Career Advice Tuesday- Negotiating Tips For The Unemployed (and Underpaid)

March 6, 2012

This question was taken from last week’s Career Advice Tuesday live session at Security BSides SF.

Dear Infosecleaders:

I was recently let go from my position as a penetration tester and I am actively interviewing.   During my interviews, I am constantly asked two questions – 1) Why was I let go?  2) What was I earning?

The actual answer to the first question is an easy one to answer, as there were some issues with the management of my company and the flow of information security work.   For lack of better terms, we could not sell enough work to keep me busy. 

The second question is difficult for me to address.  First of all, I believe that I was underpaid for my skills.  Secondly, I feel that if I provide any of my suitors with this information they will base their offer on this data – and leave me in the same financial situation.

Do you have any advice for how to address this?

Thanks,

D, Trump

 

Dear Mr. Trump:

Rest assured, you are not alone.

In my fifteen plus years of working in this industry, I have yet to meet an information security professional who believed that they were overpaid.  The fact that you think you were underpaid at your previous employer, places you in the majority.

That being said, without knowing the details, I cannot really comment if you are paid fairly for your skills and contributions, but I can help you with some guidelines on how to answer the question about compensation.

First of all, when you are asked this question, the most important thing that you can remember is to be accurate in your response.   Although you may not agree with the number, the facts are the facts.  In today’s world, many employers validate past compensation during a background check, so if you are grossly inaccurate in sharing these numbers, you run the risk of being denied employment.

Secondly, I would follow up the answer to the questions with a statement – letting your perspective employer know that you are actively searching for employment and are interviewing for similar positions.   When you provide this information, you can provide a range of compensation that have been associated with the job postings,

When you do this, I think that it is important to provide a range – giving a low number and a high number.  By providing a range, you give the perspective employer two things – 1) knowledge  and 2) flexibility.  The compensation range will enable your suitor to evaluate your talents and your interview based upon the numbers that you provided, and will enable them to make a judgment on your value to their organization.    In addition by giving the employer the range, you provide yourself the foundation for your final negotiation (if you are offered the role).

Let’s say that the employer offer’s you an amount towards the bottom of the range, you can let them know that although you like the position and opportunity, that you were hoping for a more competitive number that was near the middle of the range you provided.  You can even let them know that although they are not the highest offer, that their opportunity is more appealing, and if they could adjust their offer upward to be in line with the others, that you will accept their offer.

On the other hand, if in the end you only have the one offer in your possession, you may just decide to accept the offer as is, and ask the employer when your compensation would be evaluated, and on what criteria will you be judged.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Compensation, Interviewing, Position Selection, Recruiting | 1 Comment 

Career Advice Tueday “RFQ” – Request For Questions – Streaming Live From #BSidesSF

February 26, 2012

Would like the Infosecleaders community to know that I will be hosting a session of Career Advice Tuesday – “Live” – from SF Security B-Sides. The session will take place at 12:00 noon (PST) on Tuesday, February 28th.

In addition to accepting questions from the B-Sides attendees, I would like to give any Infosecleaders community members the opportunity to ask their career related questions, so that they may be shared with the audience. From what I understand the session will be streamed live from B-Sides.

Questions can included any Information Security career related topics – career planning, position selection, professional development, career investments, brand building, compensation, relationship with management– or anything else that may be appropriate.

Questions can be asked any of the following methods:

Go to the Infosecleaders Website and go to “Ask Lee and Mike”
Tweet or DM to @ljkush or @SecurityBSides
E-mail : lee@infosecleaders.com

If you would like for your question to be asked anonymously, or if you would like to create your own pseudonym (as many of you have) please feel free to do so.

Thank you in advance for your participation. If you are in attendance at either B-Sides or RSA (Booth 650), please make sure that you come by and introduce yourself.

Posted by lee | Filed Under Advice, Career Advice Tuesday, Presentation, Security Industry, Social Media | 1 Comment 

Career Advice Tuesday – “So You Want To Be the President?”

February 21, 2012

Dear Infosecleaders:

I am writing to you as my last sounding board, as I believe that I have made the decision to leave the world of “employee” for the career of “1099 information security consultant.” 

