Career Advice Tuesday -”Unfavorable Reference Hindering My Job Search”

February 23, 2010

Dear Infosecleaders:

I am hoping for some advice on how to deal with a situation that has been hindering my current job search. 

From before, I had a ‘career incident’ in 2008.  Last week, I got shut out of an excellent Security Architect position because my former agency’s HR head is the only person in the agency who can give a reference for me – none of my former supervisors can, because of the terms of the settlement I signed.

In essence, her ‘neutral’ comments and the fact that the hiring manager was referred to HR when he called, amounted to a red flag, as he told me and the proverbial ‘kiss of death’.

If I’d known the import of signing-away my rights on this, I never would have settled and my attorney sure didn’t help me!

Since hiring managers can’t directly talk to any internal people except the head of HR, how can I get around this roadblock?  I’m going to ask HR for a copy of my personnel file so I can have access to all my stellar performance evaluations to present to hiring managers in lieu of direct contact with former supervisors.

It seems my former agency is being malicious because of the settlement and they want to ‘pay me back’.

Thanks for your thoughts!


“If you do not have nice things to say ……”

Dear “If you do not have nice things to say”:

Before I begin with your individual advice, I would like to make a point about “termination settlements”.  When people leave companies under adverse situations, it is traditional for employers to ask their former employees to sign a release in exchange for a sum of money and a quiet exit.  

To be clear, signing this document is to the long term benefit of the employer not the employee. 

When you sign this document what you are doing is forfeiting all of your future rights in exchange for a short term payout and benefits.  Granted when you are terminated, any monies or additional compensation may help in the short term, but generally speaking this is not a wise decision.  

To all those that face this decision, here are two pieces of advice:

1) Seek an attorney that specializes in employment law, so that they can help  you understand fully what you are consenting to.

2) Use this opportunity to attach your own contingencies to the agreement that you will be signing.  They may or may not do it.  But, you never know what your company will agree to, unless you ask them.

Now lets address your current situation:

The first thing that I would do is recognize that you had a problem with your past employer and realize that this can be an issue as you pursue future employment.  It appears to me that by asking the question, that you have done this and understand the issue at hand, whatever it may be.

There are two ways to handle this situation that I think can work out to your benefit.   The first suggestion that I would make would be to compile a list of references from other employers, peers, and customers that you have worked with in the past.   This list of references should include people with significant seniority (CIO, CISO), people who can speak to your character (an industry association, a charitable organization that you have been involved with, clergy) and if possible, in your case,  a human resources professional from another employer (since that is the source of your problem).   By compiling this list, and presenting it to your future employer, it should show a pattern of professionalism, ethics, and solid work performance.  By demonstrating this pattern, you may overpower any one potential ”negative reference” that can surface, and a future employer may treat it as an anomaly.   If three (3) is the standard number of references that most people ask for,  you may want to provide up to six (6) but not more.

The next piece of advice that I can give you is to be candid with your future employer toward the end of the interview process, and discuss the situation with them.   If you decide to do this, I would make sure that you accept accountability for your actions and demonstrate how you have grown since the “incident”.   You have learned that they are not going to hear the entire account when they call your past employer, so by proactively explaining this, you will have taken the mystery out of the situation.  Your future employer can now make a more informed decision about how to treat your candidacy.

I have found that as a rule, that employers are much more understanding when an employee proactively addresses  a potential “red flag” in their background or work history, as opposed to having it discovered through another channel.

Let me caution you by saying that these actions will be helpful but they may not be fool proof.  In today’s economic conditions, hiring managers are being extra careful about the risks that they are taking in hiring new employees,since bad judgment could lead to their own career incident!  In a competitive situation where you possess similar skills and experiences as other candidates, this situation may be a “deal killer”.

Hopefully,  your future employer will make their decision based on your entire body of work, not just one isolated incident.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday | Comments Off 

Career Advice Tuesday – “My Manager Won’t Let Me Go”

February 16, 2010

Dear Infosecleaders:

I’m currently working as a system administrator in huge networked environment. Good place, good team, fair compensation.   Although I have enjoyed my current position, I am getting burnt out on doing systems administration and operations work.    My passion lies in security and recently I received an invitation to join the information security team, that I accepted.

