May 29, 2009
Many times over the past year, we have provided advice regarding developing a public brand and professional image by utilizing social media. Recently, I have been able to see this in action.
(Due to the level of confidentiality involved in the interview process, I cannot reveal the identity of my candidate, his blog, or his Twitter feed, but the following will serve as a summary of the events that took place.)
The candidate’s career had taken him on a journey where Information Security was not the original function of his employment, but through his own personal interests, accomplishments, and commitment, his position had evolved into the company’s only dedicated information security professional. In his current role, he is well respected by management and has been capable of effecting positive change in both the areas of technology and business process. However, information security had only become his full time job function for the past six years, and some recent changes in corporate direction had caused him to begin searching for a new opportunity.
My client is the Information Security leader for a company that has a sizable commitment to Information Security. Due to this level of commitment, he was searching to hire a Senior team member to assist in carrying out their Information Security initiatives. The key term here is Senior, and the definition as it applied to his team.
The client was pretty stern in the fact that Senior meant having a minimum of ten years dedicated to the Information Security profession. This was derived from his experiences in leading his organization and what he found to be effective in both hiring and retaining talent in his organization.
Remember – what I believe is not important in this situation. He is the customer, he is the Information Security leader, it is his team, and my job as a recruiter is to carry out his wishes and find the candidate best suitable for him. I have to trust that he knows his organization a lot better than I do, and his experiences hold the key to his success in team building. I also know that if we locate a candidate that meets his criteria, my candidate has a better chance of career satisfaction and longer term success.
Here is the problem – my candidate only was able to demonstrate 6 years of dedicated experience on his resume, and my client wanted a minimum of 10. When I spoke with my client, I urged him to reconsider his stance, and give my candidate credit for the other years of experience when Information Security was only a portion of his job function. In addition to that, the candidate had made us aware of some industry activities that he had participated in, conferences he attended, and his personal blog. He also let us know that he was a guest on a few security related podcasts. As part of our candidate presentation, we referred the client to these resources.
The next morning, we received a note from the client expressing how impressed he was with the candidate’s written communication skills, his thought processes, and the content contained on his blog and Twitter feed. He said that it was possible that his initial impression may have caused him to overlook a solid candidate, and asked us to coordinate an interview and initiate the interview process.
What I can tell you is that this is purely a case where it was not the resume that opened the door, it was his blogging and his demonstration of his knowledge in the public forum that provided him with the opportunity for consideration.
At this time, we are only at the beginning of the process and a lot is yet to be determined. I will let you know the results in a later blog entry.
May 26, 2009
Not sure if any of you are poker players, but there is an expression in the game that tells players not to “overplay their hand.” This is traditionally advising players not to think that their cards are better than they are, and cautioning them not to throw away money on this account. Generally, this is good advice, considering that no one wants to sit down at a poker game and lose money.
When it relates to your career, this concept comes in handy as well. Simply put, many Information Security professionals, when interviewing, approach the interview with the belief that their skills and experiences are more valuable than they actually are. This generally leads to looking for more compensation than their market value and searching for more responsibility than they have proven they can accept.
Well, why is this dangerous? Shouldn’t we all aim high? Aspire for greatness? Stretch ourselves to the limit? The answer to these questions is a resounding, “Yes!, Yes!, and Yes!!” However, it is also critical that you are able to honestly assess your skills and market value, so that you can make the correct career choices.
When you do not understand the “market value” of your skills, it greatly affects your attitude in the interview process. There is nothing wrong with being confident, but if you believe you are more valuable than you are, a dash of “cockiness” gets mixed in. With most interviewers, this can be a deal breaker. All employers are looking for Information Security “Rock Stars,” however they can all do without the “Rock Star attitude.”
In addition, overestimating your self worth can cause you to overlook opportunities that are better suited for your career development. Simply put, there are many roles and opportunities that will help you acquire skills that are important for your career, that may not give you more responsibility than you currently have. If you always believe that you are ready to move up the corporate ladder before you have developed the necessary experience, chances are you will not be as equipped as you should be, and your probability of failure will increase. You definitely do not want to have to explain a short duration of employment to your next employer.
Finally, it could cost you financially. There have been many occasions that people have called my office, stating that “I am underpaid for my skills”, but cannot articulate why they think so, except for the fact that they have “a friend” in another company that earns 20K more than them, and that they “do the same thing”. When you place in your mind that your skills are worth a certain amount, you often overlook good opportunities that could elevate your financial situation, but not as much as you have perceived. Last time that I checked, 5-10K more than you were previously earning, coupled with a better career opportunity, is superior to maintaining the status quo.
