Career Advice Tuesday – “Programming My Future”

October 23, 2012

Dear Infosecleaders:

I write to you seeking career advice. I graduated from college in 2005 with a B.S. in Computer Science (programming). I was unable to timely find a job in my field of studies, so I accepted an offer to become an IT Auditor. I’ve been an IT Auditor ever since in two different business environments (banking and government).

Because of my background in programming, I absolutely enjoy undertaking tasks that are related to business analytics, data mining, re-performance, etc. However, my current line of work does not require or provide for that. In addition, I have become greatly interested in security, but while I feel that I am very capable of learning effectively and efficiently, I do not have a strong foundation on networks.

In order to push myself to strive for more, I have looked at the option of becoming CISSP certified. However, I am not sure if the SSCP would be a better choice for me based on my knowledge level.

I am currently CISA certified and know that having another, more technical certification, will better position me in my job or others.

What would you suggest? Thanks in advance for your help.

Sincerely,

Programming My Future

 

Dear “Programmer”:

The best suggestion that I have for you is not to pursue any certifications for the sake of positioning yourself in your current role or others.     The certification alone will not help you, finding an environment where your skills are valued for their unique combination is the best way to further your career.

To begin with you have a degree in Computer Science and a background in programming.   Next, you have 5-7 years of real world experience in IT Audit and you are a CISA.  On top of that, you have an interest in security, and you have a history of gravitating to more technical projects.

The combination of these skills and your interests are unique.   Your skills have a great deal of value to an organization who realizes how to utilize them and leverage them for their benefit.

Recently we have been engaged in a number of searches that are looking to find technical information security professionals to work in IT Audit environments.  The primary reason for this is that corporations are recognizing that it is critical for these two business functions to understand each other, and the key to this is to either have audit minded security professionals or technically and security astute IT Auditors.

This being said, it is good that you recognize that your lack of networking experience is a shortcoming and a potential skill gap.  My feeling would be for you to find a way to work on developing this skill and knowledge.  This could begin by reading some books on the topic, taking some vendor based training, and maybe eventually getting a certification that demonstrates and reinforces this knowledge.

If successful, this may be  2-3 year undertaking. If you begin down this road and it “does not take”, then I would suggest you refocus your energies on you’re the enhancement of your strengths – and maybe learn some new programming languages, application security, code review, or other related skills.

If you are interested in learning about some of these blended opportunities, do not hesitate to contact us at LJ Kushner (lee@ljkushner.com) . If you do so, in your e-mail please mention – Career Advice Tuesday!

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Career Advice Tuesday, Career Investments, Planning, Position Selection, Security Industry, Skills | 1 Comment 

Career Advice Tuesday– “Managing Compensation Risk”

October 16, 2012

Dear Infosecleaders:

Currently I am employed as an information security consultant with a large entity.  As part of my compensation program, I earn a quarterly bonus based upon the achievement of utilization targets and billable hours.  Our company has done well over the past five years, and my bonus has become quite predictable.  Over the course of the year, it amounts to about 30% of my base salary and close to 20% of my overall compensation.

About a year ago, one of my peers left the company to strike out on his own.  During that time, he has grown a small boutique consulting company that specializes in my area of expertise, GRC product implementation.    While I am familiar and comfortable with the person as a peer, I am not fully comfortable with him as a business owner.   He has recently made me an offer to join his team.  

The position comes with a little more authority than I currently have, alone with a flashier title  (From reading the blog, I know how much weight you put on this.)   The salary is a small increase from my current salary, but the bonus appears to be more substantial.   He has told me that, based on the corporate formula that they utilize, it could equate to about 50% of my base salary.  This would be a sizeable increase, and potentially give me additional freedoms.

There is one problem that I have; I do not fully trust that this money is going to be there.   I base this on the fact that I do not know what kind of businessperson he is and do not know if I can rely on the bonus to be there.   If it does not materialize as promised, I will be taking about a 10-15% decrease in earnings, and I risk leaving a safe and comfortable situation.

Any advice would be appreciated?

Signed,

InfoSec Actuary

 

Dear Actuary:

While your question appears to be complex, fortunately, the answers are quite simple.  By asking your potential new employer a few key questions, you will be able to figure out your answers about his business ethics, believability, and the health of the company.

Here are some easy simple steps:

1)   Before accepting the position, ask the new employer if you can speak to some of your potential peers who have been working with the company for at least three months.  During these discussions, ask these folks how their bonus has been, has it been paid, has it been paid on time, and if it was paid as stated in their offer.

This is your first line of defense.  It will provide you with at least some history in seeing if your new employer is true to his word.

2) If this checks out, then I would want you to call your new employer directly before accepting the offer.  When you speak with them, I want you to ask them to guarantee the bonus for the first six months of employment at the target rate.  In essence, I want you to ask him to treat it as salary.   Anyone in business who is adding additional people to their services team should have at least six months of visibility into their revenue stream and client base.   He should not hesitate to honor this request.  If he does, my antennae would go up.

