Career Advice Tuesday – “First Time Job Changer Seeks Advice”

January 26, 2010

Dear Infosecleaders:

I am hoping for some guidance on how to approach my first professional information security job change.   First, here is some background – I was recruited out of college to go work for the security consulting practice of a Big X firm.   I have spent the past three years working on many different clients and some pretty interesting projects.   In addition to developing some of my technical skills – assessments, forensics, network design – I have also developed some good skills in the area of project management (rudimentary), client presentations, written communication (we write a lot of reports) and verbal communications.

I will say that the Big X experience has been good for me, but I have determined that my long term career goal lies in working in an internal security program, actually doing secruity work, as opposed to selling it.

My concern about pursuing a corporate information security career is based on the fact that I fear that a corporate environment may limit my professional growth.  I want to make sure that if I move to a corporate info sec function that I do not get boxed in to performing one task, as opposed to the diversity of challenges that I have experienced in consulting.

Can you help me try to avoid making this mistake?


“First Time Job Changer”

Dear “First Timer”:

I believe that for many people the first job change is the most difficult and the one that causes information security professionals the greatest apprehension.   The main reason is that you are choosing to give up the safety and “security” of a position that you enjoy, for the unknown.

I guess that the best thing that I can tell you is that you should not worry if your new job does not work out.  Here are a few reasons why:  from what you described, you have developed a good skill foundation that will be valued by other companies (both consulting and corporate),  you represent good value (the Big X develops great talent but they pay relatively poorly at junior levels), and you have three years of experience with one respected employer (even if the next job only last 6 months, you would not be labeled a job hopper – it will be viewed as simply a mistake).  Hopefully, this will make you breathe a bit easier.

The best way to avoid being “pigeon holed” by your next employer is to make sure that you identify components of the employer that will lend to your professional development and skill diversification.   It will be your responsibility to figure this out in the interview process. 

Do not expect the interviewers to willfully divulge this information, you are going to have to make sure that you ask probing questions to get the answers to help you arrive at your conclusion. 

The first thing that I would find is an employer where information security is a key component of their business strategy.  Generally speaking, the more serious an employer takes security, the better it is for the information security professional.  This can be demonstrated by asking questions during your interview about current security initiatives, training budgets, and tools.

The next thing that I would look for would be a company that is either looking to formally develop an information security function or a company that is looking to upgrade their information security posture.   If you can find a company that is building something new, or trying to fix something that is broken – there will be opportunity for you to use more of your skills and take on more responsibility.  Conversely, if you find a company that has a well developed program, they will most likely be relying on you for one specific skill that you possess.  Generally, this is not a bad thing, but for the sake of your question I would avoid these companies.

The last thing that I would look for would be a company that has smart people that you can learn from and emulate.  I would ask your interviewers about their backgrounds, why they enjoy working at the company, and their attitude toward sharing information security knowledge.  You can also see if they are willing to share any stories during the interview about current (or past) information security employees career development.   If you can find an environment where you can learn from talented, experienced information security professionals who are willing to share their knowledge with you, it should accelerate your professional development (just like it did in the Big X firm).

After you formal interview is complete, you should do some digging on your own.  You should reach out to your network to see if you can attain a credible, unfiltered, and unbiased account of what it is like to work at the new company. 

In closing, the best advice that I can give you (and all first time job changers)  is do not be afraid to take a chance.  Many first time job changers look for guarantees (that do not exist) and often reject well suited career opportunities because they want everything spelled out to them during the interview process. 

Whenever you do arrive at your decision to switch positions, make the most of your new opportunity! 

Go with your gut.  Trust your instincts.  Don’t look back. 

Hope this helps and best of luck,

Mike and Lee

Posted by lee | Filed Under Uncategorized | Comments Off 

Career Advice Tuesday – “Aspiring CISO”

January 19, 2010

Dear Infosecleaders:

I have gone through your blog, its fascinating advice you have given to others queries.

Am seeking your opinion and help on getting where i really want to go…

My Aim: To be a CISO / CIO.
My Professional Background: Was into BCP / DRP kind of projects most of the time. Little exposure to Information Security.
Education: Commerce, MBA, CISA, now pursing CISM.
Strengths: Creative, Learning, Fascinated towards security loopholes, judgemental, and a good devils advocate.
Weaknesses: Not a tech pro, but can grasp and understand. No exposure to practical side of networks, applications, admin, etc.

With the given details, could you guide me and help me as to how I can achieve my goal. Without practical exposure to tech side, how feasible is to get such role, if not feasible, then what are the area of improvement and other workarounds if any… :)


The Aspirant

Dear “Aspiring CISO”:

Before we get into the meat of your question, I want to start out by saying that you have the ability to  accomplish any goal that you can set your mind to, if you are willing to put in the hard work in order to achieve it.

