June 30, 2009
Hi Lee and Mike,
I am an Information Security professional with over 10 years of experience. I have heard about the TN-1 visa which allows for Canadians to work in the U.S. Can you put me in touch with recruiters in the U.S. who specialize in placing Canadians in U.S. companies and are familiar with the TN-1 visa process?
Looking to Expatriate
Hi Future Expat,
Mike here – I’m taking lead on this one, as this is a subject that is near and dear to my heart, being a Canadian and having been in the USA on nearly every visa classification allowable. Neither of us is a lawyer, and you should have legal counsel when dealing with these issues, but I’ll give the layman’s interpretation.
Let’s start with the basics. The US government has a non-immigrant visa program that allows US companies to hire workers that have skills that they can’t find in the USA. The goal of the program is to allow people who have qualifications that can’t be matched by an American citizen to come to the US and work in their chosen field.
There are two programs: the original, normal visa program, and the special programs available to Canadian and Mexican citizens under NAFTA. I’ll give an overview of each category that is relevant to the information security pro:
1. H-1B – This is the most popular visa for non-immigrant workers from any company. The H-1B requires that the company offers the job to a US citizen (usually through public postings in classified ads and the like), and that they pay the worker a “competitive wage”. The visa is valid for 3-year terms, renewable once – after six years, a visa holder either has to return to their original company or apply for immigrant (i.e. Green Card) status. Note that the H-1B is the only “transferable” visa – you can switch companies on an H-1B, unlike the other two visa categories I’ll mention.
2. L-1A – This is an “intracompany transfer” visa. If you work for a multi-national company, you can transfer from the foreign division of the company to the US version. Note that this visa is not transferable, so once you’re in the US, you can’t then change companies. However, this is a “dual-intent” visa like the H-1B – once in the US on an L-1A, you are able to apply for immigrant status.
3. TN – The TN is a visa category available to Canadian and Mexican citizens under NAFTA. It was originally a one-year renewable visa, but has been expanded to three years (to the utter relief of all TN visa holders). The visa isn’t transferable, so you have to apply for a new one each time you join a new company. This can be a pretty intense experience – I have had a border guard yell and taunt me for being “stupid” because my lawyer used the wrong job title in one paragraph of my letter.
Unlike the H-1B and L-1A, the application criteria for TN visas are very narrow – it is not enough to prove that the hiring company needs you, but that you fit in a particular “category” for the visa. The three that usually apply to information security professionals are:
- Software Systems Analyst – requires a 4-year degree in software engineering or computer science. The job category requires that you will work in direct support of a computer and software system. This is easiest to fit if your job is likely to involve application security or application penetration testing.
- Software Engineer – requires a 4-year degree in software engineering or computer science. Related experience may or may not be considered, but the job description needs to be tailored to show how the job is related to software engineering.
- Scientific Technologist – For those that don’t have a degree in computer science, the Scientific Technologist is the only option. Unfortunately, it’s an ugly category – it requires that the applicant will be working in direct support of a professional engineer and learning the disciplines of engineering. If your boss doesn’t have a formal degree in engineering, this one won’t work.
The TN is unlike the other two visas in that it is a “single intent” visa – you have to maintain proof that you intend to return to Canada at the conclusion of your visa. This usually involves having a permanent mailing address in Canada, a bank account, etc. While this may not seem like an issue, it’s worth noting – as someone who fell in love with an American, being on a TN would have kept us from getting married as it would have caused the TN to be invalid (we solved that by getting married while we worked in Canada for a couple of years, and getting the green card once we came back).
As far as recruiters, you don’t need one who specializes. Any recruiter who has been around for a while has dealt with the process for a candidate – I’ve had two different well-known infosec recruiters (Lee is one) deal with my TN process over the years. And most companies don’t care: in the 10 years I’ve been in the industry, I have had only a single company decide that they didn’t want to deal with the visa process, and that was because they had multiple qualified candidates. If you’re qualified for the job and you’re a great fit, the visa process is a very simple and relatively inexpensive one for the company to go through (< $10,000 total). Even if they’ve never done it, the lawyer you get will walk them through the process.
The real key will be to find a company that wants you aboard – the visa is going to be an after-thought in most situations.
Mike & Lee
June 26, 2009
Interviews are the gateway to opportunity. Whether it is for the purpose of employment, education, or social activities, interviews provide a framework for information exchange, skill validation, and ethics.
