Career Advice Tuesday – “Unhappy Passover”

April 26, 2011

Dear Infosecleaders:

I’m currently a Security Tester at a small-size company, with some offices around the globe. I also have some certifications and a Security background. However, since I started working for this company as an Automation Testing Engineer, I have started to change the Security posture of the company. I’ve proposed to the board the creation of a security area; I’ve originated the company’s Security Committee; I integrated a Risk Assessment and Vulnerability Management process and developed the company Security Dashboard.

The good news is that due primarily to my efforts and perseverance my employer has finally created the Security Manager position. The bad news is that the person selected for this position was an existing IT Manager, and not me.

Needless to say that I am very disappointed and have been left unmotivated after learning of their decision and I have started looking for a new job.

A Fortune 100 company interested in hiring me contacted me to work with them as a Security & Compliance Coordinator.  This company does not have Information Technology as their core business. They are in a different industry.

I’m hesitant to go to a new company where the core business is not related to Information Technology and that is growing at a slower rate than my current employer. That being said, I am very interested in the opportunity in front of me, and it effectively enables me to leverage my current technical skills to gain experience related to compliance, which is a direction that aligns with my long-term career goals.

The dilemma I have is that I am unsure if leaving my company for this opportunity is a good career move?


“Unhappy Passover”


Dear Mr. Heston:

You ask a complex question, so we are going to dissect it in equal parts.

The first thing is that it is never a good feeling to learn that you were “Passed-Over” for this Security Manager opportunity. You have every right to feel let down, considering that you believe that it was your efforts that led to the creation of the role. Before you do anything drastic, my advice would be to set up a meeting with the person who made the decision and ask them why they selected the other internal candidate. Granted, you may not agree with their answer, but it is possible that their decision was based on some logic or a key “skill gap” that may prevent you from performing the role as it was designed. If they point out a skill gap, you may need to do some self-assessment to see if their analysis has merit. If you believe it does, you should ask your employer to help you find a way to gain this experience so that you may develop your skills. At that point, if your employer does not provide you with a clear answer, or you cannot come to terms with their thought process, then my suggestion is that you need to move on, especially if you believe you cannot find the passion and motivation that enabled you to be effective in your security testing role.

The next question that you ask is whether you should leave your IT-based employer to work for a company in a non-IT-based industry. My answer to this question is that industry alone should not be a determining factor for this decision. There are many non-IT businesses that have excellent commitment and business alignment with the information security function. Historically, financial services has always been a prime example of this; however, recently companies in retail, manufacturing, healthcare, and other industries have become more invested in information security and building “world class” information security functions.

The questions you should be asking yourself are two-fold: whether the new company is committed to building a first-class information security function (you should understand the drivers and the security function’s leadership), and whether you have an interest in learning about the business/industry of your new prospective employer. If the answer to both is “yes”, you should not hesitate to explore the opportunity in greater detail.

Your third question regarding building new skills aligned with your interests and career plan is an easy one.  By all means, if the new employer enables you to leverage your existing skills, to build and develop new ones, I would jump at that opportunity – especially if this opportunity does not exist at your existing employer.

You close by saying that you have a dilemma – and I would disagree.  It appears that you have some very good skills, a strong passion for information security, and the ability to influence others – these are the foundations of successful Information Security leaders.

Dilemmas are situations where you do not have any good choices.  What you have is a decision to make – which when it comes to managing your information security career is always a good thing.

Hope this helps.

Happy Passover,

Lee and Mike


Posted by lee | Filed Under Advice, Career Advice Tuesday, Planning, Position Selection, Skills | 1 Comment 

Career Advice Tuesday – “The Bird In The Bush”

April 19, 2011

Dear Infosecleaders:

Currently I am an unemployed information security professional and I have been actively interviewing for two opportunities.   Both of the opportunities are better than being unemployed but one is clearly better than the other.

The lesser of the two opportunities was brought to my attention by a fellow information security professional who endorsed me to their supervisor.  That interview process has been completed and they have told me that they want to offer me a position.

The better of the two opportunities has completed their interview process and has provided me with positive feedback, but has yet to make me an offer of employment. This is the opportunity that I really want; however, it may be an additional week before I have a firm commitment.

My predicament is that I do not want to be unemployed, but I also do not want to accept the “lesser” opportunity and then go back on my word, leaving my friend who did me a favor in a bad spot.  However, although it looks promising there is no guarantee that the “greater” opportunity will come to fruition and I will be offered the job.

