Career Advice Tuesday – “Know Thyself…”

March 30, 2010

Dear Mike & Lee,

My question is simple – How do you figure out exactly what you want?


Have you ever had a time when you knew you were hungry and you went to the kitchen and, despite having a well-stocked fridge and cupboards full of food, you couldn’t figure out what you wanted to eat?

Yeah, us too.

This is something that happens to everyone at some point in time… we all run into the “what do I want?” question from time to time.

Unfortunately, telling you how to fix this is often going to be much harder than just helping you fix it, because you generally can’t think your way out of the “what do I want?” problem. If you’re standing in the kitchen swinging the refrigerator door, asking yourself “what do I want?” over and over again, the best solution is often to walk out of the kitchen and take your mind off of the problem for a few minutes. Or prime your brain to do the right thing by reading a few recipes or articles on food and cooking.

The same process applies to your career. There are ways to prime yourself to make that next step and know a little bit more about yourself. (Mike actually wrote an entire 130-page e-book about that process.)

While we don’t have the time or space to detail all of those exercises here, let’s talk through one quickly (and feel free to ask us if you have questions about the process).

Exercise: Common Elements

Write the following two lists:

  • What are five things that I really love to do?
  • What are five things that I am really good at?

Now, take those lists and make another list of all the activities that are similar about the things on your list. What are the common themes? For example, if “speaking to an audience” and “writing blog entries” are on your list (as they are on ours), there are numerous commonalities:

  • You may enjoy putting out content to an audience.
  • You may enjoy expressing your opinions publicly.
  • And many, many more…

Once you have thought through all of the commonalities (and, again, if you’re having trouble, send us your questions), you should probably have a list of 10-20 items that are common among the things on your initial two lists.

Now… brainstorm all of the jobs that are in your field that would have many/most/all of those opportunities.

That’s but one exercise of a whole pile that you could do that would help you find what you’re looking for while you’re standing at the refrigerator. Hopefully, it helps spark some new ideas and new thoughts…

Lee & Mike

Posted by mmurray | Filed Under Career Advice Tuesday, Planning | Comments Off 

Career Advice Tuesday – “Is This A Good Career Plan?”

March 23, 2010

Dear Infosecleaders:

I just finished reading your article on career planning and I have decided to begin to formulate my career plan. I would really like to become a CISO one day. I currently have 10 years of information security experience working in government environments. I also just recently passed my CISSP exam and am in the final stages of completing my bachelor’s degree in Information Security.

I have taken the time to map out my short, mid, and long term career goals:

Short term – obtain CISM, finish bachelor’s, gain more IA knowledge
Mid term – obtain Master’s in InfoSec, get management role
Long term – obtain Doctorate in InfoSec, get CISO role – somewhere

Does that sound like a reasonable career path? In your experience, where should I tweak that plan to give myself a better chance of success?


“Is this a good plan, Stan”

Dear Stan:

First of all, let me congratulate you first on passing the CISSP, and next on beginning to think about your overall career plan and career goals. Let me point out a couple of items that may be of some guidance to you as you continue through your career planning exercise:

You seem to be placing a great deal of emphasis on formal education and certification as the main ingredients to achieving career success.

I applaud you for completing your bachelor’s in information security, and I believe that in today’s world a bachelor’s degree is a critical component of your career foundation, but the Master’s and Doctorate in Information Security may not be the best way to spend your career investment dollars to provide you with the best chance of fulfilling your long term career goal. Advanced degrees can be important, if you utilize them to build skills outside of your core competency. For example, instead of a Master’s in Information Security, you may want to think about pursuing a Master’s degree in a more general business discipline – like Management, Finance, Marketing, or something else that will enhance your current career and help you develop skills beyond information security.

What I would do would be to find a CISO that you respect, and ask them what educational knowledge is important in their current role. You could also ask them if there is certain knowledge they wish they possessed that would make their job easier. Either of these answers should point you in the right direction in determining your best choices for the focus of your advanced education.

Also, regarding your intended pursuit of a Doctorate, I am not quite sure how critical that would be in attaining a CISO role. A Ph.D. garners a great deal of respect in research, educational, and technical environments, but it also comes with different prejudices in business settings. I am not saying that this is a bad idea, but you also have to think about the effect that a Ph.D. would have on your personal brand and whether you would like to be associated with the message that it conveys to others.

The other item that I need to point out to you is that what you have created is not a career plan, it is a high level outline.

The outline that you have provided is a good start to a plan, but it is quite vague. Yes, your outline has goals, and has some investment milestones, but that is where it ends. To build a proper information security career plan, you really need to invest the time to dig into the details on the skills, commitment, and sacrifices necessary to attain your ultimate career goal. It is clear that you recognize that certification and education are important components of your career, but so do your competitors for the CISO role. Information security career planning is about figuring out the specific skills necessary to attain your long term career goal, and figuring out how to acquire them through experience, career investments, networking, and personal development.

