IT Security Career: Technical Vs Governance/Policy


Comments

  • TheFORCE Member Posts: 2,297 ■■■■■■■■□□
    UnixGuy wrote: »
    To rephrase, doing more policy work vs. doing more technical work, which one leads to better career prospects, leadership, freedom (time management)? And if working on the technical side or the policy side or both, how best to approach that? I know it's general but I think it'll benefit a lot of people reading this.

    I promised I would post on this; I've been a little busy, but better late than never.
    I'm speaking as someone who has worked on both and is currently working on the governance side. Here is my experience with this. The company you work for matters when it comes to Governance. I worked in a medium-size company that was very well organized. When things would pop up, management would get involved and do things right, get all the parties involved and come up with a solution. This expedited the time in which something was completed and did not cause political battles within the groups and the company.
    Then I worked for a big international company in IT Security and the Governance guy was probably the most hated person; no one wanted to work with him, no one respected him or his work. Every time we would get emails from him or he would come to our office we all were shrugging him off; we considered governance tasks too bothersome and too bureaucratic, but eventually we would give him what he asked for or do what he told us, though in the process we were being difficult. I think this was the mentality of the entire organization, where there was no transparency and everyone was too individualistic.

    I didn't realize then that his job was an important part of the whole environment. Anyway, it got to the point where the guy left and found another job. A few months later I left also, and this time I went from IT Security to the Governance side. The company is very, very small, less than 1000 users. So you can imagine the employees have very senior positions or hold manager positions. As soon as I got there I saw things that were not done according to best practice standards: policies were not being followed or policies did not exist at all, IT was bypassed in general and basically each department only cared for their own stuff. Now I'm trying to put some order in and organize processes and procedures, and most of the time I tap into my experience on the technical side of IT Security as I see them. The thing is, now I find myself in the same position that the guy in my previous company was: when I ask for information people do not take me seriously. Maybe it's because I am new, or maybe because they do not find it important.

    On the other hand, I noticed that some not only do not provide the information, but instead question my inquiries. I have not seen this anywhere else, except in this company. From my experience, when an Audit guy or Governance guy asks for information, you do not question the reason they want that information. But as I mentioned, I am dealing with senior department personnel and managers that support their own systems, so they feel like they have ownership of everything. Little do they know that the whole environment is built incorrectly from the ground up in terms of governance and IT Security policies.

    So, to conclude, you will respect the Governance side more if you start somewhere more technical first. Governance is very time consuming; sometimes you will find that you have so many things on your plate that you won't know where to start, and other times you will feel like there is nothing to do and feel like you are dying of boredom. If, however, you are in a good company where management supports Governance and has the ability to enforce it without caring about office politics, then you will be like a king: what you say goes! I am getting so much push back from certain people right now that it halts my progress. But eventually, hopefully, things will turn better. So like mentioned above, I would go technical first and then go into governance.
  • UnixGuy Mod Posts: 4,570 Mod
    I really appreciate your replies guys!

    I think now I have a clear idea on what I will do!
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    I started technical and ended up on the policy side of the house by accident; it wasn't planned. I just found myself doing more and more paperwork and research and ended up in an advisory role doing policy, auditing and compliance. I kinda blame Western Governors because of that GIAC Certified ISO-27000 Specialist certification I had to get :) I took that test and, with that stuff fresh in my head, aced an interview. Actually, that worked back when I did the CISSP too, which kinda shows taking a cert every once in a while helps.

    Wait there are only 1046 of us?? GIAC Forensics, Management, Information, IT Security Certifications

    I cannot emphasize enough the importance of having a technical background though. I found myself having to find/detect all of the b.s. people try and hide when they pencil whip reports. I have to review Cisco firewall reports, Websense, SQL exports, etc. I also have to regularly explain stuff to management and act as the middle man for security and the network administrators.

    I could become a pure paper pusher; there are compliance people like that out there, but I found out it's better to have a firm grasp of the technical and compliance parts of the job. When our external auditors come in every year I notice they are good at asking for stuff, but during meetings I can tell they came from the CPA Accounting side of the house and don't have any technical skills but have to work with technical documentation.
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Working in compliance is interesting and I can share some of my experiences. First, it depends on the industry. Some industries are heavily regulated, and the organizations that make up those industries don't give their compliance people as hard a time. I've seen industries with few or no regulations, and that's when a compliance person is given the cold shoulder. Second, you are the instrument that can change the perception of compliance people (but you also pay for the mistakes of those before you).

    In my position my name is basically a curse word and there are numerous people who wish I didn't exist. At the same time, if you spoke to those people they'd tell you I am one of the best to work with. I make it a point to respond quickly, work with the various stakeholders to help craft solutions that work for all parties and still remain in compliance, and I have helped to catch a lot of things that have saved the companies I regulate a lot of money. Compliance can be a value add and companies learn that eventually.

    Third, having an extensive IT background is definitely the biggest asset. When the IT people you regulate (or cover compliance with) know that you have been in their position, they are more likely to work with you. Also, management tends to go with you more when you have solid technical knowledge behind you.

    There are two things that are extremely difficult in the compliance/governance/regulatory role. First, knowing what questions to ask. This is something you will only gain with experience and when learning from seasoned veterans. When I first started, I was truly amazed at how the investigators and auditors I worked with arrived at what they knew were the facts. All I will say is keep it general and keep your cards close. Second (and this is probably the biggest hurdle) is being able to address an agency director or a company CEO and explain why something cannot go live. Lots of money and time are invested in a project only to come to a grinding halt. It can be one of the most nerve-wracking positions to be in. You have a job and have to be willing to stand your ground when all around you are applying pressure. Hope this helps!
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • UnixGuy Mod Posts: 4,570 Mod
    Thanks again everyone!

    This is a great example of a job that requires deep technical, policy, and business knowledge! Something to look forward to:
    https://www.linkedin.com/jobs2/view/53550350?trk=jobs_home_click_jymbii&refId=fb76b234-7452-4470-b1a7-8f83cdb8f657
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • Remedymp Member Posts: 834 ■■■■□□□□□□
    What it sounds like to me (and I do disagree with a few comments) is that you should focus on 'IT Risk Management'. It won't strip you of your thirst for tech, but will give you the governance of policy management that you're looking for, with the higher pay ceiling. You might want to join ISACA.

    I, like you, have found myself in a tangled web of the SOC with a more sys admin background and a bachelor's degree in Information Systems Security, as well as an academic background in Electronic Engineering. The more I work in the SOC, the more I hate it, and it hasn't even been six months yet. It's literally like an ER ward in a hostile environment, with trauma patients coming in by the hour (trauma patients being incident response tickets).

    Currently, my plan is to spend the next 12 months in the SOC, enroll in an MS program for either Information Assurance or Risk Management, then study for my CRISC and move into IT Risk Management sometime later next year.

    Could be something to think about.