February 27, 2012
Good morning Infosecleaders community!
I am looking forward to an exciting two days at Security BSides, and meeting many of you whom I have communicated with about your Information Security careers over the past year(s).
If you are not in attendance, you can view my presentations and all of the content on the #BSidesSF live stream:
Track 1 – http://www.ustream.tv/channel/bsidessf-track1
Track 2 – http://www.ustream.tv/channel/bsidessf-track2
My presentations are scheduled as follows:
Monday (Today) February 27 – Track 1 – 9:40 PST/12:40 EDT – 10:00 PST/1:00 EDT
B-Sides Welcome Address
It is such an honor to have been asked by the folks at B-Sides to give the welcome address. I plan to share some of my thoughts about the importance of community in the development of a successful Information Security Career.
Lenny Zeltser and I take a look at the recruitment and hiring process from two different angles – the hiring manager (Lenny) and the information security professional/job candidate (Lee). The presentation is designed to give attendees some insight into the mind of the other party in the simultaneous pursuit of talent and opportunity.
Tuesday – February 28th Tracks 1 and 2 Career Advice Tuesday – Live
12 noon PST/3:00PM EDT – 1PM PST/4:00PM EDT
This is the opportunity to ask your information security career questions live. You can ask them either as yourself or anonymously – and I will answer them live. If you would like to ask your questions prior to the sessions - follow these instructions – or come see me at BSides today.
Enjoy the Conference. Make the Most of It!
February 26, 2012
I would like the Infosecleaders community to know that I will be hosting a session of Career Advice Tuesday – “Live” – from SF Security B-Sides. The session will take place at 12:00 noon (PST) on Tuesday, February 28th.
In addition to accepting questions from the B-Sides attendees, I would like to give any Infosecleaders community members the opportunity to ask their career related questions, so that they may be shared with the audience. From what I understand the session will be streamed live from B-Sides.
Questions can include any Information Security career related topics – career planning, position selection, professional development, career investments, brand building, compensation, relationship with management – or anything else that may be appropriate.
Questions can be asked by any of the following methods:
If you would like for your question to be asked anonymously, or if you would like to create your own pseudonym (as many of you have) please feel free to do so.
Thank you in advance for your participation. If you are in attendance at either B-Sides or RSA (Booth 650), please make sure that you come by and introduce yourself.
February 21, 2012
I am writing to you as my last sounding board, as I believe that I have made the decision to leave the world of “employee” for the career of “1099 information security consultant.”
I have arrived at my decision due to the fact that I am frustrated working at my current employer. I work for a boutique professional services firm, where I am the only person who delivers my specific type of technical information security services – application security and code review. All of my co-workers do a lot of policy, compliance and governance work – and my firm has a pretty large PCI practice.
My company likes to tell its customers that we are adept at performing technical security assessments, web application tests, and code review – but in this case, in essence the “firm” is “me.” When our sales team sells work, my phone rings off the hook. This means that I am responsible for additional travel, RFP’s, delivery, and reports – much more than my other colleagues whose skills are repeatable and more plentiful. Although I am unique, my compensation is not, and I do feel underpaid.
My thought is to start my own business, leave my current employer and offer to provide my services to their customers as a 1099. This should enable me to earn additional monies and give me some flexibility on the projects I want to work on. Upon completion, my plan would be to partner up with some other independent consultants, and try to find additional work.
I figure that in the end, if it does not work out, I can always get another job with a services firm similar to my current employer.
Do you have any words of wisdom for me? I have always wanted to be the president of a company, even if I am its only employee.
Dear Mitt –
The first thing that I will do is to agree with you. If you decide that you want to leave your current consulting company, to begin your own venture, you most likely will have very little risk. If you decide after a short period of time that you do not like working as an independent, you can always go back to the work force and attempt to find a job.
However, I am going to caution you to think through your decision a little bit more thoroughly and begin to think of the bigger picture, which is your career. A decision to leave traditional employment and enter the world of independent contracting is great, when your skills are in demand and the market is hot – but good times do not always last forever. If you decide to take this route, you need to be cognizant of this – and make sure that you continue to invest in yourself and your career, and make sure that you remain on the leading edge of your subject matter expertise.
