Career Advice Tuesday – “Making Them Wait”

May 29, 2012

Dear Infosecleaders:

I am in the process of making my first job change and I am looking for some advice.  I have spent the past five years of my career working at a corporate information security position, and I am looking to transition to the world of large consulting – for both the experience, the exposure and the compensation.

I decided to interview with a few consulting firms who have advertised similar openings. One of the firms whom I interviewed with, I really liked. They have a dynamic leader, a solid market presence, and they offered me a competitive compensation package. On its own merits, it is definitely an offer that I would accept and be happy with.

Toward the end of my process with them, I was then contacted by another large consulting firm, and I went on an initial interview with them – and it also went well. Although the roles are similar, the second firm is a bit more “prestigious” than the first, and in my opinion has a better external brand. After the initial interview, the internal recruiter told me that the remainder of the process would take an additional two weeks to complete.

My offer with the initial firm is roughly a week old and is approaching expiration.

I would like to know what my boundaries are here. I do not want to jeopardize my offer with the first firm, but I do not want to accept the role without hearing the second firm out, and reviewing their offer. Is asking them to wait an additional two weeks an option? Am I in jeopardy of “burning bridges”?

Any help would be appreciated.


Mr. Heinz 


Dear Mr. Heinz –

What you are really asking is how long is an acceptable time to “Make Them Wait” for your decision, without burning a bridge.

First some guidelines – an acceptable time to evaluate an offer is a week.  If you were more senior, I could even see that 10 days could be acceptable, maybe even 2 weeks,  especially if it involved a relocation.  But at your level, a week is ample time – anything else is excessive and somewhat disrespectful.

The best thing that I can share with you is that, while you definitely have the right to evaluate all of your options before making a job change, you have to remember that the practice leaders of these firms (who will be your managers and bosses) are highly competitive and have a good amount of pride (or else they would not be in charge). In addition, what would make losing this recruitment battle worse is the fact that they would be losing out to one of their competitors.

So you need to be careful.

To give you some perspective, I want to introduce a scenario to you, that should be able to provide you with clarity:

You go out and interview with a company. You interview well and the company states that they like you – and they believe you are a good fit. At the end of the interview process, they basically say this – Mr. Heinz – you are an excellent candidate, have all the skills to do this job correctly, and we would want you on our team – however, in three weeks we are expecting to interview another candidate with very similar skills, compensation requirements, and personality – we would like for you to wait three weeks – so that we can compare them to you – and so that we can elect to move forward with either you or the other candidate.

How would you feel?  How would you view the opportunity?  Would you feel good about going to work at an employer where they have essentially told you that you may be a second choice, or a fall back option?

Chances are, your feelings would be hurt. All of the good will would be sucked out of the interview process and you would want to consider working at other places – not because of the role, but because of how you were treated.

This is how the hiring manager at the other firm feels as a result of your actions and intentions.

My advice would be to accept the position with the first firm.

The roles are basically the same. You are going to gain very similar experiences. The compensation packages are going to be very similar in the end as well (within about 5K). The first firm treated you well, you were comfortable, and you liked the environment – essentially, what more could you want? Large information security consulting firms basically have similar brands – and are looped together – there is essentially no branding difference between consulting firms that offer a broad range of security consulting services.

If you turn this position down, you are essentially going to “burn the bridge” because of how you handled the process.

In the future, the way to avoid this is to let all of the firms that you are interviewing with know that you are looking to make a decision by a specific date. You can tell them that you would like to have all offers by a certain date, so that you can evaluate them side by side. By setting this expectation, you demonstrate that you are a good communicator, you are well thought out in your approach, and you establish ground rules so that they can control the timeline of your hiring process.

In closing, you are a first-time job changer, so you should be forgiven for this. But you need to learn from this, so that you do not find yourself in this situation again in the future.

Hope this helps,

Lee Kushner


Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Career Advice Tuesday, Interviewing, Position Selection, Recruiting | 2 Comments 

Career Advice Tuesday – “A Little Nudge”

May 22, 2012

Dear Infosecleaders:

I have been searching on my own for employment as an information security architect for the past couple of months, and I am hoping that you can help me with the mechanics of my job search.

First of all, in a former life I ran security architecture for a notable financial services institution and most recently served as a technical security architect for a professional services and information security product company. My skills are current, my compensation requests are reasonable, and I have very good references.

The main reason that I am looking for work is that the travel associated with my current role is just no longer conducive to my family situation and the life that my wife and I would like to lead with our young children.

