Career Advice Tuesday – “Career Rebuild”

Dear Infosecleaders:

I have more than 15 years of experience in the IT Application Development area. As part of my career, I was an ‘Applications Solution Architect’ as well. I am seeking to switch into the IT Security area. How do I go about it and where do I start? I do not want to give up my existing experience; I want to do something which will complement my App dev and Architect experience.

One person suggested getting a CISSP. Another suggested that I begin with some penetration testing, gravitate toward wireless security and then take the CISSP.

Can you please advise me on how I should go about rebuilding my career with a focus on information security.     I am unemployed now and I could really use some sound advice. 

Signed,

“Career Re-Builder”

Dear “Re-Builder”:

When anyone who has 15 years of work experience thinks about making a career transition, the best advice is to attempt to leverage your past experience the best way possible.   You state that you have spent your first 15 years as an application developer and application architect – so figure out a way to use those skills – and apply them to information security.

There are many information security roles that focus on the broad topic of “application security” – I would try to figure out which of these roles would best utilize your past experiences.  After I understood where the needs were, I would do all that I could to learn about security concepts that are critical to succeed in these roles.   I would then aggressively pursue these roles and companies that are attempting to solve these problems. 

You may also consider applying for pure application development roles that have an information security component. These particular roles will allow you to hone and develop your information security skills so that in the future you may be able to attain a role that is 100% security centric.

One thing that is great about security is that it touches all areas of technology.  The fact that you have deep experience in application development  (coupled with your new security knowledge) may place you at an advantage when competing against others that do not possess your depth of application development subject matter knowledge. 

As you get settled and back on your feet, you can always go after a CISSP or maybe a SANS certification to provide you with additional credentials if that is your desire.   However, before you spend money and time on any certification, make sure that it is geared toward a subject matter that you would like to learn more about and enhance your new career direction.

Hope this helps,

Lee and Mike



Career Advice Tuesday – “First Time Job Changer Seeks Advice”

Dear Infosecleaders:

I am hoping for some guidance on how to approach my first professional information security job change.   First, here is some background – I was recruited out of college to go work for the security consulting practice of a Big X firm.   I have spent the past three years working on many different clients and some pretty interesting projects.   In addition to developing some of my technical skills – assessments, forensics, network design – I have also developed some good skills in the area of project management (rudimentary), client presentations, written communication (we write a lot of reports) and verbal communications.

I will say that the Big X experience has been good for me, but I have determined that my long term career goal lies in working in an internal security program, actually doing security work, as opposed to selling it.

My concern about pursuing a corporate information security career is based on the fact that I fear that a corporate environment may limit my professional growth.  I want to make sure that if I move to a corporate info sec function that I do not get boxed in to performing one task, as opposed to the diversity of challenges that I have experienced in consulting.

Can you help me try to avoid making this mistake?

Signed,

“First Time Job Changer”

Dear “First Timer”:

I believe that for many people the first job change is the most difficult and the one that causes information security professionals the greatest apprehension.   The main reason is that you are choosing to give up the safety and “security” of a position that you enjoy, for the unknown.

I guess that the best thing that I can tell you is that you should not worry if your new job does not work out. Here are a few reasons why: from what you described, you have developed a good skill foundation that will be valued by other companies (both consulting and corporate), you represent good value (the Big X develops great talent but they pay relatively poorly at junior levels), and you have three years of experience with one respected employer (even if the next job only lasts 6 months, you would not be labeled a job hopper – it will be viewed as simply a mistake). Hopefully, this will make you breathe a bit easier.

The best way to avoid being “pigeon holed” by your next employer is to make sure that you identify components of the employer that will lend to your professional development and skill diversification.   It will be your responsibility to figure this out in the interview process. 

Do not expect the interviewers to willfully divulge this information, you are going to have to make sure that you ask probing questions to get the answers to help you arrive at your conclusion. 

The first thing that I would find is an employer where information security is a key component of their business strategy. Generally speaking, the more seriously an employer takes security, the better it is for the information security professional. This can be demonstrated by asking questions during your interview about current security initiatives, training budgets, and tools.

