From junior to director: one security officer
At the start of a career, it seems that more successful colleagues have gone a long way, because from the very beginning they knew in which direction they should make efforts. But over time, there is an understanding that there is not and cannot be the “secret knowledge” of a certain “winning sequence of actions”. However, it is quite possible to formulate general principles of development that will help to achieve success in your field, if, of course, you put a sufficient amount of effort into this. We will talk about this under the cut.
My name is Dmitry Gadar, I work as the head of the information security department Tinkoff.ru. My main tasks at the moment are planning a strategy and developing an information security culture in an organization. I lead a team of four departments that provide countermeasures to internal fraud, incident response, information security infrastructure and compliance, and application security. Before that, he worked as an engineer in system integrators and a cryptanalyst at Lancrypto. After gaining experience in the development and implementation of systems, he moved to banks - Raiffeisen, Barclays, General Electric, Otkritie FC. During my career, I went through all levels of the corporate hierarchy, starting from the very first - a student who literally worked for food.
Since I like stories on Habré, I decided to share my story so that today's students could look at someone else’s experience and fill fewer lumps on their career paths. Regard this as a Friday reading, although I will try to give a number of tips where this would be appropriate.
The stack of technologies used in information security, and the range of potential threats is constantly changing. Rapid landscape changes devalue the skills of specific tools, but there is a fundamental knowledge and skills that are in demand today just as they were 10 years ago. They help to develop.
At the stage of choosing a university, few people think about the liquidity of knowledge in some remote perspective. Choose according to your favorite subject. I did the same. But I chose the strongest university out of those I entered - I got to the Department of Cryptography at MEPI - in essence, pure mathematics. Only then did all this develop into programming and related areas.
In my opinion, the most important element that the university offers is the structure in the head, adapted for mastering and filtering large streams of information. I can hardly remember literally some definitions now, and I cannot prove the Cauchy theorem for group theory without reading it once. But the structure that the University laid, I use constantly. Any top-level task in my head is decomposed into small cubes, and I immediately see its practical implementation in full detail. This allows you to dive quite deeply into each of the tasks encountered.
The best advice that can be given to today's applicants is to try to find an educational institution that will do its best, but it will require maximum effort, in order to lay the necessary basis from the very beginning. In general - for the duration of the training you should not look for easy ways, and try to get the maximum benefit from training. At the same time, in my opinion, basic subjects for study are mathematics (and derivatives in the form of algebra, cryptography, etc.) and programming in low-level languages - they allow you to master and structure large amounts of useful information, to operate it efficiently, to separate the most important from the secondary.
And for the development of practical skills it is best to go to work and try to get them in real conditions. At the same time, it is worthwhile to carefully consider the choice of the employer and discuss in advance what it is specifically proposed to do at work (to start the practice to develop real technical skills, and not to engage in shifting papers, but in a cool company).
It is unlikely that the first job will determine your career path. However, it will provide the experience of real projects, which is necessary to search for “its own” sphere. This is the only way to understand what you are interested in doing and what is important for you in your surroundings.
In addition, this is a chance to pull up the necessary knowledge, if suddenly they passed by you in high school. Now, to me for interviews, the junior position is sometimes visited by guys who do not know the basic things: how the network works, how the operating systems work, what the OSI model is. All these are basic principles, without the knowledge of which it will be difficult to develop not only in information security, but also in IT as a whole.
It is important to remember that the knowledge base must not only be typed, but also constantly developed. Even those who mainly interact with the business must understand the technical infrastructure in which the organization operates in order to properly translate requirements and make decisions safe. Often, a business speaks its own language, IT embody it in its own specificity, and information security should be the bridge between two worlds that helps make the right secure architecture. Those. Information security should be involved in all stages and stages of project implementation, dive deep into every aspect. For example, in the business solution requirements. Minimal changes that are not critical for the business itself in these requirements often make the product “secured by design” - affecting the product at the very beginning, which eliminates the need for costly and not always effective remedies for unsafe products. Thus, a secure development or deployment cycle should include not only an understanding of which servers the product will be installed on, how it integrates with the existing infrastructure, but also a deep understanding of the business process and new risks to the business.
