Career Advice Tuesday – New Year’s

December 29, 2009

Due to the holiday, the number of questions we received in the last week has been pretty light. So, instead of doing a question this week, we’re going to do a quick post on the year end.

First, let me say that I hate New Year’s “Resolutions” – the idea of becoming resolute based on a date is a recipe for failure. (And research shows that 78% fail at that.)

But the end of the year is often a good time for planning and thinking. It’s a time of year spent around family and a time where work in our industry often takes a slight lull. And Lee and I both use this time to take stock of our lives and our plans for the coming year.

So, we’d urge you to make this a time for career planning. As we said in our Defcon talk, our survey from last year showed that career planning matters – those with a written career plan are about 25% more likely to make more than $120K/year than those that don’t have a plan.

As far as what we’re planning for 2010, you can expect a lot from InfoSecLeaders. The results for that survey will be fully available in the immediate future, as well as a bunch more surveys in the coming months. Additionally, we’ll be continuing our articles in Search Security and be announcing other relationships with other publications. We’ll be speaking at conferences. And we’ll be releasing more online courses (like our Career Incident Response Series) soon as well.

And Career Advice Tuesday will continue. Ask your questions here.

Posted by mmurray | Filed Under Career Advice Tuesday, Planning

Career Advice Tuesday – “The Waiting Is The Hardest Part”

December 22, 2009

Dear Infosecleaders:

As I am writing to you, I find myself in the middle of an interview process and I am hoping for some advice.

Let me describe my process to you thus far – first I had a phone interview with the human resources person, then I had a phone conversation with a person to gauge my information security experience, and I then had a phone conversation with the head of the information security consulting practice. At the conclusion of the phone conversation with the hiring manager (the consulting leader), I was told that I had performed well, and I would be hearing from the internal recruitment person to coordinate an in-house visit.

As I write to you, I am now on my tenth day of waiting, and I have not heard a response. I have placed phone calls to the human resources person, I have sent e-mails to the hiring manager, I have even tried contacting a “LinkedIn” acquaintance about trying to help me.

None of these angles have worked and now I am writing you guys for help.

Can you give me any advice on how to handle this situation?  Should I write them off completely?  Any guidance you guys can give me would be appreciated.


Tom Petty

Dear “Tom Petty”:

I would tell you first that I believe that you have done everything correctly and within the bounds of expectations to show your interest in the opportunity and your intent to continue on in the interview process with this company.  The fact that none of your overtures have been returned can be interpreted in one of two ways – “lack of interest” or “rudeness.”

If they are not interested in your candidacy, I would think that at the very least they would be able to communicate to you their reasoning for ending your interview process and provide you with the simple courtesy of closure.   Many times, people involved in the interview process are not comfortable in providing bad news, or direct negative feedback.  They believe that by withholding this information, they are doing you a favor.   However, what they do not realize is that “interview purgatory” is a lot worse than providing you the closure that you need to forget about the opportunity, develop your interview skills, and move on to exploring other options.

On the other hand, if all of the parties that you interacted with have not returned your voice mails or responded to your e-mails, that is purely a sign of rudeness and a good indication of how you would be treated and communicated with if you were to go to work at the company. If they exhibit this poor behavior while they are courting you, can you imagine how you will be treated once you have already committed to join them?

Consider the fact that you are able to witness this behavior prior to joining them as a blessing.

At this point, even if they come back to you and apologize for their behavior, I would think really hard about reengaging in an interview process and entertaining employment. If they are coming back to you after a long pause (without any communication), you were most likely a second or third option, and they are only coming back to you because they have been rejected by the others.

Our best advice is to move on and find a company that deserves you and will treat you with some professional courtesy. The information security community is a small place, and it does not take much for a company to acquire a bad reputation for how they treat people in the interview process.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday

Career Advice Tuesday – “Rolling The Dice”

December 15, 2009

Dear Infosecleaders:

Here is my situation.  I began working as an information security consultant about five years ago.  In that time, I have worked for 3 different companies, and have developed some good consulting skills.   Although I am good at my job, it is not the direction that I would like for my career to head.  I would like to work in a corporate information security function, and one day hold an information security leadership role, where I would be in a position to hire someone like myself.

