My career in business continuity has been very kind to me so far. In the last 6 or 7 years I’ve become an award-winning published thought leader and I’ve been able to meet some truly great individuals from around the world and I’ve also worked on some pretty interesting projects as well. Although I think it’s fair to that the vast majority of the interest in my blogs, book, articles and presentations is because of my brutally honest style. I’m also one of the very few “junior” professionals who provide this regular type of insight. So, as I come to the end of another year and I am about to embark on my next challenge I wanted to capture my thoughts and share them with other fellow like-minded peers and colleagues.
So, what happened?
It was BCI World 2015 that was the turning point for me. It had been a year since I’d won my global best newcomer award and I was trying to figure out what direction to take next.
I had a podcast interview around the same time with Ken Simpson and we discussed “that difficult second album” and I knew then that I had to have a plan for the future. Once I took the decision to move into Cyber Security I was often asked:
"If you just received a global award from your profession, why would you move out of it and start again in a completely different field?”
It’s a valid question and it’s easy to see why individuals were curious. I was doing well in BC and I was moving into a more junior role after years of building up my experience. I even took a pay cut to do so. However, my decision wasn’t because I wanted to leave business continuity, it was because I wanted to be better at what I do.
Stick with me on this and I’ll explain…
The Enterprise Resilience Manager
The theme for the conference back in 2015 was “organisational resilience” and there had been a number of discussions and white papers regarding what this meant for the profession. Many folks were left scratching their heads trying to figure out how to become this new hybrid role. The message was clear in my mind… I had to diversify. I needed to be an enterprise resilience expert but what did this look like? It was at this point I came to a few conclusions:
· I didn’t know nearly enough about technology or the rising theme of “Cyber”
· I didn’t know nearly enough about real risk management processes in business
Looking back (if I was patient enough) I probably could have stayed in my BC role and engineered my workload around gaining that exposure but the path wasn’t clear. I decided I needed a plan. I wanted to become an Enterprise Resilience Manager but that particular role is still maturing and only a few businesses are buying into it at the time.
The plan was simple… I would find a Cyber/Info Security role and kill two birds with one stone. I would spend a year or so (while completing my part-time Masters in Risk) learning all about the buzz words that “experts” try to dazzle you with and also get my head around innovations in business technology. I figured this would give me a much better handle of both information security and risk management themes. A year on and this has proven to be one of the best career decisions I have ever made.
A Mountain of a Learning Curve
The learning curve this year has been totally immense and many nights after work, particularly in the early days, I would go home feeling like the class dunce with my mind completely frazzled but it was totally worth it. I wanted to cut my teeth with security and technology and that’s exactly what happened. I was thrown into a whole new world of networks and infrastructure and before I knew it I was looking at things like trust certificates, SFTP, firewalls, reserved IPs, access control lists and pen tests among many other far more technical things. I spent my days absorbing this knowledge and my evenings studying risk management and my mind was about to explode! It was totally worth it though because I am now becoming a stronger professional for the experience.
I’m also a big believer in combining academic and vocational learning because they both offer different perspectives in their own right. I took the opportunity to attend the CompTIA Security course and also get my hands on the CSX Cyber Security Fundamentals study guide simply to enrich my front-line learning. I would highly recommend the CompTIA training to any resilience practitioners touching on technology as I found it really helped me to understand the associated risks and threats. I also took some training in CRISC to help me better understand the frameworks like COBIT 5, ISO 27001, ISO 30001 for tech risk management and governance.
So, as I come to the end of a year in Cyber Security, and as I finalise my Masters in Risk, the next step for me is to move into the enterprise risk management space to help me reach the next stage in my development and that’s exactly what is happening in 2017. The next adventure is going to help me work through the risk management life cycle where I can combine all of my acquired skills to become the resilience manager that I want to be. In contrast to technology, where everything is black and white, risk management is a dark art. It’s subjective, requires a good knowledge of the business and it’s something that you cannot appreciate until you experience the full life span of a risk. I fully expect this journey to be far longer than the previous but equally as fruitful.