June 26, 2012
I am in the middle of an interview process and I am looking for some guidance.
I was approached about an opportunity from a past co-worker, about joining his new company. The role that he approached me about was basically similar to my current role as a GRC consultant, but it was a bit different. My friend’s new company paid about 10% more, had better benefits, provided more training budget, and would allow me to travel less. When I first learned about the opportunity, I was quite excited, and I felt that this would be the best of both worlds.
For the past three weeks I have been going through a series of preliminary interviews that have all gone reasonably well. The interviews have tested my expertise and have provided me with opportunities to ask questions. The answers to my questions have been consistent, and nothing that I have learned has been negative. Based on my performance and my friend’s recommendation, the company has invited me out for an in-person interview.
Initially, I consented to go on the interview, but I am now second-guessing my decision-making process. After giving greater thought to the opportunity, I have come to the conclusion that there is nothing truly unique about it. It is essentially the same job, in a smaller environment, but my responsibilities will almost be the exact same.
At this point I am thinking about changing my mind and not going out to the interview. What do you think about this? Do I have anything to gain by getting on the plane?
Dear “Window Seat”:
My advice is to definitely get on the plane, and here is my main reason:
You have absolutely nothing to lose and everything to gain. In essence, you are playing with house money. (Well, the only thing you have to lose is a vacation day – and the assumed risks associated with air travel.)
First of all, you have already participated in the new employer’s part of the interview process, and have passed. You have established your credibility, have answered their questions, and have gone through a process that they have dictated. In essence, if all of these phone conversations were to assess your skills, the in-person interview is going to provide you with the opportunity to assess the new company and the opportunity, and learn firsthand the answers to your questions.
They should include the following:
1) Is this new employer truly better than my current employer?
2) What freedoms and opportunities can I get in my new job that I cannot receive in my current position?
3) What is the opportunity for growth?
4) Is the compensation increase going to be significant?
5) Is my quality of life going to improve?
While your in-person interview is still a test for your skills and abilities, the balance of power has definitely shifted slightly to your favor, as the new company is not incurring the expense to interview you if they don’t believe that it is more than likely you will be an asset to their company.
By placing yourself in the situation to ask questions that are important to you – and were the initial reason for your interest in the role – you will enable yourself to truly vet the opportunity. Gaining a first hand look at the opportunity, and having your questions answered is really the only way that you can truly determine if the position, the company, and the management team will provide you with the framework for an improved career and quality of life.
Once you receive the information and are able to process it first hand, you may arrive at one of three conclusions - you should remain at your job, you should join the new company, or you should join the new company if the compensation/offer terms warrant it.
In any of these cases, the decision will be in your hands and you will have the data to make the best decision possible.
Enjoy the complimentary pretzels (do they still do that?),
June 19, 2012
I am an information security engineer, and about six months ago I decided to change employers. The main reason for accepting the role was based on the connection and confidence that I had developed with the CISO during the interview process.
When I initially interviewed for the role, I was on the fence about accepting the offer. However, I had a dinner with the CISO and we spent the time together speaking about professional development and he assured me of his commitment to expose me to more of the business side of information security. The trade-off was that I had to give him 12-18 months in a security engineering capacity. During this meeting he even shared with me about his own progression and how he had a mentor who helped him along the way in his professional development and ultimate transition from techie to Info Sec leader.
Well I bought in.
About a month ago, I learned that corporate decided to make a decision and they have forced him to resign. In his place, they have brought in someone internally, who is not an information security professional (we will leave it at that) – and while he understands the company, he has demonstrated to me (and others) that he just does not understand the perspective of information security professionals or relate to them. I know that many of my peers are actively interviewing and others have “checked out” hoping that the new leader fails.
As part of the transition, I had a meeting with him, and I shared with him the commitment that the former leader made to me to help develop my career beyond information security engineering. Although he was polite, my feeling was that he was not going to honor the ex-CISO’s promise to me.
Do I need to begin looking for a new job? Any advice?
Vote Of No Confidence
One of my favorite sayings is that in the end you do not work for companies but you work for people. In essence the company provides the framework but your manager has the real impact on your success and happiness.
You seem to be experiencing this first hand!
I think that what is particularly hard for you is that your decision to leave a good position was based upon the promises that your ex CISO made to you, and your assumption that these promises are going to be ignored. It also appears that you do not have any confidence that the new CISO is going to make good decisions which are conducive to the development of the information security program and in essence your career.
Right now, the best advice that I can share with you is that you should give this person a chance. Considering that your new manager is going to be evaluating your contributions to the company, you should in turn be evaluating their performance as well, as it relates to the development of your career. Considering that the person is new to the role, and not an infosec professional - my advice is to be the best information security engineer possible – and really demonstrate your talents, your passion, and your willingness to make positive contributions. I would make it a point to really embrace the new leader, and demonstrate that you are there to support them.
Given the attitude of your peers, your positive attitude and work ethic should really stand out!
After doing this for ninety days or so, ask for a meeting. At that meeting, you should revisit your conversation and your career goals. At that point, you should see how receptive the new leader is.
If the new leader is receptive, you may have found a way to accelerate your career. Keep working hard and contributing and see if you can produce some measurable results.
