You’ve spent years writing code, configuring networks and racking up certifications. But getting to know people is the kind of networking infosec pros ought to be spending at least as much time on, a senior IT manager for a Canadian bank told the annual SecTor conference.
“Most of us would attribute our success in our careers to getting to know people and building through relationships,” Laura Payne, director of information security services at the Bank of Montreal, said Tuesday during a panel discussion on infosec careers.
“A resume is one way to get in the door,” she said, but it’s better if the person interviewing you for the job says, “Put that person’s resume in my pile.”
In an interview she expanded on this approach.
“It probably feels counter-intuitive to anyone who knows deep technical people are known — stereotypically — for their introversion, but one of the realities is, because security is the vast majority of the time a collaborative effort, you need to get out from behind your computer screen and meet other people.
“And generally I think when people do that they find a lot of kindred spirits, and it’s not as scary as it might feel at first. And through those networks of connections, that’s where we find good hires. It goes both ways, too – companies that are exciting or have a good culture, the word gets out that it’s a good place to work.”
She also had this advice on being professional in your job: Be curious, be engaged, have a thirst for excellence. “You don’t have to love it but you have to be passionate and not drag your butt – because that will show.”
The panel also featured leaders from a wide range of industries who offered varied career advice to experienced and not-so-experienced infosec workers.
–Nik Alleyne, a Canadian-based senior manager at consulting firm Forsythe Technology and a SANS Institute instructor, said employers are looking for those with certifications, including the treasured CISSP (Certified Information Systems Security Professional).
If he faces two staffers in a room and all else is equal, he believes the one with the certification has the advantage. “The fact that you have a certification means you put in the effort, you’re motivated,” he said. “It doesn’t necessarily mean you know more … but I appreciate the effort you put in.”
If you don’t have the five years of experience needed for the CISSP, he added, get the associate certification and then continue for the full one.
–Tim Wyatt, chief scientist at Lookout, a mobile endpoint security firm, said being a humble security analyst is a good place to start a career. But, he told the audience, walk before you run. “A lot of people think you get some cyber security exposure, get some training and think they’re going to go out and become the high-paying consultant. But it does take some work.”
–Eric Belzille, director general security at Shared Services Canada, where he runs the security operations centre, said the federal government suffers from stereotypes (it’s boring to work in a bureaucracy, Ottawa has old technology). But, he added, there are advantages, including job security, good benefits and many opportunities for career development. And there’s the satisfaction of helping defend the country.
–Moderator Dave Millier, CEO of Uzado, a Vaughan, Ont., provider of services that streamline IT practices including risk management, said those who work in consulting have to be outgoing and dynamic. Things change almost daily as you deal with different customers, he said, so you “need to be a jack of all trades.”
It’s also important for job applicants to be themselves, said Millier. That means being honest. He’ll ask candidates to submit a paper showing something they created. One gave him a paper Millier had written.
–Asked how they keep up with technology after moving into management, Wyatt admitted that “the higher you go the harder it is to ‘play in the dirt.’”
“If you want to be a good manager you have to learn how to put down your tools,” said Payne, “and be a manager, which means you surround yourself with people who are better than you.” You need to keep up with current topics by reading and talking to staff. “I don’t need to know how to write SIEM rules to understand what SIEMs do.”
Payne went to the University of Waterloo, graduated as a systems design engineer and joined BMO in 2005, where she has spent all but a brief time of her career. At the suggestion of a manager, she joined the security team in 2009.
Although IT – and information security in particular – is a male-dominated profession, Payne said she had the good fortune to work with many women at BMO and suffered “minimal incidents relating to my gender.”
Asked for her advice to women who are thinking of an infosec career, she replied that they should think about a career in the field.
“A lot of women aren’t thinking about it, for whatever reason – especially security. It’s not just about technology. We have people who are mathematically inclined and do risk, we have people who need to be good communicators and tend to come from an arts background… it’s a long way of saying we need people from all different backgrounds.
“So I encourage women to think about a career, and if you are, don’t be afraid there aren’t a lot of women here, because there’s more coming, and you can be part of that.”