Career Advice Tuesday – Graduation Day

April 26, 2010

Mike & Lee,

I have recently completed my Master in Computer Security from [a prestigious university]. My question is why there are few opportunities for security graduates. In my five month search I have found two Information Security jobs, both of which have been taken by someone with experience in Information Security. Now I need your help in finding a job for myself.

What should I do in these circumstances where finding a job is really difficult and how should I get experience if no one is giving it to me?

Secondly, could you please give an idea of the companies where the graduate vacancies are available?

I hope you will reply quickly.

Recent Graduate

Dear RG,

This may come out as a bit harsh – we assure you, it’s not meant to be. You’ve graduated from a prestigious MSc program. And, in five months, you’ve found only two posted jobs in security? Really?

Here’s the problem with that. In 10 minutes on, I was able to find 5-10 jobs within 50 miles of your location that you might be qualified for.

That said, I can understand the difficulty that recent graduates face: it’s often hard to get experience when you don’t have any, especially in information security. It’s why a large number of infosec pros start out in a different part of the technology industry — most of the best have spent at least some time as a programmer, QA analyst/tester, system/network administrator or DBA. That kind of experience also gives you an extremely solid background in other parts of the IT industry and a deep understanding of the issues that end up causing security problems in the long run.

Another key thing that you can do is internships. Find the local security group in your area and go to it. (ISSA is always a good one, but there are others – if you need pointers, email me or ask on Twitter). When you get to the meeting, mention that you’re a recent graduate and are looking to spend a couple of months as an intern.

Most security companies (especially small, under-resourced ones) are always looking for qualified help. And if you come at the right price (because you’re getting good experience), you’ll be amazed at how many people will take you on. I (Mike) have hired a number of interns over the years, some of whom have gone on to become full-time staff for me, and most others who have gone on to other awesome infosec jobs.

In short, since you’ve graduated, it’s time to take on the responsibility for your own job hunt. Get out there and offer your services or take another IT job that allows you to use your skills while you build a network in infosec.

If you need more assistance, please feel free to ask.

Mike & Lee

Posted by mmurray | Filed Under Career Advice Tuesday | Comments Off 

Career Advice Tuesday – “Should I Sign This”

April 20, 2010

Dear Infosecleaders:

Really need your advice on the situation that I find myself in.  Here is the background: 

About a month ago, I applied for a position via the Internet with a company that provides information security services to the government.  I had a phone interview with the HR person, and never heard back.  Just last week, I received a note, from another HR/internal recruiter from another company, stating that they received my resume and would like to offer me a position.   I have never heard of the company but the e-mail stated that they received my information from the previous company (that I submitted my resume to).   To my surprise, attached  to the e-mail was an offer letter that included a salary figure.  

Here is the catch.  The offer letter did not have a start date.  The offer letter said that my employment was contingent on my completion of the interview process, and the company being selected for an information security engagement.  

I do not know what I should do.  I am currently in between positions so I do not want to close off an opportunity – but something here just does not seem right.  I do not know the company, have not interviewed, not sure of the responsibilities attached to the job, and not sure I would agree to that salary.   Do you have any advice for me?


“John Hancock”

Dear Mr. Hancock:

First let me explain to you the situation that you most likely find yourself in. 

When you applied for the position, you most likely applied to a government contractor who was posting an information security position in anticipation of winning a contract.  What transpired in the next month, is that they found out that they did not win the contract, but another firm (the one issuing your letter) finds themselves in a better position to win the contract.   It appears that in this time, the first firm felt entitled to submit your resume to the other firm  – with the intent of gaining a “commission” or “finders fee” for your introduction.   In the interim, your skills match the generic  job description, and this new firm would like to include your resume with their proposal to perform the work.  

 (They must believe that by including your resume in the bid- they have a better chance of being selected to win the contract)   

By providing you with a contract, they are asking you to make a “commitment” to them and consent to be included in the bid.  By including a salary amount, they are also guaranteeing your internal rate, so that they can determine how much money they would be able to make off of your work product.   It appears that the firm that offered you a contract would like for you to commit to them, however they are making no commitment whatsoever to you.

Here is my advice,  “Be afraid, be very afraid!”

Here are my reasons:

1) The people are treating both you adn your resume like it is a commodity.  This first firm sees you as a “piece of paper” and a money making vehicle, as opposed to a person, who has their own motivations.  The idea that they did not even extend you the courtesy of a simple phone conversation, asking for your consent to forward your resume to the other firm, gives me cause for concern.  I mean, how long does it take to make a phone call?

2) They are asking you to agree to a salary number without you understanding the position in detail.  For example, salary should be determined by skills utilized, the demands of the position, and other factors.   Considering that you do not know what you are agreeing to and do not fully understand the responsibilities of the job, I would not sign anything.  

3)  I would not sign anything unless I fully understood my obligations.  For example, if you sign this letter, and then you decide to take another position, it is possible that this firm can sue you for breach of contract (disclosure – I am not an attorney).  With the business practices that they have demonstrated thus far, I would not put anything past them – and I would have a very low expectation for ethical business practices. 

In closing, the best advice I can give to you is to call the people on the offer letter and ask them about the mechanics of how this transpired.  Ask if you can interview for the position, without the signed offer letter.  If they consent to this, go on the interview with an open mind, and try to determine what you believe would be a fair salary for the work.  If they reject this, and make a fuss, simply thank them for their time and wish them well.

I am sure that if you received an offer this easy, another one will be around the corner waiting for you!