Is there any advice you can give me to manage this situation?


“The Bird In The Bush”

Dear  “Tweety”:

I am a firm believer that the people that you answer to are first yourself and then the ones that love you and count on you. So, the first thing that I can tell you is that you have to make your decision based on what you can live with. The next thing I will tell you is that you have to have a handle on your financial and personal responsibilities, and factor that into your equation.

All of that being said, the best advice that I can give you is to speak to your friend who introduced the “lesser” opportunity to you, and let him know what you are thinking. Honesty being the best policy, this should at least clear your conscience and, at best, provide you with some advice on how to deal with this new potential manager through this process.

Simultaneously, I would contact either the hiring manager, the human resources person, or your recruiter, make them aware of your situation, and ask if it is possible to expedite their decision-making process. You should make it clear to them that the opportunity at their company is preferred and that if offered (and provided fair compensation) you would accept it. You can also share with them that ethically you are torn, and you do not want to accept the other opportunity out of need, only to go back on your word. This may provide them with insight and more validation on what type of person they are getting if they hire you.

I would appeal to their personal sense, and tell them if they are not interested, that is fine, but to please be candid with you so that you can move forward with the other opportunity.

Really, let’s hope that the “better” opportunity gets back to you soon – so that you can move forward and avoid this type of decision.

Let us know how this turns out.

Hope this helps,

Lee and Mike


Posted by lee | Filed Under Advice, Career Advice Tuesday, Interviewing, Position Selection, Recruiting, Uncategorized | Comments Off 

Career Advice Tuesday – The Value of College

April 12, 2011

Dear Infosecleaders,

I am currently a Junior in high school and have been looking into the information security field. I am supposed to start looking for colleges soon and applying for them. I live in {a midwest state} and was looking to stay in state to do school–unless I would gain a huge advantage going out of state. I’m not exactly sure what exact position I would like to actually work in, so currently I am open for anything.

My first question is: Is it worth going to college? Is spending that money on college going to good use? I hear about everybody getting all these different certifications and I am not sure if I should waste money on college and certifications. I don’t want to be stuck paying for college for a long time. Do infosec jobs pay well enough that you can say that college was really worth it?

I heard that colleges throw stuff together just to “add” another major to their lists. What colleges actually have good courses that are worth paying for? I would like to go to school in {my state}, but I don’t know how to compare which schools actually are better.


Hey PF,

When I was growing up, all that my parents, teachers and everyone else drilled in to my head was the importance of going to college.  From the time I was young, it was “get a good education and you’ll be successful.”  So, unlike you, I never questioned the value of a college education.

Of course, times are different now. I know a great many people with college degrees working in low-paying retail jobs or as a barista at Starbucks. Not exactly the “success” that my parents envisioned when I was growing up.

In fast moving fields like security, it can seem even worse – we see a huge number of people succeed in IT and information security without a college degree.  And, whenever I hear someone mention the importance of college, someone else is there to point out that Bill Gates was a dropout.

So, let’s talk about what a college degree actually gives you so that you can make an informed decision.

First and foremost, college is a networking experience.  If you go to college, you’ll meet a lot of like-minded people who are interested in the same subject as you.  And, for many people, those connections will stay relevant throughout their lives as they enter the professional world.  (Note: this is especially true in graduate programs.  The MBAs that I know will often cite the networking benefits as the key reason for having an MBA).

Additionally, college provides you with a lot of experience in getting things done.  College can act as a buffer between the hand-holding that most of us get in high-school (I still resent my 10th grade teacher for forcing me to show my work) and the “on your own” experience that most of us get in the real world.   You’re forced to learn to live in a somewhat independent world without the “sink or swim” experience that you may get in the “real world”.  (FYI – it’s for this reason that I usually suggest going out of state for college, as you get a little more of that experience when you can’t go home on weekends to have Mom do your laundry.)

Finally (and most importantly), a college degree acts as a signal of those two things.  It says that you are “part of the club”, so to speak – this is especially true if you go to a college with a strong reputation.  Knowing that someone has a Harvard MBA says something about them.   That degree can stand in as a representative for acquiring a certain type of knowledge  from a certain set of people.  And having the degree suggests that they knew how to complete that task.

