISO never outright said 'no,' but instead worked through the requirements of the business, found acceptable solutions that met the company's security goals, passed on some of the cost of this to the business owner, and was able to get a solution working," says Williams.
This is one example of how creative security professionals can improve their relationships with other business stakeholders and lower risk more effectively.
Effective Habit 4: Root Cause Analysis Skills/Problem Solving. According to Digital Trust's Martin, root cause analysis and troubleshooting skills are necessary because it's impossible to train for the unknown, and there will be plenty of unknowns to analyze in the typical security career.
"Nobody can know everything about everything, and there is always something new, different, or strange that comes along," he says. This is why for his practice, Martin seeks candidates who, in addition to possessing good levels of competence in security, have savvy problem solving skills. "They won't know how to solve a new problem immediately, but they'll figure it out pretty fast. This is essentially the heart of hacking; figuring new stuff out. Without the ability to think on your feet and figure previously un-encountered stuff out, how will they respond to a mysterious change in a box configuration, or the latest zero-day," he asks.
Interestingly, when attempting to get to the root cause of problems and incidents, communication and business acumen skills noted come into play and improve outcomes. "Diplomacy also can be effective in crisis or reactionary scenarios," says K. C. Yerrid, Senior Security Consultant at FishNet Security. "Consider the barriers to determining root cause for an incident. By utilizing diplomacy, personal motivations to distort the truth and protect job security or ego may be reduced, resulting in a more efficient resolution and shifting the goal of the root cause from a personal witch-hunt to a bona fide process improvement mechanism," says Yerrid.
Effective Habit 5: Proficient Consumer of Knowledge. Another critical trait mentioned among those we queried is quenching the constant desire to learn new things. Kelly Lum, Technical Information Security Officer at Citi says it's about keeping on top of news and changing developments in their field whether it be policy developments, new exploitation techniques and bug classes, emerging tech, and other trends.
The need for an attitude of life-long learning is clear on the surface. In the past five years alone, technology has changed tremendously and so has the industry's general understanding of the adversaries it faces. To keep abreast of the latest technologies, exploits, and attack trends, it's important to hit the books, blogs, social media, and news sites daily, and obtain certifications and attend a conference or two every year.
Tagged's Sverdlik says he is also sure to hit a number of resources every day. "I personally read Reddit, a full disclosure mailing list, and several others every day just to stay on top of trends and correlate them back to my organization," he says.
Effective Habit 6: Actively Engage with Business Stakeholders. Effective security pros are always looking for ways to engage with business stakeholders, whether it's business leadership or IT and operations teams. "Without engagement up front, during requirements definition, security will be hard-pressed to be proactive," says Tadd Axon, IT Architect at Oakville, Ontario-based Softchoice. "Engaging with infrastructure and development teams at the beginning (actually becoming a stakeholder in a project, rather than just a gatekeeper), and during the building and testing of a given system gives all parties a better understanding of the business objectives and technical, organizational, and other reasons as to why [certain] choices are made to ensure functionality," he says.
This level of early and persistent engagement enables security to properly argue against certain courses of action and to more coherently offer alternatives," says Axon.
Effective Habit 7: Being a Student of Offense and Defense. When it comes to information security, a good offense often means an effective defense. "To understand your risk profile, you should begin to look at your organization from an adversarial perspective; this requires a thorough understanding of offensive [attack] techniques. When we speak about offense, we are referring to techniques used by adversaries to exploit weaknesses in your organization be it for financial gain, competitive advantage or, worse yet, to tarnish your reputation," says Sverdlik.
While CISOs aren't generally required to conduct penetration tests or reverse engineer applications, they do need to understand the basics of how today's attackers operate. "Many of the breaches today aren't sophisticated, they employ techniques that have been used time and time again; however, they are successful because many security professionals abide by a generic checklist, which may or may not reduce risk. In my experience, the best way to understand how attackers think is to use the wealth of information available today," he says.
While these seven habits are certainty not all inclusive, security and IT pros believe they're essential to success. Even though security talent is hard to come by, there's still no room for complacency, no matter how deep one's technical skills. "The way the world is shrinking, if you aren't motivated and capable, you're not long for the work force. That's why these skills are so essential, because only A and B level players are going to make the grade. There's no room in a competitive environment for average or below," says Digital Trust's Martin.