Career Advice Tuesday – “Using Website Data In Determining Compensation”

March 27, 2012

Dear Infosecleaders:

I would like to know your thoughts on websites like and as data points for compensation negotiations.

Do you feel that the accuracy of these sites take into consideration outside factors such as clearances?  What would the baseline salary be for someone with a CISSP, TS Clearance, and Masters Degree?

Better yet, how should the information gathered utilizing these tools be applied to your current compensation and desired compensation if searching for a new position.


Billy Shatner


Dear Billy:

C’mon Billy, I would think that you, of all people, would know a thing or two about negotiating price on the internet!

As an information security professional, you cannot negotiate your salary or determine your market value based on the information that you glean on these types of websites.  It is simply impossible.  The data is baseless, as these sites are more focused on generalities as opposed to the many nuances which may determine compensation in an information security professionals role.

I have my own opinions on some of the market intelligence and salary scales that corporations utilize when it comes down to assigning compensation for information security professionals.   Considering that the information security industry is comprised of both generalists and specialists, it is very difficult to apply this type of salary information broadly

For example, if you are an identity management specialist with a CISSP, a Masters Degree, and a TS Clearance – with a highly technical skill set, you will earn considerably more than someone with similar experience who has the same credentials that focuses on Certification and Accreditation work, or policy development.

The best way to determine your market worth is to ask your peers who hold similar positions, have similar experiences, and who work for similar types of organizations within your geography.   If you can get a sample of the compensation of people who share your background, you will find that your compensation should fit within the range of these numbers.   It is very rare that information security professionals have compensation packages that are outliers and anomalies – we just are not that type of industry,

I would tell you and the infosecleaders audience that the factors that determine compensation usually combine skill, responsibility, location, company size, quality of life and industry type.  In addition, companies that have greater commitments to the protection of their information, generally have a slightly higher scale than others.

In the future, forget sites that claim to have this information.   They do little more that build misconceptions and create false expectations that are not based in reality.

Hope this helps,

Lee Kushner






Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Interviewing, Recruiting, Security Industry, Skills | 1 Comment 

Career Advice Tuesday – “The Silent Treatment – Executive Style”

March 20, 2012

Dear Infosecleaders:

I have recently engaged in an interview process for a Senior Information Security leadership role through the help of a retained executive search firm.   This is the first time that I have even been considered by one of these types of entities, and I can tell you that the process has been quite elaborate. 

Before I even had a chance to speak with the company, I had to go through three rounds of interviews with the executive search firm so that I could be vetted.  This included in person interviews, a personality profile, and a series of video conferences.

After that battery of tests, I was invited to fly out to the company’s headquarters where I had to commit to two full days of interviews.  The interviews consisted of a range of corporate executives including the CFO, COO, CIO, General Council, Business Unit Leads, and various technical SME’s.  

The days were exhausting, and I left the meetings feeling that I did “OK”, but quite frankly I do not really believe that I would want the position if offered.    I provided feedback to the executive search firm and I have yet to hear back.

That was roughly a month ago. 

In that time, I have lobbed some calls in to the search firm and sent some e-mails but I have not heard anything back from them.  At this point, I am assuming that I was not selected, however, I believe that I am entitled to understand why.  

First, I believe it would be good from a learning perspective, to understand which skills that I am lacking and need to develop.  Secondly, I believe that I am entitled to some closure and some courtesy.  I mean, I have taken about five days to go through this interview process, and I believe I deserve this decency.

Any help can be appreciated.


“Hear No Evil”


Dear “Hear No Evil”:

Believe it or not, I would not assume that you have not been selected for the position.  I know that this may sound strange, but many executive search processes take extended periods of time, due to the fact that it is difficult to coordinate calendars of both the interviewers and the candidate pools.

Understand that in a true “Executive Search” process, it is likely that a company will interview as many as five or six candidates on site, before they are able to build comparisons, rank the candidates, and come to some conclusions.  In addition, in some cases after interviewing the candidate pool, they may come to the conclusion that they have designed the role incorrectly, and they want to engage a candidate pool with a different collection of skills.

You should also understand that many (I will not speak for all) executive search firms believe that their only client is the one paying the bills – not the candidate they are sending into the interviews.    In an executive search process, the recruitment fees are quite significant, and I can image that for the position that you are applying for that the fee could approach $100,000 – $200,000.

The search firm in this case is being paid more as a “Consultant” – and for their elaborate process and guidance in the search process, as opposed to the hiring of the candidate.  In fact, they will be paid a majority of this fee ( and it is likely that  they will be paid the entire fee) , whether they fill the position or not.

Considering that their allegiance is to the company that is paying their bills they are going to carry out their wishes.  One of those wishes may be to not communicate with the candidates until all of the interviews have been completed.

Now that you have a better understanding of the process, let me get back to your question…..

You definitely have a right to get some feedback from your efforts.  However, understand that you may not get this.  I would continue to attempt to engage the executive search firm to get this feedback through a pattern of phone calls and e-mails.  However, I would not be too persistent or too pushy, as they will be “judging” you by the method and the delivery of your attempts.

It would be good to determine if you want to keep a relationship with the executive search firm.   My advice is that you should, even though you may not like the process.  The next time that you do engage, you should ask the executive recruiter to map our their process, their time lines, and their feedback process.   At that time, you can determine if  the Information Security leadership position is worth exposing yourself to this type of process.

