Career Advice Tuesday – “Making A Deal With the Devil?”

October 25, 2011

Dear Infosecleaders:

I would like to ask you a question about a current situation that I find myself in regarding making a possible job change.

I am currently gainfully employed as a network security engineer, working in a consulting capacity (full time), where I am working for a large company in the DC area.   I also hold a security clearance, which is valuable in this market. 

My current employer treats me well, and I have comfort in my job stability; however, it is accepted that the company pays about 80-85% of what the market should bear for the skills that my fellow information security professionals and I possess. In the past, that has been fine, but currently my bills are beginning to pile up. I have new expenses that come with a growing family (clothes, school, youth sports, etc.) where the extra $15,000-$20,000 would come in handy.

A fellow information security pro and ex-coworker recently reached out to me about joining a company that would agree to pay about 10-15% more than market rates, for my skills.  This would translate to an increase of somewhere between 25-35% of  my current compensation (considering I am 15-20% below market), which would be very helpful.  

It sounds like a no brainer, but here comes the catch(es):

First of all, the company is only adding to its staff because it has won a new government contract and has overpromised resources that it cannot deliver. The company has not ever performed work for the entity, so there is a chance that they will not be able to deliver to the client’s satisfaction.

Secondly, I have done my due diligence on the owner of the new company, and what I have learned has not been favorable. I have heard from more than 5 people who have worked with this person at a previous company that their business practices are questionable. This includes making snap decisions about firing employees, occasionally missing payroll, and mistreating business partners.

Here lies my question -  I really could use the money, but something inside is telling me that this new situation is not a good one for me.   My fear is that I will leave my “safe” position, and in a short while I will find myself in a precarious situation.

I really feel that I am making a “deal with the devil.”

Any advice?



Dear Faust:

The best advice that I can give you is to listen to your gut.  If your gut is telling you that there is danger ahead, and that you may be making a “deal with the devil” you most likely are.

It appears to me that you have a great deal of responsibility to your family, and as you progress in your career (and life) these responsibilities are increasing and they are causing financial pressure. While it is a “no brainer” that $30,000 more per year will ease some of that burden, you may want to think about what you are really signing up for.

In essence, you are not signing up for a position with career progression and professional development; you are signing up for a 1099 contract position with an employer that is only interested in hiring you because it benefits them financially. If the new employer fails on this contract, you are going to find yourself without a paycheck, without employment, and with a difficult event to explain on your resume – that may make others question your competency or your judgment.

However, if you do decide that the extra money is worth the risk, then I would ask you to take the following precautions and steps:

1)   Before you accept the position, you should sit down with your current employer who has been good to you, and let them know of your financial situation and your need.  I would give them the opportunity to provide you with the additional income, prior to joining this new company.   You never know, they may decide that your skills merit this type of increase.

2)   I would ask you to ask the new employer for some sort of severance plan, in case the contract is lost, not as a result of your performance. I would figure that it would take about 45 days for you to find a new role in DC with a clearance (at your old pay) so ask them for 6 weeks, and negotiate down to 30 days. Their response should provide you with more information about how they may value their employees.

3)   If they balk at this request, and you still decide to take the job, what I want you to do is to live on your old compensation, for the first six months, and save the rest.  After about 6 months, you will have about 6 weeks of emergency money saved up, which will serve as the funding of your own severance plan.    This will give you some comfort, if things do not go according to plan.

Again, without knowing all the details I can’t provide you with a definitive answer, however I find in most cases that the character and reputation of your employers are generally earned – both positively and negatively.   You should not believe that your experience would be any different than others who have come before you.

Best of luck,

Lee and Mike

Posted by lee

Career Advice Tuesday – “Out of Control”

October 18, 2011

Dear Infosecleaders:

Recently I have been a part of a corporate downsizing at my company, and I am in need of information security employment. I was formerly a Director of Information Security Compliance, and was earning over 125K.
Once I was “let go”, I began to panic. I went home that night and over the weekend and put my resume up on all of the job boards, changed my LinkedIn profile, and began applying to anything that I thought resembled a good opportunity.

On Monday, I was inundated with phone calls and e-mails (some auto responses) from recruiters and companies about my background. I was initially encouraged. However, after returning the first set of calls, I realized that these people did not understand what I did, the role that I was searching for, or had any concern about my career or future – just submitting my resume.

I feel that I have lost control, and I do not have much chance of “Winning.”


Charlie Sheen


Dear Charlie –

We recognize that being told that your talents are no longer needed can be a devastating blow to your ego, your checkbook, and your sanity. However, it is important that if you are placed in this situation you take some time to reflect, and think about a job search in terms of quality as opposed to quantity.

