Career Advice Tuesday – The Educational Crystal Ball

September 29, 2009

Hello Mike & Lee,

How important is education to the security management career path? I’m in a well-known Masters of Information Assurance program, but I don’t often see this type of education requirement for security management jobs.

Do you think that will change?

Nervous Student

Hi Nervous,

Hold on a second while we pull out our crystal ball.

Okay. We’re now looking far into the future… and we see… degrees… everywhere.

Enough being flip. Information security is a very young industry and, as such, hasn’t really developed a significant formal education structure. Most of the programs that exist today are less than 5 years old.

But that formal education is in demand – we need an industry of people who started to get real training on information assurance, risk management and other security concepts at a younger age. And we’re starting to see more and more of that type of program build up.

You’re right that it’s not a requirement yet – mostly, that’s a supply and demand issue. If that was a requirement for most jobs, it would severely limit the candidate pool. However, it will provide you an advantage when you go in for some jobs.

Our crystal ball says that this will start to be a requirement more and more over the coming few years.

No need to be nervous: you’re ahead of the game.

Mike & Lee

Posted by mmurray | Filed Under Career Advice Tuesday

Career Advice Tuesday – The Least Common Denominator

September 22, 2009

Dear Mike and Lee.

Most HR people seem like they always recommend security professionals with CISSP or CEH, but the sad thing is that not all certified people are really good at practical application or have skills in the real world.

I bumped into this new training offered by a company that creates an important penetration testing toolset. Would this cert get me into an infosec job?! The way I see it, the people who passed these skill-based exams would really know what they are doing. As a similar example, the Red Hat Certified Linux Engineer (RHCE) is like an 8-hour exam just to troubleshoot a Linux machine. With this training class, I figure I’ll get actual knowledge and the ability to use it, unlike with something like the CEH.

Anyway, any updates on this cert would really give good feedback for people like me.

Confused About Certs

Hi Confused,

I left out the name of the new training that you mentioned because it really doesn’t matter – while the training in question is a good one and provides some good skills, the question itself misses the point.

Certifications do not get you jobs nor provide you with skills.

Without going into a large dissertation on Signal Theory, the point of a certification is to assert one thing (and one thing only): “Person X knows a certain base of material to a certain basic and fundamental level.”

Certification is an indication that someone has some ability within a domain and is able to navigate within it. For example, regardless of what the certification bodies and training companies say in their marketing material, having a certification like the CISSP does not make one competent to practice information security. What it does assert is that the person in question identifies himself/herself as an information security professional and is conversant and aware of the fundamental concepts that underlie the domain (e.g. risk, network security, fire suppression, physical security, etc.).

Beyond the marketing, this is as it should be. A CEH no more qualifies you to break into a bank than a driver’s license qualifies you to race in the Daytona 500. However, it says that you have a certain fundamental skill set that allows someone to identify you as belonging to the group of “ethical hackers”.

Where we (as an industry) get in trouble is that we tend to believe that certification and training are supposed to convey formal competence (and, in some cases, excellence). This is impossible: a certification that only proved that someone was an above-average professional wouldn’t ever have enough members to make the certification a worthwhile signal. If the test was too tough to pass, too few people would ever take it to make HR people and management accept it as a useful signal of base knowledge.

If you don’t believe me on this one, look at all the “hard” certifications that have gone by the wayside or been ignored over the years. SANS dropped their practical requirement. The CISSP went from a very low (30-40%) pass rate in the early years to a much higher pass rate today. ImmunitySec has a phenomenal cert, but how many people reading this even know what a CNOP is (without clicking on the link)?

The point of a certification isn’t to get you a job. It’s to admit you to the club of people who claim competence within the field. Note that I didn’t say “the club of people who ARE competent” – that you took and passed a certification is a self-declaration that you want to be considered to be part of the club. The certification is only the ticket to the door – what will make you successful is what you do once you’re inside.

In short, I’d advise working on your skill set in almost every case and considering the certification secondarily. There are some times when certification is the most important career investment at a given moment, but that number of times is about three orders of magnitude less than most people in the industry think that it is. If you think you might be in that situation, directly. We can help guide you in the right direction.

Note: as a point of full-disclosure, Mike is also the lead trainer and curriculum developer at The Hacker Academy, a leading training and certification company.

Mike and Lee

Posted by mmurray | Filed Under Career Advice Tuesday

Career Advice Tuesday – “Maintaining That ‘New Job’ Feeling”

September 15, 2009

Dear Mike and Lee:

Near the beginning of the year I graduated from ITT Tech with a degree in information security (4.0 GPA!) and last month just started a new job doing information security monitoring for a university. So far I absolutely love my job with the new skills I’m picking up and the challenge of the problems I’m being asked to solve. Every job I’ve had previous to this one got stagnant very quickly. What can I do to keep the enthusiasm I currently feel for this job going a year from now, or five? Right now I look forward to going into work the next day; what can someone do to keep from losing that as they get settled into a position? Also, do you have any other tips for someone right after they land that great job?

“Freshness Guaranteed?”

Dear “Freshness Guaranteed?” :

It is very nice to hear from someone that is so excited about their current (new) role.

Nothing can compare to the excitement that one gets when beginning a new role. This especially holds true for someone who has just completed a degree program, where your career investment has been rewarded and has resulted in a new opportunity that will utilize the skills that you have developed. The challenge of keeping a job “fresh” is one that everyone faces, especially after routine sets in and the initial “shine” wears off.