One thing that you may or may not be aware of is how good your skills are in comparison to the remainder of the market. In your company, since you are the only one who does what you do, you may be the “big fish” in the “little pond.” Your skills may only be viewed as “outstanding” because of what they can be compared to.
In order to truly be successful as an independent consultant – you have to be exceptional and unique.
Before deciding to step out on your own, my advice would be to join a firm that has an area of specialty that aligns with your core competency of application security and software review. I would select one of the smaller boutique firms – maybe one that has between 10 and 30 people – who are known in the industry for their expertise in this area. These firms traditionally hold a high bar for talent; passing their interview obstacles with a good degree of ease should be the first indication that you have it. Then, upon joining the firm, I would treat your employment like it was your own business and incorporate all of the elements into it – delivery, customer management, and sales.
See how this goes for a year or so, and see how successful you are, in all of the stated components. You should be able to have enough data to understand if you would be happier in this type of environment or out on your own as an independent. At the end of this experiment, you will definitely be able to make a more informed decision about your future.
Regardless of your choice, you are always the President of your own career, and the CEO of You, Inc.
February 14, 2012
I am looking for some help in my current situation and hoping that you can provide me some guidance.
Currently I am working as a senior information security engineer for a Fortune 1000 company. I work for a company that has recently awoken to the importance of information security, due to a security incident a year or so back.
At the time of the incident, I was the only information security engineer at the company; since then we have begun to hire some other information security talent to augment my efforts. Although the additional resources have been helpful, I am still viewed as the go-to person by both my CISO and some of the other business and technology leaders. Because of this, many of the key projects fall on my plate.
I am pulled in many different directions, work about 60 hours a week, and have been consistently told by many that I am doing a good job. There is no shortage of love to go around, and I definitely feel appreciated. During the year, I told my CISO that the workload was getting to me, and he asked me to “hang in there” and assured me that I “would be taken care of.”
I had no reason not to believe him, as he has always been honest with me.
The other day I was called into his office, where we had a scheduled meeting regarding my review and my compensation for the upcoming year. During the meeting he explained to me that the company had a down year, so my bonus would not be great. In almost the same breath, he revealed to me that my salary increase would be about 4% – slightly above cost of living.
I left the meeting disappointed and feeling both betrayed and misled. I was expecting my boss and the other managers who sang my praises to fight for additional compensation for me, considering the value I provided to them.
Quite frankly, I am not looking for love any more; what I am looking for is money.
Do you have any advice for me? How can I get them to show their love in dollars?
Your help is appreciated,
I can understand why you feel the way that you do. It is clear that you take a great deal of pride in your work as an information security leader, and that you feel that you have gone the extra mile in demonstrating your passion and commitment to both your CISO and the other managers that you have supported.
I also understand that you had some personal expectations in terms of financial reward for the personal sacrifice that you gave your employer by working additional hours and delivering results to the people who counted on you.
Feeling betrayed because they did not return the favor is only logical.
One thing that I can tell you is that you are fortunate that your employers let you know that you are important and appreciated; however, talk is cheap. If your account of your extra effort and results is indeed factual, then you are justified in feeling that your managers should have fought harder for you when it came time to reward your performance monetarily – in terms of both your bonus and your raise.
That being said, here is some advice that you may find useful:
First of all, you mentioned that your information security organization is not that mature and that information security has not figured prominently until a little more than a year ago. When organizations are in this transition phase, one of the things that usually lags is compensation for its staff members. This is probably one of the reasons that the new members of your information security team have not significantly reduced the workload placed on you. While your fellow workers are probably competent, they probably represent the best that your company could afford, not the best available talent. This is an organizational and human resources issue that cannot be fought by one person, but you have the ability to help influence it by how you address your situation.
I would tell you that you should set up a meeting with your manager, and let him know in advance that the subject of the meeting is your disappointment about compensation. Prior to the meeting, I would spend some time and write down all of the accomplishments that you have had in your role over the past year. In addition to this, I would pull all e-mails from either your boss or the other managers that have sung your praises over the past year. What I would also do is put together your interpretation of the business impact made by your contributions.