I have some really solid relationships with my clients and I believe that they have opportunities in their organization where they could utilize someone with the very skills that I currently provide them (on a full time basis). 

My question is, how do I approach these customers about considering me for employment, without damaging the relationship with my current employer?  I feel that I would be taking a huge gamble, and placing my current position in great jeopardy, if my idea backfires.


“Should I Roll The Dice”

Dear “Dice Roller”:

I think that any professional gambler would tell you that the best bets are the ones that have the greatest probability of producing a payoff. However, “Rolling The Dice” with your career could be a dangerous proposition and can lead to unforeseen consequences if you do not take the right steps.

The first thing that I would recommend would be to speak with your clients about true employment potential and if they are actively seeking someone with your skills and more importantly have the ability to hire.   Many companies have budgets to employ consultants (even at higher hourly rates) but they do not have the ability to hire full time employees.   Before you decide to “Roll The Dice”, make sure that your gamble can actually pay off.

If they do tell you that they have headcount and they think you would be a good fit for the company and their team, figure out if you are willing to accept both the position and the financial terms that are being offered. (It is common for consultants to be compensated at a premium over their counterparts in end user organizations.)

At this time, if the above are affirmative, you have to decide whether or not you would like to speak with your manager (current employer) before you fully engage in an interview process. This is truly the biggest gamble, because until you actually have the conversation, you will not truly know how your employer will react.

In general, my hope would be that you currently share a level of mutual respect with your employer, and that they would be supportive of your desire to pursue different professional interests.    However, I know that this is not always the case.

My advice would be to invite your manager to an off-site meeting (where you can speak uninterrupted) where you can share your overall career intentions with them, and gauge their response and reaction. At this meeting, I would not speak about specific opportunities, but your career in general. You can also ask them for some advice and professional guidance. (As a rule, managers typically like when you ask them for advice. It is a sign of respect and courtesy.)

In addition, I would also explain to your manager that your life has had some changes (in personal obligations - family, children) and you will most likely need to cut down on the traveling and uncertain schedule that traditionally accompanies consulting. In general, if you speak about family – two things work in your favor – no one can make a good argument that work is more important than family, and your manager may have a spouse/family at home and may be able to relate to your situation on a personal level.

After this meeting, you will understand if indeed “the odds are in your favor.” You will either leave with a good understanding of how your manager will react and how receptive they will be to your decision, or you will be able to tell that they believe your only option is to continue to work for them.

If they believe the latter, you have an issue.  You will have to keep your job search hidden and make sure that it does not get out that you are considering employment at one of your current customers.   On the other hand, if your manager is supportive, they may even help broker the relationship between you and your customer, in the hopes of gaining more consulting business and having an inside ally at the client, that could potentially help steer work to your former employer.

Best advice here is to try to get the best read possible before you decide to “throw your career on the craps table.” You may figure out that when you are straightforward about your intentions, it is not necessary to gamble.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday

Career Opportunity: “‘Cloudy’ About an Opportunity”

December 8, 2009

Dear Mike and Lee:

I’m an ISO for a mid-size firm, stable and happy in my current job.  I hired on a couple years ago having spent most of my time in IT and security management in a different industry vertical.  I’m paid fairly for my skills/responsibilities.

Someone in my security network is recruiting me to join their new “cloud venture”, a new subsidiary of an established local growth IT firm for SMBs now branching out with new government contracts. I’m NOT looking but this could be a neat opportunity for career growth and bigger $$$ … but definitely a lot less stable, should things not go well. With a young family to consider … would you make the leap? What factors would push you one way or the other? Cloud computing seems to rule the discussions of the day and virtual security challenges are compelling problems to solve. I’m just wondering if this is the right whirlpool to jump into right now? If I don’t, will I likely regret it?


“The Weatherman”

Dear “Weatherman”:

The best things that you stated in your questions are that you are currently happy in your role and your position is stable. In addition, you believe that you are fairly compensated.  Collectively, these elements provide an excellent foundation for evaluating additional opportunities, no matter what their form.

Here are some things that we would like to point out from the details that you provided, and the questions you should ask yourself:

1) Someone in my network is recruiting me: Who is this person in your network and how well do you know them? What is their vested interest in the situation? Why do they believe that the opportunity is beneficial to you (and your career), as opposed to why you are good for the “new company”? Are they qualified to have a meaningful opinion about the matter?