I have arrived at my decision due to the fact that I am frustrated working at my current employer.  I worked for a boutique professional services firm, where I am the only person who delivers my specific type of technical information security services – application security and code review.   All of my co-workers do a lot of policy, compliance and governance work – and my firm has a pretty large PCI practice.   

My company likes to tell its customers that we are adept at performing technical security assessments, web application tests, and code review – but in this case, in essence the “firm” is “me.”  When our sales team sells work, my phone rings off the hook.  This means that I am responsible for additional travel, RFP’s, delivery, and reports – much more than my other colleagues whose skills are repeatable and more plentiful.  Although I am unique, my compensation is not, and I do feel underpaid. 

 My thought is to start my own business, leave my current employer and offer them to use my services to their customers as a 1099.  This should enable me to earn additional monies and give me some flexibility on the projects I want to work on.  Upon completion, my plan would be to partner up with some others independent consultants, and try to find additional work.

I figure that in the end, if it does not work out, I can always get another job with a services firm similar to my current employer.

Do you have any words of wisdom for me?  I have always wanted to be the president of a company, even if I am its only employee.

Sincerely,

Mitt Santorum

 

Dear Mitt –

The first thing that I will do is to agree with you.  If you decide that you want to leave your current consulting company, to begin your own venture, you most likely will have very little risk.  If you decide after a short period of time that you do not like working as an independent, you can always go back to the work force and attempt to find a job.

However, I am going to caution you to think through your decision a little bit more thoroughly and begin to think of the bigger picture, which is your career.   A decision to leave traditional employment and enter the world of independent contracting is great, when your skills are in demand and the market is hot – but good times do not always last forever.   If you decide to take this route, you need to be cognizant of this – and make sure that you continue to invest in yourself and your career, and make sure that you remain on the leading edge of your subject matter expertise.

One thing that you may or may not be aware of is how good your skills are in comparison to the remainder of the market.  In your company, since you are the only one who does what you do, you may be the “big fish” in the “little pond.”  Your skills may only be viewed as “outstanding” because of what they can be compared to.

In order to truly be successful as an independent consultant – you have to be exceptional and unique.

Before deciding to step out on your own, my advice would be to join a firm that has an area of specialty that aligns with your core competency of application security and software review.   I would select one of the smaller boutique firms – maybe one that has between 10-30 people – who are known in the industry for their expertise in this area.     The first indication of your talent should be your success in the interview process.  These firms traditionally hold a high bar for talent, passing these obstacles with a good degree of ease, should be the first indication that you have talent.   Then, upon joining the firm  – I would treat your employment like it was your own business and incorporate all of the elements into it – delivery, customer management, and sales.

See how this goes for a year or so, and see how successful you are, in all of the stated components.   You should be able to have enough data to understand if you would be happier in this type of environment or out on your own as an independent.  At the end of this experiment, you will definitely be able to make a more informed decision about your future.

Regardless of your choice, you are always the President of your own career, and the CEO of You, Inc.

Good luck,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Planning, Position Selection, Resume, Skills | 11 Comments 

Career Advice Tuesday – “Forget the Love, Show Me the Money”

February 14, 2012

Dear Infosecleaders:

I am looking for some help in my current situation and hoping that you can provide me some guidance. 

Currently I am working as a senior information security engineer for a Fortune 1000 company.  I work for a company that has recently awoken to the importance of information security, due to a security incident a year or so back. 

At the time of the incident, I was the only information security engineer at the company, since then we have begun to hire some other information security talent to augment my efforts.   Although the additional resources have been helpful, I am still viewed as the go to person by both my CISO and some of the other business and technology leaders.    Because of this, many of the key projects fall on my plate. 

I am pulled in many different directions, work about 60 hours a week, and have been consistently told by many that I am doing a good job.   There is no shortage of love to go around, and I definitely feel appreciated.   During the year, I spoke with my CISO that the workload was getting to me, and he asked me to “hang in there” and assured me that I “would be taken care of.” 

I had no reason not to believe him, as he has always been honest with me.