During the meeting, I would let your manager know that the praise was appreciated, but that your skills have a great deal of market value outside of the company. You can share with your employer that you have turned down countless overtures from recruiters and other companies in the area, promising bigger roles and more money, based on the promises that you would be “taken care of” for your efforts over the past year. You can also share with your boss that you were counting on the bonus and the increase, and were personally let down and hurt by this decision.
I would let your boss know that you do not regret your decision to stay, because you accomplished a great deal, that you enjoy working at the company, and that you have been building marketable skills. However, you should let them know that you would hope that they may reevaluate their decision about your compensation and assess your skills versus the market. (Before you do so, make sure that you know the answer, and that you are paid either “at” or “below” your market value.) You may ask them to do a market study of what it would take for them to refill your position and contributions if they had to replace you.
Ask your manager if you could meet again in about a week or two (not longer) and ask them to reconsider their stance on both compensation components.
Taking this tack will allow you to speak your mind in a non-threatening situation. At no point do you threaten to quit or leave – but you imply that you have had other opportunities, have developed marketable skills, and that it may cost significantly more to replace you. You have allowed your employer and your manager to make a business decision based on fact and value, not based on threat and emotion.
Hopefully this will help you and your employers will realize that they have made a mistake in judgment.
When they do, make sure that you “Show them the love,” when they “Show you the Money”.
Hope this helps,
February 7, 2012
I have a specific question regarding my personal situation. I am an information security professional and I am currently working in the US on an H1-B Visa. I have recently grown dissatisfied with my current company and I am looking for new challenges.
From listening to my colleagues (also working on H-1B visas) discuss their personal information security job search experiences, I have learned that many companies are unwilling to sponsor or transfer the sponsorship of candidates working on H-1B visas due to corporate human resources policy.
What I wanted to ask you was when should I reveal my work status to prospective employers? My feeling is that I should wait until I am deep in the interview process, so that they can judge me for my skills and not my work status. Am I wrong to think that with the right skills, I can convince a company to change their policies?
Dear “Temp Res”
I will be the first person to tell you that I am not an expert on H-1B and visa issues. However, over the course of my career I have worked with many candidates who have had to face this issue at some point during their recruitment process and their careers.
Basically, when we work with clients looking for talent, they fall into two distinct categories: those who are willing and equipped to sponsor candidates, and those who are unwilling to do so. In my years of doing this, while I have seen many instances where clients who were willing to sponsor candidates decided that they no longer would, there has only been one instance where I have witnessed a client change their policy to enable a candidate to be sponsored. In this situation, the candidate was a noted authority on a specific subject matter, had written books on the topic, and the CISO was fully empowered to make this exception. When they did apply for the exception, the CISO had to make a business case and the exception had to be approved by the corporation’s global head of human resources.
With this in mind, my best guidance for you would be to reveal your work status, and that you will require sponsorship, at the onset of the interview process. I believe this for two key reasons – the value of time and integrity. Plain and simple, timing is a key element of any interview process. If you find yourself focusing on opportunities that cannot come to fruition (based on a known factor), then you may be distracting yourself from opportunities that could be both interesting and possible. I also think that for candidates in your situation it is important to join companies that have hiring processes that embrace employees who are not US citizens. Companies that have cultures that encourage this type of hiring often are more knowledgeable of these issues, are more supportive in the Green Card process, and have employees in leadership positions that have been through this very same process.
In addition, as an information security professional you are often judged on integrity, honesty, and openness. Failing to inform a prospective employer of your work status may be considered a form of misrepresentation. I use the word “may” because, like in all processes, you are at the whim of the opinions of the decision maker or makers. Letting everyone know at the onset that this is a potential issue enables the prospective employer to plan accordingly, budget the necessary costs, and engage the proper internal parties. By doing this, you set the foundation for a future work relationship, by letting your future employer know that sponsorship is an important issue for you, and a critical component of your future career.
Again, there are many people more experienced in these matters, so please treat my response that way. Independent of that, I do know that no one ever lost an opportunity for being too honest and forthcoming!
Hope this helps,
February 1, 2012
Instead of the traditional Career Advice Tuesday, I wanted to use the blog today to let the information security community and the Infosecleaders.com audience know why events like B-Sides are important to me, and why I made the decision to provide the event the necessary financial support to ensure that it would take place as planned.