The path of the safety guard is the path of continuous development. But from my point of view in this process the least need to look at the proposed position. The time when I was worried about the position or the line in the workbook, had passed - I was already vice-president, department director, etc. So now call at least an ordinary specialist. It is much more important for me to participate in the safe development of a business, to have the opportunity to realize changes and see the result of my work.
Developing in the framework of information security, you should not be limited to any one position or direction, for example, just cryptography. This is too narrow a specificity - you need to be interested in something big. And I believe that one can neglect some preferences in money or in office, especially at the beginning of a career, preferring more interesting and can be difficult and responsible work.
The strangest transition I had was from managing a public key infrastructure to creating an antifraud system. It was 2008 - the first financial crisis with sufficient development of the Internet and, probably, the first wave of fraud in remote banking systems. Practically no organization was ready for this, it was a new direction. We started IT on our knees to build antifraud and introduce basic measures of protection. For me, this was a completely new experience in building customer profiles, identifying fraudsters, and tracking their behavior. Naturally, in my duties I had not written anything like that. It was just interesting for me to develop somewhere wide. Subsequently, this interest grew into new career opportunities, which, in turn, opened up new perspectives in knowledge.
For me personally, several of the first employers provided a good start and a general understanding of what is happening in the industry - they gave a diverse experience that helped orient. I tried myself in programming and administration. And these are useful skills that I still need, and I try to develop them. Thanks to this, I can communicate with IT if not at one, then at a close level, because I know how everything works from the inside, how it works. I can talk to programmers, because I once wrote the code. Now I can hardly write the optimal code without preparation, but my experience is enough for more productive communication.
In general, you need to delve more into knowledge, try to process and structure new information, because the more you accumulate knowledge, the easier it is to offer safe solutions. If there is no development - it's time to think about changing jobs.
We must remember that information security is not IT-security. It is not enough to install an antivirus or any other solution and configure it correctly. This is not how it works.
Information security should be immersed in all projects and business processes. And the deeper you go, the more you realize that you know very little, and the more you see the path of development in breadth. In this, in my opinion, a big plus of this area - there is practically no limit to the horizontal development of a specialist.
The second point is that knowledge, as well as the technical base, must be constantly reviewed. If any solutions are implemented in information security, this does not mean that they have been implemented correctly or have not become unsafe over time. Security is a vocation, a certain approach to work with a certain amount of paranoia. And this is right, because security must always be in the head: you need to reconsider your own decisions, to be afraid that you proposed the wrong approach.
If at some point the bezopasnik decides that he is fine (completely safe), he probably ceases to be a bezopasnik. I have not seen good specialists in this field who have stopped their development.
Information security is a process, not an end result. And if this process is stopped, the organization will gradually become unsafe. So that the process does not stop, there must be tools to maintain it, and they must be implemented in such a way as not to interfere, but help the business to earn money. For example, following our inclusion in projects at the Bank Otkritie after some time, the business itself came to us and asked to take part in projects. This is the right approach - when a business is interested in the implementation of safe products and knows that there is security that will not prevent its implementation, but will help make it safe.
We must constantly set ourselves a challenge. For example, for me one of the last such people was the transition to Tinkoff.ru. This is not a classic bank, but a cross between a financial institution and an IT company. Accordingly, the approach to security is not “prohibitive” here, which is very close to me.
Information security should help reduce threats to the business, it should offer an alternative or in some other way reduce the identified risks. The approach to working at Tinkoff.ru is similar to General Electric or other American companies. Here you can do something and immediately see the result of your work, while not feeling any obstacles in your path, such as replicas "this is not my duty." If guys or teams see what they really need to do, they take and they do. In such an environment, I like to interact with other teams and build information security with the support of management and colleagues.
And when you are looking for another place to work, you need to look closely at the internal climate in the company and the facilities that the internal HR dictates there. Most often, successful practices are found in large companies with Western management. It is very important to pay attention to the team and the development vector of the area to which you are going. Ask at the interview what the team had achieved over the past six months, what goals for the next quarter are facing the company and your division, what role in achieving them will be assigned to you?
Leadership and team management is not always a natural step in the development of a technical specialist. But at a certain stage I understood one simple thing.
Leadership is skills that need to be developed as well as technical knowledge. It is hardly possible, without having any special gift, to effectively manage a team from scratch. In general, this is the same work on yourself, as well as the development of technical skills.
