August 31, 2010
Mike & Lee,
I have been working as a Software Tester for the last five years and am a QA Manager in our company. I recently graduated with an Information Security degree and would like to enter the field. My problem, like many of my fellow graduates, is that we lack experience in the field. I have read from other security professionals via LinkedIn that the field is oversaturated; yet you read that the Government is in need of individuals in these fields.
I have a family, so it’s not practical for me to take an internship or a position that pays lower than I currently make. I know that employers look for certifications such as the CISSP and Security+ as requirements to even be interviewed. As you guys are aware, the CISSP requires having several years of experience before you can qualify to take it. The Security+ does not, and I am working on this now.
What can a new college grad in my similar situation do to enter the field? What career and skill set guidance can you give individuals like myself?
Newbie, Inexperienced, and Desperate.
This is definitely a tough one, as you’re in a bit of a bind – you don’t have any experience in the field, so you can’t get a well-paying job. Yet, you can’t take a low-paying job so as to build up the experience.
It’s a classic double-bind.
You already have the information security theory background with your degree, so added certification isn’t the key here. People aren’t going to look at you and say “oh, he has a 4-year degree, but he didn’t pass a 3-hour multiple-choice test, so he’s useless”. Your key here isn’t background knowledge or certification, it’s practical knowledge and daily application.
So, here’s the way out of the situation: you need to find a way to get security experience WITHIN your current job. Given your field, this shouldn’t be too hard to do: in your spare time, start looking into merging security and QA. Look into bringing more security process and security results to your current role, even if it’s just spare-time stuff. Spend more time with whoever is in charge of secure coding and development security within your organization – if there isn’t anybody, perhaps you can even become that person within your current organization.
Here’s the thing – don’t fall into the trap of thinking you have to go get more certifications. You can get skills and experience where you are with a little bit of extra work and effort, and that will likely be much more productive than studying for another test.
As Lee always says, “the best job you can get is the one you already have.”
Mike & Lee
August 24, 2010
Is it possible to get a job in computer security without a degree? I have a CCNA, certifications in ethical hacking, and I am a 2nd year BSc student.
I’m really interested in the security field, and I’m wondering what I should do as far as courses or if I even need to finish my degree before starting my career.
Student Ready for Next Challenge
This is one of the hardest questions for us to answer, even though the true answer is simple:
In the IT field in general, and security specifically, there have been a number of people who have been successful without a degree in security (or even without a degree at all). In the early days of the industry, there largely weren’t any degree or certification programs, so most people in the industry were without any formal education. The most common example is Bill Gates – one would be hard-pressed to say he’s not successful without a college education. I (Mike) am a good example as well – my formal education is in Philosophy, and that hasn’t stopped me from being successful within the security field.
These days, however, many jobs are requiring some sort of degree. Many entry level security jobs at larger companies are actually looking for a formal degree in some information security related discipline (or at least a degree in computer science).
Here’s the thing – if you’re going to be self-motivated, driven to succeed and willing to spend a large amount of time on your own personal branding and investing in other ways to ensure that you can demonstrate a commitment to the field and your own career, then I’d say that a degree isn’t necessary.
But realize that you’re going to be cutting yourself off from many job possibilities, especially early – you may have to work harder, taking internships and working on visible security projects to replace the signal that the degree provides to employers early in your career.
And, ultimately, the lack of a degree will limit your career path in other ways – most high-level executive jobs at big companies require a degree (even a higher-level degree like a Master’s or Ph.D.). And if your goal is to work in a different country, often a degree can be a requirement for proving your qualifications for immigration purposes.
In short, like everything in life, having a degree is a tradeoff. You’ll have options that you won’t have without one. But you’re going to be trading time for those options.
The question ultimately comes back to you – what do you really want, where do you want to end up, and what’s your career plan?
Mike & Lee
August 17, 2010
During our presentation at Black Hat – one of the session attendees asked this question:
Attendee: Many people who speak about career development talk about the concept of finding a mentor. In my experience, finding a mentor is not that easy. Can you tell us if you have a mentor? How did you find them? How has the relationship helped you?
Lee’s Response: As a note – at the conference I touched on this – but did not elaborate in full – my response below represents a complete answer – that I hope all find helpful. Please remember that this is what worked for me. The components of these relationships may serve as the foundation for the development of solid mentor/mentee relationships.
I think that mentorship is something that happens naturally. It is very difficult to force a mentor and “mentee” relationship. For me, I have been fortunate to have a few mentors throughout my professional career – one from my personal life, one was an employer, and a few have been my clients in business.