Hope this helps.

Lee Kushner

Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Career Advice Tuesday, Interviewing, Leadership, Recruiting | 1 Comment 

Career Advice Tuesday – “Interview +1″

March 13, 2012

Dear Infosecleaders:

I am writing you because I find my professional and my personal life colliding and I would like some advice on how to handle this.

I am currently engaged in an interview process with a company that is based in Northern California.  The opportunity itself is based where I live – but the final interview will take place at the corporate headquarters.   The plan is for me to fly out on a Thursday and interview on Friday. 

When my girlfriend learned of this, the wheels began turning.  She has always wanted to go to San Francisco and she thought that this would be a great opportunity to do so, considering that my airfare would be paid, and that one night in the hotel would be taken care of by the company.   She is very excited about the trip – but unfortunately I am growing concerned.

The opportunity that I am interviewing for would be a pretty big step for me in my career.  I am currently an engineer and the role is to be an information security architect.  I expect the interviews to be very technical and I know that I am going to need to be at the top of my game in order to successfully compete.

Having my girlfriend with me on the plane, planning our “leisure activities” and just distracting me – is something that I just do not need, if I am going to give myself the best chance of success. 

Do you have any advice on how I can handle this in a way that will keep me happy both professionally and personally. 


Travel Companion
Dear TC:

Good for you for realizing that this is a bad idea.

Without question there is a different mindset for a business trip (which this is) and a vacation (which is what your girlfriend is planning).

My suggestion and response is very simple and should address your problem so that you can accomplish both your goals.

Ask your girlfriend to fly out on Friday – so that she lands about the time that your interview is completed   You may even want to give yourself some time if you are invited for a “happy hour” or team activity afterwards.

I would then arrange for an additional vacation day for Monday and possibly Tuesday, so that you will be able to give yourself the necessary time to enjoy San Francisco with your girlfriend and so that your vacation extends longer than if she came with you as originally planned.

I would also advise to change hotels – just to make sure that there are not any possible “overlaps” of business and personal expenses.   Also, I would make sure that you could have the option of switching your plane ticket – or subsidizing the cost of the difference in fares., for the same reasons.

I also think that you should explain to her that this is important to your future and possibly your collective futures together, and ask her to be supportive and to think about the bigger picture.  Let her know that you will have the opportunity to do all of the things that she would like to do during your time in San Francisco.

Hopefully this will enable you to go to the interview with a clear head and that your girlfriend will be happy with your suggested compromise.

If she gives you a hard time, don’t take her at all.  In addition, you may want to think about finding another girlfriend, if she cannot understand where you are coming from.

(But please do not look for that kind of advice from me, that is way outside of my core expertise!)

Let me know how it turns out – on both fronts!


Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Personal, Recruiting | 2 Comments 

Career Advice Tuesday- Negotiating Tips For The Unemployed (and Underpaid)

March 6, 2012

This question was taken from last week’s Career Advice Tuesday live session at Security BSides SF.

Dear Infosecleaders:

I was recently let go from my position as a penetration tester and I am actively interviewing.   During my interviews, I am constantly asked two questions – 1) Why was I let go?  2) What was I earning?

The actual answer to the first question is an easy one to answer, as there were some issues with the management of my company and the flow of information security work.   For lack of better terms, we could not sell enough work to keep me busy. 

The second question is difficult for me to address.  First of all, I believe that I was underpaid for my skills.  Secondly, I feel that if I provide any of my suitors with this information they will base their offer on this data – and leave me in the same financial situation.

Do you have any advice for how to address this?


D, Trump


Dear Mr. Trump:

Rest assured, you are not alone.

In my fifteen plus years of working in this industry, I have yet to meet an information security professional who believed that they were overpaid.  The fact that you think you were underpaid at your previous employer, places you in the majority.

That being said, without knowing the details, I cannot really comment if you are paid fairly for your skills and contributions, but I can help you with some guidelines on how to answer the question about compensation.

First of all, when you are asked this question, the most important thing that you can remember is to be accurate in your response.   Although you may not agree with the number, the facts are the facts.  In today’s world, many employers validate past compensation during a background check, so if you are grossly inaccurate in sharing these numbers, you run the risk of being denied employment.

Secondly, I would follow up the answer to the questions with a statement – letting your perspective employer know that you are actively searching for employment and are interviewing for similar positions.   When you provide this information, you can provide a range of compensation that have been associated with the job postings,

When you do this, I think that it is important to provide a range – giving a low number and a high number.  By providing a range, you give the perspective employer two things – 1) knowledge  and 2) flexibility.  The compensation range will enable your suitor to evaluate your talents and your interview based upon the numbers that you provided, and will enable them to make a judgment on your value to their organization.    In addition by giving the employer the range, you provide yourself the foundation for your final negotiation (if you are offered the role).

Let’s say that the employer offer’s you an amount towards the bottom of the range, you can let them know that although you like the position and opportunity, that you were hoping for a more competitive number that was near the middle of the range you provided.  You can even let them know that although they are not the highest offer, that their opportunity is more appealing, and if they could adjust their offer upward to be in line with the others, that you will accept their offer.

On the other hand, if in the end you only have the one offer in your possession, you may just decide to accept the offer as is, and ask the employer when your compensation would be evaluated, and on what criteria will you be judged.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Compensation, Interviewing, Position Selection, Recruiting | 1 Comment