July 28, 2011
On Thursday, August 4th, at 1:45 PM PST, as the first part of our Professional Development Workshop at Black Hat, we are going to announce the full results.
We were very happy to receive 1349 respondents to the survey, and from reviewing the background of the respondents we find it to be a very good sampling of the Information Security industry:
2/3 of the respondents have worked in information security for more than 6 years
25% of the respondents have worked in the industry for more than 12 years
1000 of our respondents either hold or have held an information security certification (Yes, exactly 1000)
699 of the respondents hold or have held the CISSP (667 current/ 32 no longer)
50% of the respondents earn 100K or more
35% have a long term career goal of becoming a CISO or CSO, an additional 10% aspire to be a CTO or CIO – (Competition should remain fierce for these roles!)
25% of the respondents said that they had a Written Career Plan – (which means that we are making progress)
These results are just the tip of the iceberg – you will have to come to our session at Black Hat if you want the full release. Anyone who is not in attendance at the conference and would like a copy of the results afterwards can sign up at Infosecleaders – Research – shortly after the release.
A special thanks to all of those who participated. Thanks for making this a great success. Stay tuned for our next industry survey!
Lee and Mike
July 27, 2011
Dear Infosecleader Community:
For the past couple of years Mike and I have written about information security career topics and spoken about the importance of leadership, in all forms. One of the things that we have suggested in many of our posts has been to find opportunities to demonstrate leadership outside of the work environment.
Recently, I have decided to follow my advice, and take a leadership role in the origination of a charity event that blends a number of things that I am passionate about: Children, Community, and Athletics.
For the past three years I have been playing in an over-35 fast pitch softball league, called MVP Softball, where I play on the Central Jersey Trees. About a year ago, we began discussing the concept of joining together and putting together a softball charity event that could benefit needy, local families and children in our community.
After agreeing on the idea, we began thinking about charities that we could support that could accomplish our mission. In the end, we decided upon two charities – the Monmouth County Challenger Leagues (Freehold and CYSP of Lincroft) and The Chariot Riders.
Here is a brief synopsis – The Challenger Sports Programs are designed to provide sports programs and activities for children who are both physically and mentally challenged. The local Challenger programs participate in sports that include baseball, basketball, soccer, tennis, golf, and cheerleading.
The Chariot Riders program provides therapeutic horseback riding for physically and mentally challenged children and adults to improve the quality of their physical, emotional, mental and social well-being.
After selecting our charities, we partnered with a local volunteer organization named Play2Win Foundation, whose mission statement aligns with our event. Play2Win is a 501(c)(3) entity, and takes absolutely no money in administrative fees. They have been instrumental in providing us with the infrastructure and operational help to pull the event together.
The Event itself is titled the Extrainnings Classic. The event has 4 key components -
2) A Youth Skills Competition Called “The Baseball/Softball Olympics” – where children of all abilities, including the Challenger Athletes, will compete side by side in a series of baseball/softball skills challenges – in hitting, running, and throwing events. We received sponsorship from a local baseball facility to help with the operations and the coaching.
3) The Challenger Baseball Exhibition – both of the Challenger Leagues will participate in an hour-long exhibition that showcases the abilities of these special athletes. The game will be the showcase of the event.
4) The Home Run Derby – where some of the league’s big hitters will test their skills in an “All-Star Game”-style Home Run Derby – as a point of note, I have been installed as the morning line favorite.
The main purpose behind this blog entry is to ask for your help in supporting these events. Personally, I have made it a goal of mine to raise up to $5000 for the event – and the only way that I can accomplish this is with your support.
I would like to ask anyone who received some good, useful advice from the blog or from our research to help me support these great causes, and pledge a donation – per inning of the softball game. (Very similar to sponsoring someone per mile for a marathon or bicycle race)
$1 per inning = $100
$.50 per inning = $50
$.25 per inning = $25
$.10 per inning = $10
My goal is to raise $2500 in contributions, and then I will write a matching check to the charities for any amount that is donated.
All donations are tax deductible to the fullest extent allowed by law – (disclaimer – I am not an accountant).
Donations can be made by clicking on my donation page on the Extrainnings Classic website, through either a CC or PayPal account. If you would prefer, you could always write a check to Play2Win Foundation, and mail it to my office at 36 West Main Street, Suite 302, Freehold NJ 07728.
I really appreciate any support that you can provide for these worthy charities, the families, and most importantly the children.
