Career Advice Tuesday – “Experience vs. MBA”

June 28, 2011

Dear Infosecleaders:

I just graduated college, and was lucky enough to get a great job as an information security analyst.  It’s essentially a job I figured I’d have to work towards for two or three more years to get, but somehow I lucked out.

After several months, I now have an opportunity to go back to school for an MBA, as well as study Information Assurance with some really great advisors.  My grad degree would be completely paid for, plus a bit for living expenses, as they do not want me to work during school-time.  This would have been the perfect option had I not already gotten the perfect high salary job.

I ask, “To School or Not To School”




Dear Hamlet:

I often like to begin to discuss advice like this by saying that you are very fortunate to have a decision on your hands, not a dilemma.  This is an excellent position that you find yourself in, and I am going to answer your question by posing some additional questions for you to consider as you are attempting to arrive at your own conclusion.

1) Do you have enough maturity to fully maximize the “Masters Degree” experience?

Plain and simple, a Masters degree, especially an MBA, is a lot more involved than just attending classes and getting good grades.  A Masters degree will often introduce concepts that have more value when you can apply them to practical experiences, as opposed to just “school experience” – many people advise getting work experience prior to pursuing an advanced degree; however, you have to figure out which situation works best for you, and often that comes from being honest with yourself.

2) Your personal financial situation?  Are there any conditions attached to the money?

Having the opportunity for a third party to pay for your degree in full is a great benefit.  It is logical that a Masters degree could often cost up to $100,000, not including the time off of work.  This is a great deal of money to walk away from and this has to be a strong part of your decision making process, and weigh strongly on the direction you decide to take.

Additionally, in my experience a gift like this – a full education and living expenses – rarely comes without strings attached.  If there are strings attached which create an “indentured servant” type of environment, where you are forced into a direction that may take you on a detour, away from your near term career goals, this needs to be given strong weighting as you make your decision.

3) How good is your current job and what are you learning?

I know that you said you had a well paying job, but let’s forget about the money for a moment, and consider the skills that you are learning in your day-to-day role.   It is most likely that your near term career opportunities are going to come from your practical experience as opposed to an advanced degree.   If you are gaining good experience, have a plan for additional training, and have a manager that fosters your career development, this can turn out to be more valuable than a Masters Degree.  Again, it is up to you to evaluate these components of your current opportunity and honestly assess them.

4) Finally, what is your gut telling you?

When you make any decision, the best thing to do is to trust your own judgment and stay true to yourself.  Considering that you cannot go wrong either way – that is, you can always find another job, and the last time I checked, Masters Degree programs are not closing their doors any time soon – you really cannot go wrong.

You are fortunate to have this opportunity.  Chances are you are a bright young person with a big future ahead of you, so you will most likely have more opportunities in the future.  This decision has a great deal of magnitude; however, it is not a “make or break” type of decision.  There really is no wrong answer.

As the holder of your own destiny, you ultimately hold the responsibility for your career – you will reap the rewards for good decisions, and have to address the consequences of incorrect ones.

Follow your gut, follow your heart, listen to smart people, and do not look back!

Let us know what you decide,

Lee and Mike

Posted by lee

Career Advice Tuesday: So you want to be a hacker

June 21, 2011

Hi Mike & Lee,

I’ve been in IT as a help desk professional for a little while, and recently I’ve started to take a little more interest in internet security and ‘ethical hacking’. I’ve come to realize that I like problem solving and troubleshooting more than I actually like programming. I’m not really sure where to go from here.  I’m just looking for some focus as to what I should be learning and playing around with.

I appreciate any insight or input you can provide.

Newbie Ethical Hacker


Mike here – I’m writing this one almost completely on my own.  Most people who start out in information security come at it from one of two ways: either because they want to learn to hack, or because they’re an IT professional already and end up gravitating to the particular problems that security provides.   And most good security professionals end up learning both sides of that equation at some point in their career, because it’s hard to be good on offense if you don’t understand defense, and vice versa.

In short, if you want to be in security, it’s a good place to start.

I’ll be honest, however: learning to hack is an incredibly difficult thing to do.  It requires a very deep and broad understanding of the way that systems and networks work.   There are a large number of potential attack surfaces, and each of them requires a very different but very deep set of knowledge in that particular area:  for example, becoming adept at attacking web applications is a wildly different skillset than becoming skilled at attacking the network itself, or performing attacks against systems themselves.

Here’s my advice (and I’m biased, as I run a site called The Hacker Academy where we train people on these types of skills): find someone who is able to do what you’re looking to do and find out how they learned what they know.   Have them teach you a little bit at a time.  This may or may not be a training company, but don’t get fooled by all the companies offering to teach you hacking in a 5-day bootcamp – you can’t learn to be an ethical hacker in a week, any more than you can learn how to be a doctor in a week.  Find a training program that lasts for as long as you want to continue learning and continues to grow.

If you want more advice on this one, feel free to email me.  I can give a lot more specifics if I know what you know and what you want to learn.

Mike  (and Lee)


Posted by mmurray

Career Advice Tuesday – “InfoSec Pro Seeks Long Term Deal”

June 14, 2011

Dear Infosecleaders:

Currently I work as an Application Security Consultant where I have been engaged on a long term contract with a Fortune 1000 company.  The current engagement that I am working on came about as a result of being laid off from a professional services firm during 2009.   I have approached the current client about becoming a full time employee, and they just do not have the ability to bring on a full time employee due to mandates that extend beyond information security and are dictated by the business at large.

