Career Advice Tuesday – “Should I Be Thankful”

November 24, 2009

Dear Infosecleaders:

I was recently summoned to my manager’s office the other day.  He began the meeting with the dreaded “I have some good news and I have some bad news.”  He told me that the good news was that I had done a good job this past year as an information security engineer and my position was “secure” and I am an employee in “good standing.”

Then he told me the bad news.   Due to the economic situation and the financial position of the company, our information security department and more important, me, personally would not be given a salary increase or year end bonus.

On the one hand, I look at the unemployment rate and I am thankful that I have a position that at least for the moment is not in jeopardy.  On the other hand, I feel that I deserve much better for both the quality and quantity of the work that I performed this past year.

I want to know if I am missing the big picture, or if it is time to look for “greener” (as in the color of money) pastures?


“Poor Pilgrim”

Dear “Poor Pilgrim”:

The first thing that I can tell you is that you have to keep a sense of perspective when dealing with your particular situation.   It is true that there are many people who are not currently working, but that by itself does not hold relevance.  What is relevant is how many people who possess your level of information security skills and experience are unemployed.

Another item that holds relevance is how your compensation compares to the rest of the market.  When you look at the market, you have to ask your peers and your network (in other companies) what they are earning, their benefits, and the demands of their jobs.  For example, if your current position pays you more money and requires less sacrifice, you may want to keep quiet.  But if you are earning less than your peers, and your position is more demanding, you may want to reevaluate.

A final item that you may want to consider is how the company treated you during the good times.  For example, if they gave larger salary increases and overpaid bonuses when things were good, it would only be logical for them to eliminate increases and bonuses when the company is struggling to survive.  If this is the case, think of it as an average, and consider yourself “even”.

I do not believe that you are being greedy.  I think that you want to understand if you are being treated fairly, and if your employer’s response to the economy is a rational one.   Leaving a position is a personal situation, and I think that sometimes it is important to give your employer the benefit of the doubt – especially when bad things are happening to many around you.

Hope this helps.  Enjoy the turkey!

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday | Comments Off 

Questions answered at Search Security

November 19, 2009

As I said in my quick post last month, this month’s SearchSecurity column is all about answering questions. We took questions from a diverse set of readers, and provided the best answers we could. We covered education, certification, career planning and choosing security as a career, among other things.

Check out this month’s Search Security column here.

As always, feel free to ask us any questions you have.

Posted by mmurray | Filed Under Advice | Comments Off 

Career Advice Tuesday – “Executive Training Program”

November 17, 2009

Dear InfoSec Leaders:

I am currently a CISO and my company has provided me the opportunity to participate in an external executive training program.  Both programs are being run at the same Ivy League business school.  One of the programs is focused on security executives (both CSOs and CISOs), while the other program is more general, attracting business executives from all different fields.

They both require the same time commitment, they are both free of charge, and they both have the same prestige.  Do you have any guidance on which one I should select?


“CISO Seeking Career Growth”

Dear “CISO”:

On the surface it appears that you cannot lose from this decision.  Both options have their merits, and I believe that you will benefit from either program.  However, this is an opportunity that could have a profound influence on your future.  Let me explain.

There are two main values for executive training programs like the ones you describe: education and networking. 

During the program that is centered around security professionals, you will share common experiences with the others in attendance.  In fact, when you get there, you may even know some of the others.  The meeting will be comfortable, the perspectives will be similar, and there is no doubt that you will learn other methods to address the problems that you face in your current role.  There is no question that you will become a more effective security leader upon completion.

In the other program, with its more diverse executive population, it is likely that you will be the only information security executive in the program.  (There is no question that this will be less comfortable.)  The people that you encounter will come from diverse backgrounds, have different views and attitudes towards information security, and will be an accurate representation of the business leaders in your organization that hold other responsibilities.  Upon completion, you will most likely not have learned any more about security, but you will definitely have learned more about business processes from the other “students”.

If you select the security focused group, you will definitely come away with some stronger peer relationships.  Some of these relationships will become sounding boards for you as you tackle problems in your current position.   This can be invaluable.  It can definitely make your current job easier.

If you select the broader business group, I believe that your perspective will be quite different from the other “students”, and the members of the program may be more interested in your viewpoints.  There is a chance that many of them will dismiss the importance of security (think about the executives in your current company), but there is also a good chance that some will embrace your experience and attempt to learn from it.  This will present you with the challenge of developing your communication skills so that you will be able to articulate the role of security and how security can assist and enable their business functions.

