Career Advice Tuesday – “Graduate’s First Career Decision”

May 31, 2011

Dear Infosecleaders:

I am a recent graduate of a Masters program with a concentration in Information Security and I am trying to make a decision about selecting my first job.

To give you some background, I have an undergraduate degree in Computer Science and have been coding since I am about eight years old.  During the course of my undergraduate studies I discovered information security, and I was hooked.  During undergrad I found internships that were centered on software development, but found myself looking for information security related problems to solve.

Upon graduation, I decided to pursue a Masters degree to learn more about information security, which I have.  The program has focused on some of the non-technical areas, which has really opened my eyes to some of the types of issues that I would like to focus on.

Now that I am about to graduate, I have two different opportunities to choose from – the first is a software development role (at one of the company’s where I interned) that has some components of information security.  The pay for the position is $75,000 and they will pay for relocation.  Also, the role is in an area of the country where the cost of living is relatively low, so the money will go further.

The second opportunity is to work in the information security function of a Fortune sized company, where I will work on security governance, risk, and compliance initiatives, in support of a Director.  That position pays $45,000, the relocation package is not as comprehensive, and the cost of living is much greater.   The upside is that the area has a thriving information security community, and I should be able to meet many other information security professionals.

One other point, I have student loans, no additional financial support from my parents, and a car that has about 160,000 miles.

All of my friends and parents have told me to take the higher paying job and get on my feet, but there is something inside me that tells me that the other job is better suited for my interests.

Any advice would be appreciated.




Dear Mr. PIB:

The best advice that I can give you is to follow your gut and follow your passion.  Wherever the destination you choose, make the best of it, and maximize its value.

While I am not going to give you an answer to your question – I am going to point out some facts that I think you should apply to your framework for decision making:

1)   You came to the realization through the years that Information Security is the direction you would like for your career to lead.

2)   You spent two years of your time and money attending graduate school to learn about information security.

3)   You have already worked in the environment (via internship) in the software development role, so you have some first hand experience on how they feel about information security and if you will be able to utilize your knowledge.

4)   It appears that your policy job is in an area where there is a thriving community and many other information security opportunities.  The software development job appears to be located in a more remote location without many other suitable employers.

5)   Only you know your financial issues, and can appreciate the effect that they will have on your living situation.   (We were all there once.)

Some other things that I will share from experience:

1)   You are at a point in your life where you have personal freedom and can follow your dreams.  As you get older, you will be forced to make decisions based on external factors, so my advice is to take advantage of this freedom – before you know it, it will be gone.

2)   As long as you keep your hard “technical” skills, you will be able to find employment.   For example, if the policy job does not work out, I am pretty confident you could call the other company and ask if they would hire you as a software developer.

3)   Dismiss the opinions of anyone who tells you to take the job that pays the best, exclusively on that criteria.  (This logic alone validates that they are amateurs, and do not understand a thing about your professional options)  This can be your parents, your significant other, or even a professor, at this stage in your life, money is a component of your decision, but should not be the driver.

4)   Whatever you decide, make the most out of it.  Work your butt off.  Meet as many people as you can – internally or externally – so that you grow your skills , your network and develop  your interests in information security.

5)   Don’t second guess yourself – try not to wonder “what if” – you decided differently, it may only make you crazy.

Like I said, I am not going to give you an answer on what I would select.  Now is about the time that all of your great education should come in handy!

Best of luck,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Planning, Position Selection, Skills | 2 Comments 

Career Advice Tueday – “Advice for Job Hoppers”

May 24, 2011

Dear Infosecleaders:

I have been working in a company for over two (2) years now, and for the last eighteen months I have been focused on Privacy Controls Implementation.

Plain and simple, I find this work to be boring.  I have a difficult focusing on my current job and I feel that my work is suffering due to my lack of enthusiasm and the loss of passion.

My initial goal would be to remain with my company, but my manager is not open to my request and simply told me to “keep my head down” and focus on my current project.

I would really like to begin a search for another employer, and to find an opportunity that lets me shift my focus, and let me utilize some of my other skills as an information security professional.   However, I have a history of changing positions every two years, and I have run into the obstacle of being labeled as a “job hopper”.

