February 22, 2011
Dear Infosecleader Readers:
This week’s Career Advice Tuesday is going to serve as a formal announcement for our recently launched InfoSecLeaders Certification Survey.
Over the past two years as we have been answering questions, giving career centric presentations, writing articles, and doing podcasts, the one topic that just will not go away is “The Value of Certifications.”
Many information security professionals have different views on the topic – some are completely anti-certification and some will do anything in their power to acquire more letters to place after their names. Some hiring managers look at certifications as validation of skill, where some hiring managers completely overlook certifications, and focus solely on work experience and formal education.
Plain and simple, we thought it was about time to collect some heterogeneous data on this topic, to provide some real information to the information security community, on how you, the Information Security Professional feel about Certifications.
As always our survey is open to all information security professionals and is hosted on Surveymonkey. Anyone who responds to the survey will have the ability to receive the final results when they are released, by submitting an e-mail address. As always, the e-mail address is unrelated to the data that has been inserted – so your responses are not linked – the survey is anonymous.
Some other facts about the survey:
Participants – The survey is open to all Information Security Professionals. Whether you hold security certifications or do not, your opinions are welcomed and appreciated.
Time Frame – The survey was launched at RSA, and will run until around July 1.
Duration – Probably about 10 minutes to complete
Survey Topics – Background, Are You Certified, Opinions and Motivations for Certification, Certifications as Career Investments, Certifications and the Hiring Process, Value of Certifications in Comparison to other Skills
Results - We are planning to announce the results around the time of Black Hat and DefCon. We will submit a presentation to both conferences about the results.
Sponsorship – As always, none. This survey is not sponsored by any one trade organization, magazine, membership organization, or product/services venue. This is the creation of Infosecleaders.
Promotion – We will be promoting the survey by all means available in an attempt to collect the largest number of responses. We will agree to any and all interview and podcast requests. We will promote this on our blog, mailing lists, our Twitter feed, social media, or any other related forums. We will enlist the help of all career-minded security media partners to help create awareness.
In addition, we will be reaching out to all major industry associations, membership groups, and certification bodies to promote the survey to their memberships. We are hopeful that they will support this research effort – however, it is our experience that most (definitely not all) will elect not to do so unless they have control (one of the reasons behind our desire to create the survey). Nonetheless, we will ask them.
We Need Your Help: Our goal is to receive as many responses as possible – in order to do this, we need your help. Please introduce the survey to any information security professional who has an opinion on this topic. Feel free to publicize this on any mailing list, blog, industry group, or social media outlet that you believe would be relevant. We trust you!
At the RSA Conference, ISC2 announced their sponsored global workforce study (by Frost and Sullivan), and they had over 10,000 (10,413 to be exact) respondents (which is significant). 72% were ISC2 members, while 28% were non-members. However, I think that as a broader community, and with a strong grass roots effort, we (collectively) can do better.
10,000 respondents would be a lofty goal, considering our lack of financial resources, however we are willing to bet that as a community we can rival this.
It will be interesting to see if the data collected and attitudes reflected in this heterogeneous survey are consistent with some of the data collected in the ISC2 sponsored survey.
The questions are thought provoking and may border on controversial. When the results are published, we are hopeful that we can share the attitudes of the community – and either reinforce the current state, or inspire some meaningful change around this topic.
As always, the data will reign supreme.
Thanks for your help,
Lee and Mike
February 15, 2011
I am an information security professional who is currently in the process of a job search outside my current company. I have been interviewing for the past two months, and I find myself in a situation where I have two opportunities in front of me, and I would like some advice on how to make my decision.
First some background. I am a happily married husband and father of one, and we are currently expecting our second child (in August). My wife is a stay at home mom, and I am the sole provider of income for our family. We both have roots in the area, and are involved in community activities (through our church, youth sports, and others). One of the main reasons behind my job search was to earn additional money, considering that our family is growing. The earning potential at my current (soon to be past) employer is limited at best.
My two opportunities are as follows –
1) The first is a position with a local company as part of their information security team. It is a more senior version of my current role, and it has the same demands (commute, work hours, etc.) The salary is about 10% more – and I have a bonus opportunity for an additional 10% more – so collectively I can make 20% additional.
2) The second is a position with a professional services firm. It appears that I have some specific skills (SIM implementation) that are in really high demand because of the experience I have with a particular product. The company has offered me a salary that is 30% more than I am earning, and I have the ability to earn 20% more in bonuses that are paid quarterly. There is a catch. I will be expected to travel 80-100% of the time – meaning that I will leave on Monday morning – and be expected to be on site until Thursday, possibly Friday (every week).
I am really torn. The extra money will be a huge help – the ability to earn 50% more than my current compensation will have some dramatic effects on the financial aspects of our lives. However, I am fearful of the effect that the travel will have on my relationship with my family.
Do you have any guidance that you can share with me?
Thanks for your help,
“Up In The Air?”
Dear Mr. Clooney:
“Life is a series of tradeoffs” (Not sure whom we should credit, but it is definitely applicable)
You are faced with an interesting decision – and find yourself in an interesting position. First of all, it is good that you have a decision and have some choices – so you are already ahead of the game.
