January 28, 2011
As the fourth post in our series previewing the Information Security Career Development half-day at RSA 2011, I’m going to talk about my talk entitled “Career Architecture – Building a Career Plan from the Ground Up”. Lee put together a great outline of the session and an overview of the first panel, and Jeff wrote a fantastic overview of his session.
First, the logistics:
- Date – February 14, 2011
- Time – 1:50pm – 2:30pm
- Location – Orange Room 305
It’s my goal to follow up the introductory panel with a session that frames the rest of the content in this Career Development session. The initial panel is full of awesome people who are going to discuss their perspective on the issues that are present in trying to build a career in the information security industry today – the global economy, the impact of the shifting priorities of the industry and the various segments (government, enterprise, small business, etc.). And Lee and Jeff are talking about the actual ways that one can manage the shifting realities of the world – how to build the skill profile of your career to get the job you want.
But that leaves a big gap that I plan to fill: what job do you want? What do you want your career to look like?
I’m going to approach this from an “enterprise architecture” standpoint – how do you look at your career as though you were going to build a high-end, robust and scalable solution that needs to last you for the next 15-30 years? (Because your career does need to last you that long).
When I’m finished, you’ll have all of the tools that you need to plan your career for the next 15-30 years and figure out exactly how to use what Jeff, Lee and the other speakers are telling you in order to build your career in the direction that you want. (An audacious promise for a 40 minute talk? Come to the talk and I’ll back it up.)
January 25, 2011
Let me get right to it, I need help recruiting people to my security engineering team.
Here is my situation: I am a new manager and was just recruited to a position where I am responsible for building a technical security engineering program. When I accepted the position, the goals were to hire six (6) information security engineers within the first 90 days. This is one of the goals that I will be measured on.
I thought that this would be a simple task, considering that I am pretty well connected and figured that a bunch of my past staff would like to join me in my new role. I could not have been more wrong.
First of all, when reaching out to all of my past staff, all but one informed me that their careers had accelerated beyond the roles that I was recruiting for, and that although they appreciated the opportunity, they decided that they would stay with their current employers. The one that was interested in the role went through our interview process and then asked for a compensation package that was about 10% more than they were currently earning, and it got shot down by HR. This was personally concerning since I identified them as a key hire, and I thought that the compensation request was reasonable for the change of positions. (The offer was for about 5% more salary – and the benefits were better at his current firm.)
I had discussions with my management and the human resources team and they were both pretty set in that these were the tools that I had to work with, and it was my job to make them work. They even insinuated that they may have chosen incorrectly when electing to hire me over the other candidates for the role.
Can you give me any advice on how to overcome my predicament? I have come to realize I have bitten off more than I can chew!
Bite Too Much, Chew Too Little
Dear Big Mouth/Slow Teeth:
From listening to your situation, two things come to my mind:
1) It appears that you should have asked some better questions during your interview about staffing budgets and resources, and your influence over compensation for your staff. Sometimes in the heat of our interview processes, we get focused solely on getting the job, not on what it will take for us to be successful once we have the role. (I think that many of your peers can learn from this.)
2) You also may have bitten off more than you can chew in telling your employer that you could get six (6) qualified information security professionals into your organization in 90 days. Considering that most interview processes will last between 30-60 days (after talent has been identified) – you have given yourself very little room for error. In fact, if you did nothing but recruit for the first ninety days, and had external resources at your disposal – an information security savvy internal recruitment team, budget for external search firms, and previous commitments from past employees to work for you - you still may fall short of your goals.
All this being said, our advice to you is as follows –
1) Meet with your manager and HR to try to agree on an overall salary budget for your six roles. Once you get them to commit to a number, ask them if you would be able to use your discretion on how the amount will be allocated for your staff’s salaries. If they do not give you some leeway, my suggestion is that you abandon ship – before you get too far away from shore – considering that this effort, which is tied to your success, will have little hope of succeeding.
