When considering going for a management position, it’s critical to understand a cybersecurity manager’s typical responsibilities. They include monitoring operations and infrastructure, ensuring regulation compliance, auditing policies and controls, and developing a security incident response program.
To prepare for these responsibilities, you may need to gain additional skills — often the kind you can’t get a certification in. For those climbing the ladder it’s important to understand the business, be able to communicate with all departments within the business, and get noticed in positive ways.
Lorna Koppel has built an impressive career in IT and infosec over the last 20 years, and is currently director of information security for Tufts University. She explains: “Your No. 1 role is to enable the business… The first thing is accepting that you have to work on your business acumen and your communication skill sets and understanding what’s important to the business.” Specifically, Koppel recommends professionals look at key projects and strategic plans within the business to understand how it makes a profit and what its priorities are. This is an important knowledge base for people climbing the ladder.
In it Together
According to speaker and author Scott Schober, another key to moving into management is being prepared to communicate outside of your department. “Cybersecurity goes beyond IT to areas like HR,” he says. “You have to be willing to cross bridges and get along with all departments to maintain company policy. Cybersecurity is everyone’s problem and everyone’s solution, so a lot of it is about communicating best practices to all areas of the business.”
Much of this communication will be related to intentional and unintentional internal threats. According to the Harvard Business Review, cybersecurity managers must have the skills to identify the company’s most valuable information, and protect it using data, analytics and strong security standards. Such skills can be built through working closely with someone who already carries out these duties.
Learning new skills, getting additional education or certification, and seeing the big picture in terms of how cybersecurity affects all areas of the business may sound like a lot to take on — and it is! But there is yet another element that’s critical for management, and that is serving as a public face for the company.
Cybersecurity executive Daniel Miessler explains, “It’s not enough at this level to simply execute on what you’ve been given. You have to be able to innovate.” He recommends some actions for getting noticed, including lending expertise to others’ projects, maintaining an online presence, attending and speaking at conferences and earning a cybersecurity master’s degree.
These actions make you more visible to potential managers within your company and within the industry, and mark you as someone who has made the extra effort to anticipate future cybersecurity threats and trends.
Are You an Experienced Manager, But New to Cybersecurity?
For those considering a mid-career switch into cybersecurity, there are many pathways to leadership roles. Additional training paired with an advanced degree can blend with expertise earned elsewhere to create unique value within the field.
Presenter and executive Eric Vanderburg says, “Cybersecurity touches on many aspects of the organization, and your individual discipline and experience can give you insight into that part of cybersecurity. For example, those in HR would relate to employee training, onboarding and termination procedures, employee screening and background checks, and employee compliance requirements. A person from an accounting background could understand the SOC/SSAE accreditation process, ROI and the financial impact of implementing new systems.”
A cybersecurity master’s degree can be particularly useful when pursuing a management position, because it teaches skills that make applicants extremely qualified for top leadership positions. Plus, those with advanced degrees are paid better than those without. Additional certifications don’t hurt, either.