I’ve been in some job interviews in recent weeks, and have been gathering a list of qualities that information security professionals should have. Ingenuity, problem solving skills, knowledge and aptitude, detail oriented, analytical skills, healthy skepticism, team player, autonomous, enthusiasm, empathy, having a good heart (these last two deserve their own posts). All of those are highly important, even required. But I think there is one quality that leads many of these: integrity.
Security is tough.
You don’t need security without the insecurity, and as such security will always be behind the curve.
You’ll always be fighting against agile bad guys and always behind, but you’ll also always be fighting users who want 100% convenience. And you’ll always be fighting against other pulls for business budgets and money. And always fighting the growing complexity and chaos.
It takes integrity to be in security. And it’s more than just not looking at the CEO’s emails when you have access or passing along trade secrets or posting security holes on social media or keeping quiet about an HR investigation into harassment claims.
Integrity isn’t surprising as an important quality in security, as it is also an important quality for life in general.
It’s also about admitting you don’t know something and the subsequent quest to learn it, rather than faking it and losing credibility.
Security is difficult.
These teams need to know what is important to the business and how to balance user access/convenience against security and budgets. That’s a high degree of business acumen that is required.
Security also needs technical chops in all areas, from data management to networking to systems to desktop to programming, so that they can provide guidelines and mentoring on how to be more secure. That’s not something where a desktop person can come in and immediately be effective without knowing how network infrastructure or server management is handled, or without ever having spoken to developers before. They also need to back up their theoretical anecdotes with evidence of successful attacks and defenses.
Security also has to know how to handle people, as they are always the weakest link that needs to be educated and incentivized (I prefer incented as a word...) to know and do the right thing, from non-technical employees to the deeply technical senior IT members.
Security needs to be objective with technical logic, but subjective and creative to keep up with innovative attackers who find and leverage new issues weekly. It’s sometimes even artful in the ways it detects and prevents attacks.
Security needs to be rigid and stick to compliance standards and expectations, but also flexible to the ever-changing world, business, technical solutions, and attackers.
Security needs to be confident in their solutions, but also humble enough to accept subject matter expert feedback and suggestions.
I love this profession, even if it causes me to take an extra drink some Fridays. The challenge is intoxicating even as it is frustrating.