November 29, 2011
I am a talented penetration tester and have been perfecting my craft for over a decade in both corporate and consulting work environments. I have spoken at some of the major InfoSec conferences, have authored chapters of books, and have spent a good deal of time and energy in the development of my personal brand.
Based on my industry reputation, I have been solicited directly by an internal recruiter of a technology firm that has a well-documented information security issues. They would like for me to interview to lead their internal penetration testing initiative.
After the initial interview with the hiring manager, they have asked me to come in and perform a practical application assessment, prior to learning more about the position and the company. Generally speaking, I have some issue with this – as they sought me out for the role, based on my credentials.
I guess what I am asking is if I should be put off by being asked to “audition” for the role. I kind of feel that I am at a point in my career where I should not need to “audition”, and I find this to be quite insulting.
Do you think that I am overreacting? Would it be appropriate to tell the employer that I am not willing to be a part of their practical “experiment”?
Any help would be appreciated.
Dear Mr. Pitt:
The best thing that I can tell you is not to let your ego get in the way of a good career opportunity.
One of the primary knocks against information security professionals – especially penetration testers – is that their egos get in the way of their ability to conform to corporate cultures – this may be your opportunity to dispel this perception.
I would tell you that your willingness to conform to the company’s interview process and “audition” for the role, should be based on your level of interest in the opportunity and the knowledge of “what you are playing for”. If you are genuinely interested in the company, the position represents a good career move, and the compensation is attractive to you – then I believe you should go through with the “audition”.
But before you do, I would tell you that you should adjust your attitude prior to participating in the exercise. Instead of looking at the “audition” as a test of your talents, I would look at it as a puzzle or as a challenge like a miniature “capture the flag”. What I would do is to use this scenario as a way to showcase not only your skills but also your thought process and problem solving abilities. You should demonstrate your creativity in finding ways to discover vulnerabilities and maybe even point out solutions.
By raising the bar, you may create a greater desire to hire you for the role and this could even lead to some additional leverage in your compensation negotiations.
In closing, get over yourself, have fun with it, and understand that even the most proven talents have to audition – as the producers always have the final say!
Lee and Mike
November 22, 2011
I recently went on an interview for an information security engineer position. During the interview, I met with five different people, from human resources to the Chief Information Security officer. After each interview I asked each interviewer for their business card and contact information, for the purpose of writing them thank you notes.
The day after the interview, I sent a thank you note to the group. I sent one e-mail, and CC’ed everyone whom I met with expressing my gratitude for their time, my interest in the position, and some additional information.
It has been a week since I went on the interview. I have not received any definitive feedback from the human resources person, just a “We’ll get back to you”, and not one of the additional interviewers has sent me a response to my thank you note.
Can you let me know how I should interpret this? Do you think there was something wrong with my “Thank You” note?
To answer your question, I am pretty confident that you did not get the role. I can say this because no one has responded to you at all, or even provided you with positive reinforcement from your interview. The fact that the HR person did not share anything substantial with you is a subtle way of saying – “I want to be careful what I say, so I do not get myself in trouble. I do not want to provide you with feedback, especially in writing, because if I say the wrong thing, I may get fired.” Technically you may be still “under consideration” – but that is only until you get a form letter in the mail or via e-mail.
The reason that you have not heard from many or any of the information security staff is likely for the same reason; the company likely has a policy that states all negative responses are to come from Human Resources, for the very reasons stated above – that a non “PC” response could expose the company legally.
It is definitely a shame that no one had the personal courtesy to respond to your note, even if it was a simple, “Thank you for interviewing with us. I enjoyed the time we spent together”, but unfortunately that is the world that we live in. Although that would not provide you with any substance, it would at least provide you with some confirmation that your note was received.
All those things aside, I will tell you that writing a group “Thank You” is probably an error on your part. Sending one thank you note, as opposed to five separate ones, can be interpreted in many ways. The first is that you are lazy – that you could not even write five short notes. The second is that you value all of your conversations the same, and could not address the specific levels of the conversations that you had. Finally, by addressing the group, you do not allow yourself to connect with any one interviewer in a one-on-one manner. Since the group knows that you sent everyone the same thank you, they may feel that they cannot respond to you “anonymously”.