If you are able to make this type of impression, you will leave the diverse program with a different type of network: one that you can call on to help you address the different obstacles that you face when dealing with certain business functions in your organization.  Being able to call on these business leaders could also be helpful to you in your current role.

In addition, as the member of the program with a unique skill and specialty, you do not have any competition.  If you are able to effectively convey your ideas, you become the authority.  After a couple of weeks, you will have credibility with high-level business executives in other organizations.  All of these executives have different career goals, outside of security.

They are not your competition (unlike everyone in the security program)!

It is possible that security leadership positions could materialize in their companies, and when they do, these executives may be asked if they can recommend anyone.

I would imagine their response would be something like this:

“You know, I met someone in that Executive Training program that I attended last year, and I think they would fit well here.  They really understood how security and business could co-exist and form a strong partnership.”

Good luck in choosing.  I think you know which direction we would lean.


Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday | Comments Off 

Why Information Security is the Hardest Career

November 10, 2009

I was talking to my friend Ian the other day and he mentioned that he was posting about our careers and what we do. I pointed out that I have been ranting on the topic of why our career is the most difficult for the past couple of years – anybody who saw Lee and me speak at Defcon, Source or RSA in the past couple of years heard my rationale.

Security is an interesting discipline – the threat landscape is always changing and we’re forced to keep up constantly. The simple reason behind that change is that security is ultimately a quality issue. What’s interesting about quality is that issues in product quality are heavily front-loaded – as a product matures, the number of newly discovered quality issues decreases. Thus, the security issues are almost always within the newest technologies.

This forces security professionals to be always conversant on the newest technologies. Imagine for a second that we had a time machine, and we brought three IT professionals from 1997 to the present: a Unix system administrator, a C++ programmer, and a security engineer.

The Unix system administrator’s knowledge of SunOS 2.6 would allow them to be functionally conversant on a modern *nix system. They’d have a few things to learn, but most of their fundamental knowledge (e.g. run levels, cron, syslog) would be useful today.

The C++ programmer would still be able to hack on code. Sure, there have been changes to the STL over that time and there are some new constructs. They might have to learn pair programming and agile methods. But their coding skills would be the same.

The security engineer would be…. well, lost. Functionally incompetent. They could expound on Smurf and Land attacks and ensuring that there were as few SUID binaries on your box as possible. But they couldn’t even use the basic technologies… Firewalls weren’t stateful. IDS was barely nascent. There was no such thing as spyware. SIEM, DLP, and anti-spyware would have been terms that made no sense. No wireless networks. Not to mention that “cloud” and “social network” would have garnered confused looks.

Five years from today, the Unix admin and the coder will still be conversant. And the examples I used for the security professional will seem quaint and antiquated.

This is because the challenges for the security professional are always in the brand new technology – we don’t deal with issues in the IP stack because we handled them in 1997. And we moved on because the attackers found more fertile ground in the new technologies. And we will move on again – in five years, web app security will be old hat, as will “the cloud”. (“Remember when we were all worried about issues on Facebook and Google Apps?”, we’ll reminisce at Defcon 22…)

This makes it extremely difficult to create a long-term career in infosec – the moment you stop being conversant in the newest technologies is the moment that you’re functionally obsolete. So, we have to be willing to make a long-term commitment to our own growth and investment. We have to study. And we have to continue to grow every day lest we be left behind.

Posted by mmurray | Filed Under Planning, Security Industry | 2 Comments 

Career Advice Tuesday – “Talking About A Revolution”

November 10, 2009

Dear Infosecleaders,

As I was reading your post from last week, something stated in “For Love or Money’s” question really struck a chord with me.  When they stated that “I work for one of those employers that is known for being a low payer, and can get away with it because of the coolness quotient associated with the opportunity,” I felt as if they were one of my co-workers.

Let me explain.  I work in a security research environment.  My team is full of smart people.  We have a great deal of freedom in our jobs.  If I do say so myself, we do produce some great results.  Security research is an important component of our company; however, it is not our core business.  The downside is that we are not paid as well as our peers in other security research organizations.

During some informal work meetings, the subject of being underpaid comes up regularly.  I know firsthand that for myself and other individuals, the low wages are making things difficult in our lives.  There are some members of the team that have not had increases for over 2 full years, not even cost of living.

