October 26, 2010
Dear Lee and Mike,
Hello, I recently graduated with an M.S. degree in Security Management/Information Security. My major interest and research in grad school was in Insider Threat Countermeasures. I am in a non-IT position (security administration - regulatory compliance) with my current organization and would like to make a career change to Information Security.
It would please me greatly if I may someday possess the minimum qualifications in the field of Information Security in order to use a recruiting firm such as yours. My graduate course work was broad and covered literally every aspect of Information Security. Additionally, I recently completed a SANS Institute training course/conference and am now studying to take the GSEC certification exam. Consequently, I feel that I need to also concentrate on learning a specific technical skill.
Am I on the right track? If so, can you please recommend which technical skill set/sets organizations are actively seeking and where can someone go to get this training?
Dear Recent Grad:
First let us say that you are definitely on the right track and you are thinking correctly. You have made a conscious decision to gain advanced education in information security and are progressing towards the achievement of a well respected industry certification. All of the above items will enable you to create an external brand of “information security professional.” This is a very good start.
You do bring up the fact that you are lacking in experience and are trying to determine the best way to supplement your educational background with practical knowledge. Have no fear, you are like many others who are attempting to address this career issue – and although there are no “magic bullets” to solve your problem – we can offer the following suggestions.
1) Finish Your Certification - There are many organizations that will hire you based exclusively on the achievement of a technical certification. Although, many of these firms are just looking to “repackage” your skills to fill a contracted need – an opportunity to work for a year or two in this type of environment can provide you with the technical experience that you are searching for.
2) Apply for positions with the government – It is pretty well documented that there exists a big need for “Cyber Security” professionals in the government. The credentials that you have developed and the commitment that you have demonstrated should make you an ideal candidate for an entry level position. If you take this route, continue to take advantage of all of the technical training that they will give to you, and further develop your skills.
3) Explore professional consulting – Many of the Big 4 or large systems integrators have needs for information security professionals. Granted you may not have the technical experience, but you may possess some skills that other information security professionals do not have – resulting from your advanced education (which these organizations value). You may be able to leverage some of your non-technical skills, to find projects and opportunities that will enable you to be exposed to more technical work, and more technical co-workers.
Whatever you decide, it is important to remain flexible. This may mean that you will have to relocate (on your own), travel, or accept less money. Keep the larger picture in focus, and understand that your first position should serve as a springboard to your future.
Hope that this helps you and others in the same situation.
Lee and Mike
October 22, 2010
Check it out and let us know what you think.
October 20, 2010
Well, Career Advice Wednesday, actually… I’m late. It’s been quite the week.
This week, we’re doing something slightly different – I’ve decided that I’m going to write a quick note without answering a question. Because sometimes career advice isn’t necessarily the advice that we want to ask for.
Anyone that knows me (Mike) knows how I’m often over-subscribed (to put it lightly) – I’m running multiple companies, multiple projects, and doing more than I should.
Well, last week I got a bit of a wake-up call. After lunch, I thought I had a bit of indigestion. When, 12 hours later, I still had the indigestion and it had me curled up in the fetal position in bed, my wife finally convinced me to go to the hospital. They took my appendix out a few hours later.
After I woke up from surgery, I got more than a bit of a lecture from the doctor about my stress levels and other things that are going on with my health.
This week’s career advice is simple: nobody can work at their best without their health. Yet how many of us smoke, drink too much, get too stressed out, eat too much or the wrong things and don’t exercise enough? I don’t know many within our industry who don’t fall into at least one of those categories. It’s especially true in our industry, where we spend most of our time behind our desks, eating takeout and drinking too much caffeine.
This might sound like a lecture and like triteness, but I’m speaking from a position of being exactly like that. I’m not some health-nut giving this one – I’ve been one of the worst at controlling my stress levels, work load, diet and exercise.
Here’s my advice: do one thing today that makes you healthier. It might be just stepping away from the desk for a while and taking a few deep breaths to relax. Maybe it’s a salad instead of the Double Whopper with Cheese. Maybe it’s taking a walk at lunch. Do something.
Don’t wait for the post-surgery lecture.
Back next Tuesday with our regularly scheduled career advice…
October 12, 2010
I am an information security consultant and for the past few years I have been working on a 1099 basis, performing consulting work in the area of identity and access management with my clients. Let me give you my situation.
In 2008 I contracted to perform work for a client at a rate of X (Like to keep the numbers confidential). The contract was completed on time, the client was more than satisfied, and I was given a letter of recommendation by the project manager.
Recently, the same client called me up and asked me if I would like to perform additional work for them. The work is quite similar, but it also requires me to use some updated skills that I have picked up over the last few years. I spoke with the project manager about the scope of the work, the time, and the particulars. When it came to discussing the rate, I told him that the previous rate, X, was acceptable and I would honor it. It appeared that everything was agreed upon when I received a call from procurement, telling me that the rates were now X-20%, and if I wanted the work, I would have to accept it.