If the new leader is giving you lip service, ignoring you, and dismissing your requests – it is time to look for another role. If the new leader does not recognize or appreciate you and your loyalty during this transition, it is likely that they are never going to connect with you or support your career development efforts.
At best you will be pleasantly surprised; at worst you can dust off the resume!
Hope this helps,
June 12, 2012
A few weeks back, I was informed by my manager that my company was looking for an information security engineer to help us round out our team. In a team meeting, my peers and I were asked if we would be willing to recommend someone for the role. During the meeting, we were asked if we could publicize this opening to our professional networks, specifically LinkedIn.
As a good employee and team player I have done this, and posted the position to both my networks and the LinkedIn groups where this type of role would be suitable. My initial thought was that this would be quite easy, as my posting would net a couple of qualified folks, and the hiring process would be smooth.
This has not been the case. In fact it has been a nightmare.
Since posting the role, I have received over 70 inquiries about the position. This has included many people who are either not qualified for the role, do not live anywhere near the position’s location, have greatly surpassed this type of position, and some whom I know well enough to know that I would not want to work with them. The responses have included resumes being sent to my personal address, phone calls off hours, and other intrusions that really lay outside the context of my role. I simply do not have time to respond to all of these people, am unsure of the proper etiquette, and I feel that in doing so, I may damage some of my relationships.
I wanted to raise this point out to the Infosecleaders community and wanted to see if you had any advice for me – to help relieve me from the burden of my current situation.
You are witnessing first hand that it is not that there are a lot of personal obligations that go along with engaging your network, especially in the context of recruiting.
Let me give you two pieces of advice that may help you alleviate your current pain:
1) The first is to change the LinkedIn posting or take it down. If you decide to take it down, make sure you speak with your manager, and let them know why you are doing so, and the problem this has caused you. If you do decide to keep it up, what I want you to do is to attach a line to the bottom of the posting that states:
“PLEASE DO NOT CONTACT ME DIRECTLY. AS PER CORPORATE POLICY I AM NOT AT LIBERTY TO PROVIDE ANY ADDITIONAL INFORMATION ABOUT THIS OPPORTUNITY BEYOND THE POSTING. PLEASE ADDRESS ALL INQUIRIES TO- (ENTER YOUR HR BUSINESS PARTNER’S EMAIL ADDRESS)”
Something like this should help you draw some clear guidelines and remove you from the communication loop.
2) What I would do would be to collect the e-mail addresses of all 70 folks that have responded to this posting and write an e-mail with a confidential distribution list that states the following – (please make sure that the distribution list is confidential)
Thank you all for your response to my posting. I have sent all of your responses to our human resources representative who is responsible for the recruitment process for this position. Your credentials will be reviewed by the hiring manager (which is not me!) and if there is interest, you will be contacted to engage in our interview process. I wish you all well in your pursuit of this opportunity. As you progress deeper in the interview process, I would be happy to share with you my personal experiences as an employee of _______________________ and as a member of the Information Security team.
Hopefully this advice will alleviate this burden and help you return your focus to your role as an information security professional and your recruitment career will be a brief one!
Hope this helps,
June 5, 2012
My question centers around my resume and my application for an information security position.
First some background. I used to work as an information security consultant at one of the largest PCI consulting firms. When I worked at the company, I was a QSA and held other related PCI Certs. When I left that firm, I went to work in a consulting firm that was not a QSA, so I had to allow my QSA to lapse.
Recently I have decided to leave consulting in order to locate a position at a corporation, where I can help them with their governance, risk, and compliance initiatives. I have located an opportunity with a retailer, who has posted for such a position, but the job description states that all applicants must be QSA Certified.
I know that I can do the job. My skills as a QSA have not lapsed. Quite frankly they were not that difficult to acquire. However, I cannot claim that I am currently a “QSA”.
I think that I have two options – either to list it on my resume, and explain it later – or to list on my resume that I am a former “QSA” – however, I feel that this could be received negatively by the internal screener.
Can you provide me some advice?
The Artist Formerly Known As “QSA”
This is a very interesting situation.
Your example points out the exact problem with keyword screening criteria, and job descriptions written by the uninformed. What may also be funny is if the internal screener was also screening out candidates who currently work at consulting firms – which in essence would eliminate the entire candidate pool and leave the position unfilled.
First of all, you can never ever misrepresent the truth on a resume. This is a show-stopper, a red flag, and questions your integrity and ethics. Companies will check your certifications, and when it comes up that you do not hold the QSA, your interview process will come to an abrupt end.
The best advice that I can give you is to list on your resume: “Former QSA” – Your Certification Number – and the Years You Held The Certification. You can also list your other PCI related certifications as well with a similar format.
Underneath your certifications and in the body of your resume, you should explain in one sentence or bullet point as to why your QSA certification lapsed. You need to show the screener that it is impossible to maintain a QSA without working at a Certified Assessor. If necessary, you can link a website that could reference this, so that they can validate it.
Unfortunately, we live in a world where not all involved in the decision-making process understand the nature of qualifications for information security roles. Considering that many in the HR field are trained to exclude on “key words” and not to investigate further, it is very possible to be overlooked for a role for which you are qualified and are an excellent candidate.
I would like to reiterate to all of the Infosecleaders in the audience, that it is in your best interest to assist your HR team members and educate them when you are enlisting their help in recruiting for an experienced information security professional.
Hope this helps,