Recently I was approached through a friend about an opportunity to become a Senior Application Security Engineer for a “Web 2.0” company.   There is no doubt that the work would be exciting and I would learn a great deal,  and on the surface the company seems like it is on good footing.  However, due to my past experiences I am not sure.

My current situation is a good one – I am paid well (more than the full time opportunity), I know that there is plenty of work for me, however there is not any real “career” opportunity because I am a consultant (and they will not make me an employee).    I think that for this reason, I would like to take the job with the “Web 2.0” company, but there is a voice inside of my head telling me that I should try to protect myself.

I am thinking about asking for a “2 year contract” in order to accept the role.  Is this possible?  If so, how should I ask the employer for this addition to the offer?




Dear LeBron:

Unfortunately for you, the rules that apply to highly talented all-star basketball players do not translate to highly skilled information security professionals.   The idea of a company extending a “2 year contract” to a senior engineer would be a new one for me.

To provide you with a point of reference, in 15 years of recruiting information security professionals,  I have never been a party to a search assignment that contained an employment contract like the one that you are requesting.   In fact, the longest severance package I have ever seen an employer offer was one-year, and that was offered to a CISO who was relocating his family to an area that he was unsure of moving to.

I am not sure that this will make you feel better, but in essence we are all free agents, and employees “at-will.”   As members of today’s information security work force, the development, maintenance, and constant enhancement of our skills serve as the fabric of our personal employment “contracts”.

Getting back to your current situation, I do think that you should do some due diligence on your new employer and the role that you are considering.   I think that you should make sure for your own sanity that you do two things prior to accepting the role:

1) Make sure that you are comfortable with the career path that they have outlined for the position.    The reason I say this is that if you do not think that the career path will help you grow your skills and prepare for the future, then stick with the contracting role – since the career path would be the main reason for leaving the world of contracting.

2) Make sure that you will excel at your new job.   Plain and simple, you are going to want to come in and make an impact – not struggle.  You want to make sure that you can exceed expectations and shine – not just be average.  Just being average will make you “another employee”, and in that case your career acceleration chances decrease.

Again, career acceleration and progression should be key.  You want to make sure that you feel confident that these elements of your new role exist, and that you can maximize them when they avail themselves to you.

Hope this helps,

Lee and Mike

Posted by lee

Career Advice Wednesday (oops): Getting Off the Horse

June 8, 2011

Lee & Mike,

I came across your names while watching old Defcon videos and I thought you might be the guys who can help me.  I’ve spent the past couple of years learning everything there is to learn in books.   I’ve worked in IT for a few years and I have security certifications, but I still can’t get a job in the industry.

I’m finding myself at a bit of a crossroads.  I’m trying to determine whether or not I should continue to pursue a job in security or just stay in the career path I’m in now.

Making it harder is that the jobs I do seem to find that I think I could get, I would have to take a major pay cut to get.  And I can’t really afford that.

What should I do?


Mr. Crossroads,

First of all, we have to apologize for being late on this one.  Sometimes life gets in the way of our weekly advice entry [Aside: though not nearly as often when it's Lee writing the entry].    But better late than never (we hope).

I remember a movie from a few years back called “Wag the Dog” in which a politician character was running on the slogan: “Don’t change horses in midstream”.  The idea was that even if you’ve made a decision you’re not happy with, you should stick with it.
There’s a reason that movie was a parody.  Life’s too short to spend a large part of it wishing that you had made a different decision.

Clearly, you’ve spent the past couple of years preparing (especially if you were watching through old Defcon talks) for a career in security.  Now, it’s time to prepare yourself for the next step.  If all you can get is a junior level job (with the corresponding pay), perhaps you have to spend the next few months (or longer depending on your financial situation) putting away cash in a savings account so that you have an extra cushion while you’re making the transition.

The other thing you can do is attempt to get a job that’s aware of your talent and dedication and compensates you based on that (even if your skill level isn’t quite there yet).  How do you do that, you ask?  Well, that’s not usually possible through the standard “send in a resume, get a job” process that most people do.  You need to reach out through your network and find people who get to know you for who you are, and who also are looking to hire high-potential people and grow them.

Those jobs aren’t ever advertised.  You have to go find them in your network from people who know you.  And the more people you know who are doing the things you want to be doing, the more likely you are to find someone like that.

A great piece of advice on how to get better known in this way is in a post that Martin McKeay wrote yesterday about Twitter.  It’s some great advice on this kind of networking.

I know we rambled a bit there, but the short answer is simple:  life’s too short not to go for what you want.  If you can’t do it now, prepare yourself to do it later.  Or reach out to the people who believe that you’ll get there, and see if they can hire you today.

Mike & Lee

P.S. As an aside, in case you think that I’m making this up: I’ve hired a whole bunch of people throughout my career as a manager and business owner with this intent – all of them have been hired because I knew them rather than because I knew their resumes.  And almost all of them didn’t have the skills on paper for the jobs I hired them for, but rewarded me as a hiring manager handsomely for taking the risk on them.  I know that Lee has done the same with many people that he has hired over the years as well.

Posted by mmurray