You need to regularly communicate with the team, discuss the pros / cons, communicate them correctly. It is necessary to form a culture in the team and monitor compliance with it. To learn this, I went to various management trainings, feedback, watched how effective managers behave, applied their knowledge in practice.
At one time, the CIO of General Electric, which itself was a very cool leader, ran a huge IT department, but was not a deep IT specialist. Watching her work, I tried to interact with the team, solicit feedback and evaluate the team’s behavior, how it changes, how effectively the interventions used. In accordance with the internal culture of General Electric, the team also gave feedback to my supervisor, and he discussed with them without me what is happening effectively and what is ineffective, and gave comments to me.
When applying for a job, where you plan to pump your administrative skills, it is important to understand what kind of personnel management culture is inherent in the organization. Usually in western companies it is more developed, in state companies it is less. It is worth asking questions related to management - is there a culture of feedback, how is it organized, how often does the manager meet with the team and each immediate subordinate, how does soft skills develop? It is necessary to understand the range of questions that arise at the meetings: is the approach to the fulfillment of tasks (and not only the status of their accomplishment) or the positive qualities of the staff and development area discussed? Each of the mentioned points will help to move faster in the administrative field.
At the initial stage, many managers make typical mistakes and it’s good if there is an observer who can point at them. For example, there are young managers who are not ready to insist on their opinion or harshly suppress unauthorized change of plans or ineffective management of expectations.
This is a business. And we must behave in accordance with the objectives of the organization. We are all here to achieve certain goals. And people should be able to work in a team. And the task of the manager is to unite this team so that each member works most effectively. Sometimes this requires some stiffness. Her absence or the transition to friendly relations within the team can damage management. There are novice executives who allow the team to relax. For example, I consider it unacceptable if the person did not come to the meeting that the manager appointed. And there are guys who forgive it. But it should not be so. This is not a friendly gathering, but, say, team planning. If a person does not come, it is important to take him aside and talk so that this does not happen again, because it makes it difficult to achieve goals. Some guys find it difficult to hold such a conversation, because it is not the most pleasant. But avoiding conflict situations can lead to a decrease in the importance of the leader and the loss of controllability of the team as a whole.
In my experience, corporate personnel management is better developed in large companies. In a small business, relationships are built on the personal communication of all members of the organization among themselves, and serious investments in personnel management here look ineffective. Probably, it was General Electric that pushed me to the fact that all of this needs to be seriously addressed, no less than with planning a strategy or with any specific technical solutions.
Naturally, the responsibility of the head is not limited to interactions within the team. Coming into a new organization, it is necessary not only to delve into new technological challenges, but also to build relationships with colleagues of the same level, to develop a safety culture.
In the field of information security, interaction and building cross-functional security is extremely important. For this, it is necessary to build effective communications with the business, with the operating units, with risks, with all the rest. And from this point of view, it is important for the information security manager to understand into which environment he falls and whether he can effectively build communications with people who are on the same level as him.
The ability to manage a team is also a self-improvement path, on which you constantly make new discoveries. For example, not so long ago, I realized that I had long since crossed the line when I was afraid to hire guys smarter than myself. On the contrary, I try to hire a super-strong “dream team” where I can learn something from everyone.
At the beginning of my career, I treated this differently, like many other leaders.
Instead, I want to give a few recommendations. Home - constantly learn, and not only at work. It is extremely important to independently study new technologies and trends in IT and information security in order to stay on the wave. If you are confronted with something and do not fully understand the technology, it is important to spend time studying it. But the depth of this study may vary, depending on the tasks - from a 15-minute video on youtube to complete a full course.
There is literature in each area, but it is better to read something, after consulting with an expert in the chosen field. My “required minimum”: “7 skills of highly effective people” by Stephen Covey. This is probably one of the coolest books on personal effectiveness. I often see inefficient work, and there it is directly written how to avoid it.
You can attend conferences. For practical security, I can recommend:
As for the courses, in my opinion they should be applied, developing a certain skill. And it does not necessarily have to be management skills. Often strong technical pros become bad leaders or leaders, losing technical skills and with great difficulty acquiring basic management skills. Management, in my opinion, has ceased to be a natural step in the development of technical specialists. If you are not inclined towards managing people, you should continue to develop in a technical field. At the same time, in practice, the cost of a good technical expert is often higher than its head.
