June 29, 2010
June 22, 2010
A few months ago I accepted an IT Security job with an organization I will refer to as company X. In my interview process I was asked a number of very technical questions, as well as questions regarding my experience with policy. The position is a brand new position, the organization having never had a dedicated security person. Traditionally the network group has managed these tasks and has implemented a number of effective technical security controls, with serious gaps on the policy, process maturity, security testing and risk management side of the house. I accepted the position after reviewing the position description, as it was a more purely security-focused role than my previous job and it appeared from the description that I would be engaged in a security operations role.
Unknown to me, this position was originally slated to report to the network manager and was reworked to report to another group within IT that is more focused on administrative tasks. Having started the new position several months ago, I have still not been granted access to the resources I need to do my job as laid out in my position description and it appears that the network group would like me to be a policy drone. The network manager is very overprotective, and since I do not report to him, he sees me as a threat to his network dominance.
I have been unable to garner management support to push the issue, as his superiors find themselves in a position where he is the sole source of much of the knowledge about the environment and are afraid that if they upset him he will leave. He has threatened to do so in the past and they have caved in to his every demand. Even for his own staff, the vetting period before he trusts them enough for access seems to be in the neighborhood of 3 to 5 years. One network admin I spoke to had been there for 5 years and did not have the passwords for the switches, access points or routers. The network manager would change a password temporarily, grant access to the admin, and then change it back when the work was done. To make things worse, his level of understanding of technology is very outdated, and his lack of faith in the technical staff and his extreme reliance on contractors and VAR guidance has led to some questionable purchases. I see great potential in this position for a number of reasons, but this is a major roadblock for me.
If you could help me out I’d be most appreciative.
Dear “Access Denied”
It appears to us that you find yourself in a position where the job you felt you were originally signing up for is not the one that you encountered when you began working. Unfortunately, you are not alone – many information security professionals fall victim to this for a variety of reasons – some within their control and some outside of it.
The first thing that we can give you credit for is assessing the situation and understanding the lay of the land. It appears that you have identified your major issue, the person who holds the key to your job satisfaction, and the obstacles that you may need to overcome in order to recognize the full value in your current opportunity.
Here is some advice on how to handle them:
1) Your issue – You are having a hard time getting the support and resources that you need to do your job – and your employer wants to limit your influence.
The best advice we can give on this is to focus on the tasks that you are given and do an outstanding job. In doing this, you will demonstrate to everyone your level of competence and the quality of your work. You will begin building your internal brand as someone who is a “credible resource”, and people will respect your thoughts and decisions – especially upper management. By building this credibility, you should find yourself in a position where the “controlling” network manager may be forced to grant you some access and listen to your opinions.
2) The Person – The overprotective network manager
Like it or not, you are going to have to adapt your style to work with this person – if you have any desire to remain at the company. We all have to deal with difficult people in our jobs; our success and satisfaction is often determined by the way that we handle these relationships and figure out ways to have them work to our advantage. It becomes a simple case of, “if you can’t beat ‘em, join ‘em.”
Our advice would be to go out of your way to be helpful to the “network manager”, and perform this work on his terms. Regardless of your opinion, you should defer to his and demonstrate both loyalty and value. At some point, you will gain his confidence and build some level of trust. At that time, he may begin to be receptive to your ideas and grant you access, since he will believe that your intentions are pure.
This is going to take time and a concentrated effort. You will have frustrations and you may have to bite your tongue, but only you will be able to determine if the value of the opportunity is worth the work. You may begin attempting this, and get frustrated. If you do and decide that this is more trouble than it is worth, you should begin to look for another position. But you owe it to yourself and your career to give this your best shot.
One thing that I think you need to accept is that you are not going to change anyone who is set in their ways and their personality. You may be able to change some of their behaviors – but that will only happen if they see a personal benefit to their own job and success.
It would be good to look at your situation as an opportunity for personal growth, to see if you can change the culture of the organization and build a relationship of mutual respect between yourself and the network manager.
Good luck – hopefully you will get the result and the access that you desire to make your role a success.
Mike and Lee
June 15, 2010
This one didn’t come in via email but through a conversation I was having with someone I was coaching through some career questions….
“I want to be a penetration tester, but I’m not sure what I should specialize in within the field. I mean, should I be a network penetration tester, a web app penetration tester? Perhaps focus on physical penetration testing and social engineering?
How do I decide what to focus on? How do I know what I want to be when I grow up?”
My answer was exactly the opposite of what Anton said in a post a few months ago:
“Don’t specialize. At least, not yet.”