2) If they give you the budget, the first thing that I would do would be to go back to your past employee – and re-offer him the position for 5% more than he originally requested. If you can overcome the “bad taste” you will at least have one success, and will be able to build momentum.
3) Now that you will have five positions remaining, what I would do would be to separate the roles into two tiers – three positions that are more senior, and three entry level hires. This would allow you to elevate the salaries of the two remaining hires to attractive levels. What you also can create is an opportunity for these Senior Security Engineers to participate in the hiring of a junior “apprentice” whom they could teach and mentor. This could be very attractive for an information security pro looking to gain some leadership experience.
4) After this, figure out how much money is left – hopefully it will be around 135-160K – divide that pool in three, and ask your internal recruiting function to help you with some campus recruiting from local schools that have either masters or bachelors programs in information security, information technology, computer science, or engineering. See if you can find three bright-minded future info sec leaders who have a good amount of aptitude, have a passion for information security, and can fit into your team’s culture. You may need to wait for May/June to bring them on – but you may also find some who are willing to work “part time” before they graduate.
5) In the end, you will have your team of 6, just probably not the composition that you were expecting. You will have some senior folks to whom you should be able to offload more responsibility; it will be your job to select the junior members wisely, and create an internal environment of knowledge sharing, training, and professional development to expedite their development as information security professionals.
Let’s put it this way: I think that if you are able to pull this off without external help (besides this response), you will be recognized by your management for your leadership, creative problem solving, and use of resources. Hopefully it will work.
One thing that you should realize is that a main component of recruiting is the ultimate variable – people. To all of those info sec pros who are reading this, before you commit to a staffing/hiring plan, think about the intricacies of your last recruitment process, and all the things that had to go right in order for you to change positions. Magnify that by the complexity of the info sec talent that you are searching for, the compensation parameters that you have, your location, and the number of people that you need, and you may arrive at a better conclusion of the time and effort it takes to build a successful information security program.
Hope this helps you become a better information security recruiter.
Lee and Mike
January 21, 2011
As a follow up in our series, you will find the preview of Jeff Combs’ RSA Presentation, “Making the A-List” - Jeff provides a glimpse into his session that will guide the attendees to differentiate from their peers, and make themselves more attractive for internal promotions and overall career acceleration.
- Session Date – February 14, 2011 (yep, still Valentine’s Day)
- Session Time – 2:30PM – 3:10PM
- Location – Orange Room 305
As a headhunter with over a decade of experience recruiting in Security, it’s my job to align the best candidates with the right opportunities. It’s not an easy job, but one that can be very gratifying when you’re able to make a positive difference in people’s lives. To be successful, a recruiter has to have a number of traits – empathy, listening skills, industry knowledge, the ability to earn trust and…the ability to think like a horse trader.
It’s a fact that companies will only pay to hire the best. That’s why recruiters exist, to identify and attract talent that stands out from the rest of the crowd. Average doesn’t cut it. So while I give everyone the benefit of the doubt, I can’t afford to represent anyone to my clients who isn’t a cut above their peers. The candidates that I do advocate for have to be on the “A-list”.
What gets a candidate onto the A-list? There are roughly seven qualities that I look for when interviewing prospective candidates. Some are “hard”, relating to a candidate’s skills and experience. Others are “soft” and focus on personal qualities. Taken as a whole, these qualities should tell a compelling story that will cause heads to nod and votes of confidence to be cast.
I’ll also describe a way of looking at your career and professional accomplishments that can have a big impact on how you present yourself and how hiring managers perceive you. I refer to it as “Personal Product Management” and while not rocket surgery, it’s a simple way of making sure you’re headed in the right direction and conveying the right message.
A word of caution: for those seeking empirical data and quantitative metrics, this may not be the session for you. However, for those interested in hearing an insider’s perspective on what makes some succeed and many others fail, as well as some open discussion on ways to stand out from the crowd, I think it will be time well spent.
I hope to see you there.