Through 15 years of experience, I have come to learn one thing about recruiting – travel is the ultimate life changer. There are some people who have learned to manage their lives and their personal relationships around business travel, and they have successful careers and home lives that work for them. On the other hand, people who have never had to travel generally do not understand the impact of extensive time away from home until it has had a negative effect on their personal relationships. Sometimes, the effects on a family are disastrous and irreparable.
Based on what you described, my advice is to take your first option. You will still earn possibly 20% more, and you will be able to be home to be with your growing family. Although the other opportunity is substantially more lucrative, I think that you may be making a Faustian deal, trading some short term earnings for some big time life changes, which I think could have significant effect on your overall happiness.
Hope this helps,
Lee and Mike
February 11, 2011
We are down the home stretch now, and the Professional Development Seminar is only a weekend away. I can tell you that both Mike and I are very much looking forward to being a part of the program, and are expecting a great turnout. If you plan to attend, please make sure to arrive early – we have been told that there has been a great deal of interest.
The Seminar will take place as follows:
Monday, February 14th, 12:30 – 5:00 PM, Moscone Center – Orange Room 305
The final panel will follow immediately after my presentation – which begins at 3:30 – and will conclude at 5:00 PM.
The final presentation is really the showcase for the event. The panel discussion will feature three accomplished Information Security Leaders, who will guide the audience through the evolution of their information security career, and provide insight and guidance to the audience on how to accelerate their own careers.
The participating CISOs represent a variety of industries and have some unique career progressions. They include the following:
Patrick Heim – CISO Kaiser Permanente, former CISO McKesson
John Kirkwood – CISO Royal Ahold, former CISO American Express
Stephen Scharf – Global CISO Experian, former CSO Bloomberg
The topics that we will cover will include the following:
1) Key career decisions that impacted and accelerated their careers
2) How they select talent, what they look for in interviews, and how they determine who gets promotions and more responsibility
3) Their own professional development – through industry involvement, certifications, and advanced education and training
4) What the future holds for them, and what they see on the horizon
5) General Advice to aspiring Information Security Leaders
All I can say is that it is very exciting to bring this panel to the RSA audience. Gaining insight into the careers of successful information security leaders, in an open forum where the audience can receive unfiltered advice and guidance, is a unique opportunity.
For all of the aspiring information security leaders out there, this panel is worth the price of admission alone.
Look forward to seeing you all. Safe travels!
Lee and Mike
February 8, 2011
Hi Lee & Mike,
I’ve decided to make 2011 a year of Career planning and Goal achieving. My dilemma is that I am but a young grasshopper.
I have completed a 4 year IT degree at a University, my CCNA, ITIL certification and 2 years of level 1-3 Support/administration experience. I also have >8 years leadership experience.
Like most here I have great ambition and drive, however I am completely stumped as to how I should progress from here. I wish to pursue a future in IT Security which will ultimately lead to a CISO position, however I am very unsure as how to achieve this.
I guess essentially what I’m asking is: if you could start over, how would you plan out your career path? What certifications would you benefit most from, and which the least?
I know there is no right or wrong answer, but from your experience, what would produce the best result?
Thank you so very much for your help!
I had to pick today to answer your question, as it fits perfectly with my topic next week at RSA. I’ve spent a lot of time pondering this type of question as RSA approaches, and I have much advice to give (My first advice is to come to my talk at RSA next week.)
Here’s the thing about career planning – it’s a relatively simple process. There are two difficult parts: first, choosing what you want out of the numerous possible choices of things that you could do. And, second, realizing that your career plan won’t survive intact through the years, and that you’ll have to be flexible while using it to keep your eye on the ultimate goal.
The good news is that you’ve already done the first (and often hardest) step of the plan – you’ve chosen that your ultimate end goal is to be a CISO (like 37% of your peers, according to our 2008 research survey).
In our experience, there’s no “one path” to becoming a CISO. Unlike becoming a CFO (which usually involves starting in accounting, etc.), CISOs start in varied fields – some of them even start their careers outside of the information security landscape (but with a broad background in other forms of risk management) and learn the information security skills as they go. If you want to see what these varied paths look like, I encourage you to go on LinkedIn and look up various CISOs to understand how they ended up where they are. (And, if you’re going to be at RSA, this is where Lee’s talk is going to come in – he’ll be talking about the skill profile of the future CISO.)
Because of the varied paths taken, this is where you have to play to your strengths as well as your interests. Try and imagine a path to arrive at the skillset of a CISO that takes into account what you love to do. You intuit that having a broad background in the fundamentals of computing will help you be a well-rounded security professional – I agree with that approach. However, a CISO is much more a business-focused role than a technical one, so start to plan out how you’re going to arrive at the business skills that you need – the CISO spends orders of magnitude more time writing budgets, staffing plans and PowerPoint presentations than they do writing code.
To answer your final question, Grasshopper… it’s not about certification, especially at the CISO level. It’s about having all of the skills and having a long history of demonstrating them. And, were I to restart my career path, it would look very different than yours – you and I have different aptitudes, different things we wouldn’t accept (dealbreakers), and different ways of interacting with the world.
