12 mistakes that ruin your security professional career


There are many such stories: a smart co-worker who cannot move forward and hesitates or panics. CISOs know these people too. One CISO remembers an outstanding employee who loved to let others know how smart he was and how he deserved better treatment. Another CISO remembers a talented employee who handled exactly what was requested and did nothing more. Neither lasted very long. In the end, the boss judged that there were too many moral flaws and let them go.

These are just two of the examples CISOs and career management professionals give of how to ruin a career. Some actions, such as illegal access to computer systems, are overwhelmingly obvious reasons for dismissal, but countless others simply block the possibility of getting promoted.

Obviously unethical and illegal behavior is not covered here; any expert already knows about that. Instead, this article introduces 12 common problems that security leaders say can block your cybersecurity career, and how to avoid that fate.

Believing security is the end goal

"The biggest problem I've seen is thinking that security is everything and the end goal," said James Carder, CSO at security technology company LogRhythm. "I do not know that I have to make business possible because I work with this attitude." These people need to understand that they must collaborate with their business associates to understand the company's goals and help achieve them, not interfere with them.

"Security is something that has a lot of standards, regulations, and frameworks, but it's often a crappy implementation," said Rus Kirby, CISO at software company ForgeRock. "We are trying to implement them in terms of standards, not business context."

Invite isolation

Likewise, Kirby points out that security professionals can be so focused on their own objectives that they alienate themselves from the other departments they need to work with to find solutions. Kirby cited a security team that tried to change an application's password length from 8 to 20 characters. The IT application team objected, saying they could do 12 characters, but that going beyond that would take too much time and money. By refusing to step back from its original requirement, the security team earned a reputation for bad relationships and irrationality.

"If the security team had a better relationship, or if they had heard the story better, they would have identified the problem, made a compromise, and the roadmap of the application would have revealed that no matter how long passwords can be applied within a year," Kirby said. "But their resolute and very strict attitude gave the impression that the security team is something to avoid, otherwise they missed many of the opportunities they could have as a security team."

Acting too smart

There is no doubt that the security field attracts a lot of talented people. But no one believes that smart people exist only in the security field, and you shouldn't behave as if they do. It's a common problem, says Lize Stewart, performance executive at professional services firm EisnerAmper. Stewart has taught a young employee with potential that pride can be a problem. The employee sighed when people didn't understand what he was saying. He was quick to criticize and mainly used negative words, and although he was highly skilled, he became someone others would not trust. Stewart stressed that you shouldn't make the people you work with feel stupid.

Stewart says there are limits to being smart. "A lot of people think that technical competence will give you a promotion, but it will not. Such cases are very rare. I don't know if Steve Jobs was so successful, but Jobs is very exceptional."

Too timid

On the other hand, some security officers, especially new employees, lack confidence. Katie Casali, director of career services at Carnegie Mellon University, said, "He thinks he's not good enough and doesn't have enough talent."

"These people don't know how to speak up or disagree with their boss or coworker. You can solve problems or mitigate risks, but you can't." Casali also advised that time and experience will build confidence, but that having a mentor to encourage you is much better.

Unable to control emotions

Most working life these days is stressful, but security teams carry the added burden of being a constant target of external threats. Everyone on a security team feels it. But a colleague who is completely overcome by feelings of hopelessness does not help. Stewart pointed out that "a person who screams and complains this way is likely to ruin their reputation and career," because they will be considered emotionally immature.

In addition, people who do this are reluctant to be part of a team and are more likely to miss out on core projects that would benefit their careers. "You must have the ability to control your emotions," Stewart added. "When you feel good, you can accept it even if your emotions are high, but when dealing with troublesome problems, it is difficult to accept."

Only talk about technology

CompTIA's Chief Technology Evangelist James Steinzer remembers talking about technology at his first board meeting, and he remembers watching the directors' eyes close. It was a beginner's mistake, and Steinzer got out of the crisis by quickly switching to more business-related terms. However, many security experts don't know how, or don't try, to translate technology stories into business language like this. Steinzer added that this keeps them from being promoted to the board, to top management, or even to manager.

"When you say technical things, you ignore the person's story. Because your career doesn't improve, and no one listens to you, you have to deal with the low-level issues you raise."

Knowing only yourself

Experts in any field grow by helping others do their work, becoming trusted partners to colleagues, and building relationships across the organization. Some people find networking easy, and some roles require the kind of collaboration that helps workplace relationships form. Relationship building is important to both successful security programs and personal career development, but security roles do not offer that kind of collaboration very often. As a result, security professionals must create more opportunities for themselves.

Senior executive consultant Kimberly Rossi suggests letting colleagues know that you are interested in building a relationship. You should deliberately go and ask questions, acknowledge the success of others, and even hold meetings to learn about other people's work. "If you want to have influence beyond the security department, you must do this," Rossi stressed.

Failure to secure broad capabilities

A security professional's value lies in skills and qualifications, which is why they need to understand how their capabilities fit into the organization's overall technology stack and goals, its understanding of security threats, and its ability to withstand risk. What's more, security professionals rely on exactly this understanding to succeed in higher positions as they advance. However, many fail to develop broader competencies such as business, management, and leadership skills.

"Security professionals often run into the problem of focusing too much on technical competence and not developing enough soft skills such as writing or presentation," said Will Mendez, general manager of consulting firm CyZen. "Cybersecurity is about talking about solutions to problems, threats and risks, and how to mitigate them. If we can't communicate the results or values of these things to the right stakeholders, whether they are customers or management, what will be the use of technology capabilities?"

Not moving

Carder often meets security professionals who remain in the same position for long periods of time. They may be treated well enough, but he can't help wondering whether the person has stopped being promoted. "If you look at that person's career, you know that if someone stays in one position for a long time, there's a good reason. That's a bad sign." He added that he wants to promote people who take on new roles, learn new skills, and expand their knowledge. "I want a security expert with potential for growth."

Do not go beyond security

Jenai Marinkovic, a de facto CTO and CISO at Tyro Security and cybersecurity expert at ISACA, once received a harsh message from a mentor. The mentor pointed out that Marinkovic couldn't effectively communicate or collaborate with business units without understanding the business perspective, and suggested that Marinkovic broaden those horizons through experience outside of security. Marinkovic has worked as CTO of several startups to learn how to become an effective business leader. So, for three years, Marinkovic took on a role outside of security. "I wouldn't have been where I am," said Marinkovic.

Confusing risk and vulnerability

Many security experts think of the security team's priorities and objectives in terms of cybersecurity threats, and identify vulnerabilities that must be addressed. They don't look at it from a more nuanced, risk-focused, business-centric perspective. Lisa Core, director of security at ZenDesk, shared her own experience: Core once flagged a business associate for approving changes via email rather than through a ticketing solution. Her boss then corrected Core's overreaction, saying the real risk wasn't the out-of-process approval.

"Many security professionals tend to see problems with black and white logic," said Core. "If there's a vulnerability here, and if someone can exploit it, you'll have to fix it right now. I cannot see beyond black and white. Security professionals need to think more broadly about vulnerabilities. In order to understand that it is 'not or no,' you have to learn to live with danger."

Not strategic

Most of the security experts Marinkovic knows are tactical thinkers, working according to a set plan to address specific problems and requirements. "We put tactical plans together in what we call strategic planning," said Marinkovic. This approach not only fails to satisfy the long-term needs of the organization but can also hinder career development. The CEO and the board of directors hope that the security officer will work with them to envision the future: what role security will play, how it will help, and ways to differentiate it. Security experts who think this way, rather than simply announcing a 12-month security plan, are the ones who get promoted.
