Career Advice Tuesday – Career Planning For Senior InfoSec Pros

September 28, 2010

Hello Lee and Mike,

I enjoy your column and regularly forward it around to my peers in the industry. One area that I would like some input on is career growth for people in senior level positions.

I have been very fortunate in my career. I work as a network security manager, with reasonable hours, and a low six figure income. I am in my mid-thirties and have been thinking about how I want to spend the next thirty years in the industry. When I look around, most positions in InfoSec are at or below the pay I make now. Where do I go from here?

I am looking for the next level of challenges and rewards. Can you recommend an InfoSec career plan for someone with a lot of energy, a lot of drive, and a fair bit of luck? What steps should I take to transition into a senior level position with a mid six figure salary?

Appreciate it,

Looking Forward

Dear “Forward Thinker”:

First of all, thanks for the question.  You bring up an excellent point.  As we speak across the country at information security events, it is common to think that career planning is the responsibility of emerging information security leaders as opposed to information security professionals who have reached some level of seniority and advanced responsibility.   

I would say that “career planning” is more critical for senior level information security professionals than for information security professionals just starting out. The reason is that when you reach a certain level of seniority, your career decisions are magnified. Each decision that you make about skill development, position selection, and personal investment comes with bigger rewards and greater consequences. When you are just starting out in your career, you have the luxury of making smaller mistakes and you can overcome minor detours. As you move further along in your career, ill-advised decisions and impractical choices are more highly scrutinized and have greater impact.

As far as some personal advice, the first thing I would say is to figure out what makes you good in your current role. You should complete the following statement: “I do ______________ better than most, if not all.” This can be as a technician, a project manager, or an interpersonal skill. (As a note, if it is an interpersonal skill, you better be able to demonstrate its impact.) That answer should serve as your prime differentiator and it should represent your most logical value to both your current employer and to future ones. This is your most marketable skill, and the one that you can best leverage.

Next, you should ask yourself about areas of interest that leverage your current skill set. You should figure out some areas that you have an interest in learning more about, and already have some exposure to through your current role. In your case, you may think about getting more into computer forensics, compliance and governance, incident response, or identity and access management. Whatever interests you, you may want to investigate further and develop some new skills.

If you decide that you are happy with your current technical skill set, you may want to select some broader business skills to develop.  You may want to learn more about the network security product market space, you may decide to take a greater interest in your current company’s industry, or you may want to build some of your leadership skills.   Any of these skill developments may prepare you for increased responsibility, managing more visible projects, or leading larger teams.

Without knowing you personally, I am not sure which of these recommendations directly apply to you, but without question you should drive yourself to either become more proficient at what you do, build new technical skills, or develop broader business/leadership skills. A combination of all three will definitely have increased value to you, your current employer, and future ones.

When you have developed these skills, try to align them with your local market and industry.  As you do, you should find others that see the value to get you to the next level of your organization and increase your earning potential.

If you would like, you can always contact us at our regular work addresses to discuss your background in greater depth and for more personal advice.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday

Managing Your Career Through M&A

September 24, 2010

There have recently been a large number of mergers in the information security industry. As companies struggle to increase revenue and expand their portfolio of offerings, we will experience more of this activity, amongst information security products and services vendors and traditional corporate businesses.

Check out our article on the topic:,289483,sid14_gci1520519,00.html - we would be interested in your feedback and thoughts.

If anyone is dealing with this and has questions, please submit on the site – we would like to drill down on this topic in upcoming Career Advice Tuesdays.

Lee and Mike

Posted by lee | Filed Under Planning, Security Industry

Career Advice Tuesday (late) – Learning Impaired

September 22, 2010

(Wow. After more than a year on schedule, we managed to be late on this one.  Sorry about that, and we’ll be back to the regularly scheduled CATs next Tuesday.)

Dear Mike & Lee,

I have a question: how do you gain knowledge for an infosec career if you do not have money for certs or a degree? I mean, I can learn without tutors, by myself, but the problem is to find the relevant information and to prove later that you have the knowledge.

Learning Challenged


We get this kind of question a lot, and it’s incredibly difficult to answer so generally.

Knowing what learning to acquire is an incredibly personal question – you need to figure out where you want to go first.  Do you want to be a PCI auditor?  A firewall engineer?  A penetration tester?

Each of these requires a radically different learning path.

The key to knowing what to learn is simple once you’ve figured out what you want to be: do your reconnaissance. Find a bunch of people who already are what you want to be and figure out what they know. You can do this directly (by asking them) or covertly (by using LinkedIn or the like to read up on backgrounds of people with job titles you’d like).

Once you have the knowledge, proving it is a matter of demonstrating your skill.  You can do that a million different ways: through writing, speaking, joining industry working groups and boards, working on open-source projects, etc.  Again, it depends on which skills you wish to demonstrate.

Once you’ve figured out what you want to do, feel free to email us again for more concrete advice.

Lee & Mike

Posted by mmurray | Filed Under Career Advice Tuesday

Career Advice Tuesday – The Job Search

September 14, 2010

Dear Lee & Mike,

About 5 months ago, I became the victim of a bad economy and had a “career incident”.

Since then, I’ve applied to a huge number of jobs, but never heard back from any of them.

Do you have any advice on making my job search more successful?