My name is Dmitry Gadar, I work as the head of the information security department Tinkoff.ru. My main tasks at the moment are planning a strategy and developing an information security culture in an organization. I lead a team of four departments that provide countermeasures to internal fraud, incident response, information security infrastructure and compliance, and application security. Before that, he worked as an engineer in system integrators and a cryptanalyst at Lancrypto. After gaining experience in the development and implementation of systems, he moved to banks - Raiffeisen, Barclays, General Electric, Otkritie FC. During my career, I went through all levels of the corporate hierarchy, starting from the very first - a student who literally worked for food.
Since I like stories on Habré, I decided to share my story so that today's students could look at someone else’s experience and fill fewer lumps on their career paths. Regard this as a Friday reading, although I will try to give a number of tips where this would be appropriate.
It all starts with education
The stack of technologies used in information security, and the range of potential threats is constantly changing. Rapid landscape changes devalue the skills of specific tools, but there is a fundamental knowledge and skills that are in demand today just as they were 10 years ago. They help to develop.
At the stage of choosing a university, few people think about the liquidity of knowledge in some remote perspective. Choose according to your favorite subject. I did the same. But I chose the strongest university out of those I entered - I got to the Department of Cryptography at MEPI - in essence, pure mathematics. Only then did all this develop into programming and related areas.
In my opinion, the most important element that the university offers is the structure in the head, adapted for mastering and filtering large streams of information. I can hardly remember literally some definitions now, and I cannot prove the Cauchy theorem for group theory without reading it once. But the structure that the University laid, I use constantly. Any top-level task in my head is decomposed into small cubes, and I immediately see its practical implementation in full detail. This allows you to dive quite deeply into each of the tasks encountered.
The best advice that can be given to today's applicants is to try to find an educational institution that will do its best, but it will require maximum effort, in order to lay the necessary basis from the very beginning. In general - for the duration of the training you should not look for easy ways, and try to get the maximum benefit from training. At the same time, in my opinion, basic subjects for study are mathematics (and derivatives in the form of algebra, cryptography, etc.) and programming in low-level languages - they allow you to master and structure large amounts of useful information, to operate it efficiently, to separate the most important from the secondary.
And for the development of practical skills it is best to go to work and try to get them in real conditions. At the same time, it is worthwhile to carefully consider the choice of the employer and discuss in advance what it is specifically proposed to do at work (to start the practice to develop real technical skills, and not to engage in shifting papers, but in a cool company).
First job - first experience
It is unlikely that the first job will determine your career path. However, it will provide the experience of real projects, which is necessary to search for “its own” sphere. This is the only way to understand what you are interested in doing and what is important for you in your surroundings.
In addition, this is a chance to pull up the necessary knowledge, if suddenly they passed by you in high school. Now, to me for interviews, the junior position is sometimes visited by guys who do not know the basic things: how the network works, how the operating systems work, what the OSI model is. All these are basic principles, without the knowledge of which it will be difficult to develop not only in information security, but also in IT as a whole.
It is important to remember that the knowledge base must not only be typed, but also constantly developed. Even those who mainly interact with the business must understand the technical infrastructure in which the organization operates in order to properly translate requirements and make decisions safe. Often, a business speaks its own language, IT embody it in its own specificity, and information security should be the bridge between two worlds that helps make the right secure architecture. Those. Information security should be involved in all stages and stages of project implementation, dive deep into every aspect. For example, in the business solution requirements. Minimal changes that are not critical for the business itself in these requirements often make the product “secured by design” - affecting the product at the very beginning, which eliminates the need for costly and not always effective remedies for unsafe products. Thus, a secure development or deployment cycle should include not only an understanding of which servers the product will be installed on, how it integrates with the existing infrastructure, but also a deep understanding of the business process and new risks to the business.
Growing deep and wide
The path of the safety guard is the path of continuous development. But from my point of view in this process the least need to look at the proposed position. The time when I was worried about the position or the line in the workbook, had passed - I was already vice-president, department director, etc. So now call at least an ordinary specialist. It is much more important for me to participate in the safe development of a business, to have the opportunity to realize changes and see the result of my work.
