If you are just starting to break into IT / Cyber Security, going after technical certifications is actually your best plan of attack. However, after a few years of experience under your belt, as well as those more hands on certifications it’s important to shift your focus to less technical focused certifications.
It may sound boring, and truth be told majority of the content in textbooks may be boring but these certifications also open up doors that you may not have thought being possible. After years of being in technical roles it’s common for a salary cap to sort of hit even when job hopping. This isn’t 100% true for EVERY cyber security niche but for a good majority it’s known that those hands on keyboards in the long run typically will earn less per year then those in Management positions. This is where those certifications that may seem nauseating / boring come into play.
For example let’s talk about Tom, a cyber security professional. Tom has been in Cyber Security for 10 years now, currently working as the Senior Security Engineer. He has multiple certifications that had tested his knowledge from a more technical standpoint and typically works in hands on keyboard roles. However, given Tom has worked in a Security role for about 10 years now from an engineering level, he understands the ins and outs of how the business works in tune with his security efforts.
A new position has just opened to take on the role of a Information Security Officer / VP. Given Tom has 10 years of technical experience and technical certifications he figures he’s a shoe in for the role, even it’s a plus that he knows how the business operates with the security technologies and what there goals are. Tom interviews well and gets a call the next week, he didn’t get the job.
The company hired someone from outside the company. They have never held an engineering position and don’t have the technical skills Tom has. He’s perplexed.
Why did the other candidate get this higher paying management role?
The new hire in this situation had about 8 years of experience. Although they were never a security engineer they worked in several departments such as IT, Risk and were most previously an IT Manager. They had no technical certifications but the new hire had the CISSP, CISM and CISA certifications currently active.
From a management perspective - there’s certifications are primarily for drilling in concepts to there test takers the role of Cyber Security has in the business world, not the inverse. They speak about some technical aspects that Tom has done from an engineering standpoint before, but he never quite understood the ‘why’. These certifications focus on the role that Cyber Security plays to promote a businesses value, to aid the organization in achieving their strategic goals, and intertwining Cyber Security with the executives at companies.
Executives aren’t interested how to set up security solutions, or how to respond to cyber security incidents or anything technical for that matter…instead they are interested how Cyber Security can enhance their business operations.
When these management positions come about - executives are looking for that team player to bridge the gap from the complexities of Cyber Security into a business translatable value. How can cyber security bring them value? How can it potentially boost their business operations and profit? How can it potentially aid in generating more revenue? How can it protect our company from losing value from a potential cyber security incident or violation of compliance?
I think the point is across by now…but ultimately for those in the IT / Cyber Security space it is important to take a look into your true understanding of the business side of things as opposed to just being a wizard on the keyboard. That is of course if these management positions are of interest to you. There’s nothing wrong with staying hands on keyboard / technical, but it is of note that a good amount of time management positions typically do earn more, again for the business value that is seen by the board of directors.
Comments