My advice to you would be to block off an entire day to develop your career plan. I would tell you to utilize a personal day or a vacation day to do so – considering the importance of this exercise. Find a place where you can think clearly, without interruptions, and spend some time focusing on yourself, your skills, your interests, and your goals. If you can come away with a detailed framework for your career, you can spend the next couple of weeks figuring out the best way for you to achieve your desired success.

It is very easy to say “I want to be a CISO”; however, it is much more difficult to put in the work to become one.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Uncategorized | Comments Off 

Career Advice Tuesday – Following Up

March 16, 2010

Dear Lee & Mike,

I just came back from RSA with a pile of business cards an inch thick. I know that all of the networking books say that I’m supposed to follow up with everyone I meet. But really? Does anybody really sit down and email all of these people?

What are the ground-rules here?

Networking Newbie

Dear Newbie,

The short answer: “Yes, really”.

While it can be exhausting and overwhelming, following up on the meetings you have at a conference is one of the most important relationship-building steps. And your decision to follow up will set you apart from all of those out there who just go to conferences and let all of the valuable contacts that they make fall on the floor.

This doesn’t mean that the process of following up needs to be arduous. While that pile of business cards may seem daunting, it’s entirely possible to follow up with every one of your new contacts over the course of a couple of hours. You don’t need to write a novel to each of the people you met – a simple “hi, great meeting you” is perfectly effective.

Mike works with one of the masters of follow-up, his partner Dean Pace at MAD Security. Dean’s follow ups are the picture of efficiency and effectiveness – when he finishes a conference (like RSA), he sits down on the return flight and writes a quick note to each of the people he met at the conference. A sample of one of his notes is below:

Subject: Nice meeting you
Hi ….,
It was nice meeting you at the RSA show. It is always good to put a face with a name. Let’s keep in touch to see how we may be able to do some business together. Maybe you, Aaron and I could jump on a call one day soon to discuss a plan. Safe Travels!

That’s about as long as Dean goes. He usually personalizes the note to be about whatever he talked with the person about at the show, but it’s never more than a paragraph or two.

And it’s what sets Dean apart as a great networker. Because people remember the small touches and they come to trust Dean over the years.

The answer to the question is simple: sit down with each of your cards and write a quick email. Don’t pass up the opportunity to make really powerful connections with the people you have just met.

Mike & Lee

Posted by mmurray | Filed Under Uncategorized | Comments Off 

Career Advice Tuesday – “Help Me Convert”

March 9, 2010

Dear Infosecleaders:

This past year I began working for a company as a consultant. Although I was pursuing full time employment, the company at that time was not able to add full time headcount, so they offered me an hourly position. This was not my first choice; however, the money was really good and they guaranteed me a minimum amount of hours per month. All in all, I was comfortable with the arrangement, so I accepted the role.

Well, due to the need for the information security specific work that I was performing (security event management software implementation), my company was asking me to work 40+ hours a week. This has progressed for the past six months – and the money has been fantastic – almost twice the amount I was earning in my last job.

Last week, I was called into the office by my manager and she told me that they wanted to convert me to a full time employee. Although I will receive benefits, the pay will be about 60% of what I was earning as a consultant.

I believe that this is just too little and I feel that I am being taken advantage of and am inclined to reject their offer. Do you have any advice on how to handle this situation? Do you have any thoughts on what fair pay would be if I were to convert?


Resisting Conversion

Dear Unwilling Convert:

It is clear that there are two big concerns that you have regarding this matter: your pride and your wallet.

It appears to me that you have a big problem with the way that your employer (contracting firm) has been treating you. From what you have told me, they seem to do what is best for them, as opposed to what is best for you. Unfortunately, this is the nature of a contracting relationship and is typical business practice for firms that utilize information security professionals who consent to this type of business relationship. The fact of the matter is that they are not an employer in the true sense of the word; they hold the contract or contracts that you are working under.

I liken the relationship that you described to the one that a host shares with a parasite – let me explain:

In this relationship, you are the host, and they are the parasite. As long as you are working on their engagements, they are able to make money off of your work (feed off of you). Once you stop working and performing, they will either cease to exist (lose the contract) or find themselves another host (someone else with your skills). However, as you know, if the parasite kills the host, both parties will die, so they have incentive to retain your services and keep both you (and the customer) happy.

Since you have already determined the nature of the relationship, what you have to find is the necessary balance that you require to continue working and feel good about going to work. In the case of a contracting relationship, the more money you earn, the better that you will feel.

