Career Advice Tuesday – “Common Traits of Future Information Security Leaders”

January 11, 2011

Dear Infosecleaders:

Firstly I’d like to say that I’ve thoroughly enjoyed reading over your blog entries, and secondly I’d like to ask for some HELP!

As the year 2011 is getting underway, I’ve decided to make the New Year one of career planning and goal achievement.   My dilemma is that I am but a young grasshopper.  I have completed a 4 year IT degree at a University, my CCNA, ITIL certification and 2 years of level 1-3 Support/administration experience. I also have greater than 8 years leadership experience.

Like most here I have great ambition and drive, however I am completely stumped as to how I should progress from here. I wish to pursue a future in IT Security which will ultimately lead to a CISO position, however I am very unsure as to how to achieve this.

I guess essentially what I’m asking is, if you could start over, how would you plan out your career path? What certifications would you benefit most from and which the least? Now I know there is no right or wrong answer, but from your personal experience and from the experience of those that you have recruited (Lee), what would produce the best result?

Thank you so very much for your help!

“Young Grasshopper”

Dear “Young Grasshopper”:

You ask an interesting question regarding embarking on a plan for Information Security leadership.  I (Lee) recognize that your question centers on the career path to becoming a CISO – but I will answer it a bit more broadly for the audience, since becoming a CISO is only one desired career destination.

I spent some time thinking through all of the Information Security professionals that I have helped throughout their careers – from the time that they were “Young Grasshoppers” (as I once was) – to where they are now, established security leaders (CEOs, CISOs, CTOs, Partners/Business Owners, Information Security Subject Matter Experts).

From my reflection I can provide you with the following conclusions (they are not in any specific order – and no one had all of the traits, but most shared a significant number of them):

1) They were passionate about their profession – and were voracious learners.

2) They found themselves in organizations where they were surrounded by others who had similar motivations, aspirations, and intelligence. They found ways to learn from others whom they could professionally respect.

3) They were not afraid to command attention and differentiate from their peer group through achievement.

4) They understood how their companies measured success – whether it was through customer satisfaction, new technology development, business generation, industry visibility, etc. They were able to communicate their value.

5) They were equally comfortable in environments where they were “little fish” in bigger ponds (where they absorbed the broader skills of more experienced professionals – information security and business people) and they enjoyed being “big fish” in little ponds – where they were able to leverage their expertise for additional exposure and career acceleration.

6) They were not afraid of failure, and had confidence in their own abilities. Long and short, they were not afraid of getting fired – or recognizing quickly that an opportunity (job) was not right for them.

7) Money and title were secondary; the opportunity to learn, grow, and develop was paramount.

8) They kept great relationships with people that they met along the way. Many times those relationships were very helpful in contributing to their success, later in their careers.

9) They were significantly more proud of their accomplishments than their certifications. In fact, many cared very little about certifications or viewed certification as validation of their talents.

10) They understood that both their internal and external brands were equally important, and performed and acted in ways that enhanced their standing in both their company and the Information Security industry.

I am not sure if I fully answered the specifics of your question, and would welcome a follow up if you would like to speak about your career – individually (just e-mail at  

I would like to let you know that I appreciate the question and it provided me the opportunity to reflect.  In the future, I may blog about each of these items separately and elaborate on the answers.

Thank you – hope that this helps,
Lee (and Mike)

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Planning, Security Industry, Uncategorized 
