August 14, 2012
I have been working in the IT industry for many years and have been dabbling in the Information Security realm for about 5 years now, but am having a hard time getting the experience I would like.
I was recently asked by a friend to help with a side job which required a Security Assessment to be performed. I have never had to perform a Security Assessment so I am a little hesitant making the jump because if I accept the assignment, I want to do it correctly.
I’m not one of those guys that will take the job, if I do not believe I can perform it correctly. I do not want to be put in a position where I do a crappy job due to the fact that I do not know what I am doing.
How do I get the experience I would like, so I can take “jobs” like this one with confidence? I have a good reputation and I want to keep it that way.
Any advice you could give, I would be grateful.
“Biting Off More Than I Can Chew”
Dear “Big Mouth”:
I agree with your sentiments. You only have one reputation and anything that you do that detracts from your reputation will only stay with you through the course of your career. In the end, your work is a reflection of you, and it eventually will define you and become your “brand”.
I give you a good deal of credit for having the integrity to know that this position may be beyond your scope of knowledge and “more than you can chew” at this point in your career.
I can offer you a couple of different options –
1) I would ask your friend if you would be open to “sub contracting” the assignment to someone that you trust. If they say that is OK – what you could do is to ask around your network or on Twitter – if anyone is interested in a consulting assignment – with the caveat that if they take the job – that they will let you shadow them on the assignment and teach you. This could be the best way to get practical experience – in essence you can learn – and someone else would get the revenue from the assignment. This would be viewed as quite an even trade!
2) Another option would be to get formalized hands-on training. Now, I do realize that if you did take training, you would not be ready for this current assignment – however, with some foresight this could possibly give you the confidence to know that you would do a good job the next time that you get the opportunity to perform this type of work.
The key to this is to get “hands-on” training – not just some certification – that will give you the confidence that you will do the job correctly. Understand that you are doing this for yourself, not someone else evaluating the value of the certification and utilizing that to judge your competency. In this case, you need to overcome your fear of failure – practical experience, even in a training or lab environment, should enable you to simulate a real world “assessment”. It may not be live – but it is the next best thing.
With the right training, you should be able to do a “good job” on future assessments, and when you do, you can be sure that you will get additional opportunities to practice your craft.
Hope this helps,
August 7, 2012
I am currently working as a penetration tester for a pretty large company. Prior to this, I worked for another large company, doing similar work. My current job is going well, I have a very good mentor, my company has been supportive of my professional development, and I like my hiring manager – as I feel that we have established an open line of communication.
I do have two complaints. First of all, I believe I can do more. Secondly, I believe that I travel way more than necessary to perform my duties.
I recently completed an interview process with a much smaller company that is in the middle of a growth spurt. Although they are much less structured, the people are very smart, and they have some focus in an area that interests me a great deal, Mobile Security. I believe that it is set up to enable me to take some leadership in this area. The position does not require a great deal of travel, and it will allow me more time to get involved in my local professional community.
The money for the position is very similar to my current role, however the position offers some stock, which is exciting to me.
I have listened to your advice in the past about avoiding jobs that just provide the opportunity to “Change Golf Shirts”. Would like to know if you think I am doing this if I join the new company and accept the offer?
Any advice would be appreciated.
Based on your description above, I do not think you are “Changing Golf Shirts” at all, in fact, I think that these two opportunities are unique and very different.
Here are my thoughts:
1) First of all, the company you are joining appears to be a “Start-Up”, and it does not appear that you have any of that experience. Having the experience working at a “Start-Up” is unique, and I think that if you enter into that environment you will learn things about yourself that you would not have in the larger companies that you have worked for.
2) The new company appears to have some good alignment with your interests, which is great. Not saying that your current employer doesn’t, but it appears that you will be able to take more of a leadership role in this area in the new company. Smaller companies are great for this experience. Where in a larger company, there are more resources to compete with, a smaller company provides more opportunities to create more of a “Professional Brand.”
3) You are going to work with “Smart People”. Not that you do not already, but the only thing better than “Smart People” you know, is “Smart People” you do not know – because if you take this job, your “network of Smart People” just got much larger.
4) You have some earning potential with the stock options. No, you probably will not retire, but stock options provide some upside earning potential that you are not getting in your current role. As a “Pen Tester” there is a standard comp range that you are restricted to, based on the market – so compensation for a new job is never going to be that significant of an increase; in that case, Stock Options provide you with a possible accelerator of your earnings. Even if they are worth nothing, there is no risk for you – as your compensation is going to be equivalent.
5) You can always go back to the big company. Even if your current company will not have you back, there will be another big company that will take you back, and they will probably be willing to pay you a little more money to go work there, again you do not have any risk.
My feeling to you is to take a shot on the new company, and see where it goes. Use the opportunity of not traveling to become more involved in your local community, become known to more people, and really sink your teeth into your interest in “Mobile Security” – and become more visible.
If you maximize this opportunity, it will be much better than trading for a “New Golf Shirt.”
Hope this helps,