Career Advice Tuesday – “Infosec Leaders Need To Be Good Recruiters”

December 27, 2011

Today I am sharing an article that we wrote that appeared in Tech Target’s Information Security Magazine. The topic focuses on life on “The Other Side of the Desk” – becoming an effective recruiter in the building of your information security team. The article scratches the surface of some important attributes that all solid information security leaders should possess in acquiring the necessary talent, in order to provide them with a better chance of success.

The original article was edited by our friend Michael Mimoso at Tech Target.

The article can be found here –

Happy New Year,

Lee and Mike

Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Career Advice Tuesday, Interviewing, Networking, Recruiting | 5 Comments 

Career Advice Tuesday – “Surprise Bonus”

December 20, 2011

Dear Infosecleaders:

Last week I was pleasantly surprised when my employer presented me with a year-end bonus of $10,000, which is more than 15% of my current salary. I know that this should be a reason to smile, but let me tell you about my predicament.

I am currently toward the end of an interview process with another company, for a position that mirrors my current one.  I will say that the main reason that I was looking was that I felt that I was underpaid in my current role, and in my exploration of the market, I found my assumptions to be correct.   However, if it was not for the money, I would stay at my current employer – they treat me well, I have flexibility, and I am able to pursue some of my interests in information security research.

In addition to the bonus, the President of the company called me into his office, and told me that they are in the process of reviewing their compensation programs, and that he hoped that I would view the “Surprise Bonus” as a demonstration that they were taking a proactive approach to compensation of their key employees. 

My question to you is: how should I handle my current interview process? Should I let my employer know that I was looking? Do you think it is possible to maximize my employer’s current generosity to get additional compensation benefits?

Look forward to hearing back from you,


Jack Pot


Dear Jack –

First of all, congratulations!  No matter what the reason, it is always good to receive money that you were not expecting based upon recognition of your performance and your contributions.

To address your questions, in order:

Question 1) I think at this point it is wise for you to continue on in your interview process, for the simple reason that you have already invested your time, and you have the right to attempt to reach a conclusion and truly understand your external market value. That being said, if you are offered a position, I believe that I would think long and hard about accepting it, based upon your employer’s recent actions.

The reason for this is that I really do not think that it is a great career move to change jobs just for the money – unless you are being taken advantage of, or your life situation dictates the immediate need (like having a child or financial obligations). The way that you described your job search, it appears that your move would be lateral in nature – and your job responsibilities would not change much at your new employer.

Questions 2 & 3: I do think that you should utilize this situation to your best advantage, and by that I mean that you should take this as the opportunity to open up the lines of communication with your employer. Their actions have demonstrated that your contributions are valued, which should mean that they care about your opinions.

I would tell your employer that the compensation situation was a great source of concern to you, and their gesture could not have come at a better time. You can let them know that you are regularly contacted by recruitment firms and members of your professional community about other job opportunities, and that recently you have been giving them more consideration.

You can even let them know that at the time you received the “surprise bonus”, you were in the process of interviewing for another position, purely based on finances. You can even let them know that the other employer was offering to pay you an additional (X%) salary. At the same time, you should be clear to your employer how much you enjoy working there – due to the nature of the work, how you are treated, and your ability to explore your independent research and participate in the information security community.

Having this conversation will serve two purposes.  First, it will demonstrate your loyalty.  I know that this sounds strange, but by letting your employer know that you were looking based solely on compensation – you will provide them with validation that they made a wise business decision (by proactively giving you the surprise bonus) and will show them that you will be honest with them and that they can trust you.

Revealing to your employer that you have been looking can be risky, but under these conditions, it may be a risk worth taking. Considering that by giving you this money they have shown that they want to retain your services, your risk of being fired is almost zero (in the worst scenario, your ongoing interview process is your contingency plan, and your $10,000 can serve as a short-term severance). The additional upside to sharing this with your employer is that it should enable you to get other “requests” on the table beyond compensation – maybe for additional training, professional development, or the pursuit of your career goals.

I would tell you that you are in a good position and you have all of your bases covered – both internally and externally.  I would tell you that outside of unique circumstances, I would give your current employer the benefit of the doubt and remain with your current firm.

It appears that you have a bright future, and they recognize it!

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Compensation, Interviewing, Position Selection, Security Industry | Comments Off 

Career Advice Tuesday – “Help! New CISO Has A Bad Reputation”

December 13, 2011

Dear Infosecleaders:

About three weeks ago, I accepted a new position with a company, where I am going to be reporting to a new CISO.  During the interview process I was told by the CISO that my position was going to be the “first key hire” as the company begins to revamp their information security program.   However, since the interview process concluded and I accepted my position I have found out differently.

