June 28, 2011
I just graduated college, and was lucky enough to get a great job as an information security analyst. It’s essentially a job I figured I’d have to work towards for two or three more years to get, but somehow I lucked out.
After several months, I now have an opportunity to go back to school for an MBA, as well as study Information Assurance with some really great advisors. My grad degree would be completely paid for, plus a bit for living expenses, as they do not want me to work during school-time. This would have been the perfect option had I not already gotten the perfect high salary job.
I ask, “To School or Not To School”
I often like to begin to discuss advice like this by saying that you are very fortunate to have a decision on your hands, not a dilemma. This is an excellent position that you find yourself in, and I am going to answer your question by posing some additional questions for you to consider as you are attempting to arrive at your own conclusion.
1) Do you have enough maturity to fully maximize the “Masters Degree” experience?
Plain and simple, a Masters degree, especially an MBA, is a lot more involved than just attending classes and getting good grades. A Masters degree will often introduce concepts that have more value when you can apply them to practical experiences, as opposed to just “school experience” – many people advise getting work experience prior to pursuing an advanced degree; however, you have to figure out which situation works best for you, and often that comes from being honest with yourself.
2) Your personal financial situation? Are there any conditions attached to the money?
Having the opportunity for a third party to pay for your degree in full is a great benefit. It is logical that a Masters degree could often cost up to $100,000, not including the time off of work. This is a great deal of money to walk away from and this has to be a strong part of your decision making process, and weigh strongly on the direction you decide to take.
Additionally, in my experience a gift like this – a full education, and living expenses – rarely comes without strings attached. If there are strings attached which create an “indentured servant” type of environment, where you are forced into a direction that may take you on a detour, away from your near term career goals, this needs to be given strong weighting as you make your decision.
3) How good is your current job and what are you learning?
I know that you said you had a well paying job, but let’s forget about the money for a moment, and consider the skills that you are learning in your day-to-day role. It is most likely that your near term career opportunities are going to come from your practical experience as opposed to an advanced degree. If you are gaining good experience, have a plan for additional training, and have a manager that fosters your career development, this can turn out to be more valuable than a Masters Degree. Again, it is up to you to evaluate these components of your current opportunity and honestly assess them.
4) Finally, what is your gut telling you?
When you make any decision, the best thing to do is to trust your own judgment and stay true to yourself. Considering that you cannot go wrong either way – that is, you can always find another job, and the last time I checked, Masters Degree programs are not closing their doors any time soon – you really cannot go wrong.
You are fortunate to have this opportunity; chances are you are a bright young person with a big future ahead of you, so you will most likely have more opportunities in the future. This decision has a great deal of magnitude; however, it is not a “make or break” type of decision. There really is no wrong answer.
As the holder of your own destiny, you ultimately hold the responsibility for your career – you will reap the rewards for good decisions, and have to address the consequences of incorrect ones.
Follow your gut, follow your heart, listen to smart people, and do not look back!
Let us know what you decide,
Lee and Mike
June 21, 2011
Hi Mike & Lee,
I’ve been in IT as a help desk professional for a little while, and recently I’ve started to take a little more interest in internet security and ‘ethical hacking’. I’ve come to realize that I like problem solving and troubleshooting more than I actually like programming. I’m not really sure where to go from here. I’m just looking for some focus as to what I should be learning and playing around with.
I appreciate any insight or input you can provide.
Newbie Ethical Hacker
Mike here – I’m writing this one almost completely on my own. Most people who start out in information security come at it from one of two ways: either because they want to learn to hack, or because they’re an IT professional already and end up gravitating to the particular problems that security provides. And most good security professionals end up learning both sides of that equation at some point in their career, because it’s hard to be good on offense if you don’t understand defense, and vice versa.
In short, if you want to be in security, it’s a good place to start.
I’ll be honest, however: learning to hack is an incredibly difficult thing to do. It requires a very deep and broad understanding of the way that systems and networks work. There are a large number of potential attack surfaces, and each of them requires a very different but very deep set of knowledge in that particular area: for example, becoming adept at attacking web applications is a wildly different skillset than becoming skilled at attacking the network itself, or performing attacks against systems themselves.
Here’s my advice (and I’m biased, as I run a site called The Hacker Academy where we train people on these types of skills): find someone who is able to do what you’re looking to do and find out how they learned what they know. Have them teach you a little bit at a time. This may or may not be a training company, but don’t get fooled by all the companies offering to teach you hacking in a 5-day bootcamp – you can’t learn to be an ethical hacker in a week, any more than you can learn how to be a doctor in a week. Find a training program that lasts for as long as you want to continue learning and continues to grow.
If you want more advice on this one, feel free to email me. I can give a lot more specifics if I know what you know and what you want to learn.
Mike (and Lee)
Posted by mmurray | Filed Under Career Advice Tuesday | Comments Off
June 14, 2011
Currently I work as an Application Security Consultant where I have been engaged on a long term contract with a Fortune 1000 company. The current engagement that I am working on came about as a result of being laid off from a professional services firm during 2009. I have approached the current client about becoming a full time employee, and they just do not have the ability to bring on a full time employee due to mandates that extend beyond information security and are dictated by the business at large.
Recently I was approached through a friend about an opportunity to become a Senior Application Security Engineer for a “Web 2.0” company. There is no doubt that the work would be exciting and I would learn a great deal, and on the surface the company seems like it is on good footing. However, due to my past experiences I am not sure.
My current situation is a good one – I am paid well (more than the full time opportunity), I know that there is plenty of work for me, however there is not any real “career” opportunity because I am a consultant (and they will not make me an employee). I think that for this reason, I would like to take the job with the “Web 2.0” company, but there is a voice inside of my head telling me that I should try to protect myself.
I am thinking about asking for a “2 year contract” in order to accept the role. Is this possible? If so, how should I ask the employer for this addition to the offer?
Unfortunately for you, the rules that apply to highly talented all-star basketball players do not translate to highly skilled information security professionals. The idea of a company extending a “2 year contract” to a senior engineer would be a new one for me.
To provide you with a point of reference, in 15 years of recruiting information security professionals, I have never been a party to a search assignment that contained an employment contract like the one that you are requesting. In fact, the longest severance package I have ever seen an employer offer was one year, and that was offered to a CISO who was relocating his family to an area that he was unsure of moving to.
I am not sure that this will make you feel better, but in essence we are all free agents, and employees “at-will.” As members of today’s information security work force, the development, maintenance, and constant enhancement of our skills serve as the fabric of our personal employment “contracts”.
Getting back to your current situation, I do think that you should do some due diligence on your new employer and the role that you are considering. I think that you should make sure for your own sanity that you do two things prior to accepting the role:
1) Make sure that you are comfortable with the career path that they have outlined for the position. The reason I say this is that if you do not think that the career path will help you grow your skills and prepare for the future, then stick with the contracting role – since the career path would be the main reason for leaving the world of contracting.
2) Make sure that you will excel at your new job. Plain and simple, you are going to want to come in and make an impact – not struggle. You want to make sure that you can exceed expectations and shine – not just be average. Just being average will make you “another employee”, and in that case your career acceleration chances decrease.
Again, career acceleration and progression should be key; you want to make sure that you feel confident that these elements of your new role exist, and that you can maximize them when they avail themselves to you.
Hope this helps,
Lee and Mike
June 8, 2011
Lee & Mike,