It is great that you aspire to be a CISO, if you have goals, they should be big ones.  In addition, I think that it is very important that you have identified your strengths and your weaknesses.   The main weakness that you state is the “lack of exposure to the practical side of technology,” which can be a huge obstacle.    There are some CISO positions that will deemphasize your degree of technical skill, but I would say that having some technical competency will be required to successfully interact with the Senior technical stakeholders and inspire confidence in your leadership from your technically focused direct reports.

The best thing about accurately defining your weakness is that you have the ability to do something about it.   This can be done either formally (through education/training) or informally (through reading, webinars, conferences, etc).   I would begin this process by identifying a few key areas that both interest you and that are considered important to the role of CISO.   Set a goal to learn as much as you can about these topics in first a six month period, then a year.   As you learn more about these topics, begin to volunteer your insight to security related projects in your current position, where you feel comfortable and confident that your opinion would have meaning and potential impact.  If you can do this, you will find that you will be developing some practical experience, outside your regular responsibilities.   Due to the background that you have (MBA, CISA, expected CISM) and your “fascination towards security loopholes,”  I believe that you will be convincing enough to create this opportunity for yourself.

If you are able to pull this off, you should be able to create some good momentum for yourself when you have the chance to interview for a CISO role.

When you do eventually begin to search for this type of opportunity I would provide the following guidance.  The first would be to find an organization that will emphasize your non technical strengths as more key component of their CISO position.  The second would be to make sure that you can effectively compete with anyone else who possesses similar skills.   The reasoning for this is that if you find an organization that relies on technology for their CISO role,  you will be quickly dismissed based upon your degree of technical experience.  In addition, when you are competing for your CISO role (and believe me there will be a great deal of competition), you want to make sure that you come out on top in any candidate comparison, when it comes to your less technical security skills ( policy, compliance, governance, risk, management, etc.) or the intangible skills that you would define as your strengths.    In closing, in addition to developing your weakness, make sure that you spend additional time enhancing your competencies.

Beauty is in the eye of the beholder, and there are many skills that comprise effective CISO’s.  You just need to find someone who thinks that your are beautiful – and the right person for their CISO role.

Keep following your dreams and pursuing your goal!

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Uncategorized | Comments Off 

Career Advice Tuesday – “Feeling Short-Changed”

January 12, 2010

Dear Mike and Lee:

I would like to let you both know about a situation that I just experienced, in the hope that you can propose some advice so that others do not suffer the same fate.

I am an experienced information security leader and am a direct report to the CSO of my current company, a large Financial Services firm.  Recently, I was approached by an internal recruiter of another company searching for a CISO.  I believed that it was a good opportunity, and my next logical career step so I decided to pursue.  Early in my conversations with the internal recruiter, the subject of compensation came up.  I shared with the recruiter my current compensation (all components – base salary, bonus, and equity) and they told me that my compensation was in line with their expectations.

I then proceeded to go through a series of seven different interviews and I met with many senior executives of the potential new company.    Due to scheduling, this process consumed about 10 weeks, and I utilized 4 vacation days to make the interviews happen.  After the final interview, I received a call to inform me that I had been selected and an offer would be formulated. I was very excited.

I received a call from the HR/internal recruiter the next day with the verbal offer.  To my dismay, the total compensation package was well below my current levels.  I asked if the offer was correct, and they said it was.  I informed the HR person that this was unacceptable and I was surprised considering the assurances that I was provided.   The HR person went back to “sweeten the pot”, but even then the second offer was substandard.

In the end, I declined the position and felt that my time had been wasted, and I left upset because I felt that I could have done something different.  Can you suggest some ways that I (and others) could avoid this situation in the future?


“Feeling Short Changed”

Dear “Short Changed”:

Compensation is always a sticky subject especially during the initial courting stage.  As in your case, discussing compensation early on, prior to undertaking a job search, is an important step in determining baselines and starting points.  I believe that you did the right thing by informing your suitor the value of your compensation.  I strongly believe ( and  as you later found out) there is not any reason to invest the time in an interview process if there is not a possibility of a mutually beneficial outcome.

As far as what you could have done differently, I think there are a couple of things.  First is that you could have attempted to get some advice earlier on in the process, from someone who was a bit removed from the process and had some real experience negotiating an employment contract.  This could have been helpful because it may have provided you some perspective and with an idea of how the “new company” would value your compensation.  Sometimes, the way that an individual values their bonus and their equity is different then an outsider would value it. (Salary is pretty black and white)

The other thing that you may have done differently is to discuss compensation at different points, as you got deeper involved in the interview process and interest began to grow.  Since you did not have an advocate working for you, you had to rely on the internal corporate recruiter to represent your interests – which is a contradiction becasue they work for the company (not you).  Realizing that compensation is a delicate item, and that you do not want to appear purely motivated by money, you need to be tactful in your approach.

