Today’s security professional: ninja, priest, or business shark?
How can we ensure that the people who work in cyber security have all the skills they need?
I often get asked what types of skills a security professional needs. After all, the field is becoming more complex, the attackers more cunning, and the threats more persistent.
This is a good question, and not an easy one to answer. How can we ensure that the people who work in cyber security have all the skills they need? Should we have a university degree programme? Develop some kind of apprenticeship system? Only hire people with relevant certifications? Require an in-depth understanding of human behaviour?
I am all for keeping yourself up-to-date through continuous learning and education. In the fast moving world of cyber security, understanding the processes and human behaviour, as well as having what is generally referred to as a T-shaped competence in the field are all necessary ingredients.
Things change so rapidly that you simply can’t survive in the business without the hunger to learn new things (even if they are not directly in your field of speciality) and keep up with developments in the field.
While education, degrees, and certifications are important, they are only a part of the solution. In today’s world, the business requirements are much more complex than just knowing how to configure the nuts and bolts of security infrastructure.
What makes a security star?
People have many misconceptions about what makes a good security pro. A common way of seeing her is as a stealthy ninja who has studied for several years in a remote monastery to master her art and who is then launched out into the wild to use her skills to tackle any attacker.
Not far from this view is seeing security people as high priests of an ancient tradition. They are greatly valued and even revered, but nobody really understands a word they are saying. The lingo of security pros admittedly can sound quite like Latin to the rest of us.
A more modern way is to see the security guys and gals as business enablers – people who do everything in their power and beyond to keep the business running and the assets secure, making security itself a competitive asset eventually.
This is, in my opinion, quite an apt description of a good security person. Besides having the technological skills, they understand the needs of the business and are able to translate security concepts in an understandable way to different stakeholders in the company – to speak the language that the counterparty understands.
Security is too important to be left to professionals only
As soon as you begin to consider yourself an expert in security, however, there’s a danger that you develop tunnel vision.
When you’re a hammer, every problem looks like a nail. You might be able to make a system super secure, but hinder any meaningful or agile business activity in the process. And if you want to keep the business running, you have to have visibility into, and an understanding of, what constitutes the right level of security for your line of business.
We shouldn’t think of security as something that is the responsibility of only certain trained professionals. Security is a set of processes and controls that every employee from entry-level interns up to the CEO must be aware of and educated on. In other words, security must be embedded into the very culture of the company. Only then can we have an environment where business can flourish in a secure way.
If you want to see the next security pro, take a look in the mirror.