When I speak with candidates who are either leaving government roles or actively looking for a new role, I am often asked what programs or courses related to cybersecurity they could take to improve their marketability. A one-size-fits-all answer is a challenge because the operational knowledge needed by someone charged with cybersecurity is similarly broad and complex as the various accountabilities of non-technology security risk roles.
The concept of convergence of both roles whereby a single point of accountability leads the strategy and governance for all security risk initiatives can be an effective approach. While the idea has been out there for quite a while, it is still not widely utilized. There are, however, numerous examples of interdependencies that indicate a need to understand the points of vulnerabilities to best provide a cohesive, coordinated effort to limit and/or mitigate security related risks.
Candidates should gain an understanding of all elements that make up the role of a cybersecurity program leader. If they are considering a career development strategy, they can then decide the path they feel is the best personal fit. There are numerous programs and certifications available that range from an executive overview of cybersecurity to those in which you achieve deep technical competencies.
Cybersecurity functional domains can be broadly categorized in eight areas:
- Emerging Technologies and Market Trends
- Identity and Access Management
- Incident and Crisis Management
- Information and Privacy Protection
- Risk and Compliance Management
- Security Architecture
- Organizational Resiliency Programs & Assessments
- Threat, Intelligence and Vulnerability Management
There are numerous subsets, programs and processes that a CISO has responsibility to develop and execute. Current “Mind Map” models reflect those key topic areas of cybersecurity involvement as:
1. Business Enablement
- Mergers/Acquisitions
- Cloud Computing
- Mobile Technology
2. Selling Programs to Align with Corporate Objectives
3. Governance
4. Security Operations
- Threat Prevention
- Threat Detection
- Incident Management
5. Project Delivery Lifecycle
6. Identity Management
7. Budget
8. Security Architecture
9. Compliance & Audits
10. Legal and Human Resources
11. Risk Management
It is apparent from these top-level overviews that the answer of where to expand your knowledge of cybersecurity to become more marketable in a traditional CSO role has many facets. Like many areas within security management, the level of risks and categories of security issues facing organizations is variable and diverse. The culture, structure and approach implemented by companies to address their various areas of security-related risks also drive their priorities, as does whether these various functions are working cohesively or operating as separate units or geographic silos.
There is not a commonly used “best practice” organizational model of how the cyber and non-cybersecurity risk programs mesh within the enterprise security profession. My observations are that the alignments are constantly changing, and the structure of accountabilities is very fluid. This adds to the dilemma and frustration of those entering the profession and those seeking continued education. Perhaps the best approach is to pick those areas of study that you have a passion for then seek out companies whose culture, vision and expectations are aligned with yours.