InfoSecurity Professional INSIGHTS
InfoSecurity Professional INSIGHTS is (ISC)²'s bi-monthly e-newsletter, associated with our members-only digital publication, InfoSecurity Professional. Similar to the magazine, it will deliver timely, compelling content written with the professional development of infosecurity practitioners in mind.
Do You Have What It Takes to Lead in 2018?
By Dr. Richard N. Knepp, CISSP
Every security professional, as part of continuous self-improvement, should periodically take stock of what they will need to become a leader in the future – perhaps the very near future. This is a great time to critically analyze yourself and determine how you need to improve your leadership skills in the coming year, to set yourself up for an outstanding security career in the years and decades ahead.
You have a good idea of what qualifications a security professional should have, but what qualities should a leader have? With respect to your ideal professional development leadership model, ask yourself the following five questions:
- What knowledge, skills and dispositions will be needed by leaders to meet the challenges ahead?
- Why did you select these qualities?
- Of these leadership qualities, which one is the most important?
- Do you already have these knowledge, skills and dispositions?
- If needed, what professional development strategies will you use to obtain these qualities?
Begin with a Self-Analysis
Before we begin to develop your leadership model, let’s define some items that will set up the frame and context of your model. According to the Oxford Learner’s Dictionary:
- Knowledge is defined as the information, understanding and skills that you gain through education or experience.
- Skill is defined as the ability to do something well.
- Disposition is defined as the natural qualities of a person’s character.
- A quality is defined as a distinctive attribute or characteristic possessed by someone or something.
For your leadership model, we will presume that having a skill implies having knowledge and experience with that skill.
Table 1 shows a sampling of possible leadership qualities that will help you make your own leadership model. That table is then the basis for the hypothetical leadership model in Figure 1. Both the table and the model are based on the basic concepts for innovative organizations from The Adult Learner: The Definitive Classic in Adult Education and Human Resource Development by professors M.S. Knowles, E. F. Holton and R.A. Swanson, who have studied adult learners and organizations for decades.
Figure 1 is a graphical example of sample knowledge, skills and dispositions that may be most appropriate for leaders to obtain to meet today’s challenges. The concept behind the example model is that these knowledge, skills and dispositions (qualities) are not only desirable for the leader, but they should be passed on to others with the leader's help.
These are just examples from the many options that are available. Feel free to substitute your desired leadership qualities when building your leadership model. Keep in mind that your answer to question one is your leadership model.
Table 1: Leadership model items and example qualities
Source: Innovative Organizations; Knowles, Holton, & Swanson, 2011, p. 110
Figure 1: Example Leadership Model (With Most Important Quality in Red)
Reflection and Introspection
What does your leadership model look like? Why did you select the qualities that you did? Which one is the most important? Perhaps your selections are based on past experiences or they are qualities you would like to emulate from a great leader you admire. For questions two and three, our example leadership model emphasizes flexible learning and continuous self-education due to the inherent nature of the change agent skill that’s been deemed most important. If someone were to ask why you selected the leadership qualities you did and which one is the most important, could you provide them with a well-reasoned explanation?
Here is where reflection and introspection play significant roles. You need to really think about what is happening in your industry, your organization and your world that will require specific leadership skills. Then map these to where you are already strong and where you need to improve professionally.
A GAP Analysis
Question 4 asks: Do you have these knowledge, skills and dispositions? If you already possess these leadership qualities, that’s great! If you do not, what strategies will you use to remediate your development needs and obtain your desired leadership qualities? Could you rely on a mentor to assist you with any development needs for question five? Your development strategies can include taking a look at where you are now and what your desired end state will be. Will it require advancement, training or specialized experience? Give yourself a prescribed time period to make this happen. What resources will you need? Consider making a contingency plan or alternative course of action just in case things do not go according to your plans.
Through critical self-analysis, you have created your own leadership model based on the knowledge, skills and dispositions you believe any good leader must have for professional development. You have also reflected on why you chose these leadership qualities, which one was the most important and if you possess these leadership qualities. If needed, you created some development strategies to help you obtain the desired leadership qualities. As part of continuous self-improvement and critical self-analysis, reassess your leadership model in five years. Has anything changed? Why or why not?
Something I once read by George Couros in a 2013 piece titled “5 Characteristics of a Change Agent” is worth remembering. “The best leaders may have all of these qualities but also empower others to be those ‘change agents’ as well to build a culture of leadership and learning.”
Now is the time to reflect and plan for how to be that security leader who empowers others so that, as an organization and an industry, we have what it takes to successfully stop threats and harden our networks in 2018 and well beyond.
