Career Advice Tuesday – Getting Typecast
October 20, 2009
Sometimes, it’s worth publishing a long letter because it’s an issue that many, many people have. The letter below is indicative of many of the questions we get, and it’s just such a good example that we can’t pass it up.
Dear Lee and Mike,
I’ve had an interest in infosec since I was 14 and I have been working in IT for 10 years, ever since I started my own consulting business at 16. My business was based around servicing companies’ desktops, servers and networks and this led to a full-time system administration job and subsequently into an IT Manager role. I was finally given a chance to work in security full-time when I moved on to a role as a 3rd level Firewall Engineer.
My next role involved helping set up the network security infrastructure at two new data centres – I stayed on as Network Lead and eventually moved up as the Network Team Lead (with my team managing hundreds of devices and dozens of firewalls).
Still I felt it was not the right move for me. I began to look for a different job and had dozens of calls weekly and several interviews. One call was from a recruiter for a small company in Switzerland. I flew down for the interview and accepted a role as a Network Security Engineer. There were lots of promises about what the role was supposed to be like but few of them ended up being true. My job at this company is maybe 40% security and 40% network support, server support, data centre management and 20% network, system and data centre design. All of the things I can do and am good at but not what I want to do.
My true passion is identifying risks in systems and networks. I have had hands-on experience securing systems and have coupled this with constant study of various IT security books for the past 10 years; I’ve obtained the SSCP, CISSP and the CISA. All of my experience and studying has given me a ‘gut’ instinct about where there are security problems not only with technology but also with business processes. My goal is to use these abilities in the role of an infosec consultant doing security assessments.
Making a career change from my more operational background has been a tremendous problem for me. The Big Four that I have applied to have rejected me because, I think, I do not fit into their hiring profiles. Other security consulting companies I have been in touch with are initially very positive, returning my calls and promising interviews but then going silent.
Is it even possible for me to change from operations into a consulting role or have I been typecast?
What can I do to sell myself better and convince potential employers that I can do the job of a consultant?
Dear Ops Guy,
Where to start. First, by my rudimentary math skills, you’re 26 years old. If you’re typecast at 26, we’re all in very deep trouble. Mike’s father started his first business in his mid-50s, so I think there’s hope for you yet.
That said, you’re coming up against problems that many security professionals face on a daily basis: you’re doing work that doesn’t fit what you want to do, and you don’t know how to transition out of that. You don’t fit the profile for most of the consulting firms that you’re talking to and you’re not sure what to do to fit the profile.
First things first: many, many consultants come from an ops background. Mike is one himself – his first jobs were system administration jobs (you can even find articles he wrote in the early part of the decade in the “Sys Admin Magazine”) and he transitioned into consultant roles.
The majority of this issue comes down to a branding problem: we talked in our recent Search Security column about the steps that you can take to enhance and build your personal brand. In this case, you need to seek out others who have done what you’re trying to do and figure out how they did it. You know what you want to be known for and where you want to end up – now it’s just a matter of working to create the brand that you want.
Additionally, it seems like you might be having trouble interviewing, but that’s a subject for another week.
Mike & Lee