My career path would be instructive to you only in the way that a travel book is instructive to someone who visits a country: you might think “Oh, I want to go there”, but our experiences of “there” would be totally different.
I hope that we are lucky enough to see you at RSA next week.
February 4, 2011
To many, the position of Chief Information Security Officer represents the pinnacle of our profession. Achieving this title and this level of responsibility is the ultimate career destination for many security professionals. In fact, when Infosecleaders conducted our survey of close to 1000 information security professionals, 37% responded that this was their ultimate career goal. When any goal is viewed as this popular, it becomes increasingly difficult to achieve.
But what does it take to get there?
Many information security professionals believe that they have acquired the skills and experiences necessary to achieve this position, but few truly understand the skill matrix that companies search for in recruiting and locating this level of information security leader. It may be shocking to learn that many security professionals who believe they are qualified for these CISO roles cannot even land an interview for consideration. After this presentation, they will learn these answers.
The presentation at the RSA Conference is designed to give the attendees a view into the skill requirements for this role – not only for today, but in the future. During the presentation, I will go over the key components of the CISO’s Skill Matrix and introduce to the audience strategies to build their own skills and enhance their chances of achieving this milestone. Together, I will guide the audience through the creation of an actual job description for the CISO of the future. Upon leaving the presentation, attendees should have a better understanding of what it actually takes to compete at this level of the information security food chain.
The session will be followed by a panel of leading CISOs – John Kirkwood, Royal Ahold; Patrick Heim, Kaiser Permanente; and Stephen Scharf, Experian – who will reflect on their own skill matrix, challenges and strategies for professional development in reaching their own levels of professional success.
February 1, 2011
I think that I may have lost my mojo. Plain and simple, I have been interviewing for information security positions and I have been politely rejected in my last three attempts to secure my next position. What makes this worse is that for the first 10 years of my career, I never interviewed for a position that did not result in an offer for employment.
To give you more background, I am a highly technical information security professional with (what I think) is a very good background in both application security and network security. I have about 2 years of people management experience, and have led some technical teams in these initiatives. I think that I am fairly well paid for what I currently do, but my current position has gotten stale, I am out of new challenges, and quite frankly I want to transition to more of a management type of role. These are the positions that I have been looking for.
During these interview processes, I easily make it by the technical screen, but I seem to have trouble when the interview advances to the more senior levels of both the information security team and in speaking with the business.
In the end, I get vanilla feedback like “We went another direction,” “We just did not think you were the right fit,” “Another candidate had more experience,” or simply radio silence.
Can you help me get my mojo back?
I can tell you that the hardest part of my job as a recruiter is giving qualified people the news that they were not selected for a particular position. No matter what your profession, facing rejection is not an easy thing for anyone to accept, especially if you have been successful in the past.
I will say that information security professionals as a group are going to have to accept that being rejected in pursuit of an information security position may become the new normal. Let’s face it, the competition has increased, many others have your same career goals, and it is very likely that others may be more qualified and have more relevant experience as it relates to the position that you are pursuing.
Listening to your situation I can give you a couple of reasons that you may be failing:
1) Your strength may be in your technical knowledge and you are pursuing managerial roles. Many highly technical information security pros believe that a transition to management is a natural one. This is not an accurate assumption. Management roles require different skills and it is often challenging for highly technical security pros to demonstrate this, at the level that an interviewer is expecting.
2) You are highly paid. These future employers may see your required compensation level as not representing the value for the role they are recruiting for. For example, it is possible that as a technical resource, your skills may represent the value of your compensation, but as a manager, your skills would command a lower salary (as compared to other managers in their organization with similar managerial experience).
3) Finally, it is possible that you are overconfident considering your past success. Look, you would not be the first information security professional with a bit of an ego (hey, that probably is one of the things that made you successful in the first place), but you may need to honestly assess yourself and ground yourself. There is a fine line between confident and arrogant – and you may be crossing it.
Here are some suggestions:
1) Take some time to think about your career path and the positions that you are pursuing. It is OK to “reach for the stars” – but if you have lofty goals, they may be harder to achieve considering that they are most likely shared by others.
2) Play to your strengths. Since it is clear that you are still technically competent, use that as an advantage. You can search for a hybrid position that requires deep technical expertise, but has a management component. In this type of role, your technical skills are what the employer would be after, and your strength in this area will play to your advantage. Once you land a role like this, you can focus on the development of your management skills – through practice and career investment.
3) Ask for feedback. I hope that you have a past manager whom you respect; if so, invite them for lunch and ask them for their advice. Since they know you, and you view them as a successful manager, they may have some good advice as it relates to you (personally) to address your skill gap, and hopefully they will be honest with you regarding the skills you need to develop and project during an interview process.
The best piece of advice that I can give you during an interview process is to be yourself. Focus on the value that you can provide an employer, not necessarily the role, title, or org structure. During the interview, put these skills in context of the immediate problems the employer is trying to solve. Once you have convinced them of your value, you can then speak about some of your aspirations for future growth and professional development.
Keep your head up – don’t get discouraged! Your mojo will return.
Good luck in your pursuits!
Mike and Lee