I will tell you that the one thing that all of these relationships had in common was that the mentor believed that they were going to be able to get some unique value in return, for the time and guidance that they shared with me. This is a fact that gets overlooked in most mentoring relationships. If you are on the hunt for a mentor, it would be best to recognize a relationship where you can provide some value in return to the mentor. By developing this return on investment, the mentor has incentive to commit the necessary time and share the knowledge that you are searching for, to aid you in your professional development.
To take you inside my mentoring relationships – I can explain in some detail how these relationships developed for me.
1) The personal relationship – My personal mentor was someone who I first met when I was 15 years old. He was a successful local businessman who was initially my father’s friend, and eventually became his employer. Initially, we bonded over two things that are very common - a father/son relationship (he has a son that is about 10 years younger than me) and baseball. As I got older, we remained close.
When my father passed away, he became a surrogate to me – and helped provide me with some guidance as I was beginning my career. I believe that this was primarily out of love, but it could have also derived from a sense of obligation (to my dad). He became my sounding board for my career and life decisions. He taught me about business over the course of many lunches and dinners, holidays, and Sunday football games. The key here was that whenever he was willing to teach, I was willing to listen. I made spending time with him a priority (not solely because of business; I happen to like him a great deal as well), because I knew that this education was not available to all and I was fortunate to have access.
So the question becomes what did he get by serving as my mentor. I believe that he received a few things: the sense of returning my father’s friendship and loyalty in a substantial way, a lifelong friendship with me (I do not believe that anything is unconditional – but this relationship is pretty close) and the assurance that I would “pay it forward”, and serve in a similar capacity with his son (we know that children have a general reluctance to listening to their parents).
2) My past employer - When I began recruiting, I worked for a man whose background was quite different than mine. The best way that I could describe him is that he was “Tony Soprano-esque.” He was a street smart man from Brooklyn, NY who did not have any formal education. However, he had an incredible work ethic, a desire to succeed, an amazing way with people, and a dominant personality. In addition, he had 20 years of recruiting experience, ranging from executive assistants to CIOs.
By sitting by his side for three years, I received exposure to every element of the recruitment business. I was able to take note of things that he did which I agreed with, and things that I disagreed with. As I observed, he willfully shared his knowledge with me, and allowed me to experience victories and to experience disappointment.
The key here is that he provided me with the opportunity to learn, with the benefit of his guidance. (This is a key element in all mentoring relationships.)
With an employer, it is pretty easy to understand his motivations. The better his mentorship, the better off the company would be, both financially and in terms of capacity (in a small business, “the company” was him). Training me enabled him to spend more time away from the office and significantly increased revenue for the business.
In the end, the relationship ended when I decided that I had outgrown him, and there were not any more lessons to be learned. However, when I left the company, I did so in an honorable way and he was honorable in return.
I would have very much liked to continue the relationship after my departure, but he was an old school guy. He believed that once I left the company, that we were now competitors, as opposed to potential partners. (This was one of his business principles that I did not agree with.)
3) My clients - Being in my own recruiting business for the past 11 years, I have had the fortunate opportunity to interact with many business leaders. I have had exposure to entrepreneurs, venture capitalists, technology business leaders (CIOs and CISOs), and business leaders in other professions.
With many of these interactions, the relationship was very common – they needed information security talent, and we were able to supply them with this talent. However, there have been a few key people whom I have gotten to know personally, beyond our standard business relationship.
The key element that these select folks have in common is that at one point in their lives they were all young businessmen, and they had some appreciation for the struggles of a young entrepreneur. I believe that as they got to know and trust me, they made themselves increasingly available. In addition, the more success that I had in helping them grow their businesses, the more comfortable I felt in asking them questions about mine.
(I believe that this is key as well: mentees have to realize where the lines are drawn in these relationships, and make sure not to overstep these bounds – this can be a delicate dance.)
In closing, I think that I have been quite fortunate to have such a diverse group of mentors. In addition to developing a professional link, I also have found that there has been some very good alignment with key personality traits that we all share. As I also look at these mentors, I realize that they are all “self-made” business people – meaning that their success has been derived from themselves and their efforts, rather than through means of inheritance or birthright. This is something that I strongly relate to, appreciate, and respect.
At the point at which I first met them, I saw in all of my mentors a person whom I aspired to become, and I believe that they saw in me, an earlier version of themselves.
If you can recognize and develop these similar relationships, you are on the correct path to finding a meaningful mentor/mentee relationship.