Hope this helps,

Lee and Mike

**One important caveat – I am assuming that the amount of salary included in the contract is less than 1 million dollars per year.  If the amount is greater than 1 million - ignore everything that I said and take your chances** 

Posted by lee | Filed Under Advice, Career Advice Tuesday | 1 Comment 

Career Advice Tuesday – “Converting CERTS Into $$”

April 13, 2010

Dear Infosecleaders:

I am a CISSP with programming experience, static code analysis and web penetration testing.   I am thinking about taking the CSSLP or GIAC Certification – I was thinking that having these certs will enable me to attain more work and increase my hourly rates, like to know what you guys think.


“CERTainly Want To Improve”

Dear “CERTainly”:

It is quite possible that acquiring either certification (the CSSLP or the GIAC Secure Software) could enhance both your rate and your credibility as a specialized software security consultant. Many companies that are looking for these skills view the certification as an indication of proficiency, and in these cases the certification will provide them the required “signal” to authorize your engagement or your rate.

However, companies that are hiring full time staff traditionally apply a greater level of scrutiny during their interview process, and place less emphasis on these certifications, either when selecting the candidate or determining compensation.   I do agree that either of these certification will help “get your foot in the door” , with perspective clients/customers and should significantly enhance you the chance to be seriously considered for contracting work, or full time employment

As you go through your selection process (on which certifcation to pursue),  you have to keep the  the big picture of your career in mind.     I think that you should place a good deal of emphasis on the certification that helps you acquire skills that you believe would be useful in furthering your career, and developing your personal brand as both a software security consultant and an information security professional.  

There is no question that either of these certifications can help you accomplish the goal of being branded as a software security professional, but this may only serve as a component of your long term career goals.  For example, you may  want to select the certification that you may be able to more effectively leverage in attaining broader credibility (for example if you want to become a GIAC Expert, you may want to select the GIAC Cert, if you want to become a CISSP, you may want to select the CSSLP)

Like any information security career investment, you should try to determine your desired result and the desired sacrifice (money and time) that you need to complete it.   In your case, you should make sure that you keep your initial goals in site, more consistent work and a higher rates, as this may provide you with the quick return on investment that you are searching for.

In the end, I do not think that either selection is a bad choice, but depending on your personal circumstances and career goals, one may have more benefits than the other.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Uncategorized | Comments Off 

Career Advice Tuesday – “On the Verge of a Breakdown”

April 6, 2010

Dear Infosecleaders:

I’ve had my current job for about 6 months and really enjoy it. It is more of what I want my career path to be than previous jobs I’ve had. I have decent compensation, as in I’m able to pay my bills each month and save up a little at the end, but that’s it. I don’t even have a car yet, and my compensation doesn’t allow me as much freedom in that department as I’d like.

The problem I am running in to is that I am more and more having to work not just Monday through Friday, but Saturday and sometimes even Sunday as well. While I certainly appreciate that I have a job while many in the industry do not, and that management has stated that they are very pleased with me, I am also getting burned out and feeling that my compensation no longer reflects on the amount and quality of work I am putting in. It is getting to the point where I am having a hard time taking care of myself both socially and medically. In addition to all of this, I am trying to get a degree to supplement my knowledge and experience so that I can enter the career path that I want to enter. Because of this, both school and work are suffering, and of course my mental status as well.

How can I get myself out of this hole before something bad happens? I don’t want to leave this job because I do enjoy it, but it has been on my mind lately.

- The Security-Conscious Nail Biter

Dear Nail Biter:

I will tell you that when we read your note, your situation sounded pretty severe,   The way that we interpreted your note was that you had a position that you enjoy a great deal and is adequately paying the bills, but your manager seemed to be taking advantage of your willingness to work long hours, without the benefit of additional compensation.   These additional work hours and stress seem to be having a great effect on both your physical and mental health, and you were looking for a solution.

I am going to offer you two pieces of advice that I believe can apply to the situation that you described.

Communicate With Your Manager

I have a feeling from your note that you have not been able to have a discussion with your manager about how you have been feeling and the effect that it has been having on you.  My suggestion would be to do this sooner, rather than later, and explain to him how the changes in the job have been affecting your life and your health.  After you do this, you should see how he responds.  If he approaches the situation with a “take it or leave it” attitude, then I think you have to begin to search for another position.  However, if he is understanding about how you feel, he will most likely attempt to alleviate your pain and try to figure out a solution to your issues.

Determine Your Level of Sacrifice

One of the things that you (and all other information security professionals) have to figure out is how much you are willing to absorb for a “good position.”  I know that you speak about not earning extra money for your extra time, but that really is a secondary issue.  The main issue is how this position is effecting your health and personal well being.  The best advice that I can give you is that no position is that great and unique that it is worth jeopardizing your health.  It appears that you have developed some very good skills, you just may need to find another work environment where you can apply them.

In closing, I think that it is great that you have found a good position.  I hope that you will have the self confidence to approach your manager and figure out a solution that enables you to keep your position and maintain your health.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday | Comments Off 

Leadership and the Dancing Guy

April 1, 2010

A friend of mine sent this to me in an email – it’s a brilliant lesson about leadership and followership.  While we spend a lot of time thinking about becoming leaders, the best leaders are almost always the best followers as well.

It may be counter-intuitive, but I’ve watched too many people think that “leadership” is about telling everyone what to do.  More often, true leaders are the most effective “first followers” – they may not be the lone nut that comes up with an idea, but they’re the champion of that idea.

Posted by mmurray | Filed Under Skills | Comments Off