January 18, 2011
My question may seem simple, but I would like to have your opinion. To give you some background, I am currently a Senior Security Architect at a large Fortune-size company where I manage a team of 12 technical security architects, with various skills and in varying information security disciplines.
If you told me 20 years ago that I would be working for “The Man”, and am actually “The Man” to some of my employees I would not have believed you for a second. However, this is now the case. I grew up in the technical food chain, working as a systems and network admin, worked for some professional services companies providing technical security architecture services for my customers, and now I find myself in a corporate position.
Truth be told, I like it a great deal. However, I have one major problem...
I do not look the part.
What I mean by this is that I am not going to step from the pages of GQ any time soon. It is a real personal chore for me to get into a suit, tie, and wingtips for senior level briefings and meetings. Generally, my work attire is a collared shirt, khakis and some comfortable shoes; I generally wait a long time to get a haircut and have a strong desire to wear my DC and HOPE t-shirts.
Many in my company (mostly the technical team) do not have an issue with this, and they see me as one of their own. However, when I get into those meetings with management, I stick out like a sore thumb. You can tell that my appearance has some effect on how they view my opinions and contributions.
As much as I want to change this, something inside of me rejects it (and it appears every morning when I go to my closet). Do you think it is possible for me to advance in my position by maintaining my current dress code? If not, do you have any words of wisdom that can help me find some middle ground?
Thank you for your help,
The simple answer to your question is, “Yes, you need to play by the rules!” If management in your company has a higher level of respect for professionals who dress like the way that “they” do, and you desire a future with the company – that includes more responsibility, promotion, and advancement, you will have to conform to the system in place.
Before I go on, I do not want you to interpret this in a way that means you have to lose your identity, or lose some of the things that are unique to your personal presentation; however, you have to recognize which elements of your professional dress are important and which ones have less meaning. For example, upgrading your khakis to dressier pants should not be that much of an issue (in all of my time I have never found a work environment that was “pants optional”). Also, if you bring a sport jacket into work and keep it in your closet, or on the back of your chair, you can always have it handy for impromptu meetings. You may not need to wear this all of the time, like when you are working with your technical brethren, but having it available to wear during a Senior Management meeting should not be too much of a sacrifice.
Now, on to the big one, Your Hair!
I know that people get very sensitive about their hair, but understand that it is quite visible and constant. I think that you may be able to get away with keeping your hair longer than the others, but you have to make sure that it is neat and not overly visible. I think that the barometer for this is to not make it a conversation point or a distraction.
Like it or not, your personal presentation is an important part of your career and your image. People are judging you at all times, in your current role, in the industry, on the web, and in social settings – the key is to make sure that you portray a professional appearance that maps with your career goals and enables you to maximize your impact in your current information security role.
Hopefully we will see you “On the red carpet”!
Lee and Mike
January 14, 2011
The professional development seminar kicks off with an all-star panel of information security leaders discussing the current landscape of the information security marketplace. Moderated by seminar co-host, Mike Gentile, the panel will explore industry trends that are affecting both the supply and the demand for information security professionals. The panel will discuss some of the career development challenges that face information security professionals as they attempt to climb their personal career ladders to attain their personal career goals.
The panel’s unique composition will provide perspectives that reflect challenges in the different components of the industry – internal information security programs, government and public sector information security programs, professional services, the information security software industry and the maturing “hacker” community. The panel will discuss topics that include the role of certifications, the different perspectives of employers and prospective employees, and the challenges that face security professionals as they attempt to broaden their skills to gain greater acceptance by business leaders and executive management.
We were very fortunate to attract a panel of influential information security leaders including:
Chris Chock, Security Lead, Orange County Transportation Authority
January 11, 2011
Firstly I’d like to say that I’ve thoroughly enjoyed reading over your blog entries, and secondly I’d like to ask for some HELP!
