Mentoring in Information Security
Mentoring is a potentially magic word in the workplace. Experienced professionals “take into their care” more junior employees and teach them skills that they otherwise might never have learned. “Learn from the experts,” so they say, and no better example of this than on-the-job mentoring exists. A dedicated and experienced mentor can make a huge difference to an organization: mentors in effect bring the next generation of employees to the next level, the point at which those who have been mentored can deal with situations and issues with which they otherwise could not have dealt. Mentoring also can drastically reduce training costs.
I know of some senior information security professionals who invest the time and effort to mentor those who work for them. I fear, however, that these individuals are very much the exception to the rule. In contrast to, say, ten years ago, the nature of jobs today has changed drastically, and with these changes have come significant obstacles to mentoring. Some of these obstacles include:
• Busyness. Both potential mentors and potential to-be-mentored individuals are typically overwhelmed with tasks, due in large part to today’s weak economy. Many able workers have disappeared from an organization due to “business process engineering,” leaving those who are left to do not only their own work, but also the work of their former colleagues.
• No reward. Those who consider mentoring may not choose to do so because the organization for which they work does not offer any incentives for doing so.
• Overconfidence on the part of individuals who are mentoring candidates. Candidates for mentoring may be overconfident in their skills and knowledge, and as such may turn down opportunities to be mentored by a more senior employee.
I have been mentored by two information security giants, William Murray and Donn Parker. Why they took me under their wings I do not know, but I know that their noble efforts very much accelerated my recognition and understanding of information security issues as well as my ability to make critical judgments (not that I am the most understanding and capable person in the field!). I am not at all boasting, but I have in turn mentored a number (but not nearly enough) of information security professionals. I have been handsomely rewarded through seeing their success and in many cases their rise to prominence, as well as their gratitude.
All I am saying is that mentoring in information security needs to be revived. Yes, we have suffered through difficult times and those of us who have held on to our jobs ought to simply be grateful for this. But there is a next generation of information security professionals. They can read books and take courses, and in so doing they will benefit. But nothing compares to the power of mentoring. I’d like to see organizations such as SANS, ISSA, and ISACA promote and encourage mentoring more in their training courses. Information security professionals say that conformance to security policies, standards and procedures should be an employee appraisal issue, and they are right. How about also including mentoring performance as another appraisal issue for more senior information security professionals?