Hope this helps,
Lee (and Mike)
Infosec Recruiting Social Media Experiment – “Unique Entry Level Opportunity for Future Infosecleaders”
August 13, 2010
Mike and I have often debated the power and practical applications of social networks. Mike regularly urges me to utilize social media in our recruitment process – and I regularly object. In addition, we have read and fielded many questions about entry level positions and “breaking into” the information security industry – and the fact that there are not many solid entry level roles (1st or 2nd jobs) for bright, talented “future” infosecleaders.
Recently, I have come across an opportunity through my recruiting business where we have the opportunity to combine the two – and I have decided to utilize Twitter and our blog to introduce this opportunity to the Infosecleaders community, and find the right candidate for our customer.
I am looking forward to seeing the outcome.
Here is the position description:
The client is a well respected, highly specialized security consulting firm that has Tier 1 clients – most of them based on the West Coast. The position that we are searching for would be based in Seattle (near their corporate HQ) – and there would be limited travel.
The client has been in business for close to a decade. They are comprised of some very well recognized information security professionals who built their careers at some of the leading edge security companies in the earlier part of this century.
The client offers a flexible work environment, predicated upon the maturity of the candidate and the ability to service their customers. The client is supportive of a constructive industry presence – whether it is related research, public speaking at local or national security events, or writing.
Our client is looking for an information security professional with both aptitude and passion, and an interest in software security and a desire to learn about security in the software development life cycle.
The candidate that we are searching for will ideally have some work experience – 1-4 years – or have recently graduated from a respected university (bachelor’s, master’s or Ph.D.) with a degree in computer science, computer security, or other related disciplines. Ideally the recent graduate would have had some practical experience through the course of their studies.
Experience in environments that include information security consulting, software development, quality assurance, web app development or penetration testing – would be beneficial – but not a hard and fast requirement.
It would be great if the candidate came with a good foundation of technical skills – but if your skills are just good – but you have aspiration for them to be great – that could be acceptable as well. If this is the case, we will ask you to demonstrate examples of this desire during our pre screening process.
The opportunity is two-fold. The first component of the opportunity is a bit more process focused and requires the candidate to have some good organizational skills – serving as a central point of contact for the management of the operational tasks of a technical information security engagement. The opportunity will enable the candidate to get a first hand look into enterprise software security and how secure software development is done correctly. (This would be the part where you “pay your dues.”)
The second part of the opportunity is the ability to learn and evolve. (Here is where aptitude and passion come into play.) The candidate will undergo guided training by the senior members of the team in areas that include software security, web application security, penetration testing, and reverse engineering. (This will be the part where you accelerate your career.)
The idea is that after some time the candidate will evolve into a security professional with developed expertise in these areas. They will develop customer skills, organizational skills, consulting skills, and have exposure to world class clients.
The salary for this role will range between 55-85K – depending on the amount of work experience and the quality of education. I would say that the sweet spot is probably between 65-75K.
The candidate would also be eligible for a bonus – based on their performance and company success. The company has a demonstrated history of paying bonuses to their employees.
The company pays fully for individual/family medical benefits (health care and dental) – this is fairly unique in these economic times.
The company is willing to assist in the relocation to Seattle – as a guide, if you rent an apartment and can place your stuff in a U-Haul, you will be fully covered. If you own a home, this will be quite difficult.
My first expectation for this experiment is that people will only apply to the role if they fit the parameters that I have outlined in the description above.
For example – if you do not want to live in Seattle, please do not apply. If your salary demands are over 85K, please do not apply. If you do not have an interest or aptitude toward software security, please do not apply.
If you do fit the requirements, please submit your resume (word or Adobe format) to firstname.lastname@example.org – in the subject line please write “Recruiting Social Media Experiment”. I would also like to know what about the opportunity is particularly appealing to you.
All qualified submissions will receive a call from either myself or one of my experienced information security recruitment professionals – within 3 business days – to conduct a more detailed interview and to answer particular questions about the client and opportunity.
If you do not receive a call in 3 business days, please call my office directly at 732-577-8100 – sometimes e-mail gets swept into junk mail folders.
As always, resumes will not be submitted to our client without your consent, after learning more about the opportunity. Confidentiality is always observed.
I am going to provide some regular updates (via the blog) on this experiment to chart the progress and share some issues. If it is successful, I may begin to utilize this method more for some unique opportunities.
Let’s see how it goes.
August 10, 2010
The following is another question that we received during our presentation at Black Hat:
I have been hearing some conflicting things about the industry and I am hoping that you can help provide me with some clarity. On one front, I have been hearing that the need for information security skills is decreasing, and more technical information security positions are disappearing. However, I recently have heard that our government is in need of between 1,000 and 2,000 “Cyber Security” specialists.
How can this be? What should I believe?
