Career Advice Tuesday – “Is This A Good Career Plan?”

March 23, 2010

Dear Infosecleaders:

I just finished reading your article on career planning and I have decided to begin to formulate my career plan. I would really like to become a CISO one day. I currently have 10 years of information security experience working in government environments. I also just recently passed my CISSP exam and am in the final stages of completing my bachelor’s degree in Information Security.

I have taken the time to map out my short, mid, and long term career goals:

Short term – obtain CISM, finish bachelors, gain more IA knowledge
Mid term – obtain Masters in InfoSec, get management role
Long term – obtain Doctorate in InfoSec, get CISO role – somewhere

Does that sound like a reasonable career path?  In your experience, where should I tweak that plan to give myself a better chance of success?


“Is this a good plan, Stan”

Dear Stan:
First of all, let me congratulate you, first on passing the CISSP, and next on beginning to think about your overall career plan and career goals. Let me point out a couple of items that may be of some guidance to you as you continue through your career planning exercise:

You seem to be placing a great deal of emphasis on formal education and certification as the main ingredients to achieving career success.

I applaud you for completing your bachelor’s in information security, and I believe that in today’s world a bachelor’s degree is a critical component of your career foundation, but the Masters and Doctorate in Information Security may not be the best way to spend your career investment dollars to give you the best chance of fulfilling your long term career goal. Advanced degrees can be important if you utilize them to build skills outside of your core competency. For example, instead of a Masters in Information Security, you may want to think about pursuing a Masters degree in a more general business discipline – like Management, Finance, Marketing, or something else that will enhance your current career and help you develop skills beyond information security.
What I would do is find a CISO that you respect and ask them what educational knowledge is important in their current role. You could also ask them if there is certain knowledge that they wish they possessed that would make their job easier. Either of these answers should point you in the right direction in determining the best focus for your advanced education.
Also, regarding your intended pursuit of a Doctorate, I am not quite sure how critical that would be in attaining a CISO role. A Ph.D. garners a great deal of respect in research, educational, and technical environments, but it also comes with different prejudices in business settings. I am not saying that this is a bad idea, but you also have to think about the effect that a Ph.D. would have on your personal brand and whether you would like to be associated with the message that it conveys to others.

The other item that I need to point out to you is that what you have created is not a career plan; it is a high level outline.

The outline that you have provided is a good start to a plan, but it is quite vague. Yes, your outline has goals, and has some investment milestones, but that is where it ends. To build a proper information security career plan, you really need to invest the time to dig into the details on the skills, commitment, and sacrifices necessary to attain your ultimate career goal. It is clear that you recognize that certification and education are important components of your career, but so do your competitors for the CISO role. Information security career planning is about figuring out the specific skills necessary to attain your long term career goal, and figuring out how to acquire them through experience, career investments, networking, and personal development.
My advice to you would be to block off an entire day to develop your career plan. I would tell you to utilize a personal day or a vacation day to do so – considering the importance of this exercise. Find a place where you can think clearly, without interruptions, and spend some time focusing on yourself, your skills, your interests, and your goals. If you can come away with a detailed framework for your career, you can spend the next couple of weeks figuring out the best way for you to achieve your desired success.
It is very easy to say “I want to be a CISO”; however, it is much more difficult to put in the work to become one.
Hope this helps,
Lee and Mike

Posted by lee