October 27, 2009
I was just recently involved in an interview process for a desirable information security position. I will admit that the position itself was a stretch, but I felt that it was the next logical step in my career. I interviewed well, aced the technical component, connected with the hiring manager, and made it to the final interview.
At the end, the human resource representative informed me that I was the second choice for the role. From the feedback that I was provided, it led me to believe that the other candidate had more relevant information security experience.
Is there a way that I can overcome this, if I pursue a similar opportunity?
“First Runner Up”
Dear “First Runner Up”:
From your question, it appears that you have learned some valuable things from your interview experience, although you were not selected. This is a good thing. We are big believers that you learn more from your failures than your successes. It is good to reflect on your interview performance, and discover what you did well and where you can improve.
It appears that you have learned that there is some steep competition for good information security roles and that many information security professionals have similar career paths. During an interview process, it is unlikely that you will have a glimpse into your competitors – but it is possible that they are more experienced, more technical, better communicators, and have better business skills. When you interview – you have to assume that they have all of the above, so you need to prepare yourself to compete.
In the Information Security employment marketplace of the future, in order to be selected for the most desirable information security career opportunities, you not only will have to be good; you will need to be better!
I would use this interview process as a chance to evaluate your skills and figure out where your true deficiencies are that could possibly place you at a competitive disadvantage for these types of roles. Be honest with yourself when you go through this exercise. Upon conclusion, select one or two areas that you believe are most critical, and make a conscious effort to develop them through career investments that can help separate you from your competition.
I know that you raised your primary concern regarding your amount of experience. There are some hiring managers that hold this as their chief criterion for making decisions. If this is the case, you will always lose out (until you acquire more experience). However, if the hiring manager is using talent and skill as their primary criteria, solid career investments that differentiate you from others and demonstrate your aptitude and passion could compensate for your lack of experience.
Hopefully, the next time you will get the job and “wear the crown!”
Hope this helps,
Lee and Mike
October 20, 2009
Sometimes, it’s worth publishing a long letter because it’s an issue that many, many people have. The letter below is indicative of many of the questions we get, and it’s just such a good example that we can’t pass it up.
Dear Lee and Mike,
I’ve had an interest in infosec since I was 14 and I have been working in IT for 10 years, ever since I started my own consulting business at 16. My business was based around servicing companies’ desktops, servers and networks and this led to a full time system administration job and subsequently into an IT Manager role. I was finally given a chance to work in security full-time when I moved on to a role as a 3rd level Firewall Engineer.
My next role involved helping set up the network security infrastructure at two new data centres – I stayed on as Network Lead and eventually moved up as the Network Team Lead (with my team managing hundreds of devices and dozens of firewalls).
Still I felt it was not the right move for me. I began to look for a different job and had dozens of calls weekly and several interviews. One call was from a recruiter for a small company in Switzerland. I flew down for the interview and accepted a role as a Network Security Engineer. There were lots of promises about what the role was supposed to be like but few of them ended up being true. My job at this company is maybe 40% security and 40% network support, server support, data centre management and 20% network, system and data centre design. All of the things I can do and am good at but not what I want to do.
My true passion is identifying risks in systems and networks. I have had hands-on experience securing systems and have coupled this with constant study of various IT security books for the past 10 years; I’ve obtained the SSCP, CISSP and the CISA. All of my experience and studying has given me a ‘gut’ instinct about where there are security problems not only with technology but also with business processes. My goal is to use these abilities in the role of an infosec consultant doing security assessments.
Making a career change from my more operational background has been a tremendous problem for me. The Big Four that I have applied to have rejected me because, I think, I do not fit into their hiring profiles. Other security consulting companies I have been in touch with are initially very positive, returning my calls and promising interviews but then going silent.
Is it even possible for me to change from operations into a consulting role or have I been typecast?
What can I do to sell myself better and convince potential employers that I can do the job of a consultant?
Dear Ops Guy,
Where to start. First, by my rudimentary math skills, you’re 26 years old. If you’re typecast at 26, we’re all in very deep trouble. Mike’s father started his first business in his mid-50s, so I think there’s hope for you yet.
That said, you’re coming up against problems that many security professionals face on a daily basis: you’re doing work that doesn’t fit what you want to do, and you don’t know how to transition out of that. You don’t fit the profile for most of the consulting firms that you’re talking to and you’re not sure what to do to fit the profile.
First things first: many, many consultants come from an ops background. Mike is one himself – his first jobs were system administration jobs (you can even find articles he wrote in the early part of the decade in the “Sys Admin Magazine”) and he transitioned into consultant roles.
The majority of this issue comes down to a branding problem: we talked in our recent Search Security column about the steps that you can take to enhance and build your personal brand. In this case, you need to seek out others who have done what you’re trying to do and figure out how they did it. You know what you want to be known for and where you want to end up – now it’s just a matter of working to create the brand that you want.
Additionally, it seems like you might be having trouble interviewing, but that’s a subject for another week.