For the record – I have worked for six companies in my 14 year information security career.

I am not sure how to overcome this obstacle, and progress toward my career goal.   Do you have any suggestions on how I can implement a strategy to change roles and overcome the perception of my lack of commitment?

Any ideas would be welcomed.


“Frog Man”


Dear “Froggy”:

Unfortunately, we do not have much help for you.   The best that I can offer is to utilize your experience to help others, so that they can utilize this as a learning tool for their own careers.

The fact is that history is a very good predictor of future results, and to any new employer it is logical for them to assume that you will only remain at your current position for two years (or slightly more) at a time.   The fact that this is a repeatable pattern – not just once, twice or three times – but six times – is a good indication that you will not stay with your next employer much longer.

In this day and age, hiring managers are facing greater scrutiny when hiring external resources, and if they decide to provide you with an opportunity for employment it is likely that their judgment is going to come into question by their managers.   Many hiring mangers are unwilling to take this risk, as the competition for their jobs is greater.

Therefore your dilemma, Froggy.

If any of you beginning information security professionals are reading this, this should be a lesson and a situation that you need to avoid.   You have to understand that your career and your career choices tell a story, and are a reflection of your decision making, your intangibles, and your personal make-up.   It is often very easy to pick up and leave your employer, however the decision that provides you with instant gratification, often has longer term implications.  This will limit your choices and create an obstacle that you may not be able to overcome.

Take a lesson from Froggy – and try to make sure that you exhaust all internal options prior to making a career decision.   Understand that when you decide to change jobs, try to determine if there is room for growth, and work with your manager to determine the best way to develop your skills and create opportunities for yourself that challenge you and grow.

Back to you Froggy – you are going to have to grit it out- and try your best to convince your manager to provide you with an opportunity that will renew your passion.  You need to demonstrate this by finding it within yourself to become the best Privacy Controls Implementation professional possible, and seek out opportunities that allow you to leverage this expertise into new roles with your current employer.

Give yourself an additional year to do this, and see how it turns out.    In the meantime, take the year to make some personal career investments that may align with your future goals.   When the time is right to go for another interview, you can tell a better story – about how you “stuck it out”,  “tried your best to make it work” – and rededicated yourself to your career -  that is a powerful story that any progressive hiring manager will like to hear – and can sell to their management when asked about your employment history and ”job hopping”.

Write us in a year, let us know how this turns out.

Wish we could be more immediate help,

Lee and Mike


Posted by lee | Filed Under Advice, Behavior, Branding, Career Advice Tuesday, Planning, Position Selection, Uncategorized | 2 Comments 

Career Advice Tuesday – “SOC-Sessful”

May 17, 2011

Dear Infosecleaders:

Currently I work in security operations for a Managed Security Service provider, and I am responsible for our company’s largest customer.  Supporting a customer like this requires 7X 24 effort – and I am often called upon for late nights and weekends.

Recently, my manager called me into his office, and let me know that our company’s sales team has acquired another “flagship” client, and we are going to need to provide them with the same level of support and client service.   The manager has informed me that they are going to want me to be the main point of contact for the client.

I first asked who would be taking over my previous responsibilities, and he remarked that nothing would change and I would be now expected to manage both clients.    When he told me this, my expectation was that this increase in responsibility (and time commitment) would coincide with a salary increase, but as the meeting drew to a close, it was clear that this was not on the table.

After thinking about this, I feel that I am taking advantage of.  The increase in work means more time away from my family, more weekends, more responsibility, and lets face it, more pressure.

Not quite sure that I want to take on all of this without any additional financial incentive.   I have flirted with leaving the company in the past, but like working here and believe in our mission.  In fact, the client that I am supporting has approached me a number of times to come work for them – and I know that this option is open to me.

Do you have any advice for me?





Dear “SOC-Sessful”:

First of all, congratulations for doing a good job and being recognized for additional responsibility by your manager and employer.  The fact that they have demonstrated this to you by attempting to give you additional responsibility provides you with an indication that you are valued and subsequently provides you with some leverage in these future discussions.