Black Hat Attendee
Here was our response:
It turns out that both of these statements are true, and here is the explanation.
Many information security skills are being absorbed into other areas of technology, like networking, application development, and systems administration. The main reason for this is that information security is being recognized as a key area of expertise for someone to be proficient and effective in these roles.
For example, in the late ’90s and early 2000s, an information security professional who had firewall skills and expertise was considered valuable. However, as network engineering and architecture have evolved as skills, information security knowledge has been absorbed by these larger job functions. In today’s job market, you could not be an effective network engineer without knowledge of firewalls, intrusion detection/prevention, or security event management/threat correlation skills.
What this means to us is that security knowledge has become a requirement for these positions – but has disappeared as a stand-alone skill for core technical positions. It can be assumed that any accomplished networking professional will have a degree of security expertise. So in essence, candidates that exclusively have security skills, but lack a strong understanding of network architecture or engineering, are being bypassed for candidates who do possess this skill background.
To your other point, regarding the government’s need for 1,000-2,000 information security professionals, this is correct as well. It is well documented that the government has a need for information security professionals who want to dedicate themselves to securing our nation’s infrastructure. What makes things difficult for the government in hiring these information security professionals are things that face all entities that are undergoing significant information security staffing initiatives.
These factors include the following: career opportunity, skill requirements, compensation, location, and the effective management of a recruitment process. In addition, the government has a different obstacle, the need for people who can receive security clearances and who are willing to submit themselves to these rigorous background checks. The government is competing with corporations, security consulting firms, and security product vendors for this talent – and in many cases they do not have the necessary resources to win in competitive recruitment scenarios.
To further make this point – we would welcome the opportunity to assist the US government in solving this human resource/recruitment problem. As a US citizen, I (Lee) would be able to do so; however, since Mike is Canadian, he may not be able to get the clearances to be able to do so.
In closing, as we have said before, we do not believe that there is a shortage of information security talent, but there is a shortage of good opportunities that meet the goals of many information security pros – career advancement, career development, compensation, and quality of life.
Hope this provides some clarity – we can see why you could be confused with all of the mixed messages out there.
We really appreciated the question – and are glad that you asked.
Lee and Mike
August 3, 2010
Last week, we guided an open forum at the Black Hat Briefings that let the audience members ask any questions about the information security employment market and their individual information security careers. Over the next few weeks, we are going to feature some of these questions to provide advice to our audience.
We are going to start you off with our personal favorite:
Question: “I was recently given additional responsibility in my position that is requiring me to work more hours. These new responsibilities are helping me develop leadership skills that I know that I need to develop for my information security career, which is terrific. The issue is that I am not receiving any additional compensation for performing these added duties. Can you provide me with any guidance on how to handle this? Should I ask for a raise? I think that I deserve one.”
One of the biggest mistakes that information security professionals generally make is that they believe that they are immediately entitled to additional compensation once they are offered more responsibility and opportunity. When employers provide you with additional responsibility, many times they are viewing it as a test of your skills, or even an “organizational experiment”. Initially, management would like to see how you handle these new responsibilities, see if you rise to the challenge, or if you reject them and are put off by their byproducts (more hours, people management, additional demands), prior to making them official and rewarding you with a compensation increase. Basically, they are asking you to prove yourself and to validate their decision of selecting you for the role.
When given the opportunity to gain additional skills and create additional impact, it is our advice to accept these challenges and develop your skill matrix. Independent of pay, you will be improving yourself and making yourself more valuable to your current employer, and more marketable to future employers. By accepting these challenges, you will also learn more about yourself, and gain a preview into your readiness for new career challenges. You should always remember what drives your market value - your combination of skill, talent, and experience (and its application). It is a shared responsibility for both you and your employer to make sure that this value is recognized.
Our advice to you, would be to continue on in your new role for at least ninety (90) days before introducing the subject of additional compensation. During that time period, you should take it upon yourself to demonstrate to your management (through results and impact) that they made an excellent decision in selecting you for the role. If you are successful in doing this, chances are that they will come to you (within 90 days) and make your new role “official” and reward you with additional compensation.
If they do not come to you, then I think it would be important for you to set up a meeting with your management, asking for an evaluation of your performance in your new role. If during that meeting they provide you with positive feedback that you are doing a good job, at that point you should introduce the concept of monetary reward and compensation increase. It would be our hope that they are prepared with a suitable answer and provide you with either action or a timeline for this “salary adjustment” to take place.
In closing, our advice is to look at increased workload as an opportunity for learning, growth, and access. The value in the experience will stay with you throughout your career. If your current employer does not realize your added value, do not worry, a future employer definitely will.
Lee and Mike