Expert Advice

Joyce Brocaglia is the executive career advisor for CSO magazine. The following questions and answers are featured on CSO's online magazine (www.csoonline.com).

I have a broad background in IT, scientific research and business. I have been VP of engineering, CTO, COO and CEO in various companies. I have worked in areas as diverse as computer graphics and simulation to financial services. This experience includes raising venture capital and communicating with C-level executives in Fortune 500 companies. I have varied experience with information security, but not a deep background. I am currently formalizing my existing experience by obtaining certifications (e.g., GIAC and CISSP). My question is, given the lack of direct security role experience in my background, how will potential employers view my skills and lack of direct management experience when applying for senior infosec positions?

Based on the information that you have provided me, I am going to make a few assumptions. You probably have a solid technical background (VP engineering), broad-based technology skills (CTO), an understanding of business operations (COO) and executive-level presentation and management skills (CEO). These are all very marketable skills. What you are lacking is deep knowledge of information security and direct responsibility for a security team. How a potential employer will view these strengths and weaknesses depends on a few basic factors: the size and type of the company, the maturity of the information security department and the role you are applying for.

My experience in understanding requirements of senior information security positions leads me to the following conclusions:

  1. You will have great difficulty landing the role of CISO for a large corporation with an established information security department. These firms already have individuals on board with skill sets similar to yours. They look for candidates who are immediately credible, who have a proven track record managing information security functions, and have the ability to develop enterprisewide security policies and strategies.
  2. If your varied experience with information security is more than just incidental, you may be able to obtain a senior-level information security role within a mid-size corporation. Here you can leverage your technology skills and manage a team of engineers focused on providing information security services to the firm.
  3. Your best bet may be an opportunity with a startup or early-stage company. They value someone who has a diverse skill set and can wear a lot of hats.
  4. Senior information security roles vary greatly depending upon industry. You will probably have more success with an industry that is just recognizing the value of establishing a formal information security function, such as manufacturing companies, as opposed to one that is highly regulated like the financial services industry.
  5. Finally, think out of the box to nontraditional technical information security roles. Your skill set would be very appealing to a security consulting firm. You have the ability to relate well with the executive management of a client, gain their trust and act as a project manager. You have a strong understanding of technology and operations, and could play an essential role in developing and closing business.

Given the extreme competitiveness of this market, landing a senior info security role is challenging even to those who have years of dedicated industry experience.