Developing in the framework of information security, you should not be limited to any one position or direction, for example, just cryptography. This is too narrow a specificity - you need to be interested in something big. And I believe that one can neglect some preferences in money or in office, especially at the beginning of a career, preferring more interesting and can be difficult and responsible work.
The strangest transition I had was from managing a public key infrastructure to creating an antifraud system. It was 2008 - the first financial crisis with sufficient development of the Internet and, probably, the first wave of fraud in remote banking systems. Practically no organization was ready for this, it was a new direction. We started IT on our knees to build antifraud and introduce basic measures of protection. For me, this was a completely new experience in building customer profiles, identifying fraudsters, and tracking their behavior. Naturally, in my duties I had not written anything like that. It was just interesting for me to develop somewhere wide. Subsequently, this interest grew into new career opportunities, which, in turn, opened up new perspectives in knowledge.
For me personally, several of the first employers provided a good start and a general understanding of what is happening in the industry - they gave a diverse experience that helped orient. I tried myself in programming and administration. And these are useful skills that I still need, and I try to develop them. Thanks to this, I can communicate with IT if not at one, then at a close level, because I know how everything works from the inside, how it works. I can talk to programmers, because I once wrote the code. Now I can hardly write the optimal code without preparation, but my experience is enough for more productive communication.
In general, you need to delve more into knowledge, try to process and structure new information, because the more you accumulate knowledge, the easier it is to offer safe solutions. If there is no development - it's time to think about changing jobs.
We must remember that information security is not IT-security. It is not enough to install an antivirus or any other solution and configure it correctly. This is not how it works.
Information security should be immersed in all projects and business processes. And the deeper you go, the more you realize that you know very little, and the more you see the path of development in breadth. In this, in my opinion, a big plus of this area - there is practically no limit to the horizontal development of a specialist.
The second point is that knowledge, as well as the technical base, must be constantly reviewed. If any solutions are implemented in information security, this does not mean that they have been implemented correctly or have not become unsafe over time. Security is a vocation, a certain approach to work with a certain amount of paranoia. And this is right, because security must always be in the head: you need to reconsider your own decisions, to be afraid that you proposed the wrong approach.
If at some point the bezopasnik decides that he is fine (completely safe), he probably ceases to be a bezopasnik. I have not seen good specialists in this field who have stopped their development.
Information security is a process, not an end result. And if this process is stopped, the organization will gradually become unsafe. So that the process does not stop, there must be tools to maintain it, and they must be implemented in such a way as not to interfere, but help the business to earn money. For example, following our inclusion in projects at the Bank Otkritie after some time, the business itself came to us and asked to take part in projects. This is the right approach - when a business is interested in the implementation of safe products and knows that there is security that will not prevent its implementation, but will help make it safe.
We must constantly set ourselves a challenge. For example, for me one of the last such people was the transition to Tinkoff.ru. This is not a classic bank, but a cross between a financial institution and an IT company. Accordingly, the approach to security is not “prohibitive” here, which is very close to me.
Information security should help reduce threats to the business, it should offer an alternative or in some other way reduce the identified risks. The approach to working at Tinkoff.ru is similar to General Electric or other American companies. Here you can do something and immediately see the result of your work, while not feeling any obstacles in your path, such as replicas "this is not my duty." If guys or teams see what they really need to do, they take and they do. In such an environment, I like to interact with other teams and build information security with the support of management and colleagues.
And when you are looking for another place to work, you need to look closely at the internal climate in the company and the facilities that the internal HR dictates there. Most often, successful practices are found in large companies with Western management. It is very important to pay attention to the team and the development vector of the area to which you are going. Ask at the interview what the team had achieved over the past six months, what goals for the next quarter are facing the company and your division, what role in achieving them will be assigned to you?
Specialist or supervisor?
Leadership and team management is not always a natural step in the development of a technical specialist. But at a certain stage I understood one simple thing.
Leadership is skills that need to be developed as well as technical knowledge. It is hardly possible, without having any special gift, to effectively manage a team from scratch. In general, this is the same work on yourself, as well as the development of technical skills.
You need to regularly communicate with the team, discuss the pros / cons, communicate them correctly. It is necessary to form a culture in the team and monitor compliance with it. To learn this, I went to various management trainings, feedback, watched how effective managers behave, applied their knowledge in practice.