However my boss (operations head) wont’ let me go easily.   And he told me: “If you think this is the right move I won’t stand in your way”. 

I attempted to tell him that this is my passion and what I like to do.  However he keeps giving me new projects and new work thinking that I will get the idea out of my mind.  He is wrong.  The more work that he gives me, the more frustrated I become. 

I really would like need some advice in demonstrating to my current boss that a move into information security is both a good move for me and a good move for the company. 

How can I go about doing this is a way that will accomplish my goal and not hurt his pride?


“Career Captive”

Dear “Career Captive”:

I appreciate your sense of loyalty to your manager but I want you to understand that he has made it clear that he is more concerned with his own career than yours.  As soon as you become aware that he is not looking out for your personal best interests, I believer the more comfortable you will become in being more direct about your intentions to transition to information security.

The bottom line here is that information security is your passion.  You have been rewarded (by the company) for doing a good job in operations, by getting the opportunity to transition to information security.  It is clear that there is someone (positioned higher than your boss) that understands the value of good employees and the cost of losing them.   I think that it is time that you made your manager aware of this, in a more direct, and clear manner.

The first thing that I want you to do is to set up a meeting with your manager during non work business hours.  This can be in the early AM, lunch time (if you go to a place off campus), or after work – whatever your manager prefers.  Prior to this meeting, I want you to write a letter that explains your contributions to the company and your current team.  In that letter I want you to explain your career goals and your passion for information security.

When the meeting comes, you should begin the meeting by saying that you have been very disappointed by his recent demands and his attempts for holding you back.  (This will be difficult, but lets face it the first time you tried it did not sink in.)  You should explain to him that out of respect for him, you have delayed your transition, but out of respect for you, he should allow it to happen and support your efforts.   At this time, you can reference all of the recent successes that you have had working for him and the company in your operations role.  You can then explain to your manager that if the internal transfer opportunity did not come about, you were going to begin to look outside the company for an information security role.  The internal transfer enables you to stay with the company (a good thing for everyone) and pursue your career goals and passions (which is a good thing for everyone – but him).    At this time, he should realize this, and provide you his blessings.  If he does not, this is where you can hand him the hand written note.  A handwritten note is a powerful tool – it is more permanent than e-mail  Ask him to read it at night, and see if it changes his mind the next day.

At the end of this exercise, if this does not sink in, and he does not provide you with his blessing to transition, I would get the new manager involved.  I would explain to your new manager that he needs to step in to expedite your transition to the information security team.  I am pretty confident that this should end your time in “career purgatory”.

Also, as a side note, good for you to transition your career from systems administration/ops to security – you have built a great foundation of skills for an information security professional.  We have seen many talented information security professionals begin their careers this way!

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday | Comments Off 

Career Advice Tuesday – “Indentured Servitude By Tuition Reimbursement”

February 9, 2010

Dear InfoSec Leaders:

I am looking for some advice about funding an investment in my career.  Let me explain the situation.   I am a technical information security professional that has been striving to transition my career to become more of an Information Security business leader.  I have identified getting an MBA from a good school as part of that goal.  The cost of this investment is about $75,000 plus my time.  At this point, I am willing to commit the time, but the cost is a bit prohibitive.  One way that I have thought about supplementing the cost was to find an employer that is willing to provide tuition reimbursement as part of their benefit program, since my current employer does not.

Well, after months of searching I have found an employer that has such a program and a role that is suited to help me accomplish a near term career goal.  (That is the good part.)

Here lies the catch.  First, the position is a good one for my career now, but I do not see more than a 3 year life expectancy for me in the company or the role for various reasons.  The 3 years will enable me the time to begin and complete my MBA program.   However, the tuition reimbursement program will require me to reimburse my employer the amount of the tuition if I leave the company any time within 2 years of participation. 

If my plan plays out, and I remain for 3 years, I will owe my employer about $50,000.  If I do not want to reimburse my employer, I will have to remain for an additional 2 years - which may cause me to miss out on career opportunities that my MBA and my experience will have prepared me for.

