Career Advice Tuesday – How do you Plan Your Career?

February 8, 2011

Hi Lee & Mike,

I’ve decided to make 2011 a year of Career planning and Goal achieving. My dilemma is that I am but a young grasshopper.

I have completed a 4-year IT degree at a university, my CCNA, ITIL certification and 2 years of level 1-3 support/administration experience. I also have >8 years of leadership experience.

Like most here I have great ambition and drive, however I am completely stumped as to how I should progress from here. I wish to pursue a future in IT Security which will ultimately lead to a CISO position, however I am very unsure as how to achieve this.

I guess essentially what I’m asking is: if you could start over, how would you plan out your career path? Which certifications would you benefit most from, and which the least?

I know there is no right or wrong answer, but from your experience, what would produce the best result?

Thank you so very much for your help!

Young Grasshopper.

Ahh, Grasshopper…

I had to pick today to answer your question, as it fits perfectly with my topic next week at RSA. I’ve spent a lot of time pondering this type of question as RSA approaches, and I have much advice to give. (My first piece of advice is to come to my talk at RSA next week.)

Here’s the thing about career planning – it’s a relatively simple process. There are two difficult parts. First, choosing what you want out of the numerous possible things that you could do. Second, realizing that your career plan won’t survive intact through the years, and that you’ll have to stay flexible while using it to keep your eye on the ultimate goal.

The good news is that you’ve already done the first (and often hardest) step of the plan – you’ve chosen that your ultimate end goal is to be a CISO (like 37% of your peers, according to our 2008 research survey).

In our experience, there’s no “one path” to becoming a CISO.  Unlike becoming a CFO (which usually involves starting in accounting, etc.), CISOs start in varied fields – some of them even start their careers outside of the information security landscape (but with a broad background in other forms of risk management) and learn the information security skills as they go.  If you want to see what these varied paths look like, I encourage you to go on LinkedIn and look up various CISOs to understand how they ended up where they are. (And, if you’re going to be at RSA, this is where Lee’s talk is going to come in – he’ll be talking about the skill profile of the future CISO.)

Because of the varied paths taken, this is where you have to play to your strengths as well as your interests. Try to imagine a path to the skillset of a CISO that takes into account what you love to do. You intuit that a broad background in the fundamentals of computing will help you be a well-rounded security professional – I agree with that approach. However, a CISO is much more a business-focused role than a technical one, so start to plan out how you’re going to acquire the business skills that you need – the CISO spends orders of magnitude more time writing budgets, staffing plans and PowerPoint presentations than writing code.

To answer your final question, Grasshopper… it’s not about certification, especially at the CISO level. It’s about having all of the skills and a long history of demonstrating them. And, were I to restart my career path, it would look very different from yours – you and I have different aptitudes, different things we wouldn’t accept (dealbreakers), and different ways of interacting with the world.

My career path would be instructive to you only in the way that a travel book is instructive to someone who visits a country: you might think “Oh, I want to go there”, but our experiences of “there” would be totally different.

I hope that we are lucky enough to see you at RSA next week.


Posted by mmurray | Filed Under Career Advice Tuesday, Planning 