Disgruntled And Tired


If there’s one word that fits the most successful job seekers in troubled times, it’s “tenacity”.   I hate to say it, but that’s a quality that sounds (from your email) like it could be dialed up a little bit.

I (Mike) remember the dot-com boom in the Bay Area in the late 90s and early 2000s.  In those times (and even some of the good times afterward), getting a job (not necessarily a good one, but a job) was relatively easy – go online (Craigslist, Monster, Dice, etc.), and spam your resume out to 15-20 jobs per week.  Because there were so many people hiring and so few people, you were pretty much guaranteed an interview.  And, if you could prove even a modicum of capability, you were likely to get hired for something.

As you’ve noticed, times have changed.

These days, companies that post jobs online are generally the exception, not the rule. Because there are so many extremely qualified candidates out there, hiring managers often have a handful of quality, good candidates in mind before the job even becomes available. There are significantly more good people than there are good jobs, so the jobs don’t ever have to be posted to the “mass hiring” locations. Sure, some HR departments and body-shop type recruiters still use the online mechanisms (especially for entry-level or low-paying jobs), but the market for experienced and high-level jobs rarely sees itself open to the job boards that allow you to (as you say) “apply”.

The key in this economy is simple: a large majority of the “good” jobs are being hired through people directly.  Whether that means knowing a lot of hiring manager type people, having relationships with good recruiters (like Lee or our friend Jeff Combs) or just through knowing a lot of smart and interesting people who hear about things, you need to get out there and in contact with the people who are influencing.

Here’s the rub: this is going to be a lot of hard work.  You’re going to need to send out emails to everyone you can think of.  Contact everyone on your LinkedIn list directly.  Phone everyone you can think of.  Pick up the phone and reach out to recruiters and the heads of your local professional networks (e.g. OWASP, ISSA).  You’re going to need to work the phone and email like a pro for hours and hours per day.

And, with a lot of work and a lot of calls, you’ll find what you’re looking for.  Eventually.  People will respond.

A story of a friend of mine should illustrate how this works: she lost her job two weeks ago when her company decided to axe her entire department on a Friday afternoon.  She took the weekend and ranted and raved and was angry and hurt and upset.  And then, on Monday morning, she threw herself into a job search with ferocity.  She called all of her former managers, mentors and executives that she had ever worked for to reconnect, mention that she was looking, and see what they had heard about.  She called every reputable recruiter in her industry and shared her story and her qualifications.  She sent emails to reconnect with old colleagues.  She started setting up lunch meetings with people she knows to be influencers in her local area.

She started two Mondays ago.  As of today, she’s had 3 first interviews and is on her third interview with one of the companies that she found.

If she had just been “applying to jobs” online, she’d likely be sitting at home with no results.

Follow her lead.  Get out there.  And if you have questions on how to do it, ask us.

Hoping for some tenacity,

Mike & Lee

Posted by mmurray | Filed Under Career Advice Tuesday

Career Advice Tuesday – Finding Your Way Back

September 7, 2010

Dear Mike (and Lee),

I was spending some time with your “Forget the Parachute” e-book (that you gave away at Defcon a couple of years ago) yesterday and I keep getting stuck at the vision exercise.

You see, I’ve gone through what you guys would call a “Career Incident” that blossomed into a “Life Incident”…. suffice it to say, the past year has been really difficult.

I feel like I had a vision for my life, and when that collapsed in front of me, I had a really hard time. So now I’m really afraid to lock in/ write down/ commit to a vision for the future… Logically I know I need to make a plan and work to make that happen, but I’m having a hard time getting past the fear of it not happening the way I want it to. I like plans. I like structure. I like predictability. And I have a hard time with the unexpected.

Any advice on how to move past the fear?

Needing Career Advice Tuesday


Everyone who has ever experienced what author Thomas Moore calls the “dark night of the soul” has been where you are.  One of the most common feelings in the midst of a career (or life) incident is the loss of the ability to see forward into the future.

Especially when you’ve been hurt and you’re feeling beat up by the circumstances of whatever is going on, it can be incredibly scary to attempt to look forward into the future and find hope.  Indeed, this is actually the hardest part about hope – it’s always easiest to have hope when everything is good.  It’s never so easy to have hope when everything has been bad… hope, in those situations, can seem like the scariest thing one can possibly have.

Paradoxically, it’s at those times when hope is the most important.  Which is where your vision comes in.  Creating a vision will allow you to start to nurture your hope for a better future once again.

And, equally paradoxically, it’s important to remember what Mike Tyson said: “Everybody has a plan ’til they get punched in the mouth”. Don’t cling to your vision as though it’s a life preserver – just realize it’s a general direction and allow yourself to wander in the direction of your vision without trying too hard to hold on to every step along the way. Predictability and structure are great, but rigidity only leads to disappointment.

Most importantly, allow yourself time to heal and cut yourself some slack.  If you’ve been through some traumatic events, it’s okay to admit that you don’t know for now.  Just work on a short-term plan (3-6 months) and allow yourself to come back to the vision later if that’s what your heart and mind really need.

In short, take your time and allow yourself to come back slowly. Don’t try to force yourself to find hope for the future – let it come as it does. And handle the short-term in the meantime.

Hope that helped,

Mike & Lee

Posted by mmurray | Filed Under Behavior, Career Advice Tuesday