The next thing that I would look for would be a company that is either looking to formally develop an information security function or a company that is looking to upgrade their information security posture.   If you can find a company that is building something new, or trying to fix something that is broken – there will be opportunity for you to use more of your skills and take on more responsibility.  Conversely, if you find a company that has a well developed program, they will most likely be relying on you for one specific skill that you possess.  Generally, this is not a bad thing, but for the sake of your question I would avoid these companies.

The last thing that I would look for would be a company that has smart people that you can learn from and emulate. I would ask your interviewers about their backgrounds, why they enjoy working at the company, and their attitude toward sharing information security knowledge. You can also see if they are willing to share any stories during the interview about current (or past) information security employees’ career development. If you can find an environment where you can learn from talented, experienced information security professionals who are willing to share their knowledge with you, it should accelerate your professional development (just like it did in the Big X firm).

After your formal interview is complete, you should do some digging on your own. You should reach out to your network to see if you can attain a credible, unfiltered, and unbiased account of what it is like to work at the new company.

In closing, the best advice that I can give you (and all first time job changers)  is do not be afraid to take a chance.  Many first time job changers look for guarantees (that do not exist) and often reject well suited career opportunities because they want everything spelled out to them during the interview process. 

Whenever you do arrive at your decision to switch positions, make the most of your new opportunity! 

Go with your gut.  Trust your instincts.  Don’t look back. 

Hope this helps and best of luck,

Mike and Lee



Career Advice Tuesday – “Aspiring CISO”

Dear Infosecleaders:

I have gone through your blog; it’s fascinating advice you have given to others’ queries.

I am seeking your opinion and help on getting where I really want to go…

My Aim: To be a CISO / CIO.
My Professional Background: Was into BCP / DRP kind of projects most of the time. Little exposure to Information Security.
Education: Commerce, MBA, CISA, now pursuing CISM.
Strengths: Creative, Learning, Fascinated towards security loopholes, judgemental, and a good devil’s advocate.
Weaknesses: Not a tech pro, but can grasp and understand. No exposure to practical side of networks, applications, admin, etc.

With the given details, could you guide me and help me as to how I can achieve my goal. Without practical exposure to tech side, how feasible is to get such role, if not feasible, then what are the area of improvement and other workarounds if any… :)

Regards,

The Aspirant

Dear “Aspiring CISO”:

Before we get into the meat of your question, I want to start out by saying that you have the ability to  accomplish any goal that you can set your mind to, if you are willing to put in the hard work in order to achieve it.

It is great that you aspire to be a CISO, if you have goals, they should be big ones.  In addition, I think that it is very important that you have identified your strengths and your weaknesses.   The main weakness that you state is the “lack of exposure to the practical side of technology,” which can be a huge obstacle.    There are some CISO positions that will deemphasize your degree of technical skill, but I would say that having some technical competency will be required to successfully interact with the Senior technical stakeholders and inspire confidence in your leadership from your technically focused direct reports.

The best thing about accurately defining your weakness is that you have the ability to do something about it. This can be done either formally (through education/training) or informally (through reading, webinars, conferences, etc). I would begin this process by identifying a few key areas that both interest you and that are considered important to the role of CISO. Set a goal to learn as much as you can about these topics, first in a six-month period, then a year. As you learn more about these topics, begin to volunteer your insight to security related projects in your current position, where you feel comfortable and confident that your opinion would have meaning and potential impact. If you can do this, you will find that you will be developing some practical experience, outside your regular responsibilities. Due to the background that you have (MBA, CISA, expected CISM) and your “fascination towards security loopholes,” I believe that you will be convincing enough to create this opportunity for yourself.

If you are able to pull this off, you should be able to create some good momentum for yourself when you have the chance to interview for a CISO role.

When you do eventually begin to search for this type of opportunity I would provide the following guidance. The first would be to find an organization that will emphasize your non-technical strengths as a more key component of their CISO position. The second would be to make sure that you can effectively compete with anyone else who possesses similar skills. The reasoning for this is that if you find an organization that relies on technology for their CISO role, you will be quickly dismissed based upon your degree of technical experience. In addition, when you are competing for your CISO role (and believe me there will be a great deal of competition), you want to make sure that you come out on top in any candidate comparison, when it comes to your less technical security skills (policy, compliance, governance, risk, management, etc.) or the intangible skills that you would define as your strengths. In closing, in addition to developing your weakness, make sure that you spend additional time enhancing your competencies.