It is important to be confident in your skills and abilities, however unwarranted confidence can truly hinder your career development.
A full house is a great poker hand, unless of course your opponent is holding a royal flush!
May 23, 2009
I can’t tell you the number of people I have talked with lately who are either afraid of losing their job, are about to lose their job or already have lost their job. Lee and I talk about it almost daily – it’s a consistent flow of new people who are having their career plans “hacked” by some unexpected event.
Because it’s so constant, Lee and I decided to get on the phone a few times over the past couple of months and put together a guide to setting up your own “Career Incident Response” plan. The people who have planned for it and are prepared are the ones who land on their feet most easily.
Click here to sign up to start receiving the audio and the exercises that will walk you through setting up your plan, dealing with your career incident, and coming out the other side.
May 19, 2009
Recently, I have been working with a number of talented information security professionals that are currently in between positions. This recent change in their employment is caused more by external factors, mostly focused on the broader economic environment, than by their individual performance. These professionals find themselves in an unfamiliar position, and under a good amount of stress. From my perspective, the stress comes in two different categories, financial and personal.
The financial stress is quite easy to figure out. Severances are running out, savings are depleting, and responsibilities remain. The personal stress traditionally begins with a deflation of one’s self-esteem. People question their value, their role in their profession, and their overall usefulness. The idle time does not help.
The idle time is mostly spent worrying about the future. It illustrates how little control you currently have over your present situation. The silence and lack of feedback becomes deafening. You become consumed with questions/statements that include “Why have I not heard back from that company”, “Is my resume correct?”, “When is the right time to follow-up?”, “Am I being a pest?”, “Have they decided to go another direction?” etc.
When people start asking these questions to themselves, they begin to create a feeling of anxiety. When these feelings begin to creep up on you, many times it clouds your judgement, and produces a feeling of desperation. When you begin to have these feelings internally, it is almost impossible for them to not come out in conversations with prospective employers and during interviews. Many times, without realizing it, candidates will share some of their personal hardships during these discussions and it creates an uncomfortable mood. It also creates the feeling of desperation. This causes these potential employers to believe that you are searching for “any position” as opposed to “their position”.
So, how do you avoid “Wanting a Job Too Much?” Here are some things that you might want to consider:
1) Remember that you have talent, and know what that talent is. Talent is the key to any professional’s career. Chances are if you have built a career in the Information Security profession, you have built it on a foundation of skills. Knowing those skills, and how to apply them to the role that you are searching for is key.
2) Think back to the time when you were “over recruited.” You all remember those times when you were gainfully employed and you had multiple employment offers from competing companies. You remember how it felt to be wanted and to be in demand. That was a good feeling to have. Those people who came looking for you in the past, will come looking for you again. It just may take a little longer to find you. Carry that attitude into any interview situation. Exhibit confidence, without being “cocky”.
3) Take your mind off the job search. Regardless of how much stress that you are under at home or financially, you have to take your mind off that for a period of time each day. Use that time to do something that makes you happy or that you have neglected due to your work schedule. Maybe this will remind you why you do work, and give you more incentive to balance your career and your life. It might also provide you with some clarity as to what type of position that you are searching for.
The three items above are geared to help you more mentally than financially. However, if you take care of the mental aspects of a job search, you should find yourself with the ability to think clearly, be exposed to more opportunities and leave yourself with better options.
In closing, I think that everyone should look around what is happening to themselves or to their peers. This can happen to anyone. Plan accordingly. The better you plan, the less stress you will have.
May 13, 2009
I found this one on Twitter in HD Moore’s feed. It’s the transcript of a fantastic IRC conversation that serves to remind you: you never know who can affect your career.
May 13, 2009
Two Saturdays ago I went to my first baseball game at the new Yankee Stadium. We had purchased the tickets on StubHub, in February, and paid about 50% more than face value. We took the subway and arrived at the stadium at 11:30 for the 1:00PM game. As we got off the train, I saw the old stadium, and immediately it brought back a number of fond memories. It was there I saw my first baseball game in 1977 and witnessed Game 7 when the Red Sox broke “The Curse”.
I have to give credit, the new stadium is beautiful. The design captures many of the features of the old stadium (it really looks the same), but has all the amenities of a modern ballpark. The “sight lines” were great, all of the refreshment stands had calorie content (makes you think twice about ordering a chicken parm), and the bathrooms were clean.
As game time approached, the sun came out, and as 40,000 plus settled in their seats and rose for the National Anthem, one thing stood out. A majority of the best seats were empty. I am no genius but I believe that it has something to do with the ticket prices. That started me thinking – could you social engineer your way into sporting events and wind up with the best seats, without forking over the equivalent of a mortgage payment?