I learned that one of my friends and industry colleagues was contacted about a similar position at the same company – he was told almost exactly the same thing that I was – that this position was the “first key hire”. When he learned of this, he played dumb. My friend (who is a little better connected than I am) called a couple of his LinkedIn connections who were directly connected to the new CISO (my new boss) and he told me that what he learned was less than complimentary.

He told me that the CISO left his last employer in a mess, there was a mutiny from the staff, and that the guy has a reputation of being self-serving and has questionable ethics. 

What makes matters worse for me is that I have already resigned my job. I am relocating to accept this position, and I feel that I am walking into a bad situation.

What should I do?


JJ Blackheart


Dear JJ:

There is no question that you should value the opinions of others whom you trust; however, it is often a mistake to accept their opinions without firsthand experience and extensive validation from multiple sources.

The first thing that I would do would be to try to locate someone from the CISO’s former employer who was a direct report to the CISO. I would pick up the phone, introduce myself, explain my situation, and ask them if they have any helpful hints on how to succeed under my new boss’ management style. It is possible that this person can provide you with some new perspective. It is also possible that this person will decline your request to share any details, and in that case a red flag should go up.

I would tell you that if you do not feel comfortable with your decision you can do the following: contact your old employer and ask them if they would let you take back your resignation (this is why it is always good to leave on positive terms) and have your old position back, or contact others in your geography to see if you could locate a position similar to your old one (quickly). If neither of these works, begin work at your new employer.

If you decide to begin your new job, you need to suspend all of your relocation activities, immediately.  The reason for this is that you do not want to compound your mistakes.  In addition, if you received a relocation package, you do not want to be in a situation where you have to return your relocation monies, if you decide that you do not want to remain at your new job.

Once in your new job, I would begin to look for things that would either validate or refute your earlier suspicions. I would look at how your new CISO manages, how he communicates with subordinates, and the consistency of his/her messages. You should use the first 90 days of your employment to see if you could work with this person long term and evaluate the prospects of a satisfying work relationship.

Simultaneously, you should continue to look for suitable opportunities in your former location, as a contingency plan.  If one of those opportunities comes to fruition, you can compare it with your current position at your new employer, and then make a decision.

My advice would be to either put an end to this before it starts, or within 90-120 days after you begin work.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Leadership, Position Selection, Recruiting | 1 Comment 

Career Advice Tuesday – “On The Road Again?”

December 6, 2011

Dear Infosecleaders:

About six months ago, I accepted an information security position that was presented to me with a 20-25% travel requirement.   I felt that the position was a good match for me, as I would be able to use some of my past skills, and pick up some new experience in security technologies that included GRC and SIEM tools.

For the first three months of my new position, the travel requirement held true.  I was traveling on average about five days away from home per month.  In addition, a good bulk of the travel was geared toward attending training on the newer technologies.   All was good.

However, in month four my new company won a large engagement to help a Fortune 500 client implement some of these new tools.  The location is about two hours away from my home, so given the work hours it is impossible to commute on a regular basis.   I find myself staying away from home – a minimum of three days a week – or about 60-70% of the time.

I reminded my manager who hired me about the discussion we had about the travel requirements and his response was less than satisfying.  He told me that this was the only client that I could be placed on, and that if I did not want to travel – that I could commute, if I desired.

The long and short of it is that although I like learning the new skills, I feel that I was lied to. Technically, they may be correct, and I do not have to “travel”, but in essence I feel they misrepresented the opportunity.

Being on the road for extensive time periods takes me away from my family, lessens my quality of life, and just does not work for me.

Any suggestions would be appreciated.


Willie Nelson


Dear Willie –

The best advice that I can give you is to use the job to pick up as many skills as possible, and begin to plan your exit strategy.   The fact is that if you are building information security skills in the areas of GRC and SIEM technology, you are developing experience that has external market value that can serve as your parachute to new opportunity.

I will tell you (and others who are reading) that a big mistake for anyone going into a professional services environment or consulting environment is the illusion that you can limit your travel to less than 50% or that you can control the location of your future customers. The only exception to this would be if your consulting position enables you to do the bulk of your work remotely – like penetration testing.

The nature of the professional services business is client service.  Clients dictate the engagements and they dictate the requirements.  Your main value to your employer is your utilization and chargeability.   In the end, if you are restricted in your ability to travel, and this is the only work where you can be utilized, you are placing yourself in an unsustainable situation, which will not end happily.

Getting back to your situation, Willie, I think that your manager’s reaction is the real indicator of the company’s attitude about your request to reduce your travel. From what you have shared, this is not a battle that you can win.

In the end, when accepting a new position it is essential that you understand all of the requirements that can affect your quality of life – commute, travel, compensation, work hours – and the personal sacrifices you are willing to undertake in order to perform the position requirements correctly.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Personal, Planning, Position Selection | Comments Off