As the year 2011 is getting underway, I’ve decided to make the New Year one of career planning and goal achievement. My dilemma is that I am but a young grasshopper. I have completed a 4 year IT degree at a University, my CCNA, ITIL certification and 2 years of level 1-3 Support/administration experience. I also have greater than 8 years leadership experience.
Like most here I have great ambition and drive, however I am completely stumped as to how I should progress from here. I wish to pursue a future in IT Security which will ultimately lead to a CISO position, however I am very unsure as how to achieve this.
I guess essentially what I’m asking is: if you could start over, how would you plan out your career path? What certifications would you benefit most from, and which the least? Now I know there is no right or wrong answer, but from your personal experience and from the experience of those that you have recruited (Lee), what would produce the best result?
Thank you so very much for your help!
Dear “Young Grasshopper”:
You ask an interesting question regarding embarking on a plan for Information Security leadership. I (Lee) recognize that your question centers on the career path to becoming a CISO – but I will answer it a bit more broadly for the audience, since becoming a CISO is only one desired career destination.
I spent some time thinking through all of the Information Security professionals that I have helped throughout their careers – from the time that they were “Young Grasshoppers” (as I once was) – to where they are now, established security leaders (CEO’s, CISO’s, CTO’s, Partner/ Business Owners, Information Security Subject Matter Experts).
From my reflection I can provide you with the following conclusions (they are not in any specific order – and no one had all of the traits, but most shared a significant number of them):
1) They were passionate about their profession – and were voracious learners.
2) They found themselves in organizations where they were surrounded by others who had similar motivations, aspirations, and intelligence. They found ways to learn from others whom they could professionally respect.
3) They were not afraid to command attention and differentiate from their peer group through achievement.
4) They understood how their companies measured success – whether it was through customer satisfaction, new technology development, business generation, industry visibility, etc. They were able to communicate their value.
5) They were equally comfortable in environments where they were “little fish” in bigger ponds (where they absorbed the broader skills of more experienced professionals – information security and business people) and they enjoyed being “big fish” in little ponds – where they were able to leverage their expertise for additional exposure and career acceleration.
6) They were not afraid of failure, and had confidence in their own abilities. Long and short, they were not afraid of getting fired – or recognizing quickly that an opportunity (job) was not right for them.
7) Money and title were secondary, the opportunity to learn, grow, and develop were paramount.
8) They kept great relationships with people that they met along the way. Many times those relationships were very helpful in contributing to their success, later in their careers.
9) They were significantly more proud of their accomplishments than their certifications. In fact, many cared very little about certifications or viewed certification as validation of their talents.
10) They understood that both their internal and external brands were equally important, and performed and acted in ways that enhanced their standing in both their company and the Information Security industry.
I am not sure if I fully answered the specifics of your question, and would welcome a follow up if you would like to speak about your career – individually (just e-mail at firstname.lastname@example.org)
I would like to let you know that I appreciate the question and it provided me the opportunity to reflect. In the future, I may blog about each of these items separately and elaborate on the answers.
Thank you – hope that this helps,
Lee (and Mike)
Nothing Says “I Love You” Like an Information Security Career Development Seminar – RSA – Feb 14, 2011
January 7, 2011
The RSA Conference is traditionally known as one of the marquee information security conferences in the United States. This year, the conference organizers have decided to create a pre-conference seminar that is focused exclusively on the information security professional’s career development. The seminar is included with all paid conference admissions. Personally, I was honored when the program committee asked me to co-host the event and contribute to the content of the agenda.
Different from past RSA events, the Seminar is scheduled outside of the main conference tracks, where it does not compete with the highly technical presentations or the keynotes. By doing this, they have enabled all delegates to dedicate time to focus on their careers – and to learn how to best maximize their current positions and strive to attain their long term career aspirations. The program is designed to take Information Security professionals through a journey that will provide them with both content and context for managing their careers.
The Seminar will take place on Monday afternoon, February 14th from 12:30 – 5:00PM.
