July 29, 2009
We are excited about our upcoming 3-hour presentation/training class at DefCon on Thursday, July 30th at 1:00PM. We are thrilled to have been invited back to the DefCon stage and are always energized by the audience. This is the first time that we have been given the opportunity to deliver this specific content in this format.
The presentation takes an interactive approach to assisting Information Security professionals in the planning, management, and development of their careers. We have designed specific career planning exercises that will enable attendees to leave the session with better guidelines for creating and executing their personal career plans.
As always, we will make ourselves available for individual career related questions following our presentation.
Lee and Mike
July 28, 2009
Dear Mike and Lee:
If given the opportunity to create your own job and job description within the organization where you work, what would be the first three questions you ask your employer?
Signed, What If?
Before we get started, I would like to congratulate you (“What If”) on being selected as our DefCon Pass winner. We will contact you via e-mail and meet up with you at the conference.
We were asked a number of excellent questions that will be featured on upcoming Career Advice Tuesdays; unfortunately, there could only be one winner. We would like to thank everyone who participated. Please keep the questions coming.
Dear What If?:
In some ways I do believe that we all have the ability to create our own job descriptions and shape our opportunities (and future) with our current employer. I believe that employers, in general, are searching for Information Security professionals who have the ability to go past what is expected of them and beyond their job descriptions.
Here are the questions I would ask:
Question #1: What is the most important Information Security problem facing our business?
In any position, it is always best to be placed in a role that can have an impact on the company’s core business. As a rule, the closer your job aligns with the primary business, the more visibility and impact you are able to have. If you can identify the most pressing business problem and have an impact on its solution, you will most likely be given additional opportunities for advancement and career development.
Question #2: With whom will this position interact, and who will benefit from my work?
Your relationships with your co-workers and superiors will have a great effect on your future within the company. The ability to build key relationships with people who can influence your career is of great importance. A position that enables you to gain exposure to key leaders outside of the Information Security function will help you develop a strong personal brand.
If I could, I would identify two groups of people to interact with: “The Powerful” and “The Diverse”. “The Powerful” because they can make things happen for your career with the greatest of ease. Interacting with “The Diverse” would expose you to more aspects of the business and the company. The more business functions you can positively impact, the more wide-ranging the support you will create for yourself. Building consensus is critical to getting things done (especially in larger companies). As you accomplish more, you build more skills. The more skills you develop, the more qualified you will become.
Question #3: Will I be able to change my job description if the situation warrants it?
It is important that your position provides you with the ability to change with the Information Security needs and the needs of the business. In our industry, if you are not able to stay on top of current trends and developments, you eventually become irrelevant. Having flexibility in your job description will allow you to gravitate to new opportunities while continuing to perform your original job.
It would be nice if we could create and change our job descriptions whenever we felt it necessary. Unfortunately, corporate human resources and management generally do not afford employees that flexibility. It is critical that you seek out ways to expand your current responsibilities in a direction that coincides with your career development. If you are able to pull this off successfully, maybe a new job description will be built around your interests. If that is the case, you will be the ideal candidate!
Hope this helps,
Lee and Mike
July 24, 2009
Lee and I had a great chat with Kelly from Dark Reading yesterday about the results of the survey that we released at last year’s Defcon talk. Kelly put up a great story about one of the results, called One In Two Security Pros Unhappy In Their Jobs. From the article:
“Kushner and Murray say they were surprised by security’s high number of unhappy campers — 52 percent of the around 900 security pros who participated in the survey are less than satisfied with their current jobs. Only 27 percent said they are satisfied, and about 21 percent said they are more than content, according to the survey. “People in security are generally passionate about what they do,” Murray says. “You’d think in a progressive industry that [it wouldn't be the case] that one out of two are not happy…that shocked me.”
Shocked doesn’t begin to describe how I felt about this result:
These numbers show that an overwhelming majority of the people reading this blog are less than totally jazzed and excited about what they’re doing on a daily basis. In fact, only 6.2% of you are “extremely satisfied” (and removing the entrepreneurs from the survey, that number drops a full point to 5.2%).
The first question I ask people when I’m coaching them or working with them on their career is simple: “What do you want to do?” If you’re going to spend more than 1/3 of your hours every week doing something, I can’t believe that you’d want to be one of the more than 50% who are less than satisfied.
