As I mentioned in passing last week, I had a job interview at the end of the week. There was one question, near the end of the interview, that’s a fairly common question, but I wanted to record my answer to that question because I think it’s important.
The question: What do I see my next role being?
Fair question. I said I didn’t know for sure, but I knew what I have to do to find out.
I’ve actually known for a couple of months. I’ve been on a new journey, and there are two things that I am trying to do. Even though I was interviewing for a security position, these two things aren’t pure security, so they’re a little bit counter-intuitive, but I think they’re the key to moving forward.
The first is working on certain soft skills. There is an art form to getting people to help you, and getting people motivated to come along with you, work together to get things done, and make something better than what always has been. Some people seem to be born with that ability, but for those of us who weren’t, it’s a skill that can be taught and learned. And since I’ve started that journey, I’ve seen a difference. There are still difficult people out there, but some of them help anyway. I’m still listening to podcasts and learning, but that’s going to be part of it.
The other part is a change in mindset. I think people have been saying this a while, but sometime around the start of the new year, it registered with me and I started hearing it. Security isn’t IT. IT is an important element of security, but security is more than IT. Security is business. That can be good, but it’s mostly bad, because so many security people understand IT intimately, but few security people understand business and even fewer business people understand security.
If we ever wonder why nobody likes the security department–and that’s a sentiment I’ve seen everywhere I’ve been–that’s why. We’re stuck between two worlds, neither world understands us, and we only understand one of those worlds as well as we probably need to.
So I’ve been trying to read books about business. It doesn’t seem 100% natural, but security can’t expect business to meet it halfway. But I have this crazy idea that if we as security people try to meet the business people at 90%, then the business people will be a lot more motivated to give their 10%.
I don’t know what’s going to happen after a year or two or three of doing those two things. But that’s how I’ll know what’s next.