Beauty is in the eye of the beholder, and there are many skills that comprise effective CISOs. You just need to find someone who thinks that you are beautiful – and the right person for their CISO role.

Keep following your dreams and pursuing your goal!

Hope this helps,

Lee and Mike



Career Advice Tuesday – “Feeling Short-Changed”

Dear Mike and Lee:

I would like to let you both know about a situation that I just experienced, in the hope that you can propose some advice so that others do not suffer the same fate.

I am an experienced information security leader and am a direct report to the CSO of my current company, a large Financial Services firm.  Recently, I was approached by an internal recruiter of another company searching for a CISO.  I believed that it was a good opportunity, and my next logical career step so I decided to pursue.  Early in my conversations with the internal recruiter, the subject of compensation came up.  I shared with the recruiter my current compensation (all components – base salary, bonus, and equity) and they told me that my compensation was in line with their expectations.

I then proceeded to go through a series of seven different interviews and I met with many senior executives of the potential new company.    Due to scheduling, this process consumed about 10 weeks, and I utilized 4 vacation days to make the interviews happen.  After the final interview, I received a call to inform me that I had been selected and an offer would be formulated. I was very excited.

I received a call from the HR/internal recruiter the next day with the verbal offer.  To my dismay, the total compensation package was well below my current levels.  I asked if the offer was correct, and they said it was.  I informed the HR person that this was unacceptable and I was surprised considering the assurances that I was provided.   The HR person went back to “sweeten the pot”, but even then the second offer was substandard.

In the end, I declined the position and felt that my time had been wasted, and I left upset because I felt that I could have done something different.  Can you suggest some ways that I (and others) could avoid this situation in the future?

Sincerely,

“Feeling Short Changed”

Dear “Short Changed”:

Compensation is always a sticky subject, especially during the initial courting stage. As in your case, discussing compensation early on, prior to undertaking a job search, is an important step in determining baselines and starting points. I believe that you did the right thing by informing your suitor of the value of your compensation. I strongly believe (and as you later found out) there is not any reason to invest the time in an interview process if there is not a possibility of a mutually beneficial outcome.

As far as what you could have done differently, I think there are a couple of things. First is that you could have attempted to get some advice earlier on in the process, from someone who was a bit removed from the process and had some real experience negotiating an employment contract. This could have been helpful because it may have provided you with some perspective and with an idea of how the “new company” would value your compensation. Sometimes, the way that an individual values their bonus and their equity is different than an outsider would value it. (Salary is pretty black and white.)

The other thing that you may have done differently is to discuss compensation at different points, as you got more deeply involved in the interview process and interest began to grow. Since you did not have an advocate working for you, you had to rely on the internal corporate recruiter to represent your interests – which is a contradiction because they work for the company (not you). Realizing that compensation is a delicate item, and that you do not want to appear purely motivated by money, you need to be tactful in your approach.

One way to go about doing this is initially by sending a friendly e-mail to the human resources/internal recruiter in writing that begins to outline your expectations.   The initial e-mails can be general, and sometimes they can just serve as documentation of your original discussion.  The reason that you put things in e-mail is because they can be referenced and forwarded.  It makes everyone accountable.

As you go on in the process, and interest is increased you can become more specific, becoming a bit more assertive and specific in your approach.   Your e-mail can state that you are hopeful that the process will conclude positively for both parties and that you want to make sure that both parties are on the same page as you continue to move forward.  Again, this provides an additional data point, and begins to discuss not only your baselines, but what it would take for you to accept the position.  You may also decide to include the hiring manager on the e-mail if you feel comfortable.

Finally, as you near the end of the interview process and get to the last interviews, you should begin to have a better sense of comfort with the people you will be working with.  At that time, you can ask them questions about components of the compensation and the history of achieving these milestones (bonus, equity, other).  You can also close those discussions by stating that on a “number of occasions” you have shared with the internal recruiter/HR professional your compensation expectations.

