Career Advice Tuesday – “Fork In The Road”
August 30, 2011
Due to the Hurricane, we are publishing a Career Advice Tuesday that we wrote for Tech Target – and our monthly advice column. Below you will find the unedited version of our column.
Dear InfoSec Leaders:
I am writing to you with the hope of getting some career advice. I am a consultant for one of the leading security vendors’ GRC products. I help customers set up their compliance programs with the product as the backbone. It’s been about 4 years of doing this and I now feel it’s time for a change. My career goal is to become a CISO someday and I want to work towards that. I have two very different job opportunities and would like your thoughts as to which one aligns well with my goals.
One is that of a Product Manager with the same vendor for the same product. The position will give me immense exposure to senior security management folks across customers. It will also help me gain an understanding of their GRC efforts and pain points. The other position is that of a Security Architect with a large retailer. This team has been recently formed in the organization and is doing some exciting stuff. This position could possibly give me exposure across different security areas beyond GRC. Both these positions have pros and cons; e.g., I’m not sure if staying with a vendor is a good career move or whether the other side of the table is a better option.
As you can tell, I have a lot of questions and very few convincing answers. I’m not sure if I should specialize in the GRC space (via the vendor) or gain exposure to have a holistic view of security.
I’d appreciate any words of wisdom you can send my way.
“Fork in the Road”
Please understand that before we start, the advice that we are giving is based exclusively on the information that you have provided to us in your note, and that we do not have any additional background.
Based on your career goal to become a CISO, we believe that it would be best for you to leave the product arena and accept the job as an Information Security Architect on the recently formed team at the large retailer. Our answer is based on the following reasons, which coincide with your long term career goal.
1) The group is newly formed
When someone tells us this, the first thing that comes to mind is opportunity. Newly formed information security functions generally provide information security professionals with opportunities to leverage their current areas of expertise (in your case GRC) to develop broader skills in other areas. The biggest mistake that many infosec pros make when entering an organization in this state is to limit their contributions to their “job description”. An opportunity like the one that you described should provide you with the framework to push yourself to develop new areas of expertise, as opposed to limiting yourself to the world of GRC.
2) Retail experience should be valuable in the future
Due to the importance of PCI, many retailers and e-tailers are placing increased emphasis on, and dedicating additional resources toward, information security programs. Currently, many retailers are not making past “retail” experience a job requirement; however, this will most likely change in the next few years. Having this industry knowledge as part of your skill matrix could become a differentiating factor when looking at the next step in your career.
3) Product Management is not a requirement to become a CISO
There is no doubt that working as a Product Manager will help you develop skills that could be advantageous as a CISO, including customer skills, presentation skills, sales skills, market knowledge, and subject matter expertise. However, when making a transition toward a CISO career path, you will encounter people in the hiring process who will have built-in prejudices against hiring candidates who come from the “Product/Vendor” side at a high entry point. For you to make this direct transition, you are going to have to find yourself a forward-thinking CISO who will value this experience and believe that your skills as a Product Manager will directly translate to their environment. Our belief is that if you remain as a Product Manager, you will eventually have to make the transition toward an internal infosec role (in your case, architect) at some point in time, so why delay? You have the opportunity in front of you; now is the time to determine if transitioning to a corporate information security function is right for you.
Again, our advice is based exclusively on the information that you have provided in your note, and on generalities.
If you would like to contact us directly via phone to discuss your particular circumstances, we welcome you to do so.
Good luck in making your decision.
Lee and Mike