Career Advice Tuesday – Rats and Ships

March 29, 2011

Dear Infosecleaders, 

I’m part of the ops team for a mid-sized technology business. This week, a coworker was laid off due to “financial cutbacks.” In the same timeframe, a respected manager has left the company for what seems like a lesser or equal position at a new company in the same market.

My question is: what are some warning signs that my company is failing, and how do I tell if I’m next on the chopping block?

“Sticking his neck out”

Dear SHNO,

Up front, I think you have the answer to your question (at least for your specific case): it sounds to us like things are getting a tad ugly around there. And I would bet that you have other indications that things are going badly that you haven’t mentioned here… the symptoms you mentioned are usually later indicators that things are going badly.

That said, let’s talk about the more general case.  Here are five (perhaps counterintuitive) things to look for to determine whether your company may be in serious trouble (special thanks to Melina Murray for her HR expertise on some of these):

  1. Significant Executive Turnover: One of the first signs that a company is going south is that the executive position in charge of managing the core business goes through major turnover without a turnaround.   In the product / consulting space, most companies that are going badly will jettison their VP of Sales first – if that doesn’t turn the company around and they end up getting rid of another one, it’s likely that the problems are more systemic and bad things are to follow.  As a similar example, Lehman Bros went through two CFOs in the year before its bankruptcy.
  2. Loss of Focus: Companies that are on the way down often tend to try to get revenue however they can.  This can lead them to attempt to radically diversify into whatever area seems to be “hot”, regardless of whether they have the staff/resources that can execute in that area.  This flailing often hastens their decline.
  3. Communication Style Changes: If you’re at a company that normally has a lot of communication from the executive team and that changes, watch out.  Similarly, companies that are normally less communicative can sometimes become overly communicative in the hope of placating employees.  Whenever the tenor of communication from executives to the rank-and-file changes radically, it usually indicates that something worth watching is going on.
  4. Tightness of Resources: While it’s a good practice to keep a tight rein on expenses, when a company starts to go south it often places restrictions on “mundane” resources first.  If you used to be able to just pick up a box of pens in the supply room and now have to go through six pages of justification for why you need red ballpoints, you should probably keep your eyes open.
  5. Limiting Social Interaction: Closely related to the previous point, companies that are having trouble often cancel social events in the first wave of cuts.  If your company has always had a Friday evening happy hour that suddenly gets cancelled, it could spell some trouble.

None of these is conclusive by itself, but if you start to notice a few of them (along with key employees leaving and other layoffs/cutbacks as in your situation), you’ve got a pretty strong indication that something is likely going wrong and you might want to have a contingency plan for a potential “career incident”.

Mike & Lee

Posted by mmurray | Filed Under Career Advice Tuesday | Comments Off 

Infosecleaders at OWASP NY/NJ – Tuesday and Wednesday

March 28, 2011

Wanted to let everyone know that I will be presenting the “CEO of You, Inc. – Your Career Is Your Business” presentation at the OWASP NYNJ Metro chapters on Tuesday and Wednesday of this week.  On Wednesday, I will be speaking toward the beginning of the agenda – so definitely get there early if you can.

The presentation is designed to help you, the information security professional, manage your career as if it were your business and you were its CEO.

Here is the full abstract:

The information security profession is becoming increasingly competitive. In the employment marketplace of the future, certifications and education alone will not be enough to ensure achievement of your long-term career goals. The increasing popularity of the profession and the competence of your competition will require that you take the reins of your career.

As companies focus more on profits and revenues, they are diverting resources away from the development of their employees. This attitude has greatly impacted the shared loyalty between employee and employer. In the future, the more effective you are in the management of your information security career, the greater the likelihood that you will achieve professional satisfaction. In essence, your career will be your business, and you will be the CEO.

The goal of this session will be to provide you with a framework for managing your information security career. By relating the different components of career management to traditional business functions, you will get a detailed understanding of how your career should be managed and how you can move past your peers by more than just luck. Subjects covered will include career planning, career investments, effective career marketing and branding, position selection and compensation negotiation.

You will leave the session with a solid foundation to enable you to better achieve your long term career goals and increase your satisfaction with both your current job and with the jobs you select in the future.

I will be happy to take questions during the meeting and after my presentations, provided that time allows.

Hope to see you all there.


