August 25, 2009
Dear Mike and Lee:
I’m currently a systems administrator who’s looking to get into the information security field. I’m currently taking night classes towards a bachelor’s in computer science degree. However, I’ve been hearing about schools that offer information security specific degrees. What do y’all think about these degrees and what curriculum do you think would be the best for someone wanting to get into this field?
Dear “Degree Seeker:”
Education alone will not determine the success of your information security career. As a society, we have been improperly conditioned to believe that education is a “magic bullet” for career success. This false expectation often results in “buyer’s remorse” when achievement of a degree does not translate into career acceleration. There is no doubt that education is an important component of one’s career foundation. However, your ability to combine your education with experience, talent, professional development, and interpersonal characteristics will ultimately determine your future as an information security professional.
Having said this, I do believe that pursuing a degree is a good thing and a valuable career investment. If you choose to undertake this commitment, please make sure that you are doing it for the right reasons. The right reasons should include satisfying your own intellectual curiosity, a keen interest in the course of study, and qualified faculty, not because you believe you will have an easier time getting employment.
Next, if you decide to go to a school with an information security degree program, your choice should be determined by the curriculum, the alumni network, and the career placement program. Cost is a consideration, but should almost be a secondary factor. This is a major career investment, and you should be more concerned with the value that you are receiving, in relation to the amount of money that you are spending. Like with most things in life, you traditionally get what you pay for.
The curriculum should be something that interests you and aligns with your career goals, the network will provide you with connections throughout your professional career, and the placement program may provide you with the advantage of getting your foot in the door with the right entry level position.
Understand that choosing to go to school is a major investment and sacrifice. It will cost a significant amount of time and money. However, if you elect to pursue and achieve this degree, it will stay with you for the remainder of your career. You will carry the brand of the program and will be responsible to both uphold it and reinforce its credibility.
Make sure you choose wisely and fully understand what you are getting yourself into, before you sign the check.
Hope this helps,
Lee and Mike
August 20, 2009
We received a closely related question to this week’s Career Advice Tuesday segment – we believe that the two are closely intertwined and are on topic.
Dear Mike and Lee:
How do I become a technical leader without heading down the path of management? It’s been my experience that every time I start managing, I begin forfeiting technical skills for people issues.
Signed – Career Crossroads
Dear Career Crossroads:
Technical leader and people manager are two different skills and should be treated as such. One of the biggest (and most common) career misconceptions that people have is the belief that solely because they excel at the technical components of their information security position, they will automatically excel in a management capacity. The truth of the matter is that to be good at anything, you have to develop and cultivate the skills required to be successful.
It appears from your question that it has been recognized that you have a solid technical background, and possess attributes that could make you a good manager. Your fear of losing your “technical edge” is a real one. As a manager, your time is diverted to other issues, and it is only natural that your technical skills will lapse, due to these demands on your time.
The only way to become a successful manager and maintain your technical skills is by hard work, professional dedication and sacrifice. This is the difficult part. It requires a time commitment that usually falls outside of your regular work responsibilities. Most people choose not to do this, because of the sacrifice that it entails. Let’s be clear, it is much easier to choose to neglect the development of any skill.
At some point in your career, it is most likely that you will either receive the reward or face the consequences for the choices that you make in the development of your skills.
Choosing to continue to develop your technical skills should act as your “unemployment insurance” policy. When companies downsize, the area that they usually cut is middle management. Being a manager with strong technical skills should shelter you from this type of career incident.
Managers that choose to keep their technical skills sharp traditionally make better information security leaders. The fact that they have an understanding of technical information security issues provides them with a level of respect from their team members that their non-technical management counterparts have to work harder to attain. Having a motivated and effective team is one of the most important factors in determining a manager’s success.
The information security marketplace of the future will become increasingly competitive. Information Security professionals who have competency in both technical and managerial disciplines will have a competitive advantage over others.
It will be hard work. But if it wasn’t, everyone would do it!
Hope this helps,
Mike and Lee
August 18, 2009
Dear Mike and Lee:
I’m at the point in my career where I’m being asked to consider a management track (because I’m technically really good). How do you forward your career technically without moving into management?
Signed – Technically Talented
Dear Technically Talented:
You ask a question that is echoed by many other information security professionals. Many info sec professionals work in environments where management is the only way to earn additional pay and increased responsibility. Unfortunately, this does not allow technical information security professionals the ability to advance their career in a direction that aligns with their personal career goals.
If this is the case, you are left with a few choices.
The first is to speak with your manager about your career desires, and see if they have an avenue to pursue this direction.
In a perfect world, you would have made your manager aware of your career aspirations prior to being faced with this situation. (This is your responsibility, no one else’s.) If you have not, do not assume. It is customary for people to believe that everyone shares their own personal career goals. Since your manager most likely began their career as a technical professional, they may believe that the path they have chosen for themselves is the best one for their top performing team members.
Second, you can give management a try, and see how you like it. This could turn into a great opportunity for you, and you may recognize (after trying it) that you are a good manager and enjoy the challenges that this role presents. However, you should come to an agreement with your employer that if you do not enjoy the managerial role, then you could return to your technical individual contributor capacity, without penalty.
The third choice could be to look for employment elsewhere. I would only suggest this after exploring the first two options that I outlined. When searching for a new employer, I would look for one that has a clearly defined career path for technically focused professionals. The company should value professionals that are able to advance and contribute to the company’s mission by their technical contributions alone. Traditionally, these will be environments where technology contributes to their market advantage and competitive posture. Many of these organizations will have a research and development capacity whose funding and success is core to the business.