The other day I was called into his office, where we had a scheduled meeting regarding my review and my compensation for the upcoming year.   During the meeting he explained to me that the company had a down year, so my bonus would not be great.  In almost the same breath, he revealed to me that my salary increase would be about 4% – slightly above cost of living.

I left the meeting disappointed and feeling both betrayed and mislead.  I was expecting my boss and the other managers who sang my praises to fight for additional compensation for me, considering the value I provided to them.     

Quite frankly, I am not looking for love any more, what I am looking for is money. 

Do you have any advice for me?  How can I get them to show their love in dollars?

Your help is appreciated,

Signed,

Infosec Romeo

 

Dear Romeo:

I can understand why you feel the way that you do.  It is clear that you take a great deal of pride in your work as an information security leaders, and that you feel that you have gone the extra mile in demonstrating both our passion and commitment to both your CISO and the other managers that you have supported.

I also understand that you had some personal expectations in terms of financial reward in terms of the personal sacrifice that you gave your employer by working additional hours and delivering results to the people who counted on you.

Feeling betrayed because they did not return the favor, is only logical.

One thing that I can tell you is that you are fortunate that your employers let you know that you are important and appreciated, however, talk is cheap.  If your account of your extra effort and results are indeed factual, then you are justified for feeling that your managers should have fought harder for you when it came time to reward your performance monetarily – in terms of both your bonus and your raise.

That being said, here is some advice that you may find useful:

First of all, you mentioned that your information security organization is not that mature and that information security has not figured prominently until a little more than a year ago.    When organizations are in this transition phase, one of the things that usually lags in compensation for its staff members.    This is probably one of the reasons that the new members of your information security team have not significantly reduced the workload placed on you.  While your fellow workers are probably competent  – they probably represent the best that your company could afford, not the best available talent.    This is an organizational and human resources issue – that cannot be fought by one person, but you have the ability to help influence this by how you address your situation.

I would tell you that you should set up a meeting with your manager, and let him know in advance the subject of your meeting is your disappointment about compensation.   Prior to the meeting, I would spend some time and write down all of the accomplishments that you have had in your role over the past year.    In addition to this, I would pull all e-mails from either your boss or the other managers that have sung your praises over the past year.    What I would also do, is put together your interpretations of the business impact made by your contributions.

During the meeting, I would let your manager know that the praise was appreciated, but that your skills have a great deal of market value outside of the company.  You can share with your employer that you have turned down countless overtures from recruiters and other companies in the area, promising bigger roles and more money, based on the promises that you would be “taken care of” for your efforts over the past year.    You can also share with your boss that you were counting on the bonus and the increase, and were personally let down and hurt by this decision.

I would let your boss know that you do not regret your decision to stay, because you accomplished a great deal, that you enjoy working at the company, and that you have been building marketable skills.   However, you should let them know that you would hope that they may reevaluate their decision about your compensation and assess your skills versus the market.  (Before you do so, make sure that you know the answer, and that you are paid either “at” or “below” your market value. )  You may ask them to do a market study of what it would take for them to refill your position and contributions if they had to replace you.

Ask your manager if you could meet again in a about a week or two (not longer) and ask them to reconsider their stance on both compensation components.

Taking this tact will allow you to speak your mind in a non-threatening situation.  At no point do your threaten to quit or leave – but you imply that you have had other opportunities, have developed marketable skills, and that it may cost significantly more to replace you.   You have allowed your employer and your manager to make  a business decision based on fact and value, not based on threat and emotion.

Hopefully this will help you and your employers will realize that they have made a mistake in judgment.

When they do, make sure that you “Show them the love,” when they “Show you the Money”.

Hope this helps,
Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Compensation, Recruiting, Security Industry, Skills | 1 Comment 

Career Advice Tuesday – “Timely Disclosure”

February 7, 2012

Dear Infosecleaders:

I have a specific question regarding my personal situation.  I am an information security professional and I am currently working in the US on an H1-B Visa.   I have recently grown dissatisfied with my current company and I am looking for new challenges.

From listening to my colleagues (also working on H1-B Visa’s) discuss their personal information security job search experiences, I have learned that many companies are unwilling to sponsor or transfer the sponsorship of candidates working on H1-B Visa’s due to corporate human resources policy. 

