Comments on: 7 Things Every Security Professional Should Know

By: We’re back! — My Information Security Job

We’re back! — My Information Security Job — Wed, 12 May 2010 11:18:51 +0000

[...] would like to share with you: Got myself a job in 3 days (using some of my tricks listed here and here), found a neat flat to live close to the beach (which we’re really looking fwd), got married [...]

By: Como se tornar um profissional de Segurança da informação | Profissionais TI - Pra quem respira informação

Mon, 22 Mar 2010 10:18:15 +0000

[...] outros dois posts que eu recomendo. São do blog My Information Security Job: 7 Things Every Security Professional Should Know e How to Start Your Information Security [...]

By: Donald Johnston

Donald Johnston — Sat, 13 Mar 2010 01:51:35 +0000

A few more items I would add to your list:

1. Learn to listen
This is a very important part of your point about “Learn to communicate effectively”. By listening you’ll be able to understand the business needs and balance those against the security needs.

2. Understand that information security is more then IT security
Safeguards, for protecting information, can be administrative, physical, or logical (i.e. APL). This relates to two important points: a) not all the information you’re trying to protect is in electronic systems, and b) holes in you administrative or physical safeguards can easily negate all the efforts you’ve put into the logical safeguards (i.e. your IT security systems).

3. Be able to answer the question “why” or “so what”
This relates back to my first point above … if you know the business needs you’ll be able to easily explain why you’re recommending a particular safeguard. If you recommend something that has nothing to do with a real life threat/vulnerability then you’ll get the “so what” question.

4. The answer to “may be” has to be risk based
It is always the business managers that get to say “no” or “maybe” or “yes” not the technical staff. Businesses can “accept risk” as well as “mitigate” it! The technical job is to help the business with a threat risk assessment (threats, vulnerabilities, likelihoods, impacts, risks, recommended safeguards, costs of implementation). Then the “enterprise risk management” steps in and decides how to “handle” that risk: ignore (not recommended), accept (cost of doing business), transfer (buy insurance against the risk), avoid (get out of that business or avoid that activity), transform (turn it around, if the world gives you lemons make lemonade).

Take the time to see the big picture, IT isn’t there for its own sake, there is a business out there that you’re supporting, learn everything you can about that business and how you can help to drive its success!!!

By: The Transition From a Technical Position to a Management Role — My Information Security Job

Wed, 10 Mar 2010 09:07:41 +0000

[...] I faced when transitioning from a technical security career to a managerial one is that the skill sets involved are VERY different, especially if you are to become an Information Security professional (as [...]

By: llsantana.org » Como se tornar um profissional de Segurança da informação

llsantana.org » Como se tornar um profissional de Segurança da informação — Fri, 26 Feb 2010 20:22:47 +0000

[...] outros dois posts que eu recomendo, são do blog My Information Security Job . São 7 Things Every Security Professional Should Know e How to Start Your Information Security Career? [...]

By: 5 échecs de la sécurité, 7 règles pour RSSI - CNIS mag

5 échecs de la sécurité, 7 règles pour RSSI - CNIS mag — Wed, 17 Feb 2010 10:08:24 +0000

[...] article-listing est signé Adriano sur My Information Security Job. Il recense les 7 « choses qu’un homme sécurité devrait faire ». A commencer par communiquer, [...]

By: What's the right information security certification for me? — My Information Security Job

Wed, 17 Feb 2010 07:37:41 +0000

[...] postsThe 10 Coolest Information Security CareersHow to Start Your Information Security Career?7 Things Every Security Professional Should KnowInformation Security Career Tips by a Guru: Interview with Peter H. GregoryInterview with InfoSec [...]

By: Christopher Wren

Christopher Wren — Tue, 16 Feb 2010 15:29:42 +0000

@William

Hi there…. I have to agree with you and you also have to tailor the content to your audience. There is nothing more annoying to read a self appointed SME, regurgitate the same old theories and thought processes that are on every other blog.

For a blog to be essential to a InfoSec practitioner it has to expand their marketability, either due to the additional understanding of the subject or in the additional InfoSec opportunities that come your way.

If you are looking at revenue streams from your blog or getting other writing opportunities, then you are becoming a blogger for a living and not an InfoSec practitioner. This is still a valid career move, just not a career move within InfoSec.

By: William McBorrough

William McBorrough — Tue, 16 Feb 2010 00:20:26 +0000

In response to Chris’ point on blogging. I don’t see it as a career booster however it does give you occasion to think more thoroughly about some of the issues we security professionals have to deal with. There is a different thought process required when you seek to broadcast or publicize your thoughts regarding a certain subject. It is similar to teaching. I teach college level security courses and it keeps me on my toes and my edges sharp. I have to always take a step back and present the bigger, more complete picture in my classes whereas at work, I may be more focused on a specific security concern or project.

By: 7 Things Every Security Professional Should Know - Malta Info Security

7 Things Every Security Professional Should Know - Malta Info Security — Mon, 15 Feb 2010 13:22:34 +0000

[...] 6. Blogging is serious business 7. Don’t be afraid of starting a business Read the full article here. Once you've homed on these skills, check out the 10 coolest Information Security Careers.. [...]