I am really torn. I would like to accept the contract, because I could use the work, it is a good project, and I liked my past experience. However, I have a real issue in performing the somewhat more advanced work at a significantly reduced rate. I have spent a good amount of time and resources developing my expertise, and I think that at least, I should be able to maintain my rate (if not increase it).
Any advice would be appreciated.
Seeking Fair Value
Dear Seeking Fair Value:
The decision whether to accept this work is a personal one and, in the end, one that you will need to feel comfortable with. When you are negotiating rate, you will always be affected by factors that include your level of skill, your client’s budget, availability to perform the task, the urgency of the client’s need, and the price point of others to perform a similar task (the market).
In your situation, before agreeing to a lesser rate, you should think about the advantages that you have in this circumstance – first you are a known commodity, therefore there is less risk in engaging you. Second, you have a previous business agreement that can be referenced and which can serve as your baseline. Third, you can point out that they are requiring you to access new skills that you have recently added (you could argue that this would entitle you to a premium).
All of these things are important, but the most important advantage that you have is the past relationship with the project manager, who will ultimately be the beneficiary of your services. What I would do in your situation would be to speak to the project manager, explain the situation, and see if you can garner their support in helping you negotiate your rate. When you do this, you should make it clear that you want to do the work, but the new rates make it very hard to commit.
If you can have the project manager make your case for a higher rate to procurement, you should accomplish two things – first you will be able to make a more convincing argument because the project manager should be able to convey the business impact and your skill value better than doing it yourself. The second advantage is that you will create a middle person in the negotiation, and in the end, the project manager should be able to get back to you with the best possible fee rate, after their discussions. You should keep in mind – if you wind up with a rate that is either X or X-5% or X-10%, it is still an improvement from X-20%, and this way you can make an informed decision about what you plan to do.
Again, in the end you will make the decision based upon your desire to do the work, your need for money, and your pride.
Best thing I can tell you is do not let your pride get in the way of making a solid business decision. In all businesses, you should take the good with the bad, and although you may eat a little crap, you will at least not go hungry.
Hope this helps,
Lee and Mike
October 5, 2010
Like to have some advice. Recently I have been attempting to transition my career from internal security professional to “professional consulting.” I have been trying to do this for the past six months, and I have basically gotten nowhere.
The process normally goes like this: I send my resume, and get a quick response from the human resources team. After that, I traditionally get a phone conversation coordinated with a mid level person in the consulting practice. Shortly after the phone conversation, I get a rejection e-mail.
I am willing to admit that phone communication is not my strongest suit, and I know I have to work on this. However, I do believe that I am better in person, and I seem to communicate better in a one-on-one setting. Do you have any advice on how to overcome this obstacle?
Dear Mr. Watson:
It is very good that you recognize that you have an issue with your verbal communication skills when the phone is the medium. I think that the first thing that you need to do, is to address this issue and turn this negative into a positive. Before you apply anywhere else, you need to work on your phone skills.
Considering that you are applying for a consulting position, where a good portion of your success is based upon your ability to communicate and transfer knowledge, a poor performance on a phone interview is traditionally enough to disqualify you for this type of role. Generally speaking, a mid level person is going to be more critical about putting a person forward if their communication skills are lacking, as opposed to a perceived technical weakness. The reason for this, is that if they move you to the next role, they are going to have to commit a great deal of resources (and their time) to your interview process. This is not only time consuming – but costly – given the business they are in. The mid level person is going to have to be very confident that you will perform well during the next interview, or they will be inclined to dismiss you.
Keep in mind: by rejecting a candidate they will not risk anything, but by putting forward a substandard candidate, their judgment will be questioned and they will lose credibility with their management.
First you need to figure out the nature of your problem. Some common problem areas will include the following: clarity, articulation, skills, structure (order of thought process) or energy – these are all common points of rejection for phone interviewers. This is the time to be honest with yourself. If you do not know the answer, ask your friends or peers.
Next, you should go through some mock phone interviews with people whom you trust. It is most helpful if you can have other information security professionals interview you; if not, try to find a human resource professional, or someone who is in general IT or risk. When you do this, record your conversation – and play the results back to yourself.
Another thing that you can do is to get a better understanding of the position – and take some better control over the conversation. By now, you should have a good sampling of the questions that they will ask of you, so you should try to demonstrate your knowledge during the call. Generally the more prepared you are, and the better you can anticipate the questions (and the answers) the more likely you will be able to make a solid impression.
Finally, I would advise you to dial up the energy, one to two notches above your usual level of enthusiasm. Generally, if there is some indecision, a candidate who has a higher level of energy is generally going to receive the benefit of the doubt, whereas a candidate with low energy will generally be discarded.
I agree that phone interviews are generally lousy, but you need to accept that they are standard operating procedure, and they are a significant obstacle in your professional pursuits. If you are bright enough to realize that this is an issue for you, I am confident that you will be bright enough to figure out how to overcome this hurdle.
Hope this helps,
Mike and Lee