Mike & Lee
October 14, 2009
We talk a lot about personal branding – this month’s SearchSecurity column focuses on the things that you need to do to build and improve your personal brand.
As always, feel free to ask us any questions you have about personal branding.
Also: we’re going to be doing a special question and answer session in our SearchSecurity column next month: if you want to end up in the column, feel free to mail the editors.
Posted by mmurray
October 13, 2009
Dear Mike and Lee:
I have recently found myself looking back at my career and find myself to be dissatisfied with the way that things have been turning out. I have 15 years of overall IT experience, and have been with my current employer for about 7 years. Although the pay has been good, I feel that my advancement and professional development have stalled. I believe that there are some opportunities within my current company that would enable me to build the information security skills that I am seeking to develop, but because I am doing a “good job” in my current role, my manager is reluctant to let me pursue these other opportunities.
I like my company, and do not want to jeopardize my employment in this economy, but I fear that my window of opportunity for advancement is quickly closing and my skills are growing stale, and I am basically running in place.
Can you provide me with some guidance on how to better my situation?
“Stuck on the Treadmill”
Dear “Stuck on the Treadmill,”
Before we answer your question, I want to bring to light the importance of developing a written career plan. Your personal situation is not unlike that of many others, who settle into a comfort zone, excel at their position, and become victims of their own success. Developing a career plan that maps out skill and professional milestones, and intermediate steps for overall goal attainment, is critical to preventing the situation that you currently find yourself in.
All that being said, all is not lost. The fact that you have recognized this at the midpoint of your career is a step in the right direction. Here is some guidance for your current situation:
First, I would try to figure out what you would believe would be the next step in your career and the right opportunity for you at this time. When determining this, I would keep in mind the information security skills that you could best leverage from your current role, to attain this next position.
After you determine this next position, I would attempt to see if there was an internal opportunity at your current employer that would enable you to accomplish your goals. If these opportunities do exist, I would sit down with your manager and have a candid discussion with them. (For your own protection this meeting should be documented.)
This discussion should include both your appreciation for your current opportunity and your desire to remain with the company. You should also express your interest in career growth. At the conclusion of this meeting, I would ask for their permission to pursue these opportunities – while providing them with assurance that, if selected for this role, you will not leave them in a bind.
I would hope that at the conclusion of the meeting, they will give you their blessing to pursue these opportunities. In the event that they do not, I would immediately (possibly concurrently) set up a meeting with your human resources team, make them aware of the situation, and ask them the proper internal process to apply for this role. Keep in mind, if you have to go down this path, your manager will most likely not be happy, and could possibly hold this against you. (You should understand that this is possibly risky, and you should weigh the consequences before going through with this.)
Simultaneously, I would begin an external search process, and prepare a resume that would be targeted at the role that you would like to pursue. I would seek out opportunities that fit the description of the information security role that would enable you to move your career on your desired path. Undertaking an external job search may shed some light on your current skills and the value that you could bring to an external entity. Independent of the result, you should come away with a better benchmark on your marketability and qualifications for this type of role.
Hopefully, this advice will get you off the “treadmill” and lead you “off and running” in the direction of your desired career goal.
Hope this helps,
Lee and Mike
October 6, 2009
Dear Mike and Lee:
I would like some advice on my future career as an Information Security professional (which has yet to officially begin).
Here is some background: I am 22, just finished a CS degree, hold 3 information security related certifications, and have recently begun a master's degree program. I also write a blog and contribute to the open source community. In addition, I have built a home “lab” environment which I use on a daily basis.
I was thinking that when I graduate the master's program, I will not have any real world experience to support my academic and self-directed information security pursuits. Do you foresee this as being a big problem as I approach the job market, and officially begin my professional career?
“Future InfoSec Leader”
Dear “Future InfoSec Leader”:
The first thing that I will tell you is that you appear to be doing everything correctly to get your career started down the right path. You have received formal education, you have attained relevant certifications, and you are contributing to the community (blog, open source projects). In addition, you are running a lab environment that is providing you with some hands-on experience (albeit at a much different scale).
The second thing that I can tell you is that you have some of the intangibles that employers are looking for: commitment and passion. It appears that from your efforts you are able to demonstrate to information security hiring managers that you are going to be a dedicated employee, and that you have a drive to take on responsibility and are willing to work hard (once you get a job).
All that being said, I do agree that you are falling short on a key component that could hinder you in landing your first full-time information security role: formal work experience. Please understand that work experience does not have to come in the form of a full-time job. It can take the form of internships (which you may be able to get through the university), part-time work (potentially in the university’s computer lab/IT environment) or through donating your time to charitable causes (who need security skills).
I think that if you pursue these types of opportunities, and find a way to garner some “real world” experience, you will offer an employer the “complete package” and skill matrix that most will search for in an entry level information security employee. Most importantly, the cumulative result of all of your activities (and experiences) will place you at a competitive advantage to your peers (and competition) for these roles.
In closing, you are doing the right things and are off to a good start. If you keep working hard at your career, your future should be quite bright. Please keep us posted.
Hope this helps,
Mike and Lee