Through a colleague, I was introduced to the hiring manager at a pretty well known company with some interesting technologies that align with my skills. Upon introduction, I both spoke and met with the hiring manager within a week, was told that I was a good fit, and that I would be engaged by HR to complete the interview process. A week later, I had a brief 15 minute phone call with HR, which went well (not much was discussed), and was told that a final interview would be scheduled for the following week.

Well, that was about 30 days ago.   I have not heard back from them.  But, I have heard from another company (a distant second choice) and I have been told that they are going to be making an offer within the next week.

Do you have any advice as to how to (re)-engage the initial firm and help get me to the finish line – and to understand if they are going to want to hire me or not?


The Waiting Place


Dear Mordecai van Allen O’Shea:

The answer to your question is simple -  you need to write an e-mail to the hiring manager explaining the situation and ask for their help and guidance.  In the letter you should state the following:

1)   Your last discussion with HR was 30 days ago

2)   It was left that you would be contacted about setting up a final interview

3)   You have a real interest in the role

4)   You have another suitor, who albeit worthy, is not your first choice

5)   You will need to make a decision in the next 10 business days.  (This gives them time to react)

First, the reason that you send the e-mail (initially) is so that the note may be forwarded to others in the company.   (You should follow up with a phone call, for a personal touch)  Second, there is nothing wrong in giving your potential employer the courtesy of a reminder of your candidacy, and providing them with an understanding that you will not be waiting around forever for them to execute.  Finally, the goal of this letter is to inspire an action – either a message that they will be scheduling the final interview,  or some notification that you are no longer in consideration.    By gaining an understanding of this, you can figure out how to deal with the other suitor, and manage the remainder of your job search.

I guess the best thing to share with you is that sometimes people get sidetracked, interview processes get mismanaged, and recruiting takes a back seat to other pressing issues.

You should not be offended by this, and do not take this personally.

Sending a friendly and polite reminder, to inspire an action, is perfectly acceptable, especially if it is handled with tact and respect and gets you to the Places That You Want to Go!

Hopefully this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Position Selection, Recruiting, Uncategorized | Comments Off 

Career Advice Tuesday – Why Info Sec Positions Go Unfilled

May 15, 2012

Dear Infosecleaders Readers-

Below you will find the unedited version of my latest article for Tech Target/Search Security – Information Security Magazine.  The article is designed to shed some light as to why companies have such a difficult time in filling information security roles.

Let me know what you think.

Lee Kushner


Why Information Security Positions Go Unfilled


While the national unemployment rate has been steadying between 8-9%, information security professionals have been enjoying newfound prosperity. Until recently, the information security function primarily held importance to industries whose success and market perception were tied directly to their customers’ trust, like financial services, and the federal government. Due to a unique combination of technological innovation, increased regulatory scrutiny, external threat, and social activism, corporations in industries that have traditionally ignored information security have begun to realize that the development of a competent information security function is a worthwhile and necessary investment.


When companies recognize that they are going to make this type of organizational commitment, their first order of business is to find competent information security talent to bridge their talent gap to address these issues. However, finding and attracting competent information security professionals to a new position is a lot more difficult than it appears. Companies quickly learn that the same strategies and processes that they apply to filling more generic business and technology roles do not necessarily translate to the recruitment of information security professionals. It is important for organizations and information security leaders to comprehend why information security positions go unfilled, so that they can make the proper adjustments to attract and hire this talent in a reasonable time frame.


The primary impediment to filling information security positions is geography. In many cases, the talent and skills alone would be difficult to find; however, the need for an employee to be based in a certain location significantly impacts the depth of the candidate pool. For example, although the NY Metro area is filled with companies, positions based in locations like Long Island, Central New Jersey, and Southern Connecticut will greatly reduce the candidate pool due to commuting time. Conversely, there are many information security professionals who would not want to incur the additional cost of commuting into Manhattan. In the past, companies were much more amenable to relocating candidates to fill positions; however, the economic events and the housing bubble have greatly reduced the ability of people to relocate and the willingness of companies to subsidize these costs. In general, companies’ relocation packages have become less encompassing, saddling the candidate with additional expenditures if they decide to accept an opportunity and relocate. In these instances, the candidate simply cannot afford to accept the position, even though it aligns with their career plan and professional development.