The way to do this would be to figure out a fair salary for you to convert to a full time employee, or to reduce your contract price to ensure that the relationship still works for your contracting firm (employer). The best guidance that I can give you is that contractors are usually compensated at a rate of anywhere between 1.33X and 1.66X of a full time equivalent. If we took the average, which is 1.5X, that could be the multiplier.

For example – if you are earning 200K as a contractor – a reasonable salary would be $133,333.00. If you are earning 100K as a contractor, the reasonable salary would be $66,667.00.

In your note, you stated that your compensation was over 2X the amount of your last full time salary. If that is the case, I can see why the amount that they are paying you is drawing some attention. You also stated that they offered you about 60% of your contract pay – which would make sense if you plugged the numbers into the equation.

I would try to use the parameters that are described above to determine a fair compensation package – either as an employee or as a contractor – whichever way works best for you.  You should try to be fair in these discussions, but now that you are a proven “commodity” you have some additional value and you should exploit this with your employer/contract firm, just as they have attempted to exploit your talents by offering you compensation at the lower end of the scale.

Let us know how this turns out.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday | Comments Off 

Career Advice Tuesday – “Making The Case For Conference Attendance”

March 2, 2010

Dear Infosecleaders:

I believe that attending information security conferences is an important part of my career development. I see a tremendous value in attending conferences both for myself and for my employer. My problem is that my employer does not believe that attending these events is a valuable use of my time, and he refuses to allocate any additional monies or time for my attendance. I have tried many times to state my case and demonstrate the value of these conferences, but these attempts have been quickly dismissed.

The RSA Conference is approaching and I would like to attend. It has been three years since I last attended (the year before I started my new position) and I would really like to go this year.

Do you have any advice on how I can get there?


“Do You Know The Way To RSA”

Dear “Do You Know The Way”:

I am not sure if this advice is going to be helpful for this year’s event, but maybe it can help you get permission to attend future events.

From the situation that you have presented there are a couple of things that are apparent to me: first, your boss is not a fan of conferences and he believes that they are not a good use of time; second, you have not done a very good job of articulating and explaining the return on investment in terms that he can endorse and appreciate.

I would first accept the fact that you are most likely not going to change your boss’ mind about the value of conferences (his opinion on conference attendance was probably formed long before he met you), but you may be able to pick and choose your battles and zero in on a select conference to make your case.

In order to do this, I think that you have to understand that there are two potential costs to your employer: the cost of conference attendance (the conference, travel, meals, etc.) and the cost of you not being available that week (your salary). The first thing that I would do is to determine exactly what this value is (in dollars). When you come up with that number, your job is to demonstrate to your boss how, by allowing you to attend, they will be able to recoup that investment. You are going to have to be creative in your approach, but I would focus on three areas: knowledge acquisition and transfer, cost/time savings, and retention.

Here are a few ideas on how to articulate this:

Knowledge – you should first demonstrate to your boss the specific knowledge that you are hoping to learn at the conference and illustrate to him how what you learn will enable you to address issues that your internal security team is facing. In addition, you can also outline how you will share this information with your other team members as a regular work activity. This can take the form of a “lunch and learn” session where you lead discussions with your information security co-workers. By sharing this information with others, you can make the argument that the cost should actually be divided by the number of all team members. Also, when you lead these sessions, you will be developing your business communication and presentation skills.

Cost Savings – you have to think of how your attendance will save your manager money and time. One of the things you can do is use the time to meet with vendors and to provide a report upon your return on any products that you may be evaluating for corporate use. This will need to be detailed so that your manager will be able to utilize the information to make better purchasing decisions. If you think about how much time it would take your boss to attend all of these meetings, it may be easy to justify.

Employee Retention – this may be your most valuable weapon; however, it can also be the most deadly. I think that you should tell your boss that you consider attending conferences part of your professional development and an element of job satisfaction. You can also inform your boss that your peers at other companies are allowed to attend one conference a year, and you are hoping for the same benefit. In bringing up your peers and the policies of their employers, you may want to be careful and tactful in your approach, because your boss may believe that this is an attempt at conference by extortion. However, if you do this in a respectful manner, your boss may look at this as a cost effective way to retain your service and keep you happy in your role.

Although there are many ways that could be helpful to you to gain approval, my best piece of advice would be to fund your conference attendance out of your own pocket and take the necessary vacation if you really want to attend. Since we can no longer count on our employers to fund our career development, we have to take the matter into our own hands. Ultimately you will benefit. It is also great to not have any strings attached to an aspect of your professional development.

In closing, it is quite possible that if you demonstrate to your boss that you are willing to fund this effort yourself and use your personal vacation time, your conviction will serve as an illustration of the importance of conference attendance. After they witness your resolve, maybe they will surprise you and reimburse you somewhat for your efforts.

Hope to see you at RSA in 2011!

Mike and Lee

Posted by lee | Filed Under Advice, Career Advice Tuesday | Comments Off