In the future, send individual notes. Each note should have the same general message, but you should draw some specifics from each interview and potential working relationship, to reflect the context of the interview. Doing this will demonstrate that you were listening to each interview, and it will personalize the discussions. You may even create more of a bond with one of the interviewees – and the thank you note may strike a personal chord, that may help them champion your cause during any deliberation. In addition, you may choose to “connect” with them on Linked IN – or in some other industry group or social network that you may share, that may provide another personal “link” and common point of interest.
In closing, do not take it personally that they did not respond. Think carefully the next time you send a Thank You note – and never forget to check your spelling!
Chalk this up as a learning experience, and good luck on your interviews with your next potential employer.
Have a Happy Thanksgiving!
Lee and Mike
November 15, 2011
I have a question that is more for Lee, than for Mike, given that it has to do with a recruitment process that I am currently involved in.
About three weeks ago, I was contacted by an information security recruiter who was referred to me by a close colleague, about an opportunity in my geography that I found interesting. I spent a good deal of time with the recruiter, asking questions about the company, the hiring manager, and the position. The recruiter suggested that I revise my resume to help address some of the specifics of the opportunity, to align more closely with the needs of the position.
During the time that I was reformatting my resume, I got contacted on Linked IN by a recruiter with whom I had never interacted. The recruiter sent me a job description, similar to the one that I had learned about from the other recruitment professional. This individual refused to share with me the name of the company that they were representing, and pressured me to send a generic resume.
My gut feeling is that it is the same position – do you have any advice on how I should handle my discussions with both parties? Is there anything that could jeopardize my recruitment process?
Any help would be appreciated.
Well, it is good to know that you are popular – so you have that going for you. The first thing that I will say is that many recruitment firms (including LJ Kushner and Associates) utilize LinkedIn as a form of candidate profiling. Although many people think that we know “everyone” in the industry, it is just not possible, and Linked IN provides recruitment firms access to information security professionals (job candidates) that we do not have deep relationships with.
That being said, the first thing that I would tell you would be that you should never trust a recruitment firm that is not willing to share the name of their client with you. The two main reasons for this are as follows – first, it shows that they do not trust you. If they share the name of their client with you – there is an outside chance that you will go to the client directly, and cut them out of the recruitment process – so they are going to wait until they have your resume, to spring this on you. Personally, I find this very shady – it is akin to saying – “Please trust me with your career and your livelihood” – but “I am not going to return that trust by sharing the company where the job is located”.
Secondly, by not sharing the name of their client, you give up control of the dissemination of your resume. By providing you with a generic, broad-based job description, they are basically getting carte blanche from you to send your resume anywhere. This could mean that your resume could wind up in the hands of somewhere that you have already worked for (it makes you look foolish), somewhere you are already interviewing with (it makes you look unorganized and unprofessional), and even possibly your current employer (which can be a disaster for obvious reasons).
Don’t laugh, this does happen – and the aftermath is not pretty.
In regards to your current situation, you should work with the recruitment firm that you trust the most and the one that you believe has the best chance of helping you navigate the interview process for the specific job and company that you are interested in. In your case, it appears to be the first one that you spoke with.
What I would do with the second recruiter, would be to first call them and ask them whom the opportunity is with. If they refuse to share this with you, I would tell them politely that you are not interested in working together with them. If they do share the information, and it is the same company that the other firm introduced, then I would simply tell them that you are already engaged on the opportunity, are being represented by another recruitment firm, and that your resume has already been submitted for consideration. You could end the conversation, by saying that if they have other opportunities, and are willing to reveal the name of the employers, you would be happy to consider them.
I will say in closing that the “Rules of Engagement” for determining candidate representation are very tricky, and it is very important that you control your resume when you conduct any interview process. Selecting the wrong recruitment firm, or “representation” – can greatly affect the perception of your candidacy for any opportunity.
As a rule, your caliber of representation is a reflection of your brand, and your level of professionalism.
Hope this helps,
PS – “Derek Fisher” is a reference –not the name of the advice seeker
November 8, 2011
After about eight years at the same employer, I recently left my position (about five months ago) to begin a new position, as the head of information risk management at a fairly large health care company. This career decision coincided with the completion of an advanced degree (MBA) from a well-thought-of local university. The new role is going great. I very much like the people. All of the things that they promised during the interview process have materialized, and I have had some early “wins” which have helped me establish credibility and the foundation of a strong internal brand.