In order to advance your career and maximize your professional potential, it is critical to work in an environment that understands your talent and value.
Hope this helps answer your question.
Lee and Mike
August 11, 2009
Dear Mike and Lee:
I have not been able to get what I feel is full/good advice in my attempt to enter the Infosec career. I have a felony record here in the US. The crime was when I was younger and I have since (11 years now) proven that I have changed my ways and that the whole issue actually helped me get on the straight and narrow.
My question is: Can a person in my situation expect to enter and survive in an Infosec career? I was reading a book titled “Infosec Career Hacking”. It said, if you have a felony record, you can forget a career in this field. That was not a direct quote but the point clearly stated the same thought. Is this true?
I have worked my way up the IT ladder and currently fill an Enterprise Architect position for a government contractor on a government contract. I have not achieved the clearance that I need yet. I do have a chance to voice my opinion on security issues in my current role, but I would like security to be a main focus for me. Do you have any insight into this?
Dear “Changed Man”:
You are definitely facing an uphill battle.
First of all, I think that blanket statements are bad – and I do believe that it is possible to get a career in information security even if you have a criminal record. I have seen it done before and have worked with a few candidates that have had to overcome this obstacle.
In order to accomplish this, you are going to require a combination of candor, excellent skills, reformed character, open-minded hiring managers, and some old fashioned “good luck”.
I am not saying that it will be easy, but it is definitely possible. I also believe that you may find more acceptance in the commercial/corporate world than you would find in the public sector (Government roles).
Here are some guidelines for you to consider:
1) Full Disclosure – Make sure during the initial part of the interview process, you reveal that you have a felony. No matter how embarrassing, tell them what happened, what you learned, and how you reformed.
Many people believe that a past transgression alone will disqualify them for a position, and choose not to reveal that to the hiring party. That is the worst possible thing that you can do! More people lose opportunity due to the “cover-up” as opposed to the offense.
It turns out that many people have open minds and are willing to forgive past transgressions. When you choose not to tackle this type of situation head on and address it, you appear to be dishonest and deceitful, which are not positive attributes for any Information Security professional.
2) Demonstrate Examples From The Past 11 Years That Enforce Your Character – I would give examples of how you have given back, made restitution, and changed your life to reflect the code of ethics required to be an Information Security Professional. This is critical. It is one thing to say that you have reformed, it is another thing to have proven it with tangible examples.
One of the best ways to do this is to volunteer your time – either at schools or public gatherings, and help educate others on computer security. You can speak about relevant topics that could include on-line safety, protecting your personal information, or the negative consequences of hacking.
3) Outshine Your Competition – Because of this felony, you will have to be that much better than your competition – so make sure you blow them away during the interview. This is essential, since you enter the interview process in a less than enviable position.
As we learn by examples in society, people with special talent usually receive some preferential treatment, and are more likely to receive the “benefit of the doubt.” (I am not saying I agree with this, but it happens to be the case.)
Make sure that your talent is indeed special. Become great at something and develop expertise that can demonstrate your value to your employer. If you indeed are exceptional, chances are they may become a stronger advocate of your hiring, and you may be more than likely to overcome this obstacle.
I wish you well in your pursuits and appreciate your bravery by asking this question. I do not believe that your situation is unique in the Information Security profession.
I hope that your future employers have the ability to see the “changed man” in front of them, and not the “foolish teenager” of 11 years prior.
Good luck to you.
Mike and Lee
August 4, 2009
Hi Lee & Mike,
I’m currently working in the Information Security field in the public sector. I have a Graduate Certificate and CS Masters focusing on Information Security. Unfortunately, I only have approximately 3 years of experience. In 1.5 – 2 years, I will be starting a family and may need to take as many as 8 years off from traditional employment as a result. I’d like my lifetime career to be in Infosec, so do you have any advice on ways to remain viable in the field while not being able to work in it for a while? It seems prudent to ask now while I still have time to take action. If I were in any other field, I do not think I would be so concerned but the Infosec field changes more rapidly than most.
Future InfoSec Mom
Dear Future InfoSec Mom:
First of all, let me commend you for your foresight in anticipation of this situation.
It is very difficult to balance the responsibilities of a family and a career at the same time. I know that many other Information Security professionals, both male and female, can empathize with your situation and the choice that you are planning to make.
One thing that you have going for you is that you work in the public sector and they are generally more sensitive to work/life balance issues. Here are a couple of pieces of advice:
1) Work for a company or agency that has a long term commitment to Information Security as a career path for their employees. If you can prove yourself as a valuable asset to the Info Sec program, they should have a vested interest in welcoming you back upon your return.
2) Figure out if you can locate or potentially help develop a role where you could work part time and still be of value during your eight years away. This will require creative thinking and progressive management. If you can introduce a logical use for your skills in a part time capacity while you are currently working, you will be the one most likely to benefit from this new position.
3) Focus on developing some of the skills that are centered around policy, governance, awareness, and business risk - as opposed to hard technical skills. The hard technical skills may be very difficult to keep up with if you are not engaged with the technology on a daily basis. It may be easier to keep up with regulations and standards – since these can be acquired by traditional educational means.
Good luck to you in both of your pursuits. We hope this helps.
Lee and Mike