The best way to keep a job fresh is by keeping yourself challenged and motivated.  Keep looking for ways to add value, learn more, and be needed.  I would advise you to work on building relationships with other members of your company, and try to volunteer yourself on projects where you can be of assistance.  If you are successful in doing this, you will always have several new “mini-jobs” within the context of your main role. 

Keep in mind, five weeks and five years are two entirely different time periods. Look at your role in four-month increments, and make sure that you are continuing to learn new things and acquire more skills. If two consecutive four-month periods pass and you have not grown professionally, it may be time to look for something that will inspire the same feelings you currently possess.

Let me close by saying that if you have a strong passion for what you do, you will always feel fulfilled in your career.  Generally speaking, the more passion you have – the less your job will feel like work.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday, Uncategorized

Career Advice Tuesday – “More CERTs Not Always The Best Answer”

September 8, 2009

Dear Lee & Mike,

I have over 20 years of technology vendor experience in enterprise computing, including biometric identity management, SOA enterprise integration, storage management, IT infrastructure management, CRM applications, and RDBMS. In the last 4 years, I worked for 2 vendors who specialize in biometric identity assurance and secure credentialing solutions (smart cards) for the Federal Government. I got laid off last Oct due to an economic problem at my last employer.

Since then, I have been looking for that right job and decided to take advantage of the down time to learn more about security with the goal of gaining the CISSP certification. I took the exam in early April and got the official CISSP cert. in May. In looking for a new job in the metro Washington DC area, there seem to be many opportunities in the different areas of security. I know I am coming from a different path than most people with CISSP.

I am most interested in learning and working in the security planning, policy, and C&A area. Can you please advise on what additional training I should look to get and where I can look to get some real-life hands-on experience?

“The Experienced Rookie”

Dear “Experienced Rookie”:

We often say that there’s no good substitute for experience, and in this case, you’ve got a significant amount of it.  As you point out, that puts you in the position of being very different than most in the information security industry.

With your background, “more training” and “more certifications” aren’t the first things we’d suggest.  With a background like yours, the issue with you getting a job isn’t likely that you don’t have the background or the experience; it’s likely that you aren’t presenting the experience well.  That means you probably need to work on your resume, your network, and your brand within the industry.

Were we coaching you directly, we’d ask you to go through a personal brand assessment (like the one that we gave to the attendees of our seminar at Defcon) and we’d ask you to think about the following big questions:

  • What makes you unique within information security?  (Hint: it’s probably your experience)
  • Does your resume adequately communicate and highlight those differentiators?
  • Which people do you know within the information security industry that are influential in the places you hope to work?
  • What do those people know you for?  What is your “brand” with those people?

Far too often, people think that “more certifications” will make them more employable. While we’re all for certifications, that’s not usually the case, especially in situations where someone has a significant amount of experience.

Hope this helps,

Mike and Lee

Posted by lee | Filed Under Advice, Career Advice Tuesday

Career Advice Tuesday – “It’s Tough Being A One Man Show”

September 1, 2009

Dear Mike and Lee:

I have been in various roles as an IT pro for 12 years or so. The last 3 years have been in management roles, both in Operations and, more recently, Security. As a one man show building a security organization, it’s not very difficult to stay technically engaged, but as the team grows, or as I move on to work for other companies and larger teams, what advice do you have for keeping your hands in tech as much as you can? I’m pretty well headed down the management track, but I think we all need to keep our heads out of the clouds when we manage technical teams. What advice do you guys have for staying in touch with the guys in the trenches and touching the tech without falling short on your leadership role?

Signed – “One Man Show”

Dear “One Man Show”:

You are correct in your statement that being a one man show is no easy task for any information security professional. Many information security professionals in your situation get caught up in the breadth of responsibilities of their current position and neglect the development of specific skills that will differentiate them in the market. Since you are functioning as a team of one, you will appear to lack people management skills (due to size), and if you choose to let your technical skills lapse, you may have a hard time proving your value to external employers if your skills are deficient in both areas.

In a competitive situation, you will most likely always be outshined by people with greater management experience, and you will lose out to engineers and architects who have not had the responsibilities of management.

Fear not – all is not lost. The technically competent manager is always in great demand. Companies always believe that they can develop managers, but it is mostly the information security professional’s responsibility to keep their technical skills sharp.

If you have ever heard me speak, one of my favorite lines is that “In thirteen years of recruiting information security professionals, I have never received interview feedback that one of my candidates had too much technical competency.”   (Which is true!)

Although remaining technically sharp is essential to an information security professional’s long-term career success, it is not easy and requires extra effort. As your position leads you into other areas, you have to remain conscious of the depth of your technical skills, and make sure that you allocate proper time and training to maintain them. There are many information security professionals who have neglected these skills and are now no longer relevant, because the industry has surpassed them.

Keeping yourself technically sharp is difficult.  It takes extra time and takes extra effort.  However, if you are able to stay on top of the current technical trends and industry developments, it will enhance your credentials as a manager and a leader.  

It is possible to become overwhelmed by the amount of technical challenges that we face as information security professionals. If it helps, focus your efforts and education on two or three topics that are of interest to you, are important to your current role, and are recognized by the information security industry as a whole as “growing trends.” Some technical areas that I see emerging are “cloud computing,” the technical aspects of PCI, security event management, and green computing.

Try to leverage and direct the responsibilities of your current role so that it requires you to become more educated on these topics, and therefore more marketable and relevant. This approach may enable you to allocate your time better and “kill two birds with one stone.”

It is never easy being a “one man show,” but at least you get to make all the decisions!

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Uncategorized