Note that nowhere here have I said anything about getting a job. What college does NOT do is prepare you to be a useful worker. That’s a fallacy that is thrust upon us by an outdated idea of work. When we hire people, we spend a lot of time training them – it’s that training that makes them effective at their jobs, not what they learned from the books in college. So, I urge you not to focus on the coursework beyond the reputation that it has – if a school has a reputation for being solid within an industry (e.g. the Harvard MBAs I keep using), it will most likely provide the real benefits above effectively.

In some ways, this probably leaves you more confused than a straight answer, but I’ll encourage you thus: all large companies and government agencies still value a college degree as a useful signal.  For that reason alone, college degrees are worth attaining as you’ll probably want to work with them at some point.

-Mike & Lee



Posted by mmurray | Filed Under Career Advice Tuesday | 2 Comments 

Would You Trade a Cup of Coffee for Career Advice?

April 7, 2011

Lee and I often get asked for career advice. And (assuming we’re in the same location) my answer is often that we should go grab coffee and talk about whatever the question is that the person has on their mind.

I recently got the crazy idea in my head that I thought I wanted to check out what it’s like to publish a book for the Kindle and I wanted to price it at a crazy low price-point.   So, I took the e-book that I wrote a few years back and completely updated and revamped it to fit in the Kindle format.

And, akin to going out for coffee, I priced it at $2.99.

It’s over 119 pages of the best career advice that I’ve got.  Want to buy me a cup of coffee? ;-)

Posted by mmurray | Filed Under Advice | 4 Comments 

Career Advice Tuesday – “A Sense of En-‘TITLE’-Ment”

April 5, 2011

Dear Infosecleaders:

I am in the middle of contemplating a job change and I am looking for some guidance.   The new opportunity is really an ideal one for me, with the exception of one component, the job title.

For the past three years, and currently I hold the title of Manager.  The “Manager” title refers to the fact that I manage technical security projects, but in a hands on capacity.  I do not have direct staff (matrixed), I cannot hire or fire, and I do not have budget responsibility – but nonetheless, I am still a Manager.    I consider myself a technical security professional – and have some strong architecture experience and some detailed knowledge in working with information security tools.   However, one of my long-term goals is to become more involved with risk management and compliance.  I am happy in my job, but the future for professional growth is questionable.

This brings me to my new opportunity.

The new role is to become one of the lead junior security architects for this company.  The company has just hired a new dynamic CISO (whom I met with), has a big commitment to security, and there is a great deal of opportunity.   They have even offered me a position that has increased my total compensation by 15%.    In addition to this, the CISO told me that after 18 months, I would be given the opportunity to transition to the “GRC” side, if I chose to and could prove that I was capable.

There is one catch.  The title of the job is “Senior Engineer”.

I asked HR if they could change the title and they told me that the work that I would be doing in their organization was one of “Senior Engineer” and not one of Manager.  The CISO said that if I could prove my skills at a Manager level, he would be happy to promote me when I was successful in demonstrating this.

This is a big dilemma for me. The job is great – but I feel I am heading in the wrong direction. Can you help me?


“Working Title”


Dear “WT”:

I do not know how to be more clear when I say this but “Take The Job!”

Titles are probably the least significant attribute of a successful career.   Most people place way too much stock in their title, because of what they believe others will think – this group includes their peers, co-workers, friends, and family.

The fact is that titles are not transferable.  Different organizations have different titles that apply to their organization or industry.  (My guess is that you are not just changing jobs, but changing industries as well.)  This is done primarily to create standardization within the HR function.   I would think that Senior Engineer would apply to all IT skills – including security, software development, infrastructure, etc.

Here are the things that you have told me that I believe make this job good:

1)   You are entering an opportunity where they are building an information security program.  There is always a good amount of opportunity in this environment that will appear once you begin working.

2)   The CISO is progressive – and told you first hand that if you want to expand your skills, he would provide you with the opportunity.

3)   The CISO is honest.  He said that you would have to prove your skills as a Manager in order to be promoted.  He did not promise you a promotion, he promised you the opportunity.   By making a statement based on conditions, it means that he will value effort and results.   The rest is up to you.

4)   They are paying you 15% more as a Senior Engineer than your current company is as a Manager.  That should speak clearly about commitment.

5)   You said that your future for professional growth is questionable.  (That should be enough on its own.)

Very simple, you have many of the components of what appears to be a great opportunity.  Do not let your preconceived notions or pride get in the way, for something as meaningless as a job title.

In the end, you will get your next role (internally or externally) and accelerate your career based on what you have done, not what you are called.

Hope this helps,

Lee and Mike


Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Interviewing, Position Selection, Skills | 2 Comments