Let’s face it, you can only hold one job at a time – so it is important that it is the correct one for you, and provides you with a framework for success and satisfaction. Applying to everything and anything often causes a distraction, and makes you lose your focus. You will spend a lot of time speaking with both recruiters and companies who would like to place you in opportunities that are not suitable for you. In fact, the more senior you are, and the more money you earn, this becomes more evident.

In addition to this, once you have applied to a corporate website, you will tie the hands of any experienced recruiter who has a relationship with the company that you are interested in. Almost all of the time, if you have submitted a resume via a web posting to a company directly, this will hinder or eliminate an external recruiter’s ability to represent you for a role. Quite often an external recruiter can help you streamline your recruitment process through the use of developed relationships and trust.

Unfortunately for you, the cat is out of the bag, and you may have a hard time in gaining back control.
The first thing that I would do would be to take your resume offline; you are an Information Security Leader – you need to act like one. The next thing that I would do would be to make some phone calls to people who know your talent and are part of your professional network, and let them know of your status. Ask them if they either have open positions, know of companies who are looking, and if they can offer any introductions that you may find useful. At the same time, begin looking at job postings that you believe will meet your criteria – responsibility, location, compensation, quality of life (travel) – and once you have identified ones that fit, see if you can get a real introduction to the hiring manager. You can do this by utilizing your network, social media, or even good old-fashioned social engineering.

I can tell you from my past experience that a haphazard approach many times leads to temporary solutions and mismanaged time, while taking a strategic approach to solving this problem will more likely lead to a better long term fit in your next role.

Hope this helps,

Lee and Mike

Posted by lee

Career Advice Tuesday – “Yom Kippur Addition”

October 11, 2011

Dear Infosecleaders:

My question deals with a touchy topic. I am an IT and Infosec veteran with a 16 year old felony for crimes related to moral turpitude (theft). The state I was convicted in does not have any mechanisms for expungement, short of a pardon.

I won’t make excuses, and never have but suffice to say that I made some stupid mistakes as a kid in the military and have learned my lesson. I’ve been fortunate enough to work for a few employers in state and local government who saw fit to give me a chance and I have really excelled. I’m active in the infosec community, have earned a college degree and a ridiculous number of certifications and have started to develop a name for myself in the community. My personal branding strategies seem to be really taking off.

The issue I’m running into is that I’m looking for greater challenges and my background has created some roadblocks for me. I’ve been turned down for a few opportunities but my fear is that if I apply and get turned down at too many more I will start to develop a “rep” as that felon who thinks he can work in IT security. The information security community is relatively small and this would create significant challenges for me. I interview extremely well and I have recruiters beating down my door, at least 12 unique hits every week, but my past becomes a real stumbling block.

Should I count myself fortunate to have a job at all even if I’m not happy there or run the risk of further exposure with employers and the development of a “rep”? At this point I’m starting to get discouraged. Yes I made a mistake 16 years ago but I could really use some advice for moving forward with my career.


A. Tony Ment


Dear Tony:

I would tell you that the first thing that I would do, would be to think of myself as an Information Security professional, who made a mistake early in their lives, as opposed to a felon, who has taken up information security as a profession.

From a self esteem perspective, I do not think it is healthy to view yourself this way, especially with how far that you have come in the past 16 years.

From what you have shared, you have a great deal to be proud of – including your education, your certification, the development of your personal brand, and industry standing.   My feeling is that you should be more focused on your accomplishments as opposed to your transgressions, and you should use this as an opportunity to demonstrate personal and professional development to others whom you encounter.

That being said, I understand how a previous mistake that you made as a younger person, can come back to haunt you in the development of your professional career, and can become an obstacle in your pursuit of loftier information security career goals.

Here are some things that you may want to consider along your way to minimize this:

1)    Do Not Worry About Group Think - Plain and simple, I do not believe that many people in the information security community will ostracize you for a mistake you made in the past. First of all, most of the information security pros that I know are not that judgmental and are a pretty accepting bunch. Secondly, many of them are going to be understanding, as they were young once, and may have done some things that could have been construed as “grey” hat, in their earlier days. The only thing that may differentiate you from them is the fact that you got caught – and fortunately their actions went unnoticed.

2)    Control Your External Exposure - When someone tells me that they have their resume posted and that they have been contacted by over a dozen recruiters, my first reaction is that they are not effective in managing their careers. Placing yourself in the public eye forces you to create a more public persona, and reveal both favorable and unfavorable attributes to larger audiences. In your case, this is not a good thing, because many recruiters whose primary source of candidates are “job boards” and “social networks” are not adept enough to handle your specific situation or to address it with people empowered to make a decision about your future as an information security professional. You need to manage your job search process, and that means utilizing someone who understands how to manage and communicate your profile to others, including your felony.