All job interviews have two different components: the employer and the candidate. The main reason employers begin interviewing is that they have an organizational need that they have to address. The main reason candidates decide to interview is that they believe they will gain some kind of benefit by joining the employer. Depending on the candidate’s particular motivation, this could include money, responsibility, skill development, career advancement, quality of life, or a number of other things.
Upon conclusion of the interview, there are four possible outcomes:
- Both the employer and candidate like each other.
- The employer likes the candidate, but the candidate does not like the employer.
- The candidate likes the employer, but the employer does not like the candidate.
- Both the candidate and employer do not like each other.
When both parties agree upon the outcome, the situation is comfortable. However, when the parties leave the meetings with different impressions, people’s feelings begin to get hurt. That is when things become difficult and generally mishandled.
After thirteen years of recruiting information security professionals, I have reached the conclusion that the recruitment process itself is very delicate. The outcome of the interview process can have a significant effect on the candidate’s career and the organization’s success. There is a good deal of pressure that can cause the process to become emotionally charged. It has become clear to me that many things have to go right during this process to ensure successful recruitment. It is possible that only one negative interaction can undo all of these positives.
It is a true shame when opportunity is lost because of process, rather than skill.
I am astounded by the general disconnect that comes from both sides of the interview process. Whether it originates from the candidate or the employer, I have been able to witness some of the most inconsiderate forms of human behavior in my role as a recruiter. I have seen far too many opportunities squandered due to poor communication, lack of professional courtesy, and the absence of common sense.
In response to this, I am going to begin to share some of my experiences from my time as a recruiter in this industry with both successful and unsuccessful recruitment processes. I believe that in taking some of the mystery away from the interview process itself, and sharing the different perspectives of both the employer and the candidate, we will be able to help people become more successful interviewers and team builders. I also hope that we can help create an environment where Information Security professionals can learn from their interview failures, communicate better during this process, and better prepare themselves for future interviews.
I promise a minimum of one blog entry a month under this title and on this subject. All of the entries will be anonymous and based on my collective experiences, not just one particular recruitment situation. If you have a personal story that you would like to share (as a candidate or an employer), questions to ask, or something you would like for me to comment on, please send them to www.infosecleaders.com/ask
June 23, 2009
Before getting into this week’s Career Advice Tuesday, we would like everyone to know that we will always respect the confidentiality of the person asking the questions. We want to make sure that everyone understands that these will remain anonymous. We try to come up with some clever nick-names to reflect the content of the question and potentially the answer. Keep the questions coming.
I am nearing my annual compensation review and I have recently found out that both members of the engineering team that I manage are earning about 10% more than me. I am trying to think of a way to address this with my management during my review. I always thought that being a manager would equate to more pay. What am I missing?
I hate to be the bearer of bad news, but your compensation and value as a manager should be evaluated completely independent of your engineering team. Engineering and management are two different skills, and should be ultimately judged by different criteria.
It is true that in most organizations managers are paid more than the staff, but that is not an absolute. Employers will place different values on different skill sets depending on their importance and availability. My guess would be that you work in a smaller company and your engineers are highly talented. It is most likely that their engineering skills may be more critical to the company’s success than the skills that you bring as a manager. (This may not be your opinion, but the opinion of executive leadership.)
In our opinion, it would be a big career mistake to compare yourself to the engineers on your staff within a review.
You are a manager and a leader – now is the time to act like one!
A week prior to the review, I would submit a document that clearly communicates your most significant accomplishments as a manager of your team over the past year to the person responsible for your review. I would try to demonstrate to your superiors that the team would not be as productive without your guidance and direction. I would equate these personal victories to larger business successes that had a measurable impact on the company.
Hopefully, your communication skills are effective and your management will recognize your value and contributions to the company. If you are able to provide solid documentation of your performance, there is a good chance that they will give greater thought to how you are compensated. This should result in a better than expected increase and more recognition of your success as a manager.
Many times we overlook the impact of the written word and the strength of documenting performance and accomplishments. When you “put it down on paper”, you always provide a more indelible impression.
Let us know how it turns out.
Lee and Mike
June 19, 2009
Timely to my last post about remembering the basics, Jack Daniel’s recent post talks about the basics for when you’re hiring someone. I thought his post was right on, but there’s something I need to say:
You can’t expect a company to do all of these things.