Posted by lee | Filed Under Branding, Compensation, Interviewing, Planning, Presentation, Security Industry | 1 Comment 

Career Advice Tuesday – “Know What Signal You’re Giving”

March 22, 2011

Dear Mike & Lee,

What are your thoughts regarding college degrees from online sources (i.e., Phoenix Online) vs. real colleges (i.e., University of {Insert State Here})?

I have been in the IT field for close to 15 years and in the InfoSec field for the last three.  I have several certifications with the most recent being the CISSP certification.

While I have some college experience, I never actually completed my degree.  Recently I’ve been thinking about how to complete my degree.  The easiest way will probably be through an online school.  However, I know there used to be a stigma that online schools were not nearly as good as real-world schools.  Has this changed?  What are your thoughts regarding online schools?

Potential Scholar


The usefulness of a degree is entirely in what you’re going to use it for.   Degrees are signals that should tell a potential employer something about you.  When it comes to degrees, there are a few common things that having a degree can signal:

  • Level of Competence: A degree can often signify that you have achieved a level of competence within a given field. For example, someone who has a degree in Computer Science is likely to have some amount of knowledge about algorithms, programming and computer architecture.
  • Ability to Persist / Complete: While not often top of mind, one of the biggest signals that a degree sends is that the holder actually accomplished what they set out to do.  This is the largest difference in signalling between someone who went to school and got a degree and someone who went to all the classes but never received a degree.
  • Common Pedigree: Graduates from a given school often share similarities - Harvard graduates differ from Berkeley graduates in more ways than the coast they went to school on.
  • Competitiveness with one’s Peers: Those who have graduated from a “top school” are often perceived to have a higher ranking among their peers than those from lesser schools.

There are other common signals around degrees, but for the sake of the conversation, these are the ones we’ll throw out there today.  (Readers: feel free to leave other signals that come to mind in the comments.)

Our question to you is simple: what are you trying to accomplish by getting your degree?  Is it just to show that you have a certain level of knowledge and that you can complete it?   If so, the University of Online Diplomas is probably sufficient.  Is it to show a Fortune 100 that you’re a member of the “Old Boys Club”?  Then we’d suggest getting your applications to Yale and Harvard ready.   Or is it to show people where you’re from that you’re one of them?   For example, if you’re from Texas, a degree from one of the local schools (UT, Texas Tech, etc.) would be better at suggesting that you’ll fit into a local company than being one of those “uppity Ivy Leaguers”.

Realize, we’re talking in stereotypes because signaling IS about stereotypes to some extent.  The investments you make in your career are going to label you in ways that people are going to perceive through their own filters – the filters of a Harvard graduate about the University of Phoenix will be very different than those of a fellow University of Phoenix graduate.

And, when choosing an investment, it’s those filters that you need to take into consideration.  The question you’re asking isn’t precise enough: some people will have a stigma about online schools.  But we don’t know enough about who you’re planning on working for or where you’re hoping to go in your career to know whether you’re likely to encounter said stigma.

If you know, great.  If you don’t, then we’d encourage you to think about what you’re hoping to show potential employers through you having a degree and choose the path that gets you there most effectively.

Mike & Lee

Posted by mmurray | Filed Under Career Advice Tuesday | 3 Comments 

Value of Certification Survey – Update

March 18, 2011

Mike and I want everyone to know that we are off to a very good start for the “Value of Certification Survey”.  We are steadily approaching 750 responses, but we have lofty goals.  In the data that we have collected so far, the responses have been very interesting and eye-opening.

Again, the survey is independent and open to any and all information security professionals, at any stage of their infosec career.   All opinions are welcomed – whether you hold information security certifications or do not.

We are hoping that our readers will continue to promote the survey to their peers, on their blogs, Twitter feeds, podcasts, and mailing lists – so that we can provide as much relevant data as possible when we reveal the results around Black Hat.

If anyone would like an interview, podcast, or additional information, please contact either Mike (mmurray@infosecleaders.com) or me.

Thanks for your continued support,

Lee and Mike

Posted by lee | Filed Under Behavior, Personal, Security Industry, Survey | Comments Off 

CAT – “Convincing My Spouse I Should Accept My New Job”

March 15, 2011

Dear Infosecleaders:

It appears that my work life and my home life have officially collided.  

I am an information security professional by trade and have been working in my field for close to 8 years.   I am also happily married; we have a daughter, and I have a very good relationship with my spouse, who also has a career.  I am a little further advanced in my career than my spouse is – however, my spouse has more traditional education.