What we would like for you to do is to schedule a meeting with your current manager to discuss the new responsibilities and requirements.  During this meeting, you should have your manager clearly express any new requirements that they will have on you – this should include their expectations of additional time, service, skill, and availability.   Once your manager expresses this to you, you should first let them know that you are happy to take on additional responsibility,  but your expectations would be that if you are successful your expectation would be that you would receive additional compensation – in terms of salary, bonus, and equity (if this is an option) .   You should ask your manager to review these items with you, six months from today – and even ask them to calendar the meeting when your are in your office.   In addition, at this time, you should inform your manager that, beginning with the new assignment,  you would like to have some more discretion over your vacation/PTO time – considering your time away from your family will increase.

By doing both of these things you are setting some precedent with your manager:

1)   You are letting your manager know that you are willing to take on more responsibility and are willing to prove yourself without immediate reward.   This is a sign of maturity – and should be recognized.  At the same time, you are also letting your employer now that you have an expectation for a financial reward, if you perform your job well.   This gives your manager the necessary time to plan with their management to budget for these financial outlays.

2)   By asking for discretion on vacation, you are demonstrating that you will demand additional benefits for increased workload.  This sets a precedent to your manager that they can not give you additional work, for nothing in exchange and that your time is valuable.   Giving you discretion over vacation is something easy for your manager to provide you, without any permission from their management.

What you have effectively done is make some demands on your management without “holding a gun” to their head.

Once you embark on this new assignment, ask your manager to review you in 60 days, and 120 days, leading up to your six month review.  This will provide you with a documented status, on your performance.   During these meetings you can remind your manager of your expectations of increased compensation.   You should have a pretty good understanding of what your manager thinks of your progress and performance.

If in six months, you do a good job, you will have that meeting with your manager, and you should have your increase.  If you do not receive your increase, keep your client’s number on speed dial, as if they do not financially reward you, you will have no other choice but to leave.

The reasoning is that by ignoring your request,  your company will have effectively set the precedent that they can give you more work, without any additional  pay – and if you accept this, they will continue to do so.

Hope this helps,

Lee and Mike


Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Compensation, Skills | 2 Comments 

Career Advice Tuesday – “Sub-Prime” Employment

May 10, 2011

Dear InfoSec Leaders:

About a year ago, I accepted an information security position that included a relocation package. The relocation package was quite comprehensive, and the total amount is equal to about $60,000 (which is about 50% of my salary). In order to accept the relocation package, I had to agree to a two year recovery clause on the relocation money. At the time, I thought that this was fair – especially considering that the company helped me get out from under a bad mortgage in a declining real estate market.

However, now that I am about 10 months into my new job, I am regretting the decision.

The company and the position that I am in has changed dramatically over the last six month due to some new leadership. My role that was designed to do one thing – has now been shifted to perform tasks that I am generally bored with, and accomplished three years ago.

I have a dilemma. I can’t afford to pay back the relocation money – and I can’t stay here 14 months without going crazy. If I leave after 2 months (my year anniversary) – I will still have to pay back $30,000.

Do you have any advice for me? How can I get out of this bind?


“Sub Prime” Employment

Dear “Sub-Prime”,

The only way to answer your question is to be blunt – you are in a bad situation. The best advice that we can give is to try to make the best out of it and arrive at a decision that you can live with.

The way we look at it, you have two choices – the first is that you can figure out a way to justify swallowing the $30,000 that you owe your current employer and find a new job. The next is that you come to peace with the fact you will be at your current role for 14 more months – and make the best of it.

There is a third option –which is to become so disruptive that they “ask you to leave” and one condition of you agreeing not to “pursue legal action” is for them to release you from your obligation. We do not recommend this – but it is definitely an option.

We think that you have to view this problem as two fold – first in a financial way, next is from a career perspective. $30,000 is not a small amount of money, but in the course of a career, it is really not all that much ($1,000 per year for 30 years of working) . The fact that you would have owed this money on your home – had the new company not rescued you from the housing crisis, you should look at this as “found money”.

What you need to think about is if your “happiness” and “job satisfaction” is worth $30,000? That is a question that only you can answer.