This especially applies to the largest (generally, the most bureaucratic) and smallest (generally, the busiest) companies. You can hope that they do. You can like it when they do and be happy about it.
But expecting it is a way to ensure that you’re frustrated and disappointed in your job search.
I’m the first one to tell a company that is hiring that they need to do all of the things that Jack talked about. But, especially in a short-term search (for a definition of that, listen to the Career Incident Audio Series), you’re not going to have a personal relationship with the company, and you need to prepare yourself for them not to have a personal relationship with you.
Posted by mmurray
June 18, 2009
Wanted to share a personal experience that has a great deal to do with the concept of “personal branding,” but has nothing to do with Information Security.
Here is some back-story. In December 2007, we bought a fifteen year old home. The previous home owner had neglected most of the maintenance for the past year. One item included in the sale was a 12 year old “hot tub” that is embedded into an outdoor deck. Needless to say, when we first attempted to turn on the hot tub, it did not work. I called the local spa company and they agreed to send a repairman.
It is now about 2 hours past the time that he was supposed to arrive, and a truck comes into my driveway. Out steps a sixty year old man named Jerry. It was clear from the greeting that he gave me that arriving two hours late did not bother Jerry. He offered no apologies for his tardiness as we walked to the backyard. As we walked, I looked at Jerry’s wrist; as I expected, he did not wear a watch.
Soon after arriving at the hot tub, it did not take long for Jerry to convince me that he was the right man for the job!
He quickly deduced the exact model of the hot tub and told me about the manufacturer’s history of product development. He then told me that when my model came out, he regularly spoke with the lead engineer at corporate, who helped him troubleshoot and resolve specific issues with the hot tubs. Jerry even told me that he diagnosed some problems that they were unaware of, and that corporate often called him and asked him for advice.
It was no time before Jerry had his “a ha” moment. With the combination of a little elbow grease, the reattachment of some wires, and a wave of his magic electrical wand – the tub was working again.
I offered Jerry a cold drink and he happily accepted. I told him how impressed I was with his knowledge and efficiency. He gave me some history regarding his personal background. He was a licensed electrician, who became involved fixing hot tubs by accident. He told me that he liked the work because, as he stated, “there are no real emergencies that involve a hot tub.” It was clear to me that Jerry earned a living to satisfy his lifestyle. He liked making his own hours. He was not interested in promotions or additional responsibility. He enjoyed his work.
Jerry was not going to be managed by anyone, and he did not want the headaches of running his own business. He took tremendous pride in his work product and his ability to solve the customer’s problem. You could tell he liked to be needed, and have people depend on him. He had no worries regarding his future, he knew that there would always be hot tubs to fix.
All of these items defined Jerry’s personal brand. The characteristics that comprised his skill set included deep knowledge and expertise, a commitment to customer service, and professional pride. If Jerry was also punctual, he would clearly have his place in the “Hall of Fame.”
Recently, we had another hot tub issue. I called the store, and asked for Jerry, and only Jerry. They told me that it would take a week longer and that Jerry would be by on Sunday morning. I said, “No problem.”
His car pulled up this Sunday at 3:00PM in the afternoon.
Just as I expected.
June 16, 2009
There are a lot of questions out there about career stuff. Lee and I get them often, and it’s amazing the overlap. So, we got talking that we’d start answering the questions online. And that we’d start taking the questions online.
Without further ado, this is the first post in our new series that we’re calling “Career Advice Tuesday”.
Mike & Lee,
I’ve got a unique challenge. I’m currently working for a large security company in a very visible position, and I’ve done a great job (if I do say so myself).
Here’s the problem: my boss is stagnating my career. He blocks my initiatives, he won’t promote me to senior management, and he takes credit for anything that I do. He does everything he can to undermine me to others in the company and is generally hurting my growth and career advancement.
I’m also suffering from a bit of the “Golden Handcuff” syndrome, as my current compensation is about 20% higher than I have managed to find in any of the other offers I’ve had.
What should I do? How do I get out of this one?
Stuck in Silicon Valley
Nothing like starting Career Advice Tuesday with a genuinely tough question. Being at a company with an unsupportive boss during a recession while you’re being paid more than market rate is certainly one of the most difficult situations that you can find yourself in.
That said, there is reason for hope. As you said, you’re doing a great job and have been spending the time building your personal brand (we assume, since you said “very visible”). That is going to work for you in the long-run.