Not to mention that I’ve always been a believer in the idea of “do what you love and the money will follow”. The survey definitely backs that up: of the 6.2% who are “extremely satisfied” with their position, a whopping 56% have an annual salary greater than $120K. Only 26% of the survey as a whole are making that much. (Note: the cynical among you may suggest that they’re satisfied because they’re so well compensated, but studies have repeatedly found that money isn’t a good long-term predictor of job satisfaction.)
July 21, 2009
Dear Lee and Mike:
The ongoing hardships caused by this lovely economy have now really started to impact our company culture. Things are now quite strained. We’re not getting any raises, no empty positions are being filled, everyone’s doing extra work, training budget has been killed off. In short, it’s getting fairly grim.
In spite of it all, I’d honestly like to stay at this job. I strongly believe in our mission, and I’m friends with most of the coworkers, but things are souring… what can I do to re-sweeten things? Or am I simply holding onto past glories?
Let me start by saying that you are not alone. Many of your peers are experiencing some of the same things due to economic issues. The loss of corporate revenue has negatively impacted training budgets, technology advancements, raises, and bonuses across the board. Unfortunately, as professionals we have grown a bit accustomed to the perks attached to our positions. When employers begin to tighten the purse strings and we are asked to share in the burden, it becomes a bit uncomfortable.
From what you have described, it appears that you have a couple of good things going for you:
1) Although you are currently experiencing some short-term discomfort, it appears that your company has a track record of “doing the right thing” by making solid investments in the Information Security program and the staff.
2) It also appears that some of the core values that relate to your situation remain intact. You believe in what the company is doing, you have solid peer relationships, and my guess is that you are well thought of, and your opinions are well respected. All of these things are positive.
My advice to you (and your peers) is to give your current employer the benefit of the doubt, in the near term, and utilize this as an opportunity to attempt to creatively solve your problems and build your personal brand.
Here are a couple of examples:
When a department is understaffed and is not adding new personnel, there is usually an opportunity to take on work that is outside of your traditional comfort zone. Try to volunteer for some of this newer work so that you can develop a new skill or perfect an existing one. If you can use this opportunity to build more skills, your future value and marketability will increase, whether you choose to remain at your current employer or move on.
Regarding training, I believe this is when you need to use your creativity to continue receiving training, but at a lower cost. This is the time to get together with your team, figure out some solutions, and present them together to management. Remember, there is always strength in numbers, and you may achieve a greater impact if you address this with your manager in a collective fashion.
Here are some suggestions that may provide lower-cost options for training:
1) Build an Info Sec Library – Ask your employer if they will reimburse the purchase of information security related books that can be kept as a corporate reference library.
2) Volume Discounts – Call up some of the traditional training programs and conferences and ask for volume discounts. These folks are in business too, and they may be flexible. They are facing some of the same economic issues.
3) Invite Guest Speakers – Many people in Information Security like to share their knowledge. Create a guest speaker program where you bring in an external speaker once a month (you may have to cover some travel and meal expenses) to address a specific topic.
Unfortunately, I do not have any solutions for bonuses or raises. If money is the main motivator, you may be forced to begin looking for a new role.
In closing, I believe that you will benefit from exhibiting a little bit of patience with your current employer. However, if things do not change in three to six months and you are still having the same feelings, you may have to begin looking elsewhere.
Hope this helps.
Lee and Mike
July 16, 2009
Last week, I posted some guidelines about selecting a recruiter, and I wanted to add to that post. I have recently spoken with a number of Information Security leaders who told me that a recruiter had approached them about an opportunity but would not reveal the name of the employer.
There is no excuse for a reputable recruiter to operate in this manner. I would challenge anyone to come up with a reason that this practice would be beneficial to you as a candidate for an Information Security opportunity.
My advice would be to steer clear of any recruiter or recruitment firm that uses these practices.
Here are my reasons:
1) Trust – The recruiter/candidate relationship is based on trust and professionalism. If a recruiter cannot even reveal the name of their client, it simply means that they do not trust you with this information. What they are really saying is, “If I tell you who my client is, you may send them your resume yourself and cut me out of the picture.”
Conversely, you are supposed to trust them with your career.