Hackers and pen testers have made their names by claiming the various trophies of the digital world, NASA, the White House, the NSA, but could the sports and entertainment venues be hacked?
Earlier this year I read an article by Rick Reilly, about a life-long Philadelphia Phillies fan, Lionel Rodia, who worked his way onto the field after the final out of the World Series, participated in the on field celebration and then worked his way into the Phillies clubhouse where he joined the Phillies in the champagne spraying ritual that comes with sports championships.
I thought that Reilly’s account of Lionel Rodia’s sports hack was a one shot deal. A perfect storm of activity. But could it be done consistently? What about a “Grand Slam” of Event Hacking?
To me the trophies would include the following:
Seats behind home plate at a Yankees vs. Red Sox playoff game (where you are in the TV shot)
50 yard line seats at the Super Bowl
Floor Seats at the Staples Center next to Jack Nicholson at LA Lakers Playoff Game
Front row tickets to a Springsteen Concert in the Meadowlands
I wonder if anyone from the Information Security/Hacker community had tried this, and what it would take to accomplish such a feat. I thought it would make a great reality show!
Or at least a great DefCon presentation!
May 12, 2009
The interview encompasses some of my thoughts around career management and career planning.
I welcome any questions or comments.
May 8, 2009
During the 1986 baseball season, the New York Mets were getting ready for the World Series. During the season, their four starting pitchers Dwight Gooden, Ron Darling, Sid Fernandez, and Bobby Ojeda were all pitching well. Since the World Series schedule (back then) only required three starting pitchers, a reporter stated to Mets manager Davey Johnson, “You have a dilemma on your hands, you have too many starting pitchers.” Johnson responded, “You are incorrect. A dilemma is when you do not have enough starting pitchers. I have a decision to make.”
In speaking with a candidate the other day, he told me that he had a dilemma on his hands, he had two job offers that he was considering, both were compelling and he did not know which one to choose. At that time, I remembered the Johnson quotation, and explained to him that he was fortunate to have two opportunities and he had to make a decision regarding his immediate future.
Due to the shortage and need for Information Security professionals, we, as an industry, have been fortunate enough to be faced with more “decisions” than “dilemmas.” When you are currently employed or engaged, you always have a decision. You can evaluate if the new opportunity is better suited for your career than your current one. In many cases, even when in transition, Information Security professionals could choose between a number of career choices, and had to make “decisions” regarding a variety of options and environments.
Today, the market is a bit different. Sure, there is still a shortage of talent and we are in better shape than most other professions, but I am surprised to see how many quality Information Security professionals have found themselves in “career dilemmas.” Many of these talented professionals, some whom I have known for over a decade, have traditionally been highly sought after and have impressive credentials. Unfortunately, many have not planned accordingly or developed “career contingency” plans.
The problem they are facing is that their qualifications and their salaries have put them in a place where their job searches are going to take a good bit of time. However their financial situations do not afford them the luxury of waiting out a lengthy job search process, and they need to find a steady paycheck. This is definitely a “dilemma.”
Here are three pieces of advice that I traditionally give to them:
1) Leverage your network to find contract work so that you can relieve yourself of immediate financial pressure.
2) Position your resume, so that you can demonstrate your most marketable skills that solve pressing information security issues.
3) If you are forced to find a full time job immediately, define the “lowest common denominator” for your career. By that I mean figure out the lowest level position and salary that you are willing to accept, as you try to find employment quickly.
There is no substitute for proper long term career planning, it is truly the only way to avoid a career “dilemma”. We never know what the future will bring.
May 6, 2009
Those that know me wouldn’t call me a “sports fan”. I don’t run around chasing the Sharks like Mediaphyter and I don’t play any of the major sports. I didn’t go to college in the US, so college basketball and football have no real pull for me.
But there’s one day of the year that I reserve to sit down on the couch and watch sports. It’s the day of the first few rounds of the NFL Draft.
I’m a total geek about it. I read all the stories. I watch all the pre-draft shows. I know who ran what 40-yard time at the combine. This year, I even followed Peter King on Twitter.
It’s because I’m a sucker for talent evaluation. I could care less about the result of any given football game over the course of the year (Super Bowl included). What I love about football is the idea that talent evaluation at this level determines success. I’m a total geek for what differentiates a successful organization (and person) from an unsuccessful one. It’s what has led me to study communication technologies, organizational design, and watch successful people incredibly closely over the years.