I find far too many people in this industry try to specialize in something very narrow early in their careers. Here’s the thing: for the first few years of your career, you’re still attempting to learn about the field you’re in and how your personal aptitudes, skills and desires fit within that career. The person I was giving advice to has been around long enough to figure out that he likes breaking into things, but he’s still figuring out what he wants to do with that. And people around him are already pushing him toward a specialty within an already narrow part of this industry.
Here’s the trick (and Anton did call this out): penetration testing is a relatively specialized part of the security industry. And, at least for the first few years, I (as someone who runs a company that does penetration tests and a site that trains penetration testers) want to see someone gather a whole lot of skills.
One of my biggest frustrations in hiring testers is finding that they’re only useful on a very small number of engagements. For example, the tester who is amazing at running network and system penetration tests but couldn’t find a cross-site scripting hole in a web server to save her life. Or the tester who knows web apps backwards and forwards but can’t explain how TCP/IP works.
In my experience, it’s almost always easier to gather a significant amount of general knowledge and then specialize than it is to acquire a deep specialty in an area and attempt to generalize afterwards. So, my advice to my friend was this:
While you’re still early in your career, spend at least a year or two gathering experience in many different areas of the field. At some point, as you gather that experience, you may find yourself gravitating to a specialty – but you can’t possibly know what that specialty will be until you’ve gained enough experience in all of the facets of penetration testing to get past the awkwardness of the initial learning within each of them.
Of course, if you’re not a penetration tester, that advice doesn’t apply to you. ;-)
Posted by mmurray | Filed Under Career Advice Tuesday | Comments Off
June 8, 2010
Dear Infosec Leaders:
In the time I’ve been with my company, I can absolutely state that I am very comfortable interacting with my boss. The only challenge I and several others in my department have had with him is his ability to do what he says he will do. This behavior has unfortunately spread to other areas that rely on his support and leadership, and they have also started to complain about his lack of leadership, support and strategic engagement.
On several occasions I have tried emphasizing to him (note that I have stressed this in the collective vs. pointing him out as the sole problem) that people are not happy with our department as a service provider to the company due to a lack of execution. He also received his leadership survey results a few months ago which made him feel very bad but he saw it through and tried to make some changes…the changes lasted for a few weeks then started to dwindle again.
Recently I felt trapped as I started to get a lot of heat from the rest of the business, and decided to finally go to my boss’s boss (my second level manager) and ask him for advice, hoping he would also provide some advice and guidance to my boss to finally rectify these issues. My intentions were purely supportive and not vindictive in any way.
At this stage my second level manager has decided to be straight with my boss and tell him that his own department has expressed concerns about his lack of execution (which makes me nervous, but I understand he needs the feedback directly), which mirrors other complaints he (my boss’s boss) has received from the rest of the company. I know this is the right thing to do, but wonder if it was the best thing to do…it had to be done, otherwise my boss (who I think highly of as a person) would eventually fail, which none of us want for him.
Did I do the right thing by eventually going to my second-level manager?
Look forward to any thoughts you may have for me.
“Over His Head”
Dear “Over His Head”:
We appreciate your question, but it can be interpreted to mean two different things, so allow us to address them in this manner – and rephrase the question.
1) As it relates to the effectiveness of our information security function, did I do the right thing by going over my boss’s head?
If this is the reason for your actions, then we would be inclined to confirm your actions and assert that you did do the right thing. It appears, from listening to your situation, that your direct manager is a nice guy, but he is an ineffective leader and is in the process of losing his team. Going to your “second level manager” to make them aware of the situation probably will have a positive impact on the security of your company’s information, and may provide your direct manager with the chance of saving their job. However, from what you have explained, it appears to be recognized throughout the company that he is not capable of leading the information security organization, so it is my feeling that his days may be numbered, independent of your actions.
2) Did I do the right thing by my manager, by going over his head, and speaking with my second level manager?
The answer to this question is clear, NO! I do believe that circumventing your boss and going over his head will have consequences for both you and your boss in the context of your current organization. As it relates to your boss, your circumvention of the “chain of command” reveals his inability to lead your organization and communicate with his team. I think that if I were your manager, I would be looking for another position.
In addition, I believe that your manager will have a difficult time in trusting you in the future. If he remains with the company in his current capacity he is most likely going to be very cautious about what he exposes you to and he may likely be very careful about the opportunities for professional development that he makes available to you. I also believe that there could be some backlash from both your team members (who may not have endorsed your actions) and potentially from your second level manager, who may question your ability to address a problem and arrive at a solution without going outside the chain of command.