Something here just is not right.
2) Authorization – The recruiter might not even have a working agreement with the client or be authorized to present candidates. Since many jobs are posted on the internet, recruiters have access to these job descriptions and search for profiles that appear to fit. It is a common practice for recruitment firms to “market candidates” in the hope of gaining a formal recruitment agreement with a new client. As the owner of a business, I do not begrudge anyone for trying to build new client relationships; however, as an information security professional I would prefer that my career not be a guinea pig for someone else’s business development experiment.
3) Control – If your recruiter does not reveal who their client is, you have basically given them permission to send your resume anywhere they deem fit. By allowing someone to “wallpaper” the world with your resume, you will most likely waste significant time interviewing for opportunities that could benefit the recruiter but have no benefit to you. Surrendering control over the distribution of your resume could lead to ……
4) Exposure – When anyone is more interested in quantity, as opposed to quality, details sometimes get overlooked. In this case, the details may include having your resume sent to your current employer (unfortunately, I am not making this up) or to people with big mouths (who will notify your current employer).
Use your imagination to consider all of the potential consequences of this.
5) First Impression – If more than one recruitment firm submits your resume for a particular opportunity, it makes you look disorganized in the eyes of the prospective employer. Your recruitment process is the first window into how you operate and communicate. Failure to properly manage this process is not the first impression you want to make on a new employer.
When speaking with a recruiter, you need to demand transparency to ensure that you understand which company you are applying to and where your resume is being sent. You should also make clear to your recruiter that your resume should not be sent to any third party without your knowledge and consent.
Your career is important; make sure that you use good judgment in deciding whom you trust it to.
July 14, 2009
It must be the end of the school year – Lee and I have been inundated with questions about starting out in the infosec field. (Aside: have you sent in a question yet? You could win admission to Defcon.) And I must say, we’re actually pretty excited to see all of these future information security leaders out there chomping at the bit to get into the industry.
I wanted to answer a question from one of those future leaders this morning:
“I recently graduated college with a bachelors in Computer Science. I have very little InfoSec experience (Attended a couple cons, read several blogs etc., but nothing real), but I’m interested in the field. Should I go for some training, or try for an entry level job right away?”
I’m going to answer this as simply as possible: there is absolutely no substitute for experience, especially early in your career. You are far better off going out and getting a job that lets you put your hands on technology every day for the purpose of helping a real organization than doing another training class or certification. Not that there’s anything wrong with certification, but you need real-world experience early in your career.
This brings up another dilemma: it is sometimes hard to break into the field in this economy. To that end, feel free to broaden your scope. Not all of the jobs in your career need to have “security” in the title. In my career, I have worked as a programmer for a while and as a system administrator for a couple of years. That experience in my background gave me insight into the problems that our IT users and coders face, and made me a far more well-rounded security professional than I might have been if my first job had been in a security operations center and every job after had “security” in the title.
What is most important in the first part of your career is to acquire as much diverse experience as possible. I have always believed that the first five years of your information security career should involve learning as much as possible about as many parts of the field as you can: penetration testing, architecture, policy writing, technical operations, incident response, etc. And if you have to (or want to): coding, system administration, database administration, project management and other IT disciplines.
In short: while training is great, nothing beats hands-on experience.
July 9, 2009
Yes, I said free.
Lee and I recently announced our Career Advice Tuesday series and the ability for us to take questions online. We’ve had some good questions, but we really want to hear what’s going on and what questions people have out there.
And, since we’re going to be speaking at Defcon, we figured we would incent everyone to ask good questions by offering to give away a free pass.
So, here’s how it works. Ask us a question. We will award the best question asked between now and July 29 a free pass to Defcon.
Have questions? Ask.
July 9, 2009
Have to say that we are quite excited about our appearance on PaulDotCom this evening beginning at 7:00PM EDT.
The topics that we will be discussing will be:
1) Breaking In To The Security Profession – We have received many questions from Future Information Security Leaders about how to go about getting their first security role and making information security a larger part of their current responsibilities. We will answer these questions and provide guidance on “what to do” and more importantly “what not to do” to help land your first role.
