Career Advice Tuesday – “In Podcast Form (Thanks Securabit)”

December 28, 2010

As we close 2010, the last Career Advice Tuesday is going to come in the form of a podcast, courtesy of the gang at Securabit. Many of the topics that Mike and I have touched on over the course of the year came up during the discussion, including career investment strategies, position selection, career planning, and compensation.

We also touch on the Professional Development Track that is going to take place at RSA on Monday, February 14th (before the main event). The track will include a presentation from Mike on “Career Planning” and one from me on “The CSO Skills Matrix”.

Mike and I look forward to addressing more of your questions in the upcoming year.

We wish all a happy, prosperous and healthy New Year!

Lee and Mike

Posted by lee | Filed Under Uncategorized | Comments Off 

Career Advice Tuesday – “Do I Take The Job, or The Severance?”

December 21, 2010

Dear Infosecleaders:

I have been working in the same company for the past 8 years in an information security capacity. The current role that I am in is more of a generalist, where I focus on areas that include risk assessments, compliance, governance and training. In addition to these tasks, I also have a background in Information Systems Audit and I hold a CISA Certification. My CISSP is currently pending, but I have yet to be notified if I have passed the exam.

About 2 weeks ago, I was told that my position has been eliminated and that the company was going to sell the business unit that I am assigned to. At the same time that I received the notification, I was told that I would have thirty days to look for new employment within the company or I could elect to receive a severance package that was equal to about 35K (4 months of my salary). In addition, I am part of a two-income family and my spouse has a job that pays well, which provides me with peace of mind, but the income is not enough to support our lifestyle.

Since being notified I have interviewed both internally and externally.  Internally I have been offered an opportunity in another business unit in the company that is similar to my current/past role, but it is not that exciting, and I do not have faith in the company’s future.  Externally I have found a couple of potential opportunities that hold a good amount of promise.  One of the positions allows me to combine both my Information Security and Information Systems Audit skills, and the other is to serve as the CISO (highest ranking security pro) in a non-profit organization.

I have been on initial interviews with both companies and have been notified that I will be invited for second interviews. However, these interviews will not take place until after I am forced to make a decision about my current role. I have asked the external companies if they could expedite their interview process, but due to both the timing of the year and the depth of the candidate pool, they said this would be impossible.

Do you have any advice?  I think that I have made up my mind to leave my current role and keep the 35k, but I am afraid that I could be unemployed for quite some time if these positions do not come to fruition.

Should I Take The Money and Run?


“Steve Miller”

Dear Steve:

I think that it is good that you have some options and I believe that you have a good handle on the consequences of whatever decision you make.  It is very good to hear that you have a supportive spouse at home, who is producing a meaningful income.  Having this cushion is helpful, and really provides you with the opportunity to create your destiny – however that can be both a blessing and a curse.

Ultimately, you have to answer the questions “How much risk are you willing to accept?” and “How much risk can you really handle – mentally, physically, and emotionally?” You also need to figure out whether you should play it safe (and take the job) or aspire for greatness (and pursue the unknown). The answer to these questions really depends on you – where you are in your life, and what you aspire to become in your career as an information security professional.

I will not provide you with an answer but I will provide you with a couple of insights that you may want to consider – that may help you arrive at your conclusion:

1) How would you feel if neither of these two external positions worked out? – The reason for asking yourself this is that it is most likely that they will not – you are pretty early in the interview process, and although you have cleared an initial hurdle, there are going to be many variables and competition. The combined InfoSec/InfoSys Audit job sounds like something that you may be well matched for – but the CISO role may be a stretch, especially if you wind up competing with others who have more experience.

2) Take the 35K out of the equation – Money clouds our judgment, and this amount, 4 months’ worth of salary, is not significant enough to seriously impact your decision. Four months is not a long time, and although 35K is nothing to sneeze at, it is not going to change your life in the long term. You should make your decision independent of this.

3) Do you think you have a future if you accept the internal position? – The reason I ask this question is that it appears that you are not being challenged enough and you are searching for opportunities for growth. The internal position sounds safe (for now) but ultimately it sounds like a dead-end role, without much room for advancement. If this is the case, you may only be delaying the inevitable. You have to make sure that your new position allows you the opportunity to grow skills, so that you can compete in the future.

The last thing that I can leave you with is to please try not to let this happen to you again. You need to make sure that you remain proactive in your career and stay aware of things that may be happening to the organization around you. Try your best to develop a career contingency plan, so that you can prevent a repeat of this situation.

Hope this helps you “Fly Like An Eagle” (Sorry – I could not help it)

Mike and Lee

Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Interviewing, Planning | Comments Off 

Becoming an Information Security Thought Leader

December 20, 2010

Saw Chris Eng’s video on the Veracode blog. Captures the essence of differentiation and personal branding. Love that they included the tidbit about 70,000 CISSPs – the number is still rising, further diminishing the value to the current holders. Guarantee that you will get a chuckle. Gotta love Xtranormal.

On a side note, if anyone that you know has decided to pursue a career on Broadway or the Theater – check out this one as well.


Posted by lee | Filed Under Uncategorized | Comments Off 

InfoSecLeaders on Securabit Podcast- Tonight

December 15, 2010

Wanted everyone to know that I (Lee) am going to be a guest of the Securabit podcast this evening.  I will be discussing and answering questions about career planning, the employment market, compensation, and general information security career advice.  I will also be giving a preview of the Professional Development Track at the RSA Conference, which will be offered on Monday afternoon, prior to the standard conference sessions.