My issue is this: I have been offered an external opportunity that really moves me closer to my long-term career goal as a CISO, and my spouse does not want me to take the job.   The reason given is that my spouse believes that I will be required to work more hours, travel a little more (about 10%), and have more stress.

My spouse’s lack of support is a very big setback.

I know that the opportunity is not without downside risk, but it is the job that I need to advance my career and it is with a company that I feel very good about joining.  The job does pay more money – but it does require more time and sacrifice.  I do not think that this is a once-in-a-lifetime opportunity – but I do believe it is a real career accelerator.

Can you help me convince my spouse to support my decision?


“Two Worlds Colliding”

Dear TWC:

This is the first time that we have been called on for some marriage therapy – so please understand that we do not claim to be experts in this area.   

Our initial thought is very simple: it is much easier to find a good information security opportunity than it is to find a good life partner/spouse.

This being said, I think that your question lies in the extent of sacrifice that you are willing to make to achieve your long-term career goals.  It is clear that you personally understand what is necessary to be successful in your career pursuits and are willing to go after them; however, your spouse does not seem to share your willingness to sacrifice.

What you may or may not realize is that in a committed relationship, sacrifice is shared and collective.

One thing that you mentioned is that your spouse also has a career, and just as your career is valuable to you, your spouse’s career is valuable to them.  Your spouse may think that the extra commitment that you have in your new role may detract from their ability to pursue their own career goals and aspirations.  It could also be that they feel that you will have additional responsibilities – and the burden of the home front will fall on their shoulders.

The problem that you are dealing with is a situation that many dual-income families face when they are balancing both of their careers with their parental and marital responsibilities.

The best advice that we can give you is to talk things through with your spouse, appeal to them on a very personal level, and explain to them why the job is important and critical.  You may also provide your spouse with some recourse if the job does change your home life, and commit that you will find another role if this new position affects your relationship with each other and your child.

In the end, if your spouse objects strongly, and provides you with logic that you can live with, then I would respect their opinion, and turn down the opportunity.  However, before you do, you should ask your spouse to provide you with acceptable criteria that you can apply to a future job search.

This way, you will have their buy in and support from the beginning.

Hope this helps,

Mike and Lee

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Personal, Planning, Position Selection, Uncategorized | Comments Off 

A Framework for Info Sec Career Success

March 9, 2011

We recently wrote an article that is featured in the March issue of Information Security Magazine about developing a framework for success in your current information security position.  The article points out four particular concepts that can be applied to any information security role – whether you are a CISO or you are in an entry-level information security position.

Let us know what you think.  Follow up questions can be answered on Career Advice Tuesday.

Lee and Mike

Posted by lee | Filed Under Advice, Personal, Skills | Comments Off 

CAT- “Finding Your First InfoSec Job – A New Approach (To An Old Question)”

March 8, 2011

Dear Infosecleaders:

My question for you is how does someone who is just starting out gain the experience that is needed to land their first job in InfoSec. Currently I work as a web producer and have for the past five years. I am currently going to school for a bachelor’s degree with a major in information security and computer forensics. I would like to get the Security+ and CISSP certifications.

I have interests in pen testing, encryption and computer forensics. I’m really just starting, so I’m not too sure what area I would like to become proficient in. I have laid out a career plan as best I could and would like to be in the role of a CSO for a company one day.

I unfortunately am unable to get an internship since I am a family man. Any advice you can give I would appreciate.


“Let’s Get It Started”

Dear MC Hammer:

It has been a while since we have answered a question about getting started as an information security professional, but your question has helped me think about an avenue for you, and for other aspiring information security professionals, to jump-start an information security career and get paid for doing it.

The best way to do this is to leverage your current skills of value to develop new ones.   In fact, this advice is applicable both to aspiring information security professionals and to experienced professionals looking to build new skills and develop new areas of expertise.

In your particular case, you have 5 years of experience as a Web Producer.  Without really knowing you, my guess would be that you have programming experience in web-based languages, you understand the composition of web applications, and you have some understanding of the SDLC (for web apps).   If my assumptions are correct, then you have some marketable skills that many companies need – just not in security.

The advice that I would give to you would be to look for employment in a larger, security-conscious, regulated company that has a need for your skills in these areas.   When interviewing, you can use your interest in security – and in producing secure web applications – as a point of differentiation.     Hopefully, based upon that experience, you can get a job that pays you the money necessary to take care of your family.