Can you advise me on how I should proceed with my career and if I should accept this new role or not?


“Indentured Servant”

Dear “Indentured Servant”:

Let me first applaud you for clearly thinking about your career and attempting to plan your career in a logical fashion.   It is great that you have taken the time to look at your new employment situation from all angles – the pros and the cons – prior to making this decision.

Here are the questions that you should ask yourself:

1) If the new employer did not offer tuition reimbursement would I accept the position? 

By removing the added benefit from the equation you can look at the job without prejudice which will provide you a good foundation for your decision.

2) Is it possible that I will remain at the company for more than 3 years?

I find it very interesting that before you have even accepted your new position you have already predetermined your exit.  I am not sure that this is fair to you, your career,  or your employer.  If you do accept the position, one of your goals could be to create a career opportunity that will provide you with leadership opportunities that go beyond three years.   Even if the role lasts 4 years, you would have saved $25,000 more than you had originally planned.

3) Would I be willing to pay $50,000 for the MBA program that you have been accepted to?

In this day and age, $50,000 for an MBA from a well respected university seems to be a good deal.  However, I think that the item that you have to make peace with is the fact that  you may be on the hook for $50,000 if you decide to leave your company during that time.  One way you can look at this, will be how quickly will this added MBA credential enable you to recoup your investment (in terms of compensation).  You may want to get outside advice so that you have a realistic expectation.   You should get comfortable with the required time frame. 

Whatever you do, do not go into this thinking that your future employer will reimburse these monies – and if they do, it will most likely be under the same “indentured servant” contract conditions.

 Here are some other things to think about:

If you do leave the employer how quickly will they require you to pay the money back? 

If you have to pay it back immediately, you will need to plan to save a certain portion of your income. 

What are the tax implications of accepting tuition reimbursement?  

Seek professional advice from your accountant. 

How will your salary increases/bonuses  be affected by this benefit? 

For example, if they know you can not afford to leave, they may take advantage of the situation (there is no real way of knowing – so you need to come to peace with this).   

In general, my belief is that if you want to pursue your MBA (or any career investment) do so because you believe in its value.  If you can find someone to pay for it – even better.  

Tuition reimbursement programs can be an excellent benefit, provided that you do not allow them to turn into an albatross that hinders your career growth.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday | Comments Off 

Career Advice Tuesday – “Career Rebuild”

February 2, 2010

Dear Infosecleaders:

I have more than 15 years of experience in the IT Application Development area.   As part of my career, I was an  ’Applications Solution Architect’ as well. I am seeking to switch into IT Security area.   How do I go about and where do I start? I do not want to give up my existing experience, I want to  do some which will complement my App dev and Architect experience.

One person suggested getting a CISSP.  Another suggested that I begin wtih some  penetration testing, gravitate toward wireless security and then take the CISSP.

Can you please advise me on how I should go about rebuilding my career with a focus on information security.     I am unemployed now and I could really use some sound advice. 


“Career Re-Builder”

Dear “Re-Builder”:

When anyone who has 15 years of work experience thinks about making a career transition, the best advice is to attempt to leverage your past experience the best way possible.   You state that you have spent your first 15 years as an application developer and application architect – so figure out a way to use those skills – and apply them to information security.

There are many information security roles that focus on the broad topic of “application security” – I would try to figure out which of these roles would best utilize your past experiences.  After I understood where the needs were, I would do all that I could to learn about security concepts that are critical to succeed in these roles.   I would then aggressively pursue these roles and companies that are attempting to solve these problems. 

You may also consider to apply for pure application development roles that have an information security component.  These particular roles will allow you to hone and develop your information security skills so that in the future you may be able to attain a role that is 100% security centric. 

One thing that is great about security is that it touches all areas of technology.  The fact that you have deep experience in application development  (coupled with your new security knowledge) may place you at an advantage when competing against others that do not possess your depth of application development subject matter knowledge. 

As you get settled and back on your feet, you can always go after a CISSP or maybe a SANS certification to provide you with additional credentials if that is your desire.   However, before you spend money and time on any certification, make sure that it is geared toward a subject matter that you would like to learn more about and enhance your new career direction.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday | Comments Off