Establishing and Managing an Infosec Career Development Program


The IWC ISSO knew that as the ISSO, there was an additional responsibility: to be a mentor to the IWC InfoSec staff and help them in their careers. This would include a career development plan for each staff member for progressing within the InfoSec Department.

If a staff member wanted mentoring or some assistance in developing a career development plan that was not limited to working at IWC, the ISSO would assist in that also, but only based on a staff member's request. The ISSO reasoned that the career plan for progressing inside the InfoSec Department and IWC was a benefit to the InfoSec Department and IWC; whereas a career development plan that included working outside of IWC was a personal matter.

The ISSO discussed the career development program with the InfoSec managers and subsequently at staff meetings with all InfoSec personnel. One InfoSec manager stated that career development was the individual's responsibility, and InfoSec managers had enough to do. The ISSO explained that each InfoSec manager would also be involved with the ISSO in his or her own career development plan. The ISSO explained that one cannot sit idly by without continuing to learn. For example, the InfoSec professional must continue to learn about high technology to provide more efficient and effective protection, as well as continue to meet the future needs of IWC. No training, within or outside of IWC, would be approved unless it was part of an individual's career development plan. The ISSO further advised that if the manager wanted to attend an InfoSec conference every year or periodically, it must be part of the manager's career development plan. Also, as part of the InfoSec managers' career development plan, there would be milestones and tasks related to mentoring staff members. After all, the ISSO stated, managers manage through people, and the more education and experience a staff member received, the better for all concerned. After all, isn't that why IWC pays college tuition for salaried employees?

The ISSO advised that career development for staff members would include, as mandatory, gaining all education and experience that could be gained during regular business hours. Also, the InfoSec staff member, without being coerced, must decide to also use personal time. After all, the plan benefited the staff member as well as IWC. Any staff member who did not want to participate at all would have the benefits explained to him or her on an individual basis.

The ISSO reasoned that those who did not want to participate considered themselves to be employed in a job, not professionals in the InfoSec profession. The ISSO would view such individuals as valuable employees as long as they did their job to the best of their ability. However, it would be difficult to consider them for promotions and merit raises or other bonuses if they only did their 8-hour job while others took on more tasks and responsibilities, exerted extra effort to learn and gain additional security knowledge, and grew in the profession. The promotions, merit raises, and bonuses would obviously be given as a priority to those who did. This would also be explained to any employee who did not want to participate. If the person still insisted on not participating, the employee would be asked to state that in writing, and then would be allowed to not participate. This was done to ensure that the employee could not later deny opting out of the program, especially after being passed over for a bonus or promotion. This process was agreed to by the Human Resources Department and the IWC CIO.

The career development plan was developed as follows:

  • Each employee was interviewed by the ISSO and the employee's security manager.

  • Each employee completed a form noting his or her education in a list of both college/university courses taken and technical courses taken, for example at conferences.

  • The manager's career plan for them, such as future jobs leading to promotions, was noted and compared to those noted by the employees. Where there was a conflict, a mutually agreeable compromise was worked out.

  • The education and experience future needs of the employees were identified at the meeting. Based on the needs assessment, education and training courses and ways of gaining additional experience were identified.

  • The career development goals for the first year were identified and agreed to by the employee, InfoSec manager, and ISSO.

  • The goals were incorporated into the employee's performance goals for the year, thus committing the managers and the InfoSec staff member to supporting the successful completion of the goals.

The ISSO also explained to the security staff that career development meant learning in formal and informal ways. Matrix charts were used to support the employees' career development program (see Figures 15.2 and 15.3). The ISSO provided the following examples:

  • Courses at colleges and universities;

  • Courses at technical schools;

  • Courses at conferences and workshops;

  • Reading books, magazines, and trade journals, such as security-related associations' magazines;

  • Networking with peers, for example, learning how they solved some of their asset protection problems;

  • Studying for certifications, such as Certified Protection Professional (CPP), Certified Fraud Examiner (CFE), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA);

  • Volunteering at senior centers and other centers for children and adults; and

  • Reading online (Internet).

  Management Topics          | Current Knowledge | Learning Priority
  ---------------------------|-------------------|------------------
  Time Management            |                   |
  Project Management         |                   |
  Communicating with Others  |                   |
  Managing People            |                   |
  Planning                   |                   |
  Directing                  |                   |
  Controlling                |                   |
  Budgeting                  |                   |
  Managerial Finance         |                   |
  Managerial Accounting      |                   |
  Marketing                  |                   |

Figure 15.2: Example of a table to be used to determine current ISSO management strengths and weaknesses, and to identify training needs.

  Technical Topics                     | Current Knowledge | Learning Priority
  -------------------------------------|-------------------|------------------
  InfoSec Policies & Procs.            |                   |
  Sys. Authorization & Access Control  |                   |
  Systems Security                     |                   |
  Risk Assessment                      |                   |
  Communications Security              |                   |
  Physical/Environmental Security      |                   |
  Security Awareness & Training        |                   |
  Contingency Planning                 |                   |
  Disaster Recovery                    |                   |
  Application Security                 |                   |

Figure 15.3: Example of a table to be used to determine current ISSO technical strengths and weaknesses, and to identify training needs.

Experience would be gained by providing opportunities for employees to become involved in projects and tasks covering other aspects of the InfoSec profession.

Whether you want to become an ISSO, or are an ISSO now, you should have a career development plan. That plan is similar to any other project plan. That is, it has stated objectives, milestones, and starting and ending dates. The starting time is now and the ending date is the date of your planned retirement. Remember, it is never too early, or too late, to begin planning your ISSO career and developing the career plan that will challenge you to reach your full potential. The sooner you start, the more likely you are to succeed in meeting your goals and objectives before your retirement. After all, once you're retired, you don't want to spend your time thinking what might have been!

Assume that you enjoy the profession of InfoSec and being an ISSO. That is your chosen profession—your career. Therefore, you should strive to be the best ISSO in the business, and the one most eligible to fill any ISSO position. That takes hard work and dedication.

So, let's put together an ISSO career development plan outline. You can add the specifics as they apply to you. Also, let's assume you are new to the field and you're starting with no InfoSec experience whatsoever.

The basic categories that are the foundations for your career development are (1) the basic positions that make up the ISSO profession; (2) the education and training required for each position; (3) the experience needed for each position; and (4) certifications.

For the person putting together his or her personal career development program or plan, it is important to know the basic positions available within the ISSO career field. The job family provides a gradual progression through an ISSO career beginning with little or no education and experience. The job family emphasizes the technical career development. The management career field generally follows the common management job family; therefore, it is not addressed here. In addition, in most corporations the InfoSec management position(s) within the corporation are very limited—actually limited to one! Career growth is likely to be achieved by changing corporations or government agencies.

An ISSO or InfoSec job family was previously provided. The titles, functional descriptions, and qualifications are based on actual ISSO job families found in several InfoSec organizations of international corporations.[4] They should be used as part of your career development plan outline. Note especially the position description and job qualifications for each position.

[4]Detailed job descriptions and responsibilities will be found in Chapter 7, "Establishing a CIAPP and InfoSec Organization."




The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204