Harry, I’ve Reached the Top.
Welcome to the last installment of the career ladders blog series. Here we go.
If you missed it, here's the link to our Git repo:
Physical Security Ladder
Why is this here? It is called convergence. Once upon a time, a decade or so ago, the idea that all security should work for the same person was hatched. It has been slow to take up, but ironically I see it more and more today amongst my peers, as tech crept into the physical security space and some of the cyber-attack vectors became kinetic (plus that physical penetration testing/social engineering thing). Therefore, it is important that we include it. If you are not in a converged team, go ahead and skip this part (like we did in the SOC discussion in Part 2).
Whew. There is a lot of stuff in here. Same reason as some of the other ladders. Most of the converged teams I know of – especially in the tech space – have a physical team member as part of the group. Yeah, that was not a typo. I said member – singular. That person has a huge remit and not a lot of support. These people can be hired, so recognize that you may not get, or even need, all of these skills in your org. Eventually, we will likely create unique ladders for some of these skill tracks as well.
- Physical Systems – Got to run the gear and make badges (see Part 1 of our ladders series).
- Crisis Management – I struggled with this a bit. This could easily have been merged with the SOC incident management skills, and in a shop where the SOC is converged, we would have merged this skill in and operated as an ‘all hazards’ response.
- Guard Operations – This is the “Triple G” as we call it (Gates, Guards, and Guns). It is what most people think of as physical security, but it actually comprises only a fraction of the tasks.
- Environmental Health & Safety – Yikes. What is this? Yup, this could be its own ladder, but let me tell you a story of why it is here. I was working at that same large hosting provider I mentioned in post #2. We owned our data centers and I was responsible for physical security. One of the techs was running cable on the overhead rack run and fell off the ladder. The guard does his patrol and finds the tech. A ladder safety program was born, and who better to check/implement it than the folks that are there 24×7. This is IMPORTANT for your people and needs to be done by someone. Step up and own it if you
- Special Services – There is a diverse set of skills here. I would tailor your requirements to what is necessary for your org. If you don’t have that company jet, then maybe aviation security is not important. (Side note – If you do have a jet, don’t be surprised if they do ask you to run the aviation program. It frequently is a function looking for a
- Investigations – This complements the investigations that might occur in the SOC, but it requires an almost completely different skill set, so the two shouldn’t be merged together.
You will quickly notice the big difference in pay. It is the way it is, and you as the leader will need to manage that message in the converged team.
NICE doesn’t actually map these skills, so we are looking for another provider at this time. If you know of one, drop me
Information Risk Ladder
This goes by many titles. GRC. Risk. Security Compliance. Call it whatever you like. It is the process and review side of the practice.
As in other ladders, this is a generalist role that could easily be split into many specialized roles. We provided the generalist set of skills for those orgs that need to have one role due to resource
- Risk Management – It’s in the title. I have seen this be a specific role in larger organizations (especially ones with a Chief Risk Officer).
- Additional Practice Area – Similar to the product security ladder, you will run into these (and may actually own them). In my past two gigs, we executed the next level of convergence and had the privacy function work in my team. A story for another blog post.
- Controls/Compliance – This is what is traditionally thought of as the information risk role.
- Audits – In many smaller orgs, this team performs the audit function. In larger orgs, this may fall to the internal audit function in finance.
- Policies – Yup, paperwork is what you will do in this
- Sales Support – Wow. I am impacting top line revenue. Yup, in many cases, customers and suppliers want assurance that your team’s security practices are good. This falls to this team (or a subset of this team). We have had an active debate amongst my peers about whether security should have a marketing person on staff. Again, a story for another blog post.
- Training – Teaching is one of the most important roles for this program.
Similar to physical security, these folks will make a little less than your more technical
Nothing too interesting in here.
Business Security Manager Ladder
What is this? I like to call it scale. In larger organizations, the need to distribute security expertise to specific functions and/or geographies is a must. This is the role of a BSM: to liaise with your business stakeholders and give them a point of contact into the larger centralized security team. I think this is a critical role for any large org, and to be honest, it is sometimes seen as the gateway to the top spot (as you see by the titles). Additionally, like the Product Security career ladder, I don’t feel there is an entry level role in this ladder. You need a solid grounding in security first before you take this role, as you will be seen as the expert by your stakeholders.
will not end well for folks.
- Core Practice Areas – To my point above, you must be a security professional before you jump into this role. It can be in any discipline, but you need one (and you will learn the others as you progress).
- Adjacent Risk Practices – Like the information risk practice, you will interact with other functions and may own them in
- Adjacent Business Practices – This role has a management feel to it, and as a result, requires many of the management skills you would find in the GK_Management.MD skill list.
- Incident Response – Interesting: as the single point of contact for the function/region, you will be best positioned to respond to an incident if it occurs (think time zones, connectivity, proximity, etc.).
- Metrics – In many cases you will need to demonstrate your value, as well as the broader security team’s value, to your
- Technical Currency – With a broad remit, you are still going to need to keep your technical skills up to function.
The thing to note here is that the technical track ends at level 2. Beyond that, it looks and feels more managerial.
For CPA.1-3, use the skill mappings from the ladder that serves as the foundation for your skill level. So, if you transitioned from information risk, use that ladder to fill in the skills you need here.
Well, we have reached the top of the org. Whether it is called Chief Information Security Officer, Officer, Chief Trust Officer, or something else, the buck stops here. This is the only Level 6 role in these ladders (Vice President level). Some larger orgs may have VPs in the org’s disciplines and this role as a Senior VP, but for most orgs, it stops at the VP level.
- Core Practice Area – You have to know a lot about a lot. Continuous learning is going to be key.
- Adjacent Risk Practice – As I mentioned in prior ladders, you will be partnering with these leaders, and in many cases you will own some of these practices. Do not try to narrow your focus. Embrace your role as the main risk person in the
- Adjacent Business Practices – At this level, you are expected to be a businessperson first and a security person second. I am not saying you need an MBA, but you need to know the business side of the
- Risk Management – In many cases, you will be the top risk person in the org. You need to know this inside and out.
- Sales Support – Here it is again. People want confidence – and like it or not, you are in the confidence game. Be prepared to talk to customers/partners/vendors and to be on a plane.
- Incident Response/Investigations – You make the call (hopefully) in incidents. You need to have the confidence, connections, and courage to own this.
- Metrics – This is how you prove your worth/value/ROI. You will live by this.
- Technical Currency – There is an interesting debate about this: do CISOs still need to be technical, or just business focused? My opinion is that your peers will still look at you as a technical resource (for better or worse), and if your skills are low/non-existent, it will work against you. Keep up that continuous learning.
There is only one row. Word of advice: if you are taking this role, you deserve both a bonus plan and a pre-arranged
Nothing too interesting here.
Well, this brings this series to a close. If you have any questions, post them here, DM me at @appsecdude or ping me on LinkedIn. Last question for folks – can you name the holiday themed movie this blog post title refers to? Drop your answer in the blog stream!
- Marc French