At the end, what you have done is build a case for yourself during your interview process. More importantly, your case will have gotten stronger as the interview process has progressed. If you communicate this clearly (and in writing) the internal recruiter will have some explaining to do for wasting the hiring manager’s and other executives’ time, if your candidacy cannot be brought to closure.

In general, we often are afraid of discussing compensation, and we should not be. If compensation is a main criterion, you have to be assertive and tactful in discussing it.

Hopefully it will work out better next time.

Mike and Lee

P.S. Sorry about the lost vacation – however there are always some opportunity costs in pursuing your career goals.



Career Advice Tuesday – “Reflection”

Dear Mike and Lee:

I have spent the past two weeks reflecting on both my career as an information security professional and my life in general, and I am hoping for some advice.

I have spent the past six years of my career as an information security consultant, primarily performing penetration tests. My first 2 years were performing network pen tests, and my next 4 years have been performing Web-App pen tests. I have traveled to some fun places, met some very smart people, and have had the chance to do a bunch of “cool work” (we’ll leave it at that).

I am now close to 30.  My friends outside of the industry are beginning to settle down, have families, advance in their field, and have “normal lives”.   Granted, I would not trade my past experiences for theirs (I am the interesting one when we all get together), but I will admit that I am getting a bit envious.

The last two weeks I have given some thought about changing my career, and my life for that matter – but I am not sure where to begin and what I am truly qualified to do (beyond pen testing). I do not want to earn less money and I do not want a boring job – can you give me some advice?

Signed,

At a Crossroads

Dear Crossroads:

I am glad that your time of reflection provided you with a clear direction.

Congratulations,  you are on the right path!  You have identified your problem and are ready to make some adjustments to accomplish your short term goal.  I think that there are many people out there that believe that their career problems will just go away without any effort.  You have a journey ahead of you, but at least you know where you want to head – and that is the most important part of the battle.

I will be candid with you, the life of a security consultant/penetration tester is an exciting one, for the reasons that you outlined. When you are young, and responsible to only yourself, it is a great way to see the world, get exposure, and meet all types of people. However, the trade-off for all of the frequent flier miles, the hotel reward points, and the atypical hours is the regular aspects of life (that it appears that your friends enjoy). The fact that you most likely will never experience this type of “professional thrill” again in your career is something you should be willing to accept before your transition.

Once you have accepted this, you have to plan your transition. I think that it is important to understand that just because you have come to this personal revelation over the past 2 weeks – it does not mean that finding nirvana will be as quick of a journey.

A career transition usually takes some time – especially if you are looking for an opportunity that is a departure from your current role. (For example – I am sure that you could find a pen testing/consulting job in less than 30 days.) You also may have to come to grips with the fact that you will have to accept a more junior role, take orders from someone less qualified than you, or take a reduction in pay – to achieve the lifestyle that you desire. However, this is up to you.

One of my favorite quotes is that “Life is always a series of trade-offs.” You will have to figure out which ones are worth making.

You should think of the skills that you already possess and can apply to the position (and environment)  that you would ultimately like to be in.  Whatever those skills are, you should spend the time developing, refining, and enhancing them.   You should also be using this time to reach out to your professional network and past clients ( in environments that interest you) and see if they have opportunities that would align with your new career direction.

The best pieces of advice that I can give to you are as follows:

1) Remain Focused on your Goal  (This will be harder the longer it takes)

2) Do Not Settle For a New Position Where You Will Be Miserable (This will be easier the longer it takes)

Hope this helps,

Lee and Mike



Career Advice Tuesday – New Year’s

Due to the holiday, the number of questions we received in the last week has been pretty light. So, instead of doing a question this week, we’re going to do a quick post on the year end.

First, let me say that I hate New Year’s “Resolutions” – the idea of becoming resolute based on a date is a recipe for failure. (And research shows that 78% fail in that)

But the end of the year is often a good time for planning and thinking. It’s a time of year spent around family and a time where work in our industry often takes a slight lull. And Lee and I both use this time to take stock of our lives and our plans for the coming year.