Thank you for listening,
Central Jersey Trees, 1st Base, #33
July 26, 2011
For today’s Career Advice Tuesday – we wanted to share a more detailed look at our Black Hat Professional Development workshop. The workshop will take place on Thursday afternoon – from 1:45 – 6:00PM. Anyone in attendance can come to either any individual session or stay for the whole program.
If you are at Black Hat, please come by and introduce yourselves.
InfoSec 2001 – A Career Odyssey
The Professional Development workshop is a half-day program that is designed to inspire the Black Hat attendee to think about their career as an information security professional and assist them in their journey towards the achievement of their long term career goals.
The Professional Development workshop will be divided into five (5) unique information security career topics that will be linked by a common theme – Skill Development and Differentiation.
The program will consist of the following:
1) “The Value of Information Security Certifications Survey” – Research Revealed – 1350 information security professionals responded to an independent survey on the topic – the research will be revealed
2) “Second Place Sucks” – A presentation geared toward differentiating yourself from your peers (and your competition)
3) “The Information Security Leader of The Future” – a presentation that will outline the skills that employers are looking for when identifying and selecting their information security leaders.
4) “The Other Side of The Desk” – a panel that will explore the different attitudes and beliefs held by the job applicant and the employer during the interview process
5) “Future Predictions” and “Career Advice Tuesday- Live” – Future trends will be discussed and explored – and attendees will have the opportunity to ask questions about infosec related career topics
The workshop is designed as an interactive forum that should inspire some shared thought and debate between audience members and the presenters.
Attendees should understand that they can elect to either participate in the entire workshop, or to pick and choose from select sessions that have a particular interest to them.
Session 1 – 1:45 – 3:00
“The Value of Information Security Certifications Survey”
Presenters – Mike Murray and Lee Kushner – Infosecleaders.com
In February of 2011, Infosecleaders.com launched an independent survey on the value of information security certifications. The value of InfoSec certifications is a highly debated topic in the industry, and this is the first independent survey that asks information security professionals (certified or not) for their opinions on topics that include the motivations for certifications, the impression of the certification bodies, the value of skills vs. certifications, and certifications’ effect on employment. With over 1350 respondents, the results should be revealing and eye-opening.
Second Place Sucks -
Presenter – Mike Murray
So, if certifications are no longer the magic bullet to get you to your career goals, then what is? The topic of strategic career investments and personal branding will be the focus of this presentation. The presentation will cover how you can plan and execute career investment strategies that will enable you to differentiate yourself from your peers and successfully compete for promotions and external information security leadership opportunities.
(15 minute break)
Session 2 – 3:15 – 4:45PM
3:15 – 3:45PM
“The Information Security Leader of the Future” –
Presenter – Lee Kushner
The skills for information security leaders are changing quite rapidly. As many companies are aligning information security with their core business and branding, information security professionals will need to evolve as well. The presentation will break down the core skill components that information security professionals will need to acquire and demonstrate to be considered for leadership roles in the future.
3:45PM – 4:45PM
The Other Side of the Desk – Different Perspectives on the Interview Process
Moderator – Mike Murray
Candidate Perspective – Lee Kushner
Hiring Manager’s Perspective –
There are two parties involved in every interview process, the information security professional (the applicant) and the hiring manager (the decision maker). While in essence, both parties ultimately desire the same outcome, their motivations lie in different places. This portion of the presentation will present to the audience the perspective of the candidate and the perspective of the hiring manager, in a way that will educate both parties and enable them to social engineer the interview process, to work to their personal advantage.
Bill Phelps is an Executive Director in Accenture’s security practice, and has spent the past 25 years in technology services. In the past decade, Bill has been a practice leader, company founder, board member and trusted advisor helping organizations with complex management and technology challenges in the areas of information security, data center transformation and technology strategy. Bill currently has overall responsibility for Accenture’s security business in North America. Bill is aggressively growing Accenture’s security team, and plans to hire over 200 security professionals in the coming year.
Justin Somaini is the Chief Information Security Officer at Yahoo! where he’s responsible for all aspects of Yahoo!’s Information Security strategy. With over 15 years of Information Security experience he’s seen as a leader in industry by promoting an evolution of the security and risk management models. Through his public speaking and industry involvement he’s given extensive talks and interviews on the threat landscape, public policy, security management and risk management. Prior to joining Yahoo!, Justin was the CISO at Symantec. Justin has also held security leadership roles at VeriSign, Charles Schwab and PricewaterhouseCoopers LLP.