All was going smoothly until…. I received a call from a colleague from my MBA program, about an opportunity to interview for a position as the Chief Information Security Officer of a similar size company. The background that they are searching for is directly in line with my past experiences, the pay package is about 20% greater (stated), and the commute would be about 30 minutes shorter each way, from my current job.
I am really interested in the role, and if I had been presented this opportunity alongside my current position, I would have selected it, for the reasons stated. However, I am not a job hopper, and after being at a role for only five months, my question is: should I pursue the role? And if I happen to get it, how would this look on my resume?
Please help me figure this out (quickly),
Very simple, my advice is to go on the interview.
One of the many things that information security professionals and other corporate employees do not have control of is the presentation of opportunities. Therefore, it is important that you understand that your responsibility is to yourself, your significant others, and your career – and unfortunately not the corporation that you work for.
I know that this sounds harsh – but for a majority of US based corporations, employees are “employees at will” and therefore can be terminated or relieved of their duties without any explanation or notice. The reason I bring this up, is that if your current employer had a massive lay off, went out of business, or was acquired shortly after you joined, how do you think they would have treated you? Do you think that they would say, well we just hired her/him, so we need to keep paying them, although they are not useful anymore? Of course they would not. They would place their own interests and the interests of their shareholders ahead of you and your family.
So, go on the interview and investigate the opportunity. You have nothing to lose and everything to gain. Once you have had a chance to get the initial interviews out of the way, I want to make sure you let the manager of the interview process know (either HR/the hiring entity/or the executive recruiter) to make sure that there is not any issue with you leaving your employer quickly – to engage in the process.
It would be good to get this out on the table, as early as possible, to avoid wasting any time. If they raise an objection, you can point to the past history and your long tenure of employment with past employers.
If you want to, you can say to them … “Look, if I accept this position, I am going to have to make it work, because I could not afford to have two short terms of employment.” That may provide them with some validation of your self awareness, and the fact that you are thinking about this role as a long term career decision.
In closing, if you do wind up taking this role, you should expect to hang in there for a while. Everyone is allowed one “short term decision”, a second one is indicative of a “pattern”, that could create future obstacles.
We wish you good luck on the interview. Let us know how it goes.
Hope this helps,
Lee and Mike
November 1, 2011
I am in the middle of a job search and I was recently extended a verbal offer to work as an information security engineer at a boutique consultancy. While I have not received the offer in writing, one of the contingencies of the offer is that I begin work within two weeks. The financial terms are acceptable, but I have not been able to view all of the other elements of the offer package, and because the company is small (less than 20 people) I have some concerns about health care, 401K, etc.
In addition, I am still investigating another opportunity that may be a better fit for my long term career goals. Also, it is very possible that I decide to not leave my company after all, as they may provide me a counter offer.
Can you please give me some advice on how to handle this?
“Trick or Treat”
Dear “Trick or Treater” –
Your question has many elements so I will address them in how I would prioritize them –
1) Your verbal offer is just that – a verbal offer. You should not resign or notify your current employer of your intention to leave, unless you have had a chance to review the written terms of the offer letter, have the ability to ask questions about the terms and conditions, and are comfortable with all of the contingencies (start date, background check, etc.)
2) I would be concerned about any company that utilizes a “start date” as a contingency of the offer. At your level, companies are within bounds to ask for a start date within three weeks (maybe four) for beginning work. They should not demand for you to give less than 2 weeks, just as you should not ask them to extend their terms beyond 30 days for transition. That is an excessive transition period, for a non manager/director level infosec leader.
3) If you have another offer that you feel may be better for you, you should figure out a way to achieve resolution. Either positive or negative, you should press the other company to determine if they are going to move forward with your candidacy, and what the timetable for completion of your interview process will be. Once you receive it, then you should be able to make your decision if you are going to take the risk of waiting or not.
4) I think that counter offers are a bad idea in general. I think that if you have to threaten to leave your job to get what you want – you have either not developed a good relationship with your manager, or your organization has proactively listened to your requests to advance your career – or even worse, do not think you are qualified.
In the end, the most important thing to take away is that you should not feel pressured to accept the offer and resign from your current position without having it in “writing” – and with a full understanding of all terms and conditions of employment at your new company.
Hope this helps,
Lee and Mike