Career Advice Tuesday – “First Time Job Changer Seeks Advice”

January 26, 2010

Dear Infosecleaders:

I am hoping for some guidance on how to approach my first professional information security job change.   First, here is some background – I was recruited out of college to go work for the security consulting practice of a Big X firm.   I have spent the past three years working on many different clients and some pretty interesting projects.   In addition to developing some of my technical skills – assessments, forensics, network design – I have also developed some good skills in the area of project management (rudimentary), client presentations, written communication (we write a lot of reports) and verbal communications.

I will say that the Big X experience has been good for me, but I have determined that my long term career goal lies in working in an internal security program, actually doing secruity work, as opposed to selling it.

My concern about pursuing a corporate information security career is based on the fact that I fear that a corporate environment may limit my professional growth.  I want to make sure that if I move to a corporate info sec function that I do not get boxed in to performing one task, as opposed to the diversity of challenges that I have experienced in consulting.

Can you help me try to avoid making this mistake?


“First Time Job Changer”

Dear “First Timer”:

I believe that for many people the first job change is the most difficult and the one that causes information security professionals the greatest apprehension.   The main reason is that you are choosing to give up the safety and “security” of a position that you enjoy, for the unknown.

I guess that the best thing that I can tell you is that you should not worry if your new job does not work out.  Here are a few reasons why:  from what you described, you have developed a good skill foundation that will be valued by other companies (both consulting and corporate),  you represent good value (the Big X develops great talent but they pay relatively poorly at junior levels), and you have three years of experience with one respected employer (even if the next job only last 6 months, you would not be labeled a job hopper – it will be viewed as simply a mistake).  Hopefully, this will make you breathe a bit easier.

The best way to avoid being “pigeon holed” by your next employer is to make sure that you identify components of the employer that will lend to your professional development and skill diversification.   It will be your responsibility to figure this out in the interview process. 

Do not expect the interviewers to willfully divulge this information, you are going to have to make sure that you ask probing questions to get the answers to help you arrive at your conclusion. 

The first thing that I would find is an employer where information security is a key component of their business strategy.  Generally speaking, the more serious an employer takes security, the better it is for the information security professional.  This can be demonstrated by asking questions during your interview about current security initiatives, training budgets, and tools.

The next thing that I would look for would be a company that is either looking to formally develop an information security function or a company that is looking to upgrade their information security posture.   If you can find a company that is building something new, or trying to fix something that is broken – there will be opportunity for you to use more of your skills and take on more responsibility.  Conversely, if you find a company that has a well developed program, they will most likely be relying on you for one specific skill that you possess.  Generally, this is not a bad thing, but for the sake of your question I would avoid these companies.

The last thing that I would look for would be a company that has smart people that you can learn from and emulate.  I would ask your interviewers about their backgrounds, why they enjoy working at the company, and their attitude toward sharing information security knowledge.  You can also see if they are willing to share any stories during the interview about current (or past) information security employees career development.   If you can find an environment where you can learn from talented, experienced information security professionals who are willing to share their knowledge with you, it should accelerate your professional development (just like it did in the Big X firm).

After you formal interview is complete, you should do some digging on your own.  You should reach out to your network to see if you can attain a credible, unfiltered, and unbiased account of what it is like to work at the new company. 

In closing, the best advice that I can give you (and all first time job changers)  is do not be afraid to take a chance.  Many first time job changers look for guarantees (that do not exist) and often reject well suited career opportunities because they want everything spelled out to them during the interview process. 

Whenever you do arrive at your decision to switch positions, make the most of your new opportunity! 

Go with your gut.  Trust your instincts.  Don’t look back. 

Hope this helps and best of luck,

Mike and Lee

Posted by lee | Filed Under Uncategorized 


Comments are closed.