Understanding the business can get you promoted
Information security professionals must embrace business knowledge if they hope to climb a few rungs higher on the corporate ladder, according to experts in the industry.
By Neil Sutton
Information security is following the same trend that befell IT workers
a few years ago, says John P. Pironti, chief information risk
strategist at Getronics: business knowledge is essential if you ever
want to move into senior management.
“Security is 25 per cent technology, 75 per cent people, process and
policy. If you understand that, then you understand technology is not
the interesting part of the equation,” he says.
In a recent survey of 1,400 Certified Information Security Managers,
upward mobility was linked to taking on more business responsibilities;
40.6 per cent of respondents said they intend to step into an executive
management role as their next career move. Of those, 27.1 per cent
expected to be in a CISO role. The survey was conducted by ISACA in 83
It used to be enough to have technical knowledge, says Pironti, who
holds a CISM, as well as five other security designations. When the
Internet became an essential business tool a decade ago, it came with a
new set of security challenges. Anyone with a technical background who
could address those challenges could survive on his own merits.
Those days are mostly behind us, says Pironti. Business decision-makers
are looking for ROI in every department, including IT security. And
budgets are beginning to shrink, particularly as more money is funneled
into meeting regulatory compliance requirements.
The message is, “step up to the plate and act like a business unit,” says Pironti.
One way to become recognized as more of a business leader is to speak
the language, says Mark Seward, director of product management for
“You can help yourself quite a bit by understanding a few things about business,” he says.
A powerful weapon in the IT arsenal is data, he says. There’s all kinds
of information at the security manager’s disposal; he just has to know
who the right person is to receive it. Information about who’s
accessing certain databases, how many breaches the company experienced
in the past year, how many potential malware cases were repelled, and
how many hours helpdesk has spent educating employees about IT
practices is all useful.
“There are all kinds of implied metrics in these aspects of business,”
says Seward. Data should be contextually specific and measurable over
time with simple graphics. If you aren’t sure what a certain department
requires, go to them directly.
“The best way to discover what people need is to ask them. They’ll
probably thank you that you even bothered to ask,” he says, adding that
if you can impress upon them the value of IT security as a business
unit, you become more integral to operations and also help justify your
Pironti agrees that one of the major issues facing IT security is
perception. It may be to the profession’s advantage to veer away from
“security” and move towards “risk management.”
“I think leadership is more open to the conversation of risk management than they are of security at this point,” says Pironti.
“Security tends to have a connotation that you’re going to prevent me
from being successful in some way — prevent me from doing something I
want to do — whereas risk management has a positive business concept
associated with it. It’s empowering organizations to make decisions
again versus the IT guy saying what I can and can’t do.”
It’s about trying to coax diehards away from using purely technical
solutions to address security issues, he says. Security professionals
may have to be innovative in ways they’re not used to, and shift their
Pironti suggests that people who are concerned about career mobility
may want to step away from IT for a while in order to broaden their
horizons and make themselves more valuable to their current company or
a future employer. They may even have to accept a more junior role in
the short term to achieve long term goals.
If you don’t have some kind of business background, “you’re going to have an uphill battle,” he says.
There is a downside, however. Business managers tend to get buried in
administrative work. Pironti says he misses the days when IT was king,
but the landscape has changed and it’s time to pick up new tools.