If you have any questions that you would like to have answered anonymously (similar to the Career Advice Tuesday format), please send them today to – I will be happy to try to incorporate them in the discussion.

Posted by lee | Filed Under Advice, Social Media | Comments Off 

Career Advice Tuesday – “Getting Back in The Game”

December 14, 2010

Dear Infosecleaders:

I was a Security Analyst for a small start-up company. I was laid off in May of 2009. Over time, while I was working, my job became more and more non-technical. I was presenting at sales meetings, providing security awareness training, authoring security policy, etc.

I am looking for a job right now but not having much luck. I can’t find many jobs with the skills I possess, and I am not confident with my technical skills since I have been so out of touch.

Any advice on how to get back into the field? Or are there not-so-technical careers in the Security arena?

Please advise.

“Bench Warmer”

Dear BW:

Please do not give up hope and think that your information security career is over.  Before we begin addressing your problem, I would like to provide you with some insight and clarity into what you are experiencing.

Technical skills are very easy to quantify and assess. During any credible interview, a hiring manager can easily assess someone’s technical knowledge and competency. Therefore, information security professionals who maintain a high level of technical knowledge very rarely have a difficult time in finding a paycheck. Unfortunately, the softer skills of information security are not as easy to value and articulate. Tasks that include policy writing and security awareness training are, by themselves, very difficult to quantify within the confines of an interview. It appears that this may be where you are having your issues.

I think that the first thing that you have to figure out for yourself is where you believe you can perform best: technical roles or policy/training/awareness roles. After you figure this out, you have to come up with a way to demonstrate your proficiency in marketing yourself (resume and interviews).

It appears that you have a good technical background but that these skills have lapsed a bit.  It also appears that you are very good at writing and articulating security concepts to non-technical people through training and awareness.  What you may want to think about is pursuing positions whose primary skill requirements are policy/awareness/training – and utilize your technical proficiency (although lapsed) as a secondary skill.

For example, you will compete better if you market yourself as a technically proficient security awareness professional, as opposed to marketing yourself as an average technician with good writing skills.

I do believe that your best bet is to target opportunities where companies are going through transitions in their information security function, or look for companies who have been recently affected by new legislation or who have experienced a breach. It is these companies that have to communicate information security’s importance throughout their enterprise. If you can demonstrate that you can take some of the technical information and put it into terms that the average employee can understand, you may have found your avenue for success.

Once you identify these opportunities, I would make sure that your resume accentuates these skills and that you include a writing sample or some training collateral that you created (sanitized, of course) to demonstrate your knowledge and the relevance of your experience.

Hopefully these tips will help get you going in the right direction and out of career purgatory.

Lee and Mike

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Skills, Uncategorized | Comments Off 

Career Advice Tuesday – “Too Much Back and Forth”

December 7, 2010

Dear Infosecleaders:

Most recently I have completed an interview process with a company and I have been notified that they would like to hire me as their Information Security leader. Prior to them making their decision, I had a detailed discussion with their HR representative about my current compensation and some of my expectations about what compensation I would require to accept the position.

After about 3 days, I received a call from the HR person, informing me of the details of the offer. The offer that they provided was actually a little less than my current compensation (when taking all into account). I then called the HR person the next day, and told them that I remained interested in the position, but that the compensation was not aggressive enough for me to leave my current position. I reminded the HR person of our previous comp discussion. The HR person said they would get back to me.

Two more days passed. The HR person called me back with a revised offer. The offer was adjusted slightly higher – and was now more than my current compensation – but still significantly short of my expectations and did not account for the risk of leaving my secure position. The HR person stated that they believed that this was the best that they could offer, and I should think about it.

I called the HR person back the next day, and I began the conversation by stating that I was going to decline the offer, based on compensation. I told them that my initial compensation requests were the ones that I was looking for, and although I would be flexible, I expected the offer to be very close to the amounts I had requested.

Immediately, the HR person said that they would like to take one more shot at the offer and I should hear from her in the next few days with their final response.

My feeling right now is that most of the excitement and the good feeling about the new role has disappeared.  I believe that I have not been listened to, that I am being “nickel and dimed”, and that the company does not understand what it takes to acquire high caliber information security/information risk professionals.

Are my feelings valid?  What do you think I should do?



Dear Pong,

Yes, your feelings are valid. During any negotiation process, when one side does not feel that they have been listened to or dealt with fairly, it is natural for them to feel slighted and undervalued. When people’s emotions, sense of self-worth and value are involved, the bad feelings naturally escalate.

I believe that what you are seeing is how the company operates and generally looks at talent acquisition.  I believe that you should treat this as a warning sign – as what you would most likely expect if you were working there.  It should also be somewhat of an indicator on how they will compensate in the future – this will include both pay raises and bonuses.

Plain and simple, their behavior should not be ignored or taken lightly. Considering that you are applying for the top information security position, you should have more leverage than someone applying for a subordinate role. If their initial response at the end of this recruiting process was to offer you a position for less money than you currently earn, and significantly less money than you initially requested, then I think this is a big red flag. You are correct to draw the conclusion about how this attitude will affect your ability to both attract and retain junior members of your information security team.

Furthermore, for the HR person to tell you after the second pass that the offer was most likely the best they could do, and then, after you declined, to tell you that they would go back one more time for some possible revisions, would really cause me to question my level of trust.

Long and short, you should wait for their response and consider it.  I would definitely keep an open mind.

However, I think that you are justified in your conclusion that their behavior may have soured the opportunity beyond repair. In the end, you should trust your gut instincts and do what you feel is best for your long-term future and your career as a whole. Let us know what you decide.

Hope this helps.

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Interviewing | Comments Off