Once the job is landed, the first thing that you want to do is to try to insert yourself into conversations and projects that involve security.   Information security departments in large companies work with all types of technology teams to build more secure environments.  When you have the opportunity to interact with the security person assigned to your group, you should find the opportunity to engage with this person – and demonstrate your passion, interest, and some knowledge of security.  The best way to do this would be to speak about some current security issue facing the industry (for example, the HB Gary situation, a recent conference such as B-Sides, DefCon, or ShmooCon, or the last OWASP meeting you attended).  Hopefully you will begin to build somewhat of a relationship, and the person from the security team will be glad to know that they have an advocate for their projects “on the inside.”  As the relationship develops, offer to help in your free time, and ask if there is additional work (in a security group there always is).  Offer your services for a third shift in an ops center, to help out with incident response, or on a web app pen test.

By doing this, you are actually interviewing for your first information security position.

Large companies are known for giving their internal employees the opportunity to apply for internal roles before they search externally.   Once a role is posted in the information security group, apply for it.  In fact, companies would rather fill their roles with internal candidates because current employees already understand the culture, the recruitment process is more efficient, and the costs are considerably less (I can tell you first hand that external recruitment services are not cheap).  Since you are now a known commodity in the infosec team, your interview process should be a formality, and the most difficult part of the transition will be informing your current manager that you are transferring groups.

In essence, what you are doing is creating your own opportunity – and at that point you can continue to pursue additional certifications and training, and gain experience in the areas you previously mentioned (pen testing, forensics, encryption).

At that point you can begin focusing on the development, refinement, and execution of your career plan.

Let us know how this turns out.  Hope this helps –

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday, Interviewing, Planning, Position Selection, Skills | Comments Off 

Career Advice Tuesday – The Rant Edition

March 1, 2011

Anybody who knows me knows that I tend to get ranty on occasion. I got a question lately that made me more than a little bit that way.

Before I post the question, a brief thought about the industry that anybody who has heard me talk about information security careers has heard before. I believe that information security has one of the single hardest career paths in the entire world. Not that it’s a difficult job – compared to any episode of Dirty Jobs, it’s a cakewalk.

But making a career in infosec is hard because we have to work a lot harder to keep up in our field than most. The reason is simple: security issues aren’t in the oldest technology. Once a technology has been around for a few years, the security issues get worked out and we move on.

As an example, think back to 2003: everyone was freaking out about wireless security issues. WEP was a mess, everyone was deploying wireless insecurely, and security people were talking about how “wireless security” and “wireless penetration testing” were the hot skills.

When was the last time you thought: “Man, I really should get a job as a wireless penetration tester.  That’s where all the good jobs are these days.”?

This is the case for almost every part of security – while it’s important now, in 10 years the Cloud Security Alliance is likely to look awfully anachronistic.

The problem with security as a career is that you have to CONSTANTLY learn new things. Our job (for anybody who wants to be relevant 10 years from now) is one of continual effort to keep up with the latest/newest technologies. And, because of that, it’s rarely going to be a traditional 40 hour/week job.

So… the question I got late last week from someone who is 3 years out of school:

I’m not interested in a job where it is essentially expected that one works for longer than the standard 40/week. I also want to be able to use whatever vacation time I earn without being guilt-tripped by the office culture.

In my interview process, could you suggest a good way to determine which jobs are going to be expecting long work-week commitments? And would you be able to recommend a tactful way of bringing up how much I value my personal time during an interview?

Here’s the thing: I’m all for work/life balance. But neither Lee nor I believe that it’s possible to succeed long-term in our industry with that mind-set, especially early in your career. It’s one thing to have built a broad and deep skill-set and decide to take a job for quality of life reasons – it’s another to attempt to build that broad and deep skill-set in a rapidly changing industry while attempting to maximize the amount of vacation you take (unless, like many of us, your ideal vacations include a bus ride with a man with a beard or a trip to a conference that happens beside other conferences).

There are LOTS of industries where this isn’t the case. I was a *nix admin more than a decade ago, and I could still be a passable one today even having not touched a CLI (other than on my MacBook when I want to use grep or find) since.

Someone who was a security person in 1999 who hadn’t touched security (other than configuring their home router) for 10 years? They couldn’t talk about wireless security, web-app security, social media/cloud security, DLP, GRC, etc.

But they could probably tell you all about the benefits of stateful inspection and run Cybercop Scanner. If you don’t know what I’m talking about, I think I just made my point… And if you laughed, I definitely did.

Posted by mmurray | Filed Under Career Advice Tuesday, Security Industry | Comments Off