One way to go about doing this is initially by sending a friendly e-mail to the human resources/internal recruiter in writing that begins to outline your expectations.   The initial e-mails can be general, and sometimes they can just serve as documentation of your original discussion.  The reason that you put things in e-mail is because they can be referenced and forwarded.  It makes everyone accountable.

As you go on in the process, and interest is increased you can become more specific, becoming a bit more assertive and specific in your approach.   Your e-mail can state that you are hopeful that the process will conclude positively for both parties and that you want to make sure that both parties are on the same page as you continue to move forward.  Again, this provides an additional data point, and begins to discuss not only your baselines, but what it would take for you to accept the position.  You may also decide to include the hiring manager on the e-mail if you feel comfortable.

Finally, as you near the end of the interview process and get to the last interviews, you should begin to have a better sense of comfort with the people you will be working with.  At that time, you can ask them questions about components of the compensation and the history of achieving these milestones (bonus, equity, other).  You can also close those discussions by stating that on a “number of occasions” you have shared with the internal recruiter/HR professional your compensation expectations.

At the end, what you have done is build a case for yourself during your interview process.  More importantly your case will have gotten stronger as the interview process has progressed.  If you communicate this clearly (and in writing) the internal recruiter will have some explaining to do for wasting the hiring manager and other executives time, if your candidacy can not be brought to closure.

In general, we often are afraid of discussing compensation, and we should not.  If compensation is a main criteria, you have to be assertive and tactful in discussing it.

Hopefully it will work out better next time.

Mike and Lee

P.S. Sorry about the lost vacation – however there are always some opportunity costs in pursuing your career goals.

Posted by lee | Filed Under Advice, Career Advice Tuesday | Comments Off 

Career Advice Tuesday – “Reflection”

January 5, 2010

Dear Mike and Lee:

I have spent the past two weeks reflecting on both my career as an information security professional and my life in general, and I am hoping for some advice.

I have spent the past six years of my career as an information security consultant, primarily perfoming penetration tests.  My first 2 years were performing network pen test, and my next 4 years have been performing Web-App pen tests.  I have traveled to some fun places, met some very smart people, and have had the chance to do a bunch of “cool work’ (we’ll leave it at that).

I am now close to 30.  My friends outside of the industry are beginning to settle down, have families, advance in their field, and have “normal lives”.   Granted, I would not trade my past experiences for theirs (I am the interesting one when we all get together), but I will admit that I am getting a bit envious.

The last two weeks I have given some thought about changing my career, and my life for that matter – but I am not sure where to begin and what I am truly qualified to do (beyond pen testing).   I do not want to earn less money and I do not want a boring job – can you give me some advice.


At a Crossroads

Dear Crossroads:

I am glad that your time of reflection provided you with a clear direction.

Congratulations,  you are on the right path!  You have identified your problem and are ready to make some adjustments to accomplish your short term goal.  I think that there are many people out there that believe that their career problems will just go away without any effort.  You have a journey ahead of you, but at least you know where you want to head – and that is the most important part of the battle.

I will be candid with you, the life of a security consultant/penetration tester is an exciting one, for the reasons that you outlined.  When you are young, and responsible to only yourself, it is a great way to see the world, get exposure, and meet all types of people.  However, the trade off for all of the frequent flier miles, the hotel reward points, and the atypical hours -  are the regular aspects of life ( that it appears that your friends enjoy).   The fact is that you most likely will never experience this type of “professional thrill” again in your career – will be something you should be willing to accept before your transition.

Once you have accepted this, you have to plan your transition. I think that it is important to understand that just because you have come to this personal revelation over the past 2 weeks – it does not mean that finding nirvana will be as quick of a journey.

A career transition usually takes some time – especially if you are looking for an opportunity that is a departure from your current role.  (For example – I am sure that you could find a pen testing/consulting  job in less than 30 days). You also may have to come to grips with the fact that you will have to accept a more junior role, take orders for someone less qualified then you, or take a reduction in pay – to achieve the lifestyle that you desire.  However, this is up to you.

One of my favorite quotes is that “Life is always a series of trade-offs.” You will have to figure out which ones are worth making.

You should think of the skills that you already possess and can apply to the position (and environment)  that you would ultimately like to be in.  Whatever those skills are, you should spend the time developing, refining, and enhancing them.   You should also be using this time to reach out to your professional network and past clients ( in environments that interest you) and see if they have opportunities that would align with your new career direction.

The best pieces of advice that I can give to you are as follows:

1) Remain Focused on your Goal  (This will be harder the longer it takes)

2) Do Not Settle For New Position Where You Will Be Miserable  (This will be easier the longer it takes)

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday | Comments Off