Now if your concerns were on target and undeniable, then you may not have an issue, however if it is determined that they could have been resolved in the course of standard business practices, your second level manager may question both your judgement and intentions for handling the problem the way that you elected to. He may even think that he better watch himself in his actions, or you may go to your third level manager (his boss) to criticize his ability to perform his role.
I believe that in the course of our daily work we are faced with certain decisions that will impact both our personal and professional relationships. Without question, you should be lauded for the sense of responsibility that you have to protecting your company’s information; however, you should also think really hard about whether you did everything in your power to settle the issue the correct way, as opposed to the path that you ultimately decided to pursue.
If you are comfortable with both your decisions and your motivations, then you have your answer to your question.
In closing, independent of which question you intended to ask, I believe that ultimately, in this situation, one of two things has to happen – either your manager leaves the company, or, if they remain, you begin to look for another position working for an information security leader that you can believe in and respect. I do not believe that your working relationship will be the same, and I believe it will be difficult for either of you to maximize your effectiveness in your current roles.
Hope this helps,
Mike and Lee
June 1, 2010
I am in the process of changing positions and I have been simultaneously involved in multiple interview processes. The three opportunities are quite different – two are quite similar, while the third one would be a bit of a stretch for my current skills.
Here is where I need your help – the interview processes are at different stages and I am trying to manage them to the best of my ability, without turning any of them off. One of the companies informed me that they are going to make me an offer next week; with one of the other companies (the similar one) the interview process will take 2 additional weeks, as I still have to meet with others; and the third opportunity (the stretch) may take 6 weeks to finish.
Can you give me any advice on how I should handle this?
“Info Sec Pro In Demand”
Dear “In Demand”:
While it is nice to be “In Demand”, I think that you have to take a good look at your situation and figure out how “In Demand” you truly are. Let me explain.
The way that I interpret your situation is that you have one solid opportunity that is going to make you an offer, one that is still vetting your talents, and another that is most likely not to come to fruition. Keep in mind, just as you are looking at other opportunities, the employers are looking at other information security professionals who most likely have similar skills and credentials. Granted, they may all materialize, but right now you only have one firm commitment – and that should be your focus.
The first thing that I would do would be to evaluate the offer that you have coming this week. I would ask myself the following questions: is the opportunity better than your current position, will the opportunity enhance your career, is the compensation fair, and is the company a place where you would like to work? If the answer to all of those questions is “Yes”, then I believe that you should express your interest in earnest, and get the offer in your possession.
When you are speaking with the company, you should feel comfortable enough to let them know that you are actively interviewing; this may or may not have an effect on the aggressiveness of the financial terms of the offer. If you do let them know that you are looking, you should be prepared for the following questions:
1) Is there a certain amount where you will discontinue all other interview processes? If you do get asked this question – you should be prepared to have a reasonable number to share with the employer.
2) When are you planning to make a decision? This is a key question. How you answer it may either result in the company delaying their offer to you (and continue interviewing other candidates) or they may send you the offer and provide you with additional time to make your decision. You should be prepared for either result – but understand that there may be consequences if you delay – (remember this is the only company that has expressed that they would like to make you a commitment).
As it relates to your other suitors, I think that it is up to you to inform the other parties about your new accelerated timetable for decision making and ask them to make adjustments to their interview processes. If they are willing to do so, chances are they believe that you are a leading candidate and they do not want to lose the chance of employing you. However, if they drag their feet – and do not make an attempt to expedite their process – their inactivity is telling you something about either their perception of your skills or how they view the urgency of recruiting talent.
Please keep in mind – you should separate lack of desire from lack of possibility (i.e. decision makers on vacation). Sometimes, no matter the intent, accelerating a recruitment process is just not possible due to external factors.
You can also take this opportunity to let these other suitors know the details of your offer from the original company. For example, if your current offer (from the first suitor) is greater than what the others have allocated for their positions, they may tell you that they cannot match the terms and encourage you to accept the other one.
In closing, I would advise you to prioritize the opportunities. It appears that two of the offers are similar, so I would try to see if I could rank them. If they turn out to be basically even, I would go with the one that has made you a commitment, and thank the other one for their time and interest.
Also, while it would always be advantageous to have the details of as many offers as possible, sometimes it is just not practical. I would never advise anyone to jeopardize a solid opportunity for one that may not materialize.
Remember the old adage: “A bird in the hand is worth two in the bush.” This applies to information security careers as well.
Hope this helps,
Lee and Mike