My current employer (the CEO) regularly reminds me and my peers that we are fortunate to have the jobs that we have, and to do the work that we are doing.  He also says that there are many people who would like to have these jobs, if we do not want them.  Statements like those have made us all afraid to ask for additional salary, since we fear the consequences of becoming jobless.

However, recently we have been speaking about the idea of coming to him, collectively, to let him know how we feel and our dissatisfaction with our compensation.  I have spearheaded the idea with my peers, and I feel like the leader.  As the end of the year approaches, it becomes a logical time to approach him with this; however, I/we are not sure if this is the right move against the backdrop of this economy.

Hoping for some help,


“Paul Revere”


Dear “Paul Revere”:

This is a personal decision that has big consequences for everyone that could be involved.  I think that before you begin preparing for the revolution, you and your peers have to strongly consider the following factors: their feelings about their current employment, the importance of compensation, their ability to find suitable employment elsewhere (marketability), and their personal financial situations (which do not appear to be that solid).

I realize that you frame this question as a “revolution”; as an outsider, it appears to be more akin to “unionizing” your workplace.  Many times when people attempt to “unionize,” management is forced to make some hard decisions: either give in to the demands, appease the workers in the short term (until suitable replacements can be found), or fire everyone.

Generally speaking, management does not respond well when they are forced to do anything.

Here are two thoughts that you may find helpful:

The first thing that I think you should all do is figure out a risk/reward scenario for your potential actions. 

I would think that the largest increase (best case scenario) that your company can stomach would be between $5-10K per person.  Over the year, that amount equals somewhere between $100-$200 per week, per person – before taxes.  Generally speaking, that kind of money is not going to change anyone’s life dramatically, although there is no doubt that it could make things easier.

The worst case scenario is that your management decides to fire either one of your team’s members, or all of your team.  If they choose to fire all of you, then at least you are all in the same boat, and have learned your lesson together.  (Although this is not good, there is something to be said for solidarity.)

What could possibly happen is that your management decides to fire one of your team’s members (most likely the least productive one) and then divides their salary amongst the remaining team members.  If that happens, all but one of you will have accomplished your goal (getting more money), but at the expense of one of your team members losing their job.  If this does occur, you all may feel a sense of obligation to that fired team member (since it is a result of a collective effort), and each of you should contribute to a team-created “severance fund” (until they locate employment) – therefore negating the compensation increase.

The second thing that you should do is to come to grips with the fact that your company’s attitude toward compensation is not going to change.  

Your CEO has made it clear that they are not going to pay you any more money.  They have even gone as far as to say that you should be grateful to work there.  Since that is the prevailing attitude toward you and your team, you should begin to polish your resumes, and begin to search for an employer that places a higher value on your talent and contributions.

One thing you may try is to market yourselves as a “team” – and approach companies collectively.  Given the nature of your work, there could be a few companies out there that are looking to establish or enhance their information security research function.  If you do decide to package yourselves as one unit, make sure that you are all realistic in your compensation expectations and that these potential employers understand that you come as a unit – that they cannot hire one without the others.  This way, they will fully understand the total cost associated with your hiring, and will know very quickly if they have the budget to absorb you and your team.

Having had some experience with recruiting teams, I can tell you that it is human nature for people to look out for their own self-interests and careers during this process.  I have seen some of the best teams deteriorate when they have competing self-interests.

Please remember that everyone’s career is unique to them – and what is good for one person is not necessarily good for another.  Your intentions to mobilize the team are honorable.  However, things can turn out to be quite complicated and more than you originally bargained for.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday | Comments Off 

Career Freakonomics – 6 hours per week

November 4, 2009

I’m a big fan of Levitt and Dubner’s work – their NY Times blog and Freakonomics. I just finished up the new one (Super Freakonomics) and couldn’t put it down. Definitely worth a read.

The first chapter had a line that forced me to write here, though. In the middle of a discussion about how women are still underpaid in America, this quote appeared (pg. 45):

Over the first fifteen years of their careers, women work fewer hours than men, 52 per week versus 58. Over fifteen years, that six-hour difference adds up to six months’ less experience.

These are the average working hours for MBAs that graduated from the University of Chicago. (Original Paper Here)

This is something that applies to me. Early in my career, I had no social life. I spent all of my time working on computing projects through college and the first 4 years of my career. I ported a version of Gnome to OpenBSD for fun because I wanted it to run on my laptop. I figured out how to run my home firewall with the OS unbooted. We found the first remote vuln in Windows 2000. And I worked at crazy startups non-stop. I worked 70, 80, 90 hour weeks for years.