From a career perspective, you need to really understand if you can “afford” working in a role where your skills are regressing. The opportunity cost of working in a position where you stagnate your professional development could cost you considerably more than $30,000 over the course of your remaining career- in terms of promotions or competing for new opportunities. You should figure out in the context of your current role if there are skills that you can build as you bide your time over the next year. It is quite possible the framework of this opportunity could enable you to develop a weakness or to find extra time to attend additional education or make career investments that can augment your current skills. If the opportunity does not provide you with this – you have to sit down and think if you can financially afford to take the hit and write the check.

Remember, the cash that you owe your employer is post tax (disclosure – we are not accountants), you will need to come up with roughly $40-45K in cash to pay for the 30K that you owe.

You have a difficult decision to make. Good luck as you attempt to find the best solution that works for you and your career.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Planning, Position Selection | Comments Off 

Career Advice Tuesday: Should I stay or should I go?

May 3, 2011

Dear Infosec Leaders,

I have a really difficult dilemma. I just got offered the perfect job for me. It’s everything that would be the perfect next step in my career at this point. Not only that, I was tired of what I’ve been doing and I’m ready to make a change.

The problem is that the job is in another state and I really like where I live right now.

How do you make the decision between a job you like and a place that you want to live?

Torn Between Two Cities

I’ve certainly lived this one myself, Torn. Anybody who knows me is familiar with my tendency to hop between cities – at this point, my wife and I have lived in 7 different places in the 10 years that we’ve been together. (San Francisco, Myrtle Beach, Toronto, Portsmouth NH, Chicago, San Francisco (again) and Las Vegas). And, with the exception of Las Vegas (where we live now), all of them were motivated by the opportunity to take on a new challenge and move forward in one of our careers.

Given that backdrop, you might think that my advice would be an unequivocal “Pack your Bags!”. But it’s not quite that simple, Torn… you have to consider what you’re giving up on each side.

One of the things that Lee likes to talk about most often is that life is a series of tradeoffs and sacrifices. You can’t both be the Center Fielder for the Boston Red Sox and live a quiet life with no travel. You can’t say you want to be a penetration tester and also never learn anything new after you leave college.

In the same way, the decision you’re making has within it a bunch of tradeoffs. The place where you live probably has a lot to offer: a social network, familiar patterns, favorite experiences (e.g. your neighborhood coffee shop, favorite bar or restaurant, etc.) and life patterns that all combine to allow you to reduce your stress level.

We often discount this level of stress reduction when considering a move, yet the research shows that moving imparts a level of life stress that is behind only a divorce or a death of a loved one in terms of its physiological and psychological impact. Even if you want to move, it’s an exhausting and stressful experience that lasts long after the moving truck has left the door and the boxes are unpacked (if, unlike me, you ever GET the boxes unpacked).

When you move, you have to rebuild many of those familiar structures that I mentioned above – you have to create new social networks, new life patterns and rediscover those benchmark experiences that allow you to live life relatively unconsciously. And this costs you a great deal in terms of psychological energy.

All this while you’re starting a new job. There is nothing easy about this task.

That said, you need to weigh your own capacity for adaptation to this type of stress – some people (me included) thrive on it. The first few weeks after relocation are a time of great creative energy for me – the extra demands on me to learn new patterns spark a great deal of creativity in me.

I also have friends who don’t adapt to it well. They survive best when they know all of their neighbors and all of their local haunts – the lack of certainty about their support structures leads to a nearly paralyzing anxiety that severely impacts their ability to react to their environment in the first 3-6 months of their relocation process.

Which type of mover are you? Do you need to have long-term stability close at hand? If so, the move might be a much bigger impact on you than it would have been on me.

That said… you have to balance this against the opportunity at hand. Your question doesn’t indicate how many opportunities you have where you are – can you find just as cool an opportunity in the city you’re in? If not, perhaps it’s time to bite the bullet and get the move out of the way now. That was certainly the case for me – with each move, the opportunity was one that I couldn’t find where I was and the move was the right decision.

I hope that helps… and I hope that the move (if you make it) is an enjoyable and creative opportunity for you.

Mike (and Lee)

Posted by mmurray | Filed Under Career Advice Tuesday | Comments Off