4:45 – 6:00PM
Predictions for the Future and Career Advice Tuesday – “Live”
Presenters – Lee Kushner and Mike Murray
The employment market is dramatically changing – and the closing session will begin with information security employment predictions (based on experience and research) for the next ten years. Once completed, this will be followed by a version of “Career Advice Tuesday” – “Live”. All attendees can have their personal information security career questions answered in an open forum. Topics will include skill development, compensation negotiation, career investments, career planning, and anything else you want to ask about your Information Security Career.
Posted by lee
July 19, 2011
This is a continuation from last week’s question from a first time attendee at Blackhat and Defcon.
Tip #2 – Start Preparing Early
Once you’ve got a plan for the conference all figured out, it’s time to start getting prepared. Long before we wrote these posts, we had already started contacting people who were on our plan for this year’s conference to make sure that we had set up some time to meet. Mike’s schedule is already quite full from Sunday evening of that week all the way through our Thursday afternoon talk with people that he wants to see and events that he plans to attend. Lee’s is the same.
Yours should be as well. Start reaching out now to the people who you want to spend a few minutes with and make sure that you get on their calendar. This is especially true if you know that the people who you want to meet up with are going to be busy at the show (esp. if they’re speakers at one of the various events).
Tip #3 - Skip Most of the Talks
This may seem counter-intuitive – most people think that conferences are entirely about the talks. While this may have been true in 1998, it’s not nearly as true in 2011. This tip can all be summed up by a single quote that we overheard at last year’s conference: “They record the presentations. They don’t record the hallway conversations.”
When you go to a conference like Blackhat, you get a CD of all of the presentation materials and recordings of all of the talks are uploaded online. You can get that material anywhere. What you can’t get is the information and relationships that you get from each of the million conversations you’ll have at lunch, during the breaks, and at the parties in the evening.
Far too many people get up early to go to all of the talks and skip the parties because they have to work. Here’s our advice: if you’re going to do work, do it from the talk itself. Take your laptop, pop your 3G card in (which is better than most Vegas hotel connections), and get your work done while speakers are talking. You won’t miss anything that you can’t go back and re-watch later.
Then, make sure that you go to a bunch of the parties. Meet the people who are on your plan and have a drink with them.
This is how you’ll make many life-long friendships and professional connections.
As we’ve pointed out before, it’s how Lee and Mike met in the first place.
So… with those three tips in hand, get a stack of at least 250 business cards and pack your bags. And come find each of us when you get there – we’ll be the ones not attending the talks and talking to all of our favorite people.
Lee & Mike
July 14, 2011
There is a good deal of discussion on this site about the lack of good “entry” level opportunities in the information security profession. Recently, we were engaged on a role that I think would be excellent for a “Future Information Security Leader” – who may be long on passion, but short on experience.
The role has all the elements for career development and success – fair compensation, training budget, education assistance (which is getting rarer nowadays), good benefits, and a stable/socially responsible organization.
In addition, I have known the CISO for about a decade; he is a class act, down to earth, and is committed to developing his people.
Below, you will find the description.
New York City – Midtown –
The person that I am looking for would have about 2-4 years of work experience, and have an appetite for learning. Ideally they would come from a technical background – in either security, consulting, systems administration, development, etc. – but have a real passion for information security – and be open to learning/operating information security tools (DLP, Vuln Management, Encryption, etc.) – and have a desire to eventually learn more about risk assessment, risk management, governance and compliance.
Compensation is fair – about 75-90K with a small bonus. No Travel.
10K annually in tuition reimbursement – for undergrad or masters. Very good healthcare benefits.
CISO will support one major training/conference a year – SANS/BH etc., and anything local to NY (OWASP/ISSA/CitySec). Vendor/Product training as well.
If anyone who meets these qualifications and currently lives within commuting distance of midtown NYC is interested, please e-mail our office at email@example.com with “NY Security Position” in the subject line.
Anyone whose resume reflects the qualifications contained in the e-mail will be contacted within 2 business days of receipt – by either me or one of my Senior Information Security recruitment professionals.
July 12, 2011
I had a quick question. Blackhat and Defcon are coming up and I get to go for the first time. Do you have any advice on what I can do to get the most out of my conference experience?
It’s definitely conference time for much of the information security industry. Recon was last weekend, the big Blackhat / Defcon / BSidesLV triumvirate is coming up, and there are a bunch more coming up in August and September that are worth going to as well. And we’re really glad you asked this one, as it’s definitely something that far too few people actually think about: most people just show up at the conference, follow along with the good time that they’re having, and come away with whatever stories they come away with.