On the upcoming Fridays leading up to the conference, The InfoSec Leaders blog will feature an in-depth abstract and preview of the content of the panels and the individual presentations. The program consists of:
- A panel discussion, moderated by seminar co-host Mike Gentile, that will address the current state of the information security market, the skills that employers are looking for, and trends in today’s employment market.
- An individual presentation from InfoSecLeaders’ Mike Murray on Career Planning. This presentation will help guide the attendees through some basic steps to create a career plan tailored to achieving their long term information security career and life goals.
- A presentation given by Jeff Combs focusing on differentiation and personal brand development. Jeff will utilize his decade-long experience as an Information Security executive recruiter to illustrate to the attendees how to make themselves more marketable and attractive – to both their current employers and future ones.
- A presentation by me, Lee Kushner, that will focus on the skill requirements for the CISO of the future. From our Infosecleaders survey we learned that 37% of the respondents aspired to become a CSO/CISO. This presentation will outline the real skills that companies are requiring and demanding from their Information Security Leaders of the future.
- The seminar will then conclude with a panel discussion (moderated by me) of three current Information Security Leaders – Stephen Scharf, CSO, Experian; Patrick Heim, CISO, Kaiser Permanente; and John Kirkwood, Global CISO of Royal Ahold – who will discuss their own career paths and progressions, how they select and identify future information security leaders, what skills and attributes they search for in employees, and where they are heading next in their careers. The panel will allow questions from the audience.
January 4, 2011
I’m an active duty military member and am working towards my B.S. in Computer and Information Science. I plan to seek an Infosec position when I retire from the military, preferably in penetration testing or a related field that I could later apply toward a pen testing position. With that goal in mind, I would like your recommendation on which subject areas I should focus my core courses.
I have already taken introductory and intermediate Java programming courses, and plan to also take “Unix with shell programming”, “Advanced Unix and C”, and “Programming in Perl”. The remaining core courses my school recommends are “Relational Databases”, “Advanced Relational Databases”, and “Web Database Development”. One alternative to the database courses would be “Data Communication” and “Computer Networking”, both of which are more focused on signaling, encoding, etc. rather than traditional IT networking topics. I could also substitute many or all of these courses with software engineering courses. With a few remaining electives, I could also take any of the above courses that I don’t apply toward my core classes, or more traditional IT courses such as a variety on Windows Server technologies, interconnecting Cisco devices, etc.
I was previously leaning toward the more IT-oriented courses, or those geared toward preparing for a certification (Network+, Security+, CEH, etc.) rather than computer science courses, but now I am coming to the opinion that the programming and database computer science slant might be more beneficial in that the knowledge can be applied to pretty much any Infosec field. Having read most of your posts, I’ve probably already answered my own question, but I suppose I’m looking for validation of my train of thought.
While my current job is not entirely IT or Infosec, it does involve some limited network monitoring. I want to get the best combination of classes to fill in the gaps of my knowledge and possibly make up for some lack of specific experience.
Thanks for your help.
Dear “Validation Seeker”:
Thank you very much for your question. It is very good to see that you are thinking along the right lines as to the direction that you would like to take your education and training. Making the choice to pursue education that will provide you with a foundation ranging beyond any certification should prove to be a wise decision for your future and serve as a career accelerator – both as you enter the work force and as you progress in your information security career.
To fully validate your thoughts, we believe that you are correct in making the decision to pursue a path of education geared toward computer science. By developing a better understanding of the concepts that you point out, you will build a foundation that can be applied to both current areas of information security and future ones (that do not even exist yet).
I can tell you that from my personal experience in the information security recruitment field, the majority of the more successful information security professionals that we placed in leadership roles are ones that pursued knowledge first, and worried about certifications later (or never).
Just remember, if you are successful in your pursuit of knowledge, you should be able to attain certifications when the situation warrants that you do.
Congratulations on making a good career decision. Let us return the favor and thank you for providing us with validation that our message is being received.
Good luck and thank you for your service!
Lee and Mike