The next major component in the breakdown of a recruitment process is in the area of compensation. When corporations are determining the compensation value of their job openings they traditionally consult specialized market research firms that provide them with this information. This compensation information generally equates to what the candidate, with the skills, already in the position should be paid. While this should serve as a good baseline, it does not take into consideration the recruitment premium that an information security professional, currently performing a similar role at a similar organization, would need to leave the comfort of their existing environment. For example, if a Senior Information Security Architect is earning “X” in their current role, the market data may be correct and instruct you to price the position at “X”. However, in order to be successful in attracting the Senior Security Architect to your team, you will need to price that position at “X + 10-20%”. In addition, many times compensation packages neglect to address existing financial and non-financial benefits associated with tenure at a current employer. Because money is fungible, financial benefits are more easily replaceable; however, non-financial benefits are often more difficult to address. Information security professionals can place greater value on vacation time, flexible work hours, and telecommuting, and may be unwilling to relinquish these benefits. Corporate human resource policies may not allow you the flexibility to provide alternatives for these privileges.


An additional compensation based reason that information security positions go unfilled is due to internal equity.   Internal equity is the belief that any new employee’s compensation cannot be significantly more than their functional or organizational peers.   It is the information security leader’s responsibility to both address this within their teams and to educate their human resources staff  about the uniqueness of the skill combinations that they are attempting to recruit.


Before any major recruitment initiative, the information security leader must partner with human resources and perform a market based assessment of the skills and functions already performed by current information security team members.  The question that should be asked is, “If I had to replace that person, what would I have to pay them?”  In addition, the information security leaders should be aware of the value of their employee’s skills in the market place, and be proactive in their approach to aligning their compensation with both their internal contributions and external value.


In addition, it is commonplace for human resources teams to align information security compensation with other technical functions like network engineers, systems administrators, or software developers. It is essential for information security leadership to sit down with human resources and articulate to them why the skill combinations associated with the roles that they are attempting to fill are more complex and scarce than these technical resources. The information security leader should have a great deal of incentive to win this argument, because if the compensation packages are insufficient, positions will remain open for long periods of time or will be filled with substandard talent.


While these factors contribute to unsuccessful recruitment processes, the primary reason that positions go unfilled is the failure of the information security leader (hiring authority) to think like the candidate that they are attempting to attract. All information security leaders at one time had to interview for a job. It can be assumed that when they contemplated their last job change, they created a list of criteria that became key factors in their decision making process. Some of these factors will include the commitment of the organization, the level of responsibility associated with the role, the career path for the position, professional development opportunities, title, and compensation. In summary, most likely they changed positions because the new opportunity represented increased opportunity and personal satisfaction. Often, information security leaders forget their own motivations, and ignore the fact that their applicant pool is driven by similar forces.


One of the biggest mistakes is that hiring managers only focus on their organizational “need” as opposed to taking into consideration what the applicant “wants”. When information security leaders begin designing their job descriptions, it is essential that they understand the appeal of the opportunity and what types of candidates it will attract. When they conduct their interview process, they should be taking into consideration the candidate’s point of view, and determine if the position and the environment can serve as the framework for their candidate to accomplish their professional goals and develop their information security career. By viewing the position from the candidate’s perspective, information security leaders will find themselves prepared to communicate the merits of the position during a recruitment process, which should make a positive impact on the candidate’s interpretation of the career opportunity.


One of the best ways to evaluate leadership is by the caliber of the people with whom they surround themselves. Attracting top information security talent to your team can be both time consuming and frustrating. Building an effective recruitment strategy, addressing potential obstacles, building organizational partnerships and understanding the motivations of your future employees are key ingredients to efficiently filling your information security openings.

Posted by lee | Filed Under Advice, Career Advice Tuesday, Interviewing, Leadership, Recruiting, Security Industry, Skills, Uncategorized | 5 Comments 

Career Advice Tuesday – “Double Agent Dilemma”

May 8, 2012

Dear Infosecleaders:

I have a question that should be right up your alley and I believe you can provide me with the best advice.

About a week ago, I was contacted by an executive recruiter about a position that interested me. Although I have never worked with the recruiter before (or known of their firm), they told a good story about their client and the role, how they found me (via LinkedIn) and they seemed professional. During our conversation, they claimed that they were retained and exclusive on the opportunity.

Even though I had not worked with them in the past, I consented to my interest and sent them my resume.   I did not do so without hesitation, but I figured since they were “retained” and “exclusive” this would be my only avenue for introduction. 

Two weeks went by and nothing has happened. I never received an interview. My phone calls were not returned, and I have had nothing but “dead air” and I thought the opportunity was dead.

Last week, I received a call from an information security recruiter whom I have worked with in the past (Taking your advice, I do work with folks outside of LJ Kushner) and whose opinion I have grown to respect.   He called me to introduce the same opportunity that I had been previously introduced to. 

He shared with me that the client did not retain him, that the role had been open for more than 90 days, and that they had not seen any candidates that were interesting to them.

I shared with them my experience and that I had been exposed to the opportunity by another firm. Since I trust this recruiter, and I believe that they have some solid access into the client/opportunity, I asked if they could represent me.