2) A new subsidiary of an established local IT firm for SMBs now branching out with government contracts: How is the firm treating this subsidiary – as a separate entity or as a new business unit? Is the established business able to support the new business if things do not go smoothly? If so, for how long? What does the firm know about doing business with the government? Has anyone on the executive team done business with the government? Why do they believe that they will be successful? Are you convinced?

3) I have a young family to consider and this would be a neat opportunity for career growth (We’ll get to the money later): What does your spouse think of the opportunity?  Will you be required to work longer hours?  Travel more?  At this point in my life, can I afford a “neat opportunity?”

4) Bigger and better $$$:   What does bigger and better mean?  Will the $$$ change your life?  In what way?  How much more would you be able to save?  Are there any hidden costs (insurance, vacation, benefits)?

5) Focus on Cloud Computing:  Can you attain experience with cloud computing working in your current role?  What skills will you be able to develop in Cloud Computing?  Will these skills make a measurable impact in your career?  Are these new skills currently marketable inside your geography (location)?  Can you acquire this skill in a less risky way? 

6) General Questions:  Is this part of your career plan?  Do you have a career plan?  What is the greatest reason for accepting this role? For joining the company?  If the opportunity does not work out, how quickly could you find a role similar to the position you hold now (your ISO role)? 

As you can tell from the questions, there are many things to think about. When looking at the questions, think about the ones that are most important to you. Keep in mind that not all of the questions can be answered with a complete degree of certainty. When choosing a new opportunity, there is always going to be risk. It is part of the excitement. However, as information security professionals, we make our living managing risk and measuring the consequences.

Like all risk-based decisions – the level of reward has to equal or exceed the level of risk.

We are not going to tell you to accept the position or not (especially without all of the details).  This is your choice and a conclusion that you will need to personally determine.   

If you want to speak more in detail, please send an e-mail to us – and we can set up some time to speak.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday

Career Advice Tuesday – Recovering from a Slump

December 1, 2009

Dear Lee & Mike

I recently started a new job in a Security Operations Center and I’ve had a run of bad luck. Immediately after I started, I had a death in the family that kept me out of work. Because of that I missed a few of my first days (including orientation and training), and I’ve been feeling disoriented and confused for most of my first three months. And, on top of that, all the stress ended up with me getting sick.

I’m worried that I’ve dug myself a pretty deep hole with my colleagues and my management. I’m afraid that I’m not going to manage to be successful and I was wondering if you guys had any advice on getting out of this situation unscathed.

And if I do get fired, what do I put on my resume? How do I explain it in the interviews I’m going to be going on?

If It Wasn’t for Bad Luck, I’d have No Luck at All

Dear Bad Luck,

Sometimes we all go through a slump. And, often, a slump is through no fault of our own – we get sick, people die, and things happen. Life sometimes takes you away from focus and work just takes a back-seat. As a manager, Mike’s actually had a couple of employees go through this at different times – one of his team members a couple of years ago missed two full months of work, and getting back into the swing for that guy was extremely hard.

But it can be done.

The key to staying employed is what we talk about during our Career Incident Response series: a good employer judges on how much value you create. Regardless of the circumstances, it’s your job to figure out what value is for your employer and to create as much of it as possible. In the training classes, they would have spelled out what value is – you just have to figure it out for yourself now.

That’s how you get out of the quagmire that you’re in – you need to find a way to create value. The trick is that value isn’t what you think it is… it’s what your employer thinks it is. Some employers value attendance at meetings. Some value being in the building early. Some value that you spend your time doing a bunch of technical work. And some value that you send a lot of email.

Figure out what it is that your employer values and then provide that in spades and you’ll be back to an even keel in no time.

As for your other questions, let’s suppose that you do get fired. You have to put it on your resume, because you will be asked in interviews about what you have been doing during the time between your last job and your next interview. Since lying to a potential employer is bad, you’ll have to tell them about the job, which will make it look extra suspicious that you didn’t have it on the resume.

And, when asked, just tell the truth: that you had a run of bad luck and got behind, and that you’re not usually like that.

And, if it comes to that, let us know… we’re here to help.

Lee & Mike

Posted by lee | Filed Under Career Advice Tuesday