At one time, the CIO of General Electric, which itself was a very cool leader, ran a huge IT department, but was not a deep IT specialist. Watching her work, I tried to interact with the team, solicit feedback and evaluate the team’s behavior, how it changes, how effectively the interventions used. In accordance with the internal culture of General Electric, the team also gave feedback to my supervisor, and he discussed with them without me what is happening effectively and what is ineffective, and gave comments to me.
When applying for a job, where you plan to pump your administrative skills, it is important to understand what kind of personnel management culture is inherent in the organization. Usually in western companies it is more developed, in state companies it is less. It is worth asking questions related to management - is there a culture of feedback, how is it organized, how often does the manager meet with the team and each immediate subordinate, how does soft skills develop? It is necessary to understand the range of questions that arise at the meetings: is the approach to the fulfillment of tasks (and not only the status of their accomplishment) or the positive qualities of the staff and development area discussed? Each of the mentioned points will help to move faster in the administrative field.
At the initial stage, many managers make typical mistakes and it’s good if there is an observer who can point at them. For example, there are young managers who are not ready to insist on their opinion or harshly suppress unauthorized change of plans or ineffective management of expectations.
This is a business. And we must behave in accordance with the objectives of the organization. We are all here to achieve certain goals. And people should be able to work in a team. And the task of the manager is to unite this team so that each member works most effectively. Sometimes this requires some stiffness. Her absence or the transition to friendly relations within the team can damage management. There are novice executives who allow the team to relax. For example, I consider it unacceptable if the person did not come to the meeting that the manager appointed. And there are guys who forgive it. But it should not be so. This is not a friendly gathering, but, say, team planning. If a person does not come, it is important to take him aside and talk so that this does not happen again, because it makes it difficult to achieve goals. Some guys find it difficult to hold such a conversation, because it is not the most pleasant. But avoiding conflict situations can lead to a decrease in the importance of the leader and the loss of controllability of the team as a whole.
In my experience, corporate personnel management is better developed in large companies. In a small business, relationships are built on the personal communication of all members of the organization among themselves, and serious investments in personnel management here look ineffective. Probably, it was General Electric that pushed me to the fact that all of this needs to be seriously addressed, no less than with planning a strategy or with any specific technical solutions.
Naturally, the responsibility of the head is not limited to interactions within the team. Coming into a new organization, it is necessary not only to delve into new technological challenges, but also to build relationships with colleagues of the same level, to develop a safety culture.
In the field of information security, interaction and building cross-functional security is extremely important. For this, it is necessary to build effective communications with the business, with the operating units, with risks, with all the rest. And from this point of view, it is important for the information security manager to understand into which environment he falls and whether he can effectively build communications with people who are on the same level as him.
The ability to manage a team is also a self-improvement path, on which you constantly make new discoveries. For example, not so long ago, I realized that I had long since crossed the line when I was afraid to hire guys smarter than myself. On the contrary, I try to hire a super-strong “dream team” where I can learn something from everyone.
At the beginning of my career, I treated this differently, like many other leaders.
Recommendations
Instead, I want to give a few recommendations. Home - constantly learn, and not only at work. It is extremely important to independently study new technologies and trends in IT and information security in order to stay on the wave. If you are confronted with something and do not fully understand the technology, it is important to spend time studying it. But the depth of this study may vary, depending on the tasks - from a 15-minute video on youtube to complete a full course.
There is literature in each area, but it is better to read something, after consulting with an expert in the chosen field. My “required minimum”: “7 skills of highly effective people” by Stephen Covey. This is probably one of the coolest books on personal effectiveness. I often see inefficient work, and there it is directly written how to avoid it.
You can attend conferences. For practical security, I can recommend:
- in Russia - Positive Hack Days, Zeronights, СyberСrimeСon and, possibly, OFFZONE;
- Abroad - Black Hat Conference, Chaos Communication Congress, OffensiveCon.
As for the courses, in my opinion they should be applied, developing a certain skill. And it does not necessarily have to be management skills. Often strong technical pros become bad leaders or leaders, losing technical skills and with great difficulty acquiring basic management skills. Management, in my opinion, has ceased to be a natural step in the development of technical specialists. If you are not inclined towards managing people, you should continue to develop in a technical field. At the same time, in practice, the cost of a good technical expert is often higher than its head.