That hasn’t ever been our approach to conferences. As two guys who run their own businesses, we can’t afford to just show up – conferences like Blackhat are where we do a lot of business, and making sure that we have a productive time is what allows us to succeed.
But that’s not just a business thing – we did that before we were running our own companies as well. To that end, we have three main tips to succeeding at conferences – and this post is going to be long enough that we’re going to spread it over two Tuesdays.
Tip #1 – Have a Plan
What far too few people do before they leave for a conference is to have a plan. They may know that they want to see a particular talk or go to a particular party, but far too few people that I’ve met go in to the conference with a legitimate plan.
You should approach every conference that you attend like a sales person – know what you want to get out of the conference. Sometimes, that’s information – you want to learn about a particular topic from a speaker or a trainer.
But most often, there’s something you want currently in your career: to move in a different direction, to get a new job, to move up the ladder at your current job, etc. And there is almost always something going on or someone there who can help you out with that. But it requires that you actually sit down and figure out who / what that thing is and how you can get involved with them.
Networking expert Keith Ferrazzi said it best: “[G]et focused. Take time weeks before the conference to think through and write down why you are attending. What do you want to achieve? Who do you want to meet? The more clearly you articulate what you want and need from the conference, the more likely you can plan and execute your mission.”
This week, you should be sitting down and figuring out what your goal for your first time at each of these conferences is. Who do you want to meet? What experiences do you want to have? What talks do you want to see?
I promise, the conferences will be much more fun when you know in advance what you want to do.
As an aside, there’s something that you definitely should be doing on Thursday afternoon at Blackhat: We (and some special guest friends) are doing a full afternoon workshop on getting the most out of your information security career. It’s going to be full of all of our latest research (and the results of our 2011 Value of Certifications Survey) and some really great advice. As well as an opportunity to ask us questions live. Make sure that’s on your plan.
Once you have a plan, stay tuned for part II next week….
Lee & Mike
July 5, 2011
My company has recently hired a Chief Information Security Officer, and I have some big concerns about their competence and their ethics.
I was a part of the interview committee that interviewed them, and I did not believe that they had the knowledge of current issues that are facing our company to be an effective information security leader. In addition, I am a member of some closed on-line communities, where there have been postings about the individual’s ethics, including items like falsifying information, taking kickbacks from vendors, and other claims that question his worthiness of being considered an information security professional, let alone a Chief Information Security Officer.
(The Question of course is Anonymous – Anyone get the reference?)
The advice I am going to give you may be a bit unpopular, but my advice is to do nothing, wait it out, but have a contingency plan. In cases like this, if the allegations are correct, it will not be that long before your new CISO shows their true colors and incompetency. However, you may find it impossible to support their actions and follow their lead, and in that case you need to protect yourself and begin exploring your external options.
I also want to let you know that currently you do not have a shred of concrete evidence that your allegations of wrongdoing and poor ethics are accurate – just other people’s opinions. The only thing concrete you have is your appraisal and evaluation of their performance during your time together in their interview.
One thing that I will bring to light is the fact that your company ignored your feedback in the candidate interview process, which is something that you may want to think more deeply about.
Here is a series of questions that I would like for you to answer on your own:
First I will ask: “How many candidates did you have the opportunity to interview?”
If the answer is: “More than one” – the next question that I would ask is, how many of the candidates did you like?
If the answer is: “You liked others better” – Then you should begin to think about the skills that your company values in their leaders and in their information security professionals. When you have thought that through, you should think about your skills, and how they align. If there is a disconnect, then I think you should begin to polish your resume and look for external opportunities. It does not seem that you will see eye to eye with your new manager/boss, so you may want to get out before you are placed in any awkward situations.
If the answer to the question is, “You did not like any of the candidates” – I would have to ask you if you felt that you should have been considered for the CISO job. If this is the case, your employers may have fully dismissed all of your feedback as “sour grapes”. If you feel that you should have been considered, you may need to take an honest look at your skills, and try to assess where your deficiencies are in accomplishing this step in your career. In any case, by ignoring your feedback and not considering you for the job, your employer has sent a clear signal that you are not in their future leadership plans. Again, I would polish up the resume and take a proactive approach.
If word gets out that you did not endorse your new boss, and their character is as advertised, you do not have a long future at your employer.
If you do wish to stay, your real hope is that the new CISO gets fired, before he can get rid of you.
I will close by saying that I am making a great deal of assumptions. This is a tricky situation, and unfortunately we rarely get a chance to pick our managers – this is one of the hazards of working as an information security professional in “Corporate America.”
Lee and Mike