They told me that they would be able to. 

Is this accurate? Can I have two recruiters working for me for the same opportunity? Can I be hurting myself in any way? What should I say to the first recruitment firm?


Maxwell Smart


Dear Maxwell:

I will say that I believe you find yourself in a bad situation and I am not sure if you are getting real good advice or guidance from either of your recruitment firms.

First of all, if the initial client were exclusive to the opportunity there would not be any way that another firm would have access to the position. When a company grants an executive search firm exclusivity they are doing so because of expertise and simplicity. Having a single point of contact on a senior position is a benefit so that messages can be kept consistent, timelines can be managed, and for simple efficiency.

Based on this, I think you were tricked into consenting to send your resume to the unfamiliar firm who found you on LinkedIn.

Secondly, once you are submitted to an opportunity by one recruitment firm, you should not consent to be submitted by another recruitment firm. Your other recruiter’s advice that this would not be a problem on a contingency assignment is incorrect. This is the case for the following reasons:

1)   Almost all of the time companies will honor (and pay) the first firm that submits a candidate’s resume to them.  No matter what the relationship, in the end they want to only pay one recruitment fee, and honoring a second submission would place them in a bind.  This would be the kind of thing that would cause a corporate recruiter to potentially lose their job.

2)   If your resume comes to a company from two sources it is a poor reflection on you and your ability to communicate. By allowing two firms to submit you to the same opportunity it makes it appear that you are disorganized, non-selective, and that your interest is not necessarily sincere. These are not qualities that many companies look for in their information security leaders.

What you can do is the following: keep calling the first firm until they answer. When you get them on the phone, confirm that they are exclusive (and what their definition of this term is) and then explain to them that you are asking because another firm contacted you about the same role and that you wanted to make them aware. Their reaction should be telling.

To the second firm, simply state that you have already been presented the opportunity and that you do not wish to complicate matters. You can simply share with them that you appreciate them contacting you, and hope that they will do so again in the future about a similar or better role.

In closing, be leery of people reaching out to you who you do not know or do not have trusted relationships with. Before submitting your resume, you can always do two things – validate the track record of the firm that the person is contacting you from, or run the opportunity by a recruiter you have worked with in the past, and trust, and see if they are working on the role. If indeed they are, you may first ask them why they did not contact you on the opportunity, and if you remain interested, ask them if they would be open to representing you.

Please make sure that you control distribution of your resume and manage your job search process.  These are key first impressions and reflections on you.

Hope this helps,

Lee Kushner


Posted by lee | Filed Under Advice, Behavior, Branding, Career Advice Tuesday, Interviewing, Position Selection, Recruiting, Social Media | Comments Off 

Career Advice Tuesday – “20 Percent Increase = Bad Assumption”

May 1, 2012

Dear Infosecleaders:

I am planning on moving back to the USA this fall, as I am currently living in Eastern Europe. As you may or may not know, the standard of life is poorer/lower than in the States. As I have heard on one of your presentations, one should ask for a salary maximum 20% of their current earnings. But the 20% would be not even close to what I would be satisfied with, or the standard for job class.

Do you have an opinion/recommendation on the approach I should take to get the salary I want and/or deserve, regardless of my current pay?


 Is Twenty Plenty?


Dear TP:

Before I address your question, I want to make this very clear to all of the Infosecleaders audience:



Now to your question:

The real question about compensation can only be answered by understanding the marketplace value for your skills and experiences in your employer’s industry and geographic location. The best way to understand your marketplace value is to survey either your peers (with similar skills) or people with industry knowledge (hiring managers and info sec recruiters) who can provide you with a benchmark of how you should be compensated.

Many information security professionals believe that the compensation for their individual specific skills should be treated differently than the market at large.   This is a bad assumption and often leads to poor decision making about compensation expectations.

In general, compensation for similar skills in the same market will only fluctuate by about 10-20%.  This fluctuation will be determined by seniority, alignment with the business need, urgency, the demands of the work environment and industry.

Given the above, your current salary is irrelevant to your future one, considering your change of location and the cost of living differences inherent to your move. However, before you embark on your job search you should get a better understanding of how your skills will be valued, and set some baselines and parameters with prospective employers as you begin your interview process.

Upon their assessment of your skills and your performance in the interview process they should be able to determine a suitable salary in their attempt to acquire your services. If you would like to keep them honest, interview with two companies simultaneously to see if the compensation they offer is similar.

My guess is that the difference will not be much greater than 10%.

Hope this helps,
Lee Kushner




Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Interviewing, Position Selection, Recruiting, Skills | Comments Off