3)    Be Up Front – But Not Too Upfront - Personally, I think that there is a time and place to reveal an unflattering past, whatever it may be. Usually, I believe this to be sometime shortly after a relationship has been developed – after one or two phone conversations. This will enable the other party to be able to formulate an opinion based on facts and talent, as opposed to jumping to conclusions that are associated with a term, like “convicted felon.” After that has been established, and before anything gets too far (i.e. a recruiter making an introduction, a first level interviewer introducing you to a supervisor, or the incurring of any expense (money or time) for an interview) you should reveal your “Scarlet Letter”. When you reveal it, I would begin by letting the other party know that it took place over 15 years ago, but nonetheless it happened, and you have paid your debt and have taken responsibility for your actions.

4)    Demonstrate “Community” Service - This is my personal belief, but I think it is the most important thing that you can do. It is one thing to attempt to improve your own life, but helping others improve theirs, from the lessons learned by your own mistakes, takes it to another level. What I would do would be to figure out a way to do this on a regular basis – this can be in the form of speaking to youth groups (Hackid), donating your time to information security causes (I Hack Charities, the EFF), or non-Infosec causes that benefit some of the people that you may have previously hurt. By doing this, it will show others that you are indeed remorseful for your actions and offers a form of restitution that can be measured and referenced.

In closing, these are some general ideas that may help you overcome this obstacle.  In the end, you will definitely encounter both individuals and companies whose policies will prohibit them from considering your candidacy.  Unfortunately, you will need to accept this.

That being said, over my years of working in the industry, using these methods, I have been able to secure employment for information security leaders who found themselves in similar situations. The process is never easy, but it is definitely possible.

Hope this helps,

Lee and Mike


Posted by lee

Career Advice Tuesday – “Change In Command”

October 4, 2011

Dear Infosecleaders:

I recently have found myself in a precarious situation and I am hoping that you can help me get through this.

Recently, about four months ago, I accepted a Director of Information Security position, reporting into the CISO of a 10,000 person company.    The position that I left to accept the role, Manager of Policy and Compliance, I held for 18 months.  While I was not looking for a new job at the time, the Director role was too good to pass up, both from a career and a financial perspective. 

Six weeks ago, I received an e-mail from the General Counsel letting me know that the CISO, who just hired me, was “relieved” of his duties and would no longer be working at the company.  The CISO was one of the main reasons that I accepted the position, and in a short time I had established a good working relationship and I respected his management style. 

The search for the new CISO is currently underway, and they are interviewing potential successors – both internal and external. I have met the final two candidates, and quite frankly I am not pleased with either of the options. Their backgrounds and views on information security are much different than mine and I just do not get a good vibe.

Additionally, I am well aware that if they get hired, they will most likely be able to select their teams and their direct reports, so my time here is probably limited. 

Any advice on how I can deal with this situation?  If I am forced to leave, how can I explain the fact that my last two jobs lasted for such a short period of time?


Gomer Pyle


Dear Gomer:

The best thing that I can tell you is that you need to accept that change is coming, and you need to figure out a way to deal with it and make the best of things.  The way that I would look at this is as an opportunity to hone your interpersonal communication and relationship skills.

The truth is that at your level of seniority, you cannot really afford another short stint of employment, especially after an implied promotion. If you cannot show some accomplishments in this current role, future employers will most likely look at this as a failure, no matter how you spin it. (Personally, I think this is unfair, but those are the rules of the game that we play by – and perception is often viewed as reality.)

Whomever they decide to hire, I think that you should embrace and support with your fullest ability.  I think that a good way to demonstrate this is to attempt to relate to your new manager (CISO) on a personal level, letting them know that you are both in the same boat (as new employees), and by demonstrating as much willingness and flexibility as possible to help them out.   The best way to do this is to go outside your job description, and take on additional responsibilities that may be in your current sphere of knowledge, or from previous professional experience.

In addition, you should plan to demonstrate your work ethic, your integrity, and support at any opportunity. This should include coming early, staying late, accepting unpopular assignments, whatever it takes. By demonstrating this level of leadership and commitment, you are going to win this new person over – and they will have no other choice but to view you as a valuable asset.

If you can win them over, and convince the new manager (CISO) that you make his job and his life easier, he will have no choice but to keep you.

If you are able to accomplish this, you will not have to explain your short duration of employment.  If it is all right with you, we will save that question/answer for another Tuesday.

Hope this helps,

Lee and Mike

Posted by lee