What is so amazing to me is that sports (and especially the draft) is one of the few places in the world that we get to observe the direct relationship between talent and success. A team like the Detroit Lions can be the absolute worst organization in the world in their space, and with proper talent acquisition (and management/leadership), they can change their path radically. (Note: I talked about the leadership/management opportunity here).
Posted by mmurray | Filed Under Personal | Comments Off
May 4, 2009
During the RSA conference I was invited to have dinner by a friend and industry colleague. The dinner was set up by representatives (sales people) from a large software company, which provides software and services to my friend’s company. I think that it is safe to say that the company does between 7 and 8 figures worth of annual business with this vendor, and my friend is a key advocate of the vendor.
From what I understood when receiving the e-mail invitation, my friend was given the liberty to invite industry colleagues and other potential “customers” to this dinner to forge relationships and potentially develop new business opportunities. I believed that I was added to the guest list for some broad perspective of the security market which would have been beneficial to all in attendance.
The dinner was initially to be attended by somewhere between 9 and 10 people, however for one reason or the other – jet lag, previous plans, not wanting to begin dinner at 9PM PST, the final number in attendance was 5. The final roster included me, my friend, his co-worker, and two representatives from the vendor.
The vendor chose a San Francisco favorite, Scoma’s, an Italian/Seafood restaurant located at Fisherman’s Wharf. After a round of drinks, we sat down at a table. It became very evident to me who the most senior member of the vendor team was, as he interacted with the waiter, received the wine list, and quickly accepted the role of “table captain.”
The conversation at the table was free and easy. We spoke about our families (even showed some pictures), sporting events, our college experiences, careers, the economy, and other topics. We did not even begin to discuss Information Security, their products, or anything relative to traditional business.
As this was going on, the “table captain” took the reins and began to order. He ordered appetizers for the table, an extra course of salad for himself, a main course, and selected the wine. As a guest, I followed his lead. Shared the appetizer, did not select a salad, chose a main course within five dollars of his choice, and had a beer instead of wine. As the meal came to a close, he ordered himself a dessert, coffee, and asked everyone if they ever had port wine – and ordered himself a glass. I passed on dessert and coffee – but took him up on the port wine. I am not really a wine drinker, but I was up for the experience – and at his encouragement, I thought I would take him up on his suggestion.
The conversation continued throughout the meal, and everyone became more relaxed during the time, and people were obviously comfortable. The one single person discussed his current dating dilemmas, one spoke about raising a special needs child, we even touched on the standard no-nos, religion and politics. But that was the level of comfort, it was really a great dinner, until…
The check came!
The table captain left the table at the end of the meal to seek out the waiter and to call a cab. In his absence the waiter appeared and handed me an itemized copy of the bill and stated “Everything else is taken care of. This is for you.”
I did not know how to react at first. There were many items going through my mind, but I chose to just stare in disbelief for the first couple of moments. My first inclination was to go to see the waiter, and pay for the entire check – just out of principle and make the “table captain” feel uncomfortable, my second thought was to just reach in my pocket, pay cash, and leave on my own, the third option was to refuse to pay, and create more discomfort. The remaining three other people, including the person who invited me, were obviously uncomfortable and this created a very awkward moment.
After the awkwardness subsided, I reached for my money but was interrupted by the other member of the vendor team. Obviously embarrassed, he reached to his wallet and paid on the corporate credit card. It was also obvious to me how embarrassed my friend who invited me was. He remarked to me after how impressed he was on how I handled the awkwardness of the situation.
As we waited for the cab, the “table captain” returned to a much different table. The subject of business took hold and I could tell from the reaction of the two “customers” they were not nearly as engaged as they would have been, if the “table captain” would have just paid the entire check. The actions of the “table captain” gave off the impression that he was only concerned with people who could make him money. Personally, I think this spoke loudly for his character and I believe that I would reconsider sending any additional business in his direction. But that is just me!
There are a number of things we can learn from this. First, if you are going to invite someone to dinner, the expectation is that it is your meeting and you are going to be responsible. Second, it is always a good idea at a business meeting to follow the lead of the “table captain”. Your ordering pattern should mimic theirs. Third, never take advantage of a good gesture. If everyone is ordering $20 items, do not order the 4lb lobster that costs $80 – that is just rude and says a great deal about your character. Also, think before you speak. Know which topics are fair game to discuss, and which ones are a bit taboo for the subject. Finally, never make anyone feel insignificant. In the situation above, if the waiter produced five separate checks, I would not have had any issue. However, singling me out made me feel like a second class citizen, even though throughout the dinner I was treated like an invited guest.
Just remember, people are judging and evaluating you in many different environments. You are always interviewing.