And, in this situation, that’s what you should focus on. This is a good time to work on your career rather than in your career. Now is the time to learn some new skills, work on your personal brand, and do everything that you can to prepare yourself for the next opportunity. Because you want to be ready when that next opportunity arises.
This is also an opportunity to learn how to deal with the kind of boss that we all will have at some point in our career. Your boss clearly sees you as a threat, and it’s your job to help him to understand that your success will make him more successful as well. It’s not an easy thing to do, but it is definitely worth the effort – if you can pull it off, you have an ally for life.
We know that this is a tough spot, but there are always opportunities in adversity.
Mike & Lee
June 15, 2009
I recently wrote a post that referenced a post over at PR Squared entitled “First, Be Flawless”.
The author got it right on with this line:
“First of all, those clever notes seem to contain more than their fair share of typos. If I see a typo on a resume or cover letter, I immediately discard it. I don’t care about your qualifications if you send me a letter with typos in it.”
On this point, I’m in 100% agreement – it is not that hard to ensure that you proof-read your resume. It’s also not that hard to ensure that Word has grammar-checking turned on, and that any egregious grammatical errors are dealt with.
There’s a branch of economics known as Signal theory that deals with information flow. Signal theory is concerned with how information implies other information. As a (trite) example, the guy who drives an expensive car may be trying to convey information to the people around him about his social status, his job, etc.
In the case of the typo on a resume or a cover letter, it serves as a very effective signal to a potential employer. The information conveyed is: “this didn’t matter enough to me to put in the effort to run spell check”.
That is not the signal you ever want to send. So, get the basics down. Make sure that the structure of your resume is consistent, and that everything is spelled correctly and in appropriate English sentences. Have at least one person proof-read your resume (and if you can’t find anyone, send it to me and I’ll proof-read it just to save the hiring manager the pain). And always, always, always make sure that you spell the hiring manager’s name right.
This stuff is simple, but if more people did it, I wouldn’t have to say it.
June 11, 2009
I read a blog post by Meridith Levinson, on CSO Online, in response to the recent ISC2 survey which stated that 80% of hiring managers who are looking to fill IT security positions are having a hard time filling these openings. The report cited the following reasons for this situation – wrong skills, not enough qualified people in the local area, and security professionals are commanding too much money.
It appears that Meridith was quite frustrated with the results of the survey. She titled her post with the dreaded “WTF” which I know is not an abbreviation for “Well, That Figures.”
So, how could this be? Are the reasons valid? Can this be possible when so many talented information security professionals are looking for work?
If you are listening Meridith, I hope this helps to explain these findings and alleviate some of your fury:
1) There is a Big Difference Between Shopping and Buying.
Information Security Managers are short-staffed in general, and are always looking for talent to address the work load. However, looking for people and actually being able to hire them are two entirely different actions. Corporations are dealing with many more pressing business needs in this climate, and hiring full time employees (Information Security professionals or others) is down on their list. Currently, hiring decisions are being scrutinized at every organizational level and business function.
The desire to hire is not in doubt. The ability to hire definitely has some resistance.
2) Job Opening – Information Security Superhero
Employers are looking for Information Security Superheroes, when in many cases what they are able to afford is a one trick pony (especially one that can perform a really cool trick). Often employers receive permission to add a single headcount. When this happens, they often try to cram all of the possible skill sets that they are searching for into one singular position.
Throughout my time as a recruiter, I have seen many job descriptions that require skill matrices that rarely exist in the real world. Due to the rarity of the skill combos, the candidate is able to command a higher salary. This salary is often outside the compensation range that HR has allocated for the role.
Remember, just like in the comics, Superheroes do not ever have to look for work, work finds them.
3) Employers Are Not Searching Correctly
Information Security leaders are only part time recruiters and often cannot dedicate the necessary time to the talent acquisition process. They often rely on other resources to help locate the right candidates for their open positions. Due to the complex skills that these roles require, your recruiters need to be educated to properly filter candidates best suited for the roles. Many times, qualified candidates are overlooked for consideration during the early stages of the process. The more detailed the position, the more elaborate the search process needs to be. Whether employers are utilizing their shared internal recruitment resources or external search partners, this level of education is generally lacking.
4) The “Right” Candidates are Happy with their Current Position.
This would make sense. Many talented information security professionals are gainfully employed and well thought of by their current employer. In these economic conditions, many Information Security professionals are not keen on jeopardizing the “security” of their current role for the potential opportunity that exists with another employer.