1) Attending Information Security Conferences Made A Huge Impact on My Own Career.
While attending my first information security conferences, DefCon 5 (at the old Aladdin) and RSA 1997 (where it rained all week), I learned very quickly that information security professionals were an accepting bunch. Although I was a recruiter (or “job whore”/”talent pimp”- as some called me) I found that as long as I had something meaningful to say or a unique perspective to share, that most of the attendees would include me in their conversations. Being included in these discussions and “allowing” me to ask questions and listen to the responses (without ridicule), provided me with the foundation for my professional education. Still to this very day, I often reference these experiences when training new employees for my team, or speaking with information security professionals about the value of opening themselves up to new professional relationships.
2) Some of the most important personal relationships I have made in my life happened because of information security conferences.
At that first DefCon, I was briefly introduced to a sharp guy, who was very smart and quite blunt. In traditional “hacker” style, he was skeptical of my motivations, and may have actually introduced me to the term “talent pimp.” During the following years, we ran into each other at other DefCons. The conversations were never long, but we always acknowledged each other. He then became an employee at one of my clients, and we got to know each other better personally. After the company he worked at was sold, I was able to help him locate a good position at a company. Through that process, we became friends. It is now fifteen years later, and I consider him family. In no other universe would our worlds have collided, but thanks to this industry, in Ralph Logan, I have a “brother” whom I can count on for anything.
In addition to this, I met Mike Murray, the co-founder of Infosecleaders, in an elevator at the Mirage, and we walked over to Black Hat together. Through our friendship (and Infosecleaders), Mike has taught me many things and has opened up my mind and challenged me on my thought processes. (Mike, I hope that I have done the same.) Although Mike and I could not have more opposite work styles and competencies, information security events have brought together our passions for helping people, and for this I could not be more thankful.
Finally, and most important, if it was not for Information Security conferences, I may have not met my wife Michele. In 1997 on my way back from RSA, I met a woman named Nicole Schmidt, who was the CIBC information security analyst, on my flight home. We struck up a conversation and exchanged numbers, and became friends. Seven years later, Nicole made a suggestion that I go on a date with her best friend Michele. Michele and I have been married for five years. We have a son, Brodie, who will turn 4 tomorrow. I am also known as “Uncle Lee” to Nicole’s little boy, Lucca.
3) In the end, the only thing that matters is “people”.
In the wake of the messages I saw on Sunday while checking my Twitter stream, the only thought racing through my mind was “what about the people.” The first “people” that I thought of were the organizers of B-Sides. I have known Mike Dahn since he trusted me with his career about 8 years ago, and we have been friendly ever since. I know that B-Sides is run by members of the community, so I could only think of how all of the effort and energy of the volunteers could possibly go to waste, and that they may be facing a huge bill due to previously made financial commitments (as a business owner, I know some things about event contracts).
My mind then jumped to all of the information security professionals that I know who are big fans of B-Sides and have made plans to come to the event. My assumption is that most of the B-Sides attendees are coming to try to better their careers – either through learning or networking. I also assume that the reason they choose B-Sides is the price – and due to the fact that their employers do not have ample training budgets. I assume that many have already taken vacation days and personally incurred the cost of travel. The thought of all of their plans being ruined, and their money lost, was not acceptable to me, and did not sit right.
When I got home, I called and texted Mike and asked him how much money he needed to ensure that the event would take place. The amount that he provided me was manageable. Knowing that Infosecleaders.com does not and has never had any involvement with the RSA Conference, I knew that I was in a position to help without any impediments or restrictions.
Over the last 24 hours, I have been blown away by the reaction, the e-mails, and the tweets. My only response to this is that I do not feel that I deserve any additional accolades. I believe that I only did what any other member of our community would have done, if they had the financial resources at their disposal. Having the opportunity to give back to our community and provide for others is a “mitzvah” and a blessing.
It is with great pride that I consider myself a member of the information security community, and to have had the privilege of being associated with such a great collection of talent, personality, and passion.
Looking forward to seeing everyone at B-Sides.