2) Hitting the technical glass ceiling – Many information security professionals have selected a career path where they would like to remain focused on delivering technical information security solutions. Unfortunately, many organizations cap pay and career growth for these individuals. We will talk about the reality of this situation, how to build additional skills that will complement a technical career path, and how to recognize which organizations are best suited for you.
3) Career Incident Response - Information Security professionals are not immune to the effects of the economy and unfortunately many have fallen victim to a “career incident.” We will provide an overview of our Career Incident Response Podcast Series, and provide an overview of how to best deal with a “Career Incident.”
4) We will also be previewing our 1/2 day DefCon presentation/seminar – “Effective Information Security Career Planning”
Hope that you tune in.
Lee and Mike
July 7, 2009
Hi Lee and Mike:
I am beginning to search for new employment and have not had much luck using job sites like Monster and Dice. I believe that I am at a point in my career where working with a professional recruiter would benefit me. What qualities should I screen for in making my selection?
Looking for Representation
Dear “Looking for Representation”:
I believe that you have to be very careful about whom you trust with your career. Therefore, you should put a great deal of effort into selecting the best recruiter to assist you in your search for a new opportunity. Below are what I believe are some of the most important criteria:
1) Responsiveness – This one is simple: if you call them, they should answer. Please do not confuse calling with e-mail; since the best recruiters are inundated with requests for assistance, e-mail sometimes gets overlooked. However, if you reach out to speak with a recruiter, they should be able to call you back within a reasonable time.
If you are looking for guidelines, anywhere between one and three business days should be acceptable parameters. If a recruiter regularly takes more than a week to get back to you, it is time to find another recruiter.
2) Candor – When you are dealing with your career, you have to be willing and able to have unfiltered conversations, where both sides can speak frankly with each other and not worry about hurting the other side’s feelings. A good recruiter will ask you difficult questions regarding your intentions, and you will have to give those questions real thought in answering them. On the other hand, the recruiter cannot be afraid to express their opinions to you regarding your experience and qualifications, even if they are unpopular and not what you want to hear.
3) Industry Awareness - You have dedicated your career to the field of Information Security. You should expect the same level of commitment from a recruiter who you are looking to for assistance in your job search. A recruiter with Information Security industry knowledge will be able to provide you with greater insight regarding specific career opportunities and their potential to help you accomplish your career goals. They should also be able to provide you with a proper compensation assessment, so that you can understand if your skills are being correctly valued.
4) Knowledge - It is important that the recruiter that you are working with understands your skill sets and how they relate to specific openings. Since information security is comprised of many specialties, it is key for the recruiter to be able to correctly identify opportunities that align with your skills. This understanding should aid them in assisting you in identifying opportunities that enhance your career development and fit your long term career plan.
5) Access Through Relationships - One key component to all good recruiters is their access to opportunities. A good recruiter will have trusted client relationships that can be leveraged to help bypass the traditional gatekeepers and streamline the interview process. Usually, more experienced recruiters will have deeper relationships with their clients.
In my opinion, the number one reason that recruitment processes deteriorate is the recruitment process itself. Opening the door to an opportunity is only the beginning; a good recruiter will be able to drive continued interaction and feedback throughout the interview process because of their client relationships. Thanks to those trusted client relationships, a good recruiter will be able to help prepare you for the interview, provide you with background on the interviewers, and navigate the offer process and employment transition.
As a rule, if a recruiter is nothing more than a resume router and does not add value, you may be better served by representing yourself.
6) A Relationship Builder, Not a Transaction Processor – What this means is that you want a recruiter who is in it for the long haul, not the quick buck. You want to make sure that they are willing to invest their time in building a relationship with you for the length of your career, not just at the time of a transaction (job search). It is true that recruiters earn their fees at the time of placement; however, you should have enough foresight to select a recruiter who will take an interest in your career and candidacy when there is no transaction pending. This could be something as simple as returning a phone call, providing career guidance, or helping you evaluate an opportunity (even if they are not representing you on it).
In closing, one of the nice things about selecting a recruiter is that you are not obligated to select only one. I often counsel my candidates that they should explore all avenues to locate the best position for their career. However, if you identify multiple recruiters that fit these requirements, it is imperative that you keep each of them informed of all of your recruitment activities, so that they are aware and do not get blindsided by developments in your recruitment process.
