7 Things Every Security Professional Should Know

To be considered a respected Information Security professional nowadays requires more than knowing the bits and bytes, or the controls required by a given framework, by heart. Being successful in your Information Security career requires a deep understanding of the business needs (and how to enable them rather than disrupt them), sharp communication skills and the ability to sell yourself quickly.

The tips presented in this article should broaden your view of the way you conduct your career (even if you are currently unemployed), and will give you an edge once their message is absorbed and put into practice.

1. Learn to communicate effectively

Have you ever had a project manager stare at you while you explained a security concept or solution, as if you were speaking Greek or Latin to him? Information Security is only effective if it can be communicated clearly to its audience. Always keep in mind the level of technical detail the recipient can absorb. There is no point in using technical jargon or acronyms with a project manager or senior manager who does not understand a word of security. Instead, communicate the business benefits: the monetary impact, how current procedures and processes could be run more effectively, or the number of person-days saved by implementing a solution. That is far more effective than proving your technical knowledge. If you are unemployed, being a good communicator can make the difference between landing a job or not.

2. Learn to say ‘maybe’ rather than ‘no’

As security professionals, I am sure many of us have held the view that any request or suggestion to implement a solution should be looked at negatively: the default is to say ‘no’ if it does not meet the requirements of the security standard. I now feel this is the wrong perception. We as security professionals should not be perceived by our organization or clients as party poopers or bottlenecks. Instead, say that we will review the request, and that maybe it could be implemented differently and securely.

3. Social networking sites are not just extensions of instant messengers

With the advent of Web 2.0, social networking sites have taken off. Sites like Facebook, Orkut, LinkedIn and Twitter are breaking user-count records by the day, or even by the minute. But how can social networking sites be useful to security professionals? There are a number of advantages: security groups, discussions, brand awareness, research, and so on. This is the era of interactively sharing information with like-minded people, so use social networking sites smartly rather than for plain old chatting.

Comments (17)

  1. Job Portal says:

    Can I simply just say what a relief to uncover someone who genuinely understands what
    they’re discussing over the internet. You actually realize how to bring an issue to light and make
    it important. More people need to check this out and understand this side
    of your story. It’s surprising you are not more popular because you certainly possess the gift.

  2. KK says:

    Excellent Article for InfoSec Guys

  3. […] would like to share with you: Got myself a job in 3 days (using some of my tricks listed here and here), found a neat flat to live close to the beach (which we’re really looking fwd), got married […]

  4. […] two other posts that I recommend. They are from the blog My Information Security Job: 7 Things Every Security Professional Should Know and How to Start Your Information Security […]

  5. A few more items I would add to your list:

    1. Learn to listen
    This is a very important part of your point about “Learn to communicate effectively”. By listening you’ll be able to understand the business needs and balance those against the security needs.

    2. Understand that information security is more than IT security
    Safeguards for protecting information can be administrative, physical, or logical (i.e. APL). This relates to two important points: a) not all the information you’re trying to protect is in electronic systems, and b) holes in your administrative or physical safeguards can easily negate all the efforts you’ve put into the logical safeguards (i.e. your IT security systems).

    3. Be able to answer the question “why” or “so what”
    This relates back to my first point above … if you know the business needs you’ll be able to easily explain why you’re recommending a particular safeguard. If you recommend something that has nothing to do with a real life threat/vulnerability then you’ll get the “so what” question.

    4. The answer to “maybe” has to be risk based
    It is always the business managers that get to say “no” or “maybe” or “yes” not the technical staff. Businesses can “accept risk” as well as “mitigate” it! The technical job is to help the business with a threat risk assessment (threats, vulnerabilities, likelihoods, impacts, risks, recommended safeguards, costs of implementation). Then the “enterprise risk management” steps in and decides how to “handle” that risk: ignore (not recommended), accept (cost of doing business), transfer (buy insurance against the risk), avoid (get out of that business or avoid that activity), transform (turn it around, if the world gives you lemons make lemonade).

    Take the time to see the big picture, IT isn’t there for its own sake, there is a business out there that you’re supporting, learn everything you can about that business and how you can help to drive its success!!!

  6. […] I faced when transitioning from a technical security career to a managerial one is that the skill sets involved are VERY different, especially if you are to become an Information Security professional (as […]

  7. […] two other posts that I recommend; they are from the blog My Information Security Job. They are 7 Things Every Security Professional Should Know and How to Start Your Information Security Career? […]

  8. […] list-style article is by Adriano on My Information Security Job. It lists the 7 “things a security person should do”. Starting with communicating, […]


  10. Christopher Wren says:

    Hi there…. I have to agree with you, and you also have to tailor the content to your audience. There is nothing more annoying than reading a self-appointed SME regurgitate the same old theories and thought processes that are on every other blog.

    For a blog to be essential to an InfoSec practitioner it has to expand their marketability, either through additional understanding of the subject or through the additional InfoSec opportunities that come your way.

    If you are looking at revenue streams from your blog or getting other writing opportunities, then you are becoming a blogger for a living and not an InfoSec practitioner. This is still a valid career move, just not a career move within InfoSec.

  11. In response to Chris’ point on blogging: I don’t see it as a career booster; however, it does give you occasion to think more thoroughly about some of the issues we security professionals have to deal with. There is a different thought process required when you seek to broadcast or publicize your thoughts regarding a certain subject. It is similar to teaching. I teach college-level security courses and it keeps me on my toes and my edges sharp. I always have to take a step back and present the bigger, more complete picture in my classes, whereas at work I may be more focused on a specific security concern or project.

  12. […] 6. Blogging is serious business 7. Don’t be afraid of starting a business Read the full article here. Once you've homed on these skills, check out the 10 coolest Information Security Careers.. […]

  13. […] 6. Blogging is serious business 7. Don’t be afraid of starting a business Read the full article here. Source: My Information Security […]

  14. Christopher Wren says:

    What does the blog bring to your career?

    You also have to be very careful with the information and content of your blog, as it may pigeonhole you and have a knock-on effect on the opportunities that come your way.

    If I look at the style and content of your writing, it appears to be written from the viewpoint of IT Security and not Information Security.

    There is very little that touches risk, compliance, governance, assurance or the wider discipline of Information Security or Information Assurance.


  17. Girish says:

    It was a nice read. Generates good vibes to start a new year. Looking forward to the 10 valuable pieces of advice.