How to Become an IT Security Director

Source: Toms IT Pro

Making the transition into management may mean assuming security responsibilities, or security director may be the first of several steps up a longer chain to chief information security officer (CISO).

In climbing the cyber or information security job ladder, one huge rung comes when making the transition from individual contributor into management. An equally big step comes when taking over responsibility for security operations for an entire organization or organizational unit.

In smaller companies, making the transition into management may also mean assuming security responsibilities. In larger outfits, security director may be the first of several steps up a longer chain of middle and senior managers, such as (information or cyber) security director, vice president for (information or cyber) security, and perhaps even chief information security officer (CISO).

Whatever the progression might be, moving into information security management means picking up skills and knowledge, as well as continuing to develop and expand upon one's information security chops.

Security directors must see the big security picture

Moving into security management means looking at security from all angles, making sure that policy and practice square solidly with an organization's mission and promote success. That means understanding not just security tools and technologies, but also risk assessment and management, and trading the costs of taking risks against the costs of protecting against or mitigating them.

Whereas individual contributors in the security sphere are likely to concentrate on some aspect of information security – such as threat intelligence, analysis and management, incident response, or access controls and authentication – security managers (especially in directorial or higher positions) must deal with the whole enchilada. That means increasing the focus on security policy and best security practices, understanding related legal or regulatory requirements (such as PCI-DSS when handling credit card transactions, HIPAA when health records are involved), and making sure an organization has all the right kinds of technical security controls and technologies in place to protect the organization (and its clients or customers, and all related data) from unauthorized or unwanted access, disclosure, or loss.

For management-level security professionals, higher-level and broader cybersecurity certifications come increasingly into play. These include the Certified Information Systems Security Professional (CISSP) and its various extensions, Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), and Certified in the Governance of Enterprise IT (CGEIT) credentials, among others. Though one may already have earned any of several excellent vendor-specific cybersecurity certifications by this point in their career, going forward, learning and certification will be almost entirely vendor-neutral with a focus on security governance, policy and architecture, rather than digging into the details of specific security platforms and solutions.

Directors must give (and take) direction

Beyond the ins and outs of technical security, security directors and more senior security managers need to understand that security is the means to an end, not an end in itself. That is, security is necessary to protect an organization and its employees, clients, customers, data, intellectual property and other assets. Such professionals are keenly aware that security suffers when it becomes an impediment to productivity and other important aspects involved in conducting business, providing goods or services, or otherwise seeking to accomplish an organization's mission or objectives.

This understanding has several profound implications for those who take responsibility for cyber or information security, including the following:

  • A willingness to observe closely and keenly the emerging and ever-changing landscape of security threats, vulnerabilities and exposures, along with detection, response, and mitigation tools and technologies (especially automated ones, given the volume and frequency of such things).
  • An understanding of current and emerging laws, regulations and best practices that touch upon information security, especially those involved in maintaining and preserving the privacy and confidentiality of client, customer, employee, company, and partner records and data. These days, that includes a proactive and aggressive commitment to ongoing security audits and penetration testing supported with heavily documented security policies and procedures, along with formal change management, to accommodate changing tools and circumstances and constant improvement and remediation.
  • Sufficient courage and integrity to face up to threats and breaches, and to do what's right and required when such things occur, including handling public notifications and disclosures with candor, tact and grace.
  • A deep and abiding interest in security tools and technologies, allowing you to help your employer decide if the outlays required to adopt and implement what's new are justified by enhanced protection or decreased risk of loss, compromise, or damage to reputation and brand.
  • Sufficient dedication to the job to seek to attract, develop and maintain a top-notch information security team. That includes making sure one's staff is armed with the tools, technologies, budget and bandwidth they need to excel at their jobs. Ultimately, your success as a manager comes down to empowering those who report to you to be their very best.

For more information on the management side of a security director's job (or those who fill more senior security slots), consult our companion stories Best IT Certifications for the Management Track and How to Successfully Transition from IT Pro to IT Manager.

Directors must understand (and protect) the business and the bottom line

Ultimately, a security director succeeds by doing his or her part to help the organization succeed in meeting its business objectives and adding to the bottom line. That means a security director must understand what the business is about, how it works, and what elements of its IT operations and infrastructure add most to its productivity and capabilities. Security is about identifying and prioritizing risks and putting people, money and technology to work where they can do the most good (or prevent the greatest potential harm).

Thus, a security director must be willing to engage with senior, executive or C-level staff and do everything in his or her power to understand what makes an organization tick. That person must also strive to understand, and then put into practice, how information security and information technology in general can achieve two vital ends:

  1. Remove obstacles that impede progress, reduce productivity or increase risk
  2. Erect barriers and other forms of protection to prevent security breaches, and ensure that information, systems, and assets serve those intended and authorized to use them but prevent anyone else from obtaining access

The security director's job is maddeningly simple and complex for a single overriding reason: He or she must make sure that the organization has just as much security as it needs and can afford, no less and no more. Because the devil is in the raft of details entailed thereby, the job is fascinating and daunting at the same time.