So, we’d urge you to make this a time for career planning. As we said in our Defcon talk, our survey from last year showed that career planning matters – those with a written career plan are about 25% more likely to make more than $120K/year than those that don’t have a plan.

As far as what we’re planning for 2010, you can expect a lot from InfoSecLeaders. The results for that survey will be fully available in the immediate future, as well as a bunch more surveys in the coming months. Additionally, we’ll be continuing our articles in Search Security and be announcing other relationships with other publications. We’ll be speaking at conferences. And we’ll be releasing more online courses (like our Career Incident Response Series) soon as well.

And Career Advice Tuesday will continue. Ask your questions here.



Career Advice Tuesday – “The Waiting Is The Hardest Part”

Dear Infosecleaders:

As I am writing to you, I find myself in the middle of an interview process and I am hoping for some advice.

Let me describe my process to you thus far – first I had a phone interview with the human resources person, then I had a phone conversation with a person to gauge my information security experience, I then had a phone conversation with the head of the information security consulting practice.  At the conclusion of the phone conversation with the hiring manager (the consulting leader) , I was told that I had performed well, and I would be hearing from the internal recruitment person to coordinate an in-house visit.

As I write to you, I am now on my tenth day of waiting, and I have not heard a response.  I have placed phone calls to the human resources person, I have sent e-mails to the hiring manager, I have even tried contacting a “Linked IN” acquaintance about trying to help me.

None of these angles have worked and now I am writing you guys for help.

Can you give me any advice on how to handle this situation?  Should I write them off completely?  Any guidance you guys can give me would be appreciated.

Sincerely,

Tom Petty

Dear “Tom Petty”:

I would tell you first that I believe that you have done everything correctly and within the bounds of expectations to show your interest in the opportunity and your intent to continue on in the interview process with this company.  The fact that none of your overtures have been returned can be interpreted in one of two ways – “lack of interest” or “rudeness.”

If they are not interested in your candidacy, I would think that at the very least they would be able to communicate to you their reasoning for ending your interview process and provide you with the simple courtesy of closure.   Many times, people involved in the interview process are not comfortable in providing bad news, or direct negative feedback.  They believe that by withholding this information, they are doing you a favor.   However, what they do not realize is that “interview purgatory” is a lot worse than providing you the closure that you need to forget about the opportunity, develop your interview skills, and move on to exploring other options.

On the other hand, if all of the parties that you interacted with have not returned your voice mails or responded to your e-mails, that is purely a sign of rudeness and a good indication of how you would be treated and communicated with if you were to go to work at the company. If they exhibit this poor behavior while they are courting you, can you imagine how you will be treated once you have already committed to join them?

Consider the fact that you are able to witness this behavior prior to joining them as a blessing.

At this point, even if they come back to you and apologize for their behavior, I would think really hard about reengaging in an interview process and entertaining employment.  If they are coming back to you after a long pause, (without any communication) you were most likely a second or third option, and they are only coming back to you because they have been rejected by the others.

Our best advice  is to move on and find a company that deserves you and will treat you with some professional courtesy.  The information security community is a small place, and it does not take much for a company to acquire a bad reputation for how they treat people in the interview process.

Hope this helps,

Lee and Mike



Career Advice Tuesday – “Rolling The Dice”

Dear Infosecleaders:

Here is my situation.  I began working as an information security consultant about five years ago.  In that time, I have worked for 3 different companies, and have developed some good consulting skills.   Although I am good at my job, it is not the direction that I would like for my career to head.  I would like to work in a corporate information security function, and one day hold an information security leadership role, where I would be in a position to hire someone like myself.

I have some really solid relationships with my clients and I believe that they have opportunities in their organization where they could utilize someone with the very skills that I currently provide them (on a full time basis). 

My question is, how do I approach these customers about considering me for employment, without damaging the relationship with my current employer?  I feel that I would be taking a huge gamble, and placing my current position in great jeopardy, if my idea backfires.