In addition, you should not judge a recruiter by their ability to find you a position, but their ability to understand which opportunities are best suited for you. Sometimes the best thing a recruiter can tell you is that they do not have current opportunities that fit your parameters.
Beware of recruiters that operate under the premise that “any job, is a good job.” You want to avoid becoming the proverbial “round peg” that is being shoved into the “square hole.”
Also remember, good recruiters have high expectations of their candidates, and will be holding you to similar standards throughout the duration of your relationship.
July 6, 2009
I attended the Gartner Conference on Monday and I sat in on a panel called “The CISO’s Skill Set.” The panel was headed by Ray Wagner of Gartner, and the panelists included David Foote (Foote Partners), Alan Paller (SANS), and Joyce Brocaglia (Alta Associates).
As the panel went on, the discussion headed in the direction of what skills would comprise the CISO of the future. Almost on cue, the panel unanimously agreed that the CISO needed to have a good blend of technology, business, and people skills. They also stated that the future CISO would be a great communicator, consensus builder, and a change agent.
In response to this, Ms. Brocaglia stated that the latter interpersonal qualities, which are necessary to be successful in the role, will most likely be found in women.
Whoa! That was heavy. This statement should have sent shockwaves through the audience, which consisted of corporate information security leaders and was roughly 85% male. I could not possibly imagine devoting your career to a profession and then being told that by gender alone you are less desirable.
Before I go on, I would like to provide a couple of disclosures:
1) I am male
2) Ms. Brocaglia’s company (Alta Associates) is a competitor of mine (LJ Kushner & Associates)
3) I have professional respect for Ms. Brocaglia and the Executive Women’s Forum (which I think is a great idea)
4) I often disagree with Ms. Brocaglia
Ms. Brocaglia’s statement (which she supported with a reference to an HR study) that females are more likely to be effective communicators, change agents, and consensus builders promotes a prejudice and a stereotype: that men (as a group) are less capable of possessing these attributes. The results of the HR study may be accurate, and indeed women (as a group) may be more likely to excel in these areas than men (as a group), but this should not have any effect on the recruitment of an effective CISO.
Companies do not hire groups; they hire individuals. Generalizations should have no bearing on, and should never influence, the decision-making process when it comes to selecting a qualified CISO. When a company is searching for a CISO, they will identify an individual who possesses relevant skills, has demonstrated professional excellence, and is capable of providing leadership to their information security program.
Collectively, it is my experience that the women who have chosen Information Security as a career are high achievers, and many have gravitated towards positions of leadership. In many cases, they have had to overcome greater adversity and gender-based prejudice to achieve the same professional success as their male counterparts.
The female information security leaders that I have encountered share common traits. They are all smart, business savvy, technical, personable, and driven to succeed. They are tough negotiators and have a great deal of conviction in their beliefs. Ironically, these are the same skill sets that male information security leaders possess.
In my opinion, skills that include consensus building, effective communication, and organizational transformation can be classified as softer skills. These are skills that are developed through experience, maturity, and conflict resolution, and are not inherent to gender.
I agree that the skills Ms. Brocaglia mentioned are all necessary to be an effective CISO. However, these skills are ones that need to be developed and cultivated, independent of gender.
In the past thirteen years, I have worked with many companies in their search of competent information security leadership. They all have one thing in common, they are looking for the best talent who can thrive within their environment and get the job done. I have never once heard a client mention the applicant’s gender as a qualification (nor do I ever think I will).
One of the items that I stress the most in any recruitment process is to keep an open mind to candidates with different backgrounds and unique experiences. I have had many instances where clients have hired Information Security leaders who did not come close to matching their initial “ideal” candidate profile. However, by getting to know these candidates through the interview process, they discovered that their experiences were quite relevant and would enable them to succeed in an information security leadership capacity. In all of those cases, the customer was happy that they discarded their initial prejudices and overlooked their preconceived notions.
The CISO of the future will be a special leader. They will be innovative, they will be highly skilled, and they will inspire others. They will be of different genders, races, religions, and ethnicities. They will have made strategic career investments that separate them from their peers. They will be hard workers. They will have high moral character. They will be competitors.
They will be the top 1% of our profession.
We all still have the chance to be that leader!
“All generalizations are false, including this one.” – Mark Twain