This feature first appeared in the Spring 2016 issue of Certification Magazine. Click here to get your own print or digital copy.
If you're looking for a career path that allows you to exercise both leadership and technical skills, technology management may be an appropriate path for you. In particular, technology professionals with a security background will find that information security management offers the combination of a challenging work environment with a potentially lucrative career in a high-demand field. Succeeding as an information security manager requires a unique blend of technical, leadership and social skills but offers tremendous rewards to those who make the cut.
Organizations around the world struggle constantly with security challenges, and one need look no further than the evening news to see the evidence. Major security breaches have rocked both the public and private sectors in recent years and members of Congress find themselves grappling with thorny legislative issues that seek to balance national security interests with those of information security. As organizations attempt to thrive in this murky environment, they require strong leadership for their information security and compliance functions.
As with many technical disciplines, employers often find it challenging to attract highly qualified talent to their information security management positions. There is a relatively small pool of qualified individuals, who are in great demand. This combination of circumstances offers great opportunity to those seeking a career in security leadership.
Life as an Information Security Manager
Information security managers perform a wide range of duties in the modern workplace. Part of the role is strategic: a security manager often serves as the primary security voice in an organization and acts as both a subject matter expert and consultant to other business and technology functions.
Security managers also have tactical and operational roles. Their teams respond to real-time security incidents and often manage production security systems, such as firewalls, intrusion prevention systems and data loss prevention products.
In addition to these security-focused responsibilities, information security managers also play a leadership role within the IT function. They manage teams, helping to set goals, conduct performance reviews and measure progress. They're also the security team's cheerleader, helping boost its reputation among the rest of the IT organization and motivating performance within the team itself.
Security managers also often have financial responsibilities, managing some or all of the organization's security budget. Finally, security managers are relationship builders, bringing together technologists, business leaders and external stakeholders, including vendors and law enforcement personnel.
Security managers come from a wide variety of backgrounds and there are many different paths to this type of leadership role. Certainly, many security managers begin their careers in the trenches of information security, working as security engineers, consultants and analysts before growing into management and leadership positions.
Other security managers come from other technical disciplines, perhaps bringing management experience from networking, system engineering, databases or a related field. Successful candidates for security leadership positions often have either a solid security background but very little direct management experience, or a solid technology management background with very little past involvement in security.
In either case, it's important to show a demonstrated track record in one area and solid potential in the other. That's where certifications may come into play.
Five Key Certifications for Security Managers
Technical certifications serve as a gateway for IT professionals seeking to broaden their skills and demonstrate talent in new areas to both current and potential employers. Security certifications abound, ranging from entry-level security credentials to deeply technical certifications reserved for highly skilled security practitioners. Let's take a look at five security certifications that are most suitable for those seeking to transition to an information security management role.
The security industry has long considered the Certified Information Systems Security Professional (CISSP) certification as the crown jewel of security certifications. In fact, many security professionals compare the CISSP to the Certified Public Accountant (CPA) credential used in the financial sector. The curriculum covers eight domains of information security and emphasizes breadth of knowledge rather than depth.
The CISSP is difficult to earn and requires both passing a grueling six-hour, 250-question exam and demonstrating five years of information security work experience. Individuals seeking a security management role will find themselves at a great advantage if they possess the CISSP certification, but earning the credential requires work experience, so it's only possible for those currently in a security role who wish to transition to a security management role.
Technologists and managers transitioning from other technical fields who don't have the requisite background experience for the CISSP exam may wish to instead consider the Security+ certification from CompTIA. This credential covers much of the same material as the CISSP but does not delve into as much detail.
Successful candidates must pass a 90-question multiple choice examination to earn Security+ certification but there is no requirement for prior work experience. Job candidates who wish to demonstrate knowledge and interest in the security field may use this credential as a stepping stone to the CISSP that helps show they are serious candidates for a transition to information security.
Moving on from the more general security certifications, there are also a couple of credentials out there specifically focused on information security management. The first of these, the Certified Information Security Manager (CISM) credential is the most widely known certification in the space. Earning the CISM requires passing a 200-question exam during a four-hour time period.
Unlike most certification exams, the CISM exam is only offered on specific dates three times a year, in June, September and December. Like the CISSP, the CISM is designed for those with work experience in the field and requires that candidates have five years of information security experience, with at least three years of security management experience. That's not too helpful for those seeking their first management role.
The SANS Institute offers a somewhat less popular certification focused on security management called the GIAC Security Leadership (GSLC). The SANS Global Information Assurance Certification (GIAC) program is best-known for offering highly specialized technical certification programs that serve as the gold standard for advanced security certifications. GSLC offers a good crossover point for those with a technical security background seeking to move into security management.
Earning the GSLC requires passing a 150-question proctored examination over a four-hour period. The minimum passing score for the exam is 68 percent, and successful candidates will then be GSLC certified for a four-year period. Unlike the CISM, anyone may take the GSLC exam, making it an ideal credential for those not currently working as information security managers. The curriculum covers much of the same material as the CISM, including information security principles, control mechanisms, cryptography, disaster recovery, incident handling and management/leadership.
Security managers also find themselves spending quite a bit of their time managing projects. For this reason, candidates for security management roles may wish to also pursue certification as a project manager.
The premier credential in this field, the Project Management Professional (PMP) certification requires both passing the 200-question PMP exam and possessing at least three years of project management experience. The good news is that this is not a security-specific certification, so that project management experience may come from any type of project.
Security management is a challenging and lucrative career where qualified candidates find themselves in high demand. By combining a solid record of work experience with professional education and certifications, technologists from any discipline can position themselves well to transition into this exciting field.