Signed,

“Should I Roll The Dice”

Dear “Dice Roller”:

I think that any professional gambler would tell you that the best bets are the ones that have the greatest probability of producing a payoff. However, “Rolling The Dice” with your career could be a dangerous proposition and can lead to unforeseen consequences if you do not take the right steps.

The first thing that I would recommend would be to speak with your clients about true employment potential and if they are actively seeking someone with your skills and more importantly have the ability to hire.   Many companies have budgets to employ consultants (even at higher hourly rates) but they do not have the ability to hire full time employees.   Before you decide to “Roll The Dice”, make sure that your gamble can actually pay off.

If they do tell you that they have headcount and they think you would be a good fit for the company and their team, figure out if you are willing to accept both the position and  financial terms that are being offered.  ( It is common for consultants to be compensated at a premium over their counterparts in end user organizations).

At this time, if the above are affirmative you have to decide whether or not you would like to speak with your manager (current employer) before you fully engage in an interview process.   This is truly the biggest gamble, because until you actually have the conversation, you will not truly know how your employer will react.

In general, my hope would be that you currently share a level of mutual respect with your employer, and that they would be supportive of your desire to pursue different professional interests.    However, I know that this is not always the case.

My advice would be to invite your manager to an off site meeting (where you can speak uninterrupted) and you can share your overall career intentions with them, and gauge their response and reaction.   At this meeting, I would not speak about specific opportunities, but your career in general.  You can also ask them for some advice and professional guidance.  (As a rule, managers typically like when you ask them for advice.  It is a sign of respect and courtesy.) 

In addition, I would also explain to your manager that your life has had some changes (in personal obligations - family, children) and you will most likely need to cut down on the traveling and uncertain schedule that traditionally accompanies consulting. In general, if you speak about family – two things work in your favor – no one can make a good argument that work is more important than family, and your manager may have a spouse/family at home and may be able to relate to your situation on a personal level.

After this meeting, you will understand if indeed “the odds are in your favor.” You will either leave with a good understanding of how your manager will react and how receptive they will be to your decision, or you will be able to tell that they believe your only option is to continue to work for them.

If they believe the latter, you have an issue.  You will have to keep your job search hidden and make sure that it does not get out that you are considering employment at one of your current customers.   On the other hand, if your manager is supportive, they may even help broker the relationship between you and your customer, in the hopes of gaining more consulting business and having an inside ally at the client, that could potentially help steer work to your former employer.

Best advice here is to try to get the best read possible before you decide to “throw your career on the crap table.”   You may figure out that when you are straightforward about your intentions, it is not necessary to gamble.

Hope this helps,

Lee and Mike



Career Opportunity: “Cloudy” About an Opportunity

Dear Mike and Lee:

I’m an ISO for a mid-size firm, stable and happy in my current job.  I hired on a couple years ago having spent most of my time in IT and security management in a different industry vertical.  I’m paid fairly for my skills/responsibilities.

Someone in my security network is recruiting me to join their new “cloud venture”, a new subsidiary of an established local growth IT firm for SMBs now branching out with new government contracts.  I’m NOT looking but this could be a neat opportunity for career growth and bigger $$$ … but definitely a lot less stable, should things not go well.  With a young family to consider … would you make the leap? What factors would push you one way or the other? Cloud computing seems to rule the discussions of the day and virtual security challenges are compelling problems to solve. I’m just wondering if this is the right whirlpool to jump into right now?  If I don’t will I likely regret it?

Signed,

“The Weatherman”

Dear “Weatherman”:

The best things that you stated in your questions are that you are currently happy in your role and your position is stable. In addition, you believe that you are fairly compensated.  Collectively, these elements provide an excellent foundation for evaluating additional opportunities, no matter what their form.

Here are some things that we would like to point out from the details that you provided, and the questions you should ask yourself:

1) Someone in my network is recruiting me: Who is this person in your network and how well do you know them? What is their vested interest in the situation? Why do they believe that the opportunity is beneficial to you (and your career), as opposed to why you are good for the “new company”? Are they qualified to have a meaningful opinion about the matter?