And it gave me a huge advantage. After 3 years, I was doing what people who had been in the business for 5 were doing. After 5 years, I was doing what the 10 year people were doing.

I always felt like hard work was the biggest advantage. I’m excited to see it in an academic paper (and in Super Freakonomics).

And I realize that I’m an extreme example. But you don’t have to be so extreme. How many of your peers work 35-40 hour work-weeks? If you average a 58-hour week (like the majority of the male MBAs in the study), after 5 years, you’ll be six months ahead of them. After a decade: a full year.

While we often counsel people on their careers and give advice on resumes, interviewing, career planning, etc., I think the best advice I can give is simple:

Love what you do and work hard. The more you love it, the harder you’ll work. And the harder you work, the more successful you’ll be in the long-term.

Not quite Tim Ferriss. But definitely true.

Posted by mmurray | Filed Under Advice, Behavior, Personal | Comments Off 

Career Advice Tuesday – “For Love or Money”

November 3, 2009

Dear Infosecleaders,

Currently I am faced with a career decision to make and I would like your guidance.

Here is my situation – I have been working for my employer for a little more than a year.  I like my job, my manager, and the people that I work with.  All that being said, my compensation leaves something to be desired.  My employer is known for being a “low payer”, and they can get away with this because of the “coolness” quotient associated with the opportunity.

I have recently been approached by an industry peer about working with him at his current consulting company.  It is a good company, and reputable.   The job offers about 15% more pay, and considerably better benefits.  However, the job is going to reduce my overall quality of life – due to commute and travel.  In addition, I am not confident that I will be working with the same caliber of people that comprise my current team.  Also, I am not sure that the technical components of the position will provide me with the same level of enjoyment as my current responsibilities.

In the background of this is the economy.  I am the sole breadwinner in my family and times are a bit tight.  The extra money (around 15-20K) would make a huge difference to me and my family.  There is no doubt that I am feeling the pressure at home.

I am really torn in making this decision.  Can you give me some guidance on this?


“Security Sell-Out?”

Dear “Potential Sell-Out”:

Money is clearly a core reason for working and could be the determining factor in changing positions.  It appears that you have some growing responsibilities at home, and people who count on you for providing for them.   That is a huge undertaking and should not be taken lightly.  Next to your own happiness and satisfaction, the people at home are the ones that matter most.

15% more income is a good amount of money and could make a significant difference in your financial happiness,  but it may take a greater personal toll.  Let me explain:

First, the position appears to take you away from an environment that you enjoy, people you like working with, and technical information security challenges that keep you motivated and focused.  In the new position, you may develop different skills, but they may not give you the same level of intellectual satisfaction.  Conversely, it is possible that if you are exposed to these new opportunities, you may respond well to them, and they can open your eyes to something that may be more challenging and rewarding.

Simply put, you need to figure out if you will find happiness and satisfaction in your new role.

Second is the impact on your quality of life.  I am not sure where you are located, but unexpected travel and extensive commuting can be both physically and emotionally draining.  Also, this additional time away from home can cause strain on your personal relationships, especially if you (and your family) have never been exposed to this type of work environment.  This can greatly affect your happiness on a daily basis, and the only saving grace will be that more money is deposited in your account every 2 weeks.

As a side note, the cost of divorce is much greater than 15-20K.

One of the ways to figure out how much travel you will ultimately do, is to ask your potential new peers about the travel demands they have faced over the past 12 months – this should provide you with a good indication of what you could  be getting yourself into.

You have to be really honest with yourself about this, and figure out if your relationships at home can adjust to this life change.

In closing, I think that you need to sit down with yourself first, and figure out if the increase in compensation is fair value for the sacrifice and change that you are going to make.  You have to weigh the reward of money against the risk of losing job satisfaction.

If the answer to that question is “yes”, you then need to explain to your spouse what the extra demands of the role will be, and the sacrifice that your family will be making by not having you “around as much.”  You need to make sure that you have their full support and understanding before moving forward.

After this, reflect again.  Think about your career and your financial future (Yes – they are intertwined).  Make your decision.  Once you have made it, be prepared to stick by it, before you share it with anyone.  Move Forward – Full Speed Ahead.

Let us know what you decide, and how this turns out.


Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday | Comments Off