The strands that weave together to form the fabric of a satisfying career are often rich and varied. This is especially true in security, which – despite its ancient roots – is, in many respects, a new field.
Some chief security officers arrive at their posts after following educational paths or early work experiences that appear to contrast with their current profession. Some pursue multiple certifications or complementary degrees to build their knowledge.
This development of multiple areas of expertise can turbocharge a security professional.
Marc Fidanza is a good example of the phenomenon.
He earned a degree in business and accounting as well as a CPA before he got involved in security — almost by accident — in the early days of the profession. Now director of security at Takeda Pharmaceuticals North America Inc. in Chicago, he worked in internal audit at American Airlines Inc. right out of college.
When the airline’s audit division was broken up into different groups, Fidanza found himself working on fraud cases involving frequent-flyer miles. That was the beginning of his love affair with security.
“It worked well because they had a gap on their team from a financial accounting standpoint. That was a skill set they didn’t have,” he says.
“I was given the opportunity to demonstrate my value. [Having the CPA] definitely opened some doors for me to be placed on the security staff permanently.”
But the biggest benefit of his background is built-in credibility with the people to whom he has presented plans or budgets. “They are typically very savvy people, so it has helped me articulate the security value proposition.”
Because the field is evolving and widening in scope, having a diverse background — whether educational or experiential — stands a CSO in good stead.
The dizzying array of risks today demands a holistic approach to security, and that meshes well with a CSO who has wide-ranging educational or professional experience.
MBAs need apply
David Kent, for example, aspired to be chief of police in a small town like the one in which he grew up, so he earned an undergraduate degree in criminal justice.
Upon graduation, he found there were not many places that needed a sheriff. Working for a small defense contractor in the late 1980s, he started to develop an interest in information security.
“It was a nascent field at the time,” says Kent, currently vice president of security at $3 billion pharmaceutical giant Genzyme Corp. in Cambridge, Mass. He worked in other roles, including a multiyear stint at Bolt, Beranek and Newman (now BBN Technologies) at the beginning of the Internet era, before he decided he needed a better grounding in business.
“The only way you can apply the discipline of security is to fully understand the environment. I had to go learn business,” says Kent.
Now, with a graduate degree in business management under his belt, Kent frames proposed solutions in the language of business, underpinned by an understanding of the unique challenges of today’s pharmaceutical industry.
He believes having a deeper knowledge of business is critical to CSOs, who now must be aware of the interrelated nature of risk. “It is convenient to divide the world into information security and physical security and supply chain security and whatever else, but you have to protect the enterprise by taking the whole view,” says Kent.
Tim Williams’ path in life is strikingly similar to Kent’s. Global director of security at $44.9 billion manufacturer Caterpillar Inc., Williams had his eye on a career in public law enforcement. After earning an undergraduate degree in criminology, however, he went to work for The Procter & Gamble Co.
There, he got training in the trenches on how things were done at one of the world’s top-performing companies.
“I consider it a gift that I got my start at such a great company,” says Williams, who is also president of ASIS International Inc., an association for security professionals.
That early experience convinced Williams to go for his MBA. This took several years because of a heavy international travel schedule at Boise-Cascade Holdings LLC and Nortel Networks Corp.
The long hours studying at night and on planes were worth it in the end, he says. “I knew that [the MBA] would give me a better basis for management-level positions regardless of what track I took,” Williams says.
Indeed, when Caterpillar came knocking, he was able to take a seat at the table with the other top executives. There are other ways to develop broader business perspective besides getting an MBA, but it is clearly a sound credential for CSOs — one that garners automatic respect from business leaders.
Lazy need not apply
Certifications are another avenue to attaining diverse qualifications to enrich your career, especially for those just starting out. As with degrees while working, earning certifications can require a lot of self-discipline, not to mention an autodidactic nature.
Chad McDonald spent more than one year of his life earning three certifications: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Project Management Professional (PMP).
McDonald was thrust into the world of security a few years back when he was working in computer support at Georgia College & State University in Milledgeville.
Two students flooded the college’s mail server with malicious messages, shutting the system down for several hours. (The students were later prosecuted; one was deported.) The school’s IT staff had to scramble to contain the damage, and McDonald was called upon to help.
“That incident opened my eyes to the fact that we were at risk and to what we could do to mitigate those risks,” says McDonald.
Soon, he found himself acting as the college’s one-man security shop. On his own accord — out of his own pocket and without taking a prep course — he started spending his weekends studying for the CISSP. After a full year, he took the test and passed.
“It was tough. But I got really interested in all aspects of security. I transformed myself,” says McDonald.
He then knocked off the CISA and the PMP in another few months.The certifications are more than so many pieces of paper to McDonald. For one thing, they made him a much more attractive candidate when he was interviewing for a position as chief information security officer at Georgia College.
“They were looking for someone who had not only experience but [also] credentials behind their name. [The certifications] show that I do have the knowledge. They were a door-opener,” he says.
Even better, McDonald will receive an annual bonus for each certification that has no doubt sweetened the memory of those long hours studying.
The Long View
All of the security professionals interviewed here strongly endorse the idea of obtaining multidisciplinary expertise as a way to further one’s career. Genzyme’s Kent encourages executives working in security — including those on his own staff — to fill the gaps in their knowledge by obtaining education in complementary areas.
“We try to have all the members of our team take a multidisciplinary view of security,” he says. “The woman who runs our product security just got her master’s in information security. That wouldn’t seem to be tied to her role in global product security, but it gives her great overlap of knowledge.”