5) We are Information Security Professionals not Professional Resume Writers
First, we are generally guilty of producing generic resumes that are not geared to specific positions that we are applying for. (See Mike’s last post). Second, many people in the recruitment process only consider the resume, and never pick up the phone to discuss the candidate’s skill and the position requirements. Since they are currently inundated with so many resumes, it is near impossible for them to go into this level of depth. This fault is shared by both the candidates and the hiring entities.
6) Too Many Pre-Existing Notions About Candidates’ Individual Circumstances
We are always making judgments of others, especially in the hiring process. As security professionals we are skeptical by nature (it is why we are well suited for our profession). Throughout our careers, we have been preconditioned to think certain things when we learn about a candidate’s employment history. Here are a few that should sound familiar – “Overqualified,” “Short Term Job Durations,” “Big Company Person,” “A Consultant not an Operator,” and “If they are so good, why are they out of work.” When we think these things, we immediately create doubt in our mind about the person’s ability to be a valued employee. Sometimes these prejudices prohibit hiring managers from considering suitable applicants.
7) Employers Have a Right To Be Picky
Why shouldn’t they be? Don’t they have this right? Team building is one of the characteristics used to judge their effectiveness as an Information Security leader. When you create an information security culture, it is critical that a high level of scrutiny is used in all of your hiring decisions. If you relax these standards, for even one hire, it could have a negative impact on your existing team and the function as a whole.
Hiring managers also understand that there is a consequence for being too selective. If the hiring process takes too long, it will sometimes be determined that the position is not necessary, and the job opening will be eliminated. In that case, there are no winners.
I do believe that all of the items that ISC2 cited in their survey are valid and accurate. I have a great respect for the organization and the professionals that hold their certifications. As the report referenced, there is still a demand for Information Security professionals, who have a high level of skill and contribute fair value for their compensation.
If you listen closely, you will hear what the industry is telling us.
Keep investing in your career, keep current with your skills, develop new ones, and demonstrate your value.
It should be comforting to know that 80% of the hiring managers are looking for someone just like you!
June 10, 2009
While on Twitter the other day, I came across a link to some career advice over on PR-Squared. The author writes a post deriding the declining quality of cover letters he sees and what he’d like to see in the letters he gets:
“Y’know what’s been interesting? With the rise of Social Media, I’ve noticed subtle changes to the tone and quality of the cover letters that come over the transom.
We still get plenty of highly formal letters on heavy stock paper. But we also get informal cover letters that seek to echo the tenor and tone of a casual blog post.
Here’s my message to those folksy writers: that’s probably not gonna work out so well.”
Of course, the author is completely right: if you are applying for a job to his company, you now know precisely how to write a cover letter to him. This is part of what Lee and I would call the “social engineering” part of the job search – you now know precisely what this company is looking for in terms of cover letters. And if you don’t follow the instructions, you deserve to get tossed out.
And that’s precisely what I want to point out – other organizations may look at those formally written cover letters as an anachronism. They may want their communications with their clients to contain personality. (Note – I’m entirely in agreement with other parts of the post, which I’ll talk about in a future entry).
The most important thing that you can do when writing to a potential employer is to be precisely what that employer wants. I can show a great example with the job ad that I recently wrote for Foreground. It’s pretty clear what I’m looking for when I say this at the bottom of the ad:
“Do you think you have what it takes? Then we want to hear from you. Email us at firstname.lastname@example.org – send us your resume, and tell us why you’re our ideal candidate.
Note: In case it isn’t clear, we’re not a cookie-cutter consulting firm. As such, don’t send us a cookie-cutter resume/cover letter – make it clear why you’re different and fit our company and what we’re looking to do.”
Of course, less than 10% of the resumes we received were tailored in that way. We get stock cover letters. We get no cover letters. Anything other than that 10% gets tossed out because if the consultant can’t read the instructions, I doubt that they’re going to be good at meeting customer needs. (Aside: now I have told you how to get a job with me)
The point is simple: if a company is looking for something, give it to them. In order to do that, look for any information advantage you can find about what it is they’re looking for.
June 8, 2009
It turns out that I will not be heading to Omaha this week. My ECU Pirates were dominated by North Carolina this week, losing two games by the lopsided scores of 10-1 and 9-3. Great pitching will always beat great hitting, and this weekend was no exception.
Congratulations to the ECU Pirates on a wonderful season. There is always next year!