2) A new subsidiary of an established local IT firm for SMBs now branching out with government contracts: How is the firm treating this subsidiary – as a separate entity or as a new business unit? Is the established business able to support the new business if things do not go smoothly? If so, for how long? What does the firm know about doing business with the government? Has anyone on the executive team done business with the government? Why do they believe that they will be successful? Are you convinced?

3) I have a young family to consider and this would be a neat opportunity for career growth (We’ll get to the money later): What does your spouse think of the opportunity? Will you be required to work longer hours? Travel more? At this point in your life, can you afford a “neat opportunity”?

4) Bigger and better $$$:   What does bigger and better mean?  Will the $$$ change your life?  In what way?  How much more would you be able to save?  Are there any hidden costs (insurance, vacation, benefits)?

5) Focus on Cloud Computing:  Can you attain experience with cloud computing working in your current role?  What skills will you be able to develop in Cloud Computing?  Will these skills make a measurable impact in your career?  Are these new skills currently marketable inside your geography (location)?  Can you acquire this skill in a less risky way? 

6) General Questions:  Is this part of your career plan?  Do you have a career plan?  What is the greatest reason for accepting this role? For joining the company?  If the opportunity does not work out, how quickly could you find a role similar to the position you hold now (your ISO role)? 

As you can tell from the questions, there are many things to think about. When looking at the questions, think about the ones that are most important to you. Keep in mind that not all of the questions can be answered with a complete degree of certainty. When choosing a new opportunity, there is always going to be risk. It is part of the excitement. However, as information security professionals, we make our living managing risk and measuring the consequences.

As with all risk-based decisions, the level of reward has to equal or exceed the level of risk.

We are not going to tell you to accept the position or not (especially without all of the details).  This is your choice and a conclusion that you will need to personally determine.   

If you want to speak more in detail, please send an e-mail to us – and we can set up some time to speak.

Hope this helps,

Lee and Mike



Career Advice Tuesday – Recovering from a Slump

Dear Lee & Mike

I recently started a new job in a Security Operations Center and I’ve had a run of bad luck. Immediately after I started, I had a death in the family that kept me out of work. Because of that I missed a few of my first days (including orientation and training), and I’ve been feeling disoriented and confused for most of my first three months. And, on top of that, all the stress ended up with me getting sick.

I’m worried that I’ve dug myself a pretty deep hole with my colleagues and my management. I’m afraid that I’m not going to manage to be successful and I was wondering if you guys had any advice on getting out of this situation unscathed.

And if I do get fired what do I put on my resume? How do I explain it in the interviews I’m going to be going on?

Thanks,
If It Wasn’t for Bad Luck, I’d have No Luck at All

Dear Bad Luck,

Sometimes we all go through a slump. And, often, a slump is through no fault of our own – we get sick, people die, and things happen. Life sometimes takes away your focus, and work just takes a back seat. As a manager, Mike’s actually had a couple of employees go through this at different times – one of his team members a couple of years ago missed two full months of work, and getting back into the swing for that guy was extremely hard.

But it can be done.

The key to staying employed is what we talk about during our Career Incident Response series: a good employer judges on how much value you create. Regardless of the circumstances, it’s your job to figure out what value is for your employer and to create as much of it as possible. In the training classes, they would have spelled out what value is – you just have to figure it out for yourself now.

That’s how you get out of the quagmire that you’re in – you need to find a way to create value. The trick is that value isn’t what you think it is… it’s what your employer thinks it is. Some employers value attendance at meetings. Some value being in the building early. Some value that you spend your time doing a bunch of technical work. And some value that you send a lot of email.

Figure out what it is that your employer values and then provide that in spades and you’ll be back to an even keel in no time.

As for your other questions, let’s suppose that you do get fired. You have to put it on your resume, because you will be asked in interviews about what you have been doing during the time between your last job and your next interview. Since lying to a potential employer is bad, you’ll have to tell them about the job, which will make it look extra suspicious that you didn’t have it on the resume.

And, when asked, just tell the truth: that you had a run of bad luck and got behind, that it’s not like you, and that you’re not usually like that.

And, if it comes to that, let us know… we’re here to help.

Lee & Mike