Dr. Richard N. Knepp, CISSP, is a senior enterprise architect at the Marine Corps Logistics Command.
5 MINUTES WITH RONALD RICOHERMOSO
An excerpt of this Q&A appears in the current issue of InfoSecurity Professional Magazine.
Ronald Ricohermoso, SSCP, is an information security operations analyst at Ingram Micro in the Philippines, which is experiencing the same workforce shortage as elsewhere. He’s been an (ISC)² member for the past four years.
You began specializing in networking. What made you decide to focus on information security?
I got interested in this field because I think there is no dull moment in information security. Every day there are new threats that change the ballgame, as they say. It is a very exciting field where you are required to learn new things and solve different issues all the time.
What made you decide to pursue the SSCP?
I first passed Security+ and was satisfied with what I learned. It gave me the essential knowledge to do my job in information security. I was also interested in getting the CISSP, but I lacked the five-year minimum experience qualification. So, I decided to take the SSCP exam.
You have a B.S. in computer science. How has it helped you in your current position as a security analyst at Ingram Micro?
My college degree provided me the basic knowledge to work as an IT professional. I think I discovered how to "learn by myself" by getting available information from as many sources as possible and using it to solve problems.
Is there a cybersecurity workforce shortage in the Philippines?
Yes, there is. I should say there is a shortage not only in our country but in the industry globally. In modern countries like the United States, there are college degrees focused on information security. Here, we don’t have such degrees. But I can see a change in the curriculum for a B.S. in IT and in computer science lately where schools are adding information security subjects. So, we're slowly adding more professionals to fill that workforce shortage.
What impact does it have on analysts like you?
It's hard considering all the work that needs to be done daily and the lack of people doing it. It’s easy getting data from vulnerability scanners, but you need to also ensure that vulnerabilities get remediated in time. It's easy to get info and alerts from your SIEM or IDS, but you also need people to make sure it works properly. Your responsibility is not only to be compliant, but also to ensure you rise above standards. We need trained people to do that.
What is unique about working in information security in the Philippines?
Information security is an emerging industry in our country. This is due to the BPO industry that encouraged companies to invest here. Before, if you want to get into cybersecurity, you have to work in local banks or, more generally, the financial industry. Now we have a lot of companies who are creating their own global information security teams or hiring MSSPs worldwide.
What is unique here is working on a global scale. You get to learn different laws and cultures and support different time zones. Maybe I'm referring to my specific work setup, but working in information security here will get you to be assigned to different time zones. You may even be assigned to graveyard shifts like other industries.
What did you want for a career when you were 10? And how did you end up where you are now?
When I was a kid, I wanted to be an astronaut and liked studying science and technology in grade school. I like to break things and figure out how to put them back together. I guess I got into this field because I've always wanted to work with technology.
What do you find is the most difficult “soft skill” to master for your current position?
As an analyst, you have to communicate often to different departments with different skill levels. It can also be very hard if you support different time zones, different cultures, different laws and different languages. We have technology right now to handle that, but it still is difficult to explain security’s impact and benefits to executives. Not to mention mastering languages in operating systems. I try to find an expert resource or a contact within a department to help me communicate security concerns. Providing proof or data can also be helpful if you want to convey the impact or benefits of security to an organization’s executives.
Since you’re relatively new to the field (four years), what have you learned from mentors that will help you advance in the years ahead?
In this field, information is very important. My managers always tell us to continue learning and stay updated with what is happening in the world. They send us to trainings and conferences. Information security requires a 360-degree spectrum of knowledge…on essentially everything. It’s hard to learn everything, but you have to absorb as much as you can, every day.
If a member happens to be vacationing or on business in the Philippines, what is one Filipino dish they must order while there?
There are a lot of Filipino dishes to try, but the one I would recommend is the roast pork in Cebu we call lechon. Cebu is an island city located at the center of the Philippines. There are different ways of cooking lechon, but they perfected it in Cebu. Most tourists liked it and some considered it to be the best in the world.
And finally, now that they’ve eaten well, any suggestions for places to go and things to do to burn off some of those extra calories?
Go to the beach. El Nido Palawan is the best, with pristine clear waters and white sand beaches. There are a lot of islands, lagoons and “Instagrammable” places to go to. If you want to burn those calories, rent a kayak on a small lagoon and you will discover a lot of hidden places. There is also a place on the island of Cebu where you can go canyoneering, snorkel with turtles and schools of sardines or swim with dolphins. Those are just two places; we have a lot of islands with different attractions and adventures.