A couple of months ago, the Information Security Group (ISG) at Royal Holloway, University of London established a new Centre for Doctoral Training (CDT) in Cyber Security. The aim of this centre is to deliver highly-trained researchers in cyber security, in line with the UK government’s objective of strengthening the country’s cyber security capability.
As part of their training programme, researchers at the CDT have the opportunity to meet representatives from high-tech and consulting companies (such as McAfee, Vodafone, MasterCard and KPMG), who give them a glimpse of what cyber security in industry is all about.
As part of the industry seminar series, I talked last week to the CDT researchers about possible career paths in information security. One of the topics I addressed was how to select a company to work for. While this is a broad and subjective topic, I believe it is essential to understand the role of the security department in the company you are considering joining. Therefore I created a model to identify and compare the various roles a security department can play in a company (MBA graduates will be happy to see I used a two-by-two matrix to depict the model):
In my opinion the role of a security department in a company is determined mainly by two elements, namely 1) the importance of security for the company’s business strategy, and 2) support for the security department by the company’s executive management. This gives rise to four quadrants, each representing a potential role for the company’s security department.
The bottom-right quadrant, which I like to call the time bomb, is a place you want to avoid as a security practitioner. If security is important to the company’s business strategy but management does not support it, the company probably lacks resources to implement a decent security programme, resulting in incident-driven security management. In such an environment things will likely go horribly wrong one day. And when things go wrong, the security department will probably be blamed for it – that is, if the business still exists. So, not a very nice place to be.
The bottom-left quadrant is a place you want to avoid as well, and probably even more than the “time bomb”. When working at a company that has no business interest in security and where management does not support the security department, the security function might not exist in the first place or be outsourced. If it exists, security practitioners will essentially have a supporting role, outside the company’s value chain, without impact on the company’s business. So I call this role the slave. Again, not a very attractive place to be.
At first sight, it would seem impossible for any company to be located in the top-left quadrant. Indeed, why would the management of a company pay attention to security when it is not important for the company’s business? This is where compliance comes into play. In more and more areas, such as financial services and healthcare, companies pay attention to security because legislation or regulation requires them to. Companies in this quadrant often outsource their security function or work with consultants, as security is not at the core of their business. Security professionals here very often focus on maintaining the security of the company’s assets, such as the network infrastructure and sensitive data. I call this quadrant the guard.
Finally, the place where every ambitious security professional should work is with a company in the fourth quadrant. When your work is important for the company’s business, and management supports you, you are most likely to have an interesting role and the potential to be successful. That’s why I like to refer to this quadrant as the superman quadrant. Many security technology providers are located in this quadrant.
This model might simplify reality very much (which is why it is a model in the first place), but I do hope that all CDT students will remember this when they graduate in a few years, and that they will all find a role as a superman or superwoman!
Note: this blog post originally appeared on http://frederikmennes.wordpress.com.