You are entitled to request this based on the following factors that apply to your situation:

1)   You are a known commodity.   The employer sought you out.  Knows your work, and knows what they are getting.  There is huge value in this to them.

2)   The business is a small business and it is their responsibility to help you manage your risk – since you are the one that is taking a chance on them.  (As a side note, a company that has been in business for a while would not do this, and should not be expected to.)

3)   They are recruiting you.  You have a good job where you are content.  You have some leverage in this situation so use it.   All you are asking is for them to guarantee their promise.  It should be a simple request.

(Note:  As the audience reads this, understand all three factors need to apply.  Do not think you can require this of a large fortune sized entity, an established security consultancy, or a stable security product vendor.)

In closing, my best advice is to trust your gut instincts.  After these discussions, if there is something telling you not to trust the new entity, stay put.  Tell the employer you would like to revisit the opportunity in 3-6 months.   I am pretty confident that if this particular opportunity is indeed a good one, it will still be good six months from now.

Hope this helps.

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Compensation, Position Selection, Recruiting | Comments Off 

Career Advice Tuesday: “The Interview Batting Order; What Number Should I Hit?”

October 9, 2012

Dear Infosecleaders:

I know tat you are a baseball fan, so I wanted to ask a themed question now that the baseball post season is upon us.   The question I have is very simple, relates to interview mechanics and interview positioning.

From what I understand, for many senior level information security positions companies will interview between three and six people, I wanted to know if you felt that there was any advantage or disadvantage as to what order that you interview.

Some people have told me that it is best to go first, some say it is best to go last, some people say that it does not matter, I would like to know what you think.

Sincerely,

Mr. October

 

Dear Mr. October,

Very good question and one that many people have differing opinions on.   The question you ask is really, when it is the most beneficial to interview?    I am going to tell you that in the end, there is probably no real difference when it comes down to decision making, but let me give you some strategies on what could be the best mindset depending on where you sit in the order.

1) Leading Off-   If you are set up to interview first, you need to understand that you are setting the standard for all other candidates who will be interviewed for the role.   The key to going first is to go into the interview with the goal for the hiring manager to decide that you are the best candidate for the role, and cancel the others.   Although this will likely not happen, you can try your best to help them arrive at this decision, by making a memorable impression.    The best way to do this is to excel at some of the intangibles – focusing on your alignment with the company’s culture, your appearance, and your communication skills.  In essence, when you go first you will need to emphasize style as much as substance.   The reason for this, is by the end of the process the interview team may get confused because all of the candidates will have good skills, however, the sharper communicator, the candidate with the best executive presence, and the best fit with the culture will be more memorable.

2) The Middle – No one likes the middle, but I don’t think that this is a disadvantage if you have some goals going into the discussions.  To me, the goal of a “middle” candidate is to exclude the candidate or candidates who have previously interviewed.   In essence, the candidate should go into the interview with a competitive attitude, since based on the fact that there is more than one candidate, this is now officially a competition and the interviewing team by nature will compare candidates.   Once piece of advice would be to ask the interviewers questions about what qualities will make the person successful in the role, and continuing to ask questions geared to understanding the ideal fit, what is missing, and what are the key problems that need solving.   By doing this, you may be able to get the interview team to reveal some of the shortcomings of previous candidates or to describe what attributes an ideal candidate will possess.  Once you have your answers, it is your duty to demonstrate value and to emphasize your strengths in this context – effectively blowing out the competition and positioning yourself in a way where the decision should be clear, no matter who walks in the door next.

3) Hitting Clean-Up – or Going Last – I know that many people like this position, but it definitely has its drawbacks.   If you go last, and the previous candidates are strong (see above) the interviewing team may view your candidacy as a nuisance and may not be fully engaged.    However, when you go last in the interview process you have the ability to make a lasting impression and be top of mind during the evaluation process.   You also have the ability to address any of the interviewers concerns about the role and the other candidate’s deficiencies.   So, the best way to attack this interview is to combine the approach of the first two suggestions – combine both style and substance, and most of all compete!    However, there is one thing that you can do if you interview in this position, than the others, you can “Close the Deal”.   When I say “Close the Deal”, what I mean is that you can let the interviewers know that you want the job, and leave little or no doubt that if offered you will accept it.   Not that you cannot do this in the other interviewing positions (and you should), but when you interview last, it is most powerful.

There is some additional piece of mind for the interviewing team to know that they will have their position filled, after the long interview process.  By leaving the interviewers with the confidence that they are not going to leave the process empty-handed could be a huge advantage.  Everyone likes a sure thing, and if they believe that you embody that, that could bode very well in the final decision making process.

Ideally there is no right or wrong answer here. In the end, in most interview processes talent usually wins out.  But remember, that all interviews are competitive situations, and you need to be prepared to successfully compete against your peers no matter when your meetings are scheduled.

Hope this helps – Enjoy the playoffs!

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Planning, Recruiting | 2 Comments