What I wanted to ask you, was when should I reveal my work status to perspective employers?  My feeling is that I should wait until I am deep in the interview process, so that they can judge me for my skills and not work status.  Am I wrong to think that with the right skills, I can convince a company to change their policies.

Signed,

“Temporary Resident”

 

Dear “Temp Res”

I will be the first person to tell you that I am not an expert on H-1 B and Visa issues.  However, over the course of my career I have worked with many candidates who have had to face this issue at some point during their recruitment process and their careers.

Basically, when we work with clients looking for talent, they fall into two distinct categories, those who are willing and equipped to sponsor candidates, and those who are unwilling to do so.  In my years of doing this, while I have seen many instances where clients who were willing to sponsor candidates, decide that they no longer would, there has only been one instance where I have witnessed a client augment their policy to enable a candidate to be sponsored.  In this situation, the candidate was a noted authority on a specific subject matter, had written books on the topic, and the CISO was fully empowered to make this exception.  When they did apply for the exception, the CISO had to make a business case and the exception had to be approved by the corporation’s global head of human resources.

With this in mind, my best guidance for you would be to reveal your work status at the onset of the interview process, and that you will require sponsorship.  I believe this for two key reasons – the value of time and integrity.    Plain and simple, timing is a key element of any interview process.  If you find yourself focusing on opportunities that cannot come to fruition (based on a known factor), then you may be distracting yourself from opportunities that could be both interesting and possible.   I also think that for candidates in your situation it is important to join companies that have hiring processes that embrace employees who are not US Citizens.  Companies that have cultures that encourage this type of hiring, often are more knowledgeable of these issues, are more supportive in the Green Card process, and have employees in leadership positions that have been through this very same process.

In addition, as an information security professional you are often judged on integrity, honesty, and openness.  Failing to inform a prospective employer of your work status, may be considered a form of misrepresentation.  I use the work “may”, because, like in all processes, you are at the whim of the opinions of the decision maker or makers.   Letting everyone know at the onset that this is a potential issue, enables the prospective employer to plan accordingly, budget the necessary costs, and engage the proper internal parties.   By doing this, you set the foundation for a future work relationship, by letting your future employer know that sponsorship is an important issue for you, and a critical component to your future career.

Again, there are many more experienced in these matters, so please treat my response that way.   Independent, I do know that no one ever lost an opportunity for being too honest and forthcoming!

Hope this helps,

 

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Personal, Position Selection, Recruiting | 1 Comment 

Career Advice Tuesday – ” Noone Will Come Work For Me”

January 24, 2012

Dear Infosecleaders:

My question comes from a different angle than most of the questions that you address on your blog – I am an information security leader, and I have been trying to hire some key technical information security engineers for my team, and I have not had much luck.

I have been looking for these positions for close to six months, and the only thing that I have to show for it is three rejected offers of employment and a good deal of wasted time.  The candidates have rejected our offers for a variety of reasons:  compensation, expectations associated with the position, and one of the candidates never every responded to the offer. 

I think that my internal recruitment team has written the positions off and we do not have any budget to hire external search firms to help locate this talent.  I have posted these roles on internet websites, and I can not tell you how many resumes we have received which do not nearly resemble the skill combinations and experience which I outlined in the job description.

I guess I would like to know if you have any advice for me.  We are committed to hiring the right people for the roles, but I am at the point that I will settle for someone with a pulse and some passion.

Is there any advice that you can share with me to help me solve this issue and hire some future information security leaders.

Signed,

Looking for Mr. (or Ms.) Goodbar?

 

Dear Info Sec Leader:

There is no simple solution to hiring the correct talent for your information security team.  It appears from your note that you are resource constrained on many levels – compensation, internal support, and external budget.  Although these are substantial obstacles to overcome, they are not insurmountable.

The first thing that I would do would be to look at your job description, and determine which skills are absolutely necessary to perform the position that you are looking to fill.  Sometimes job descriptions are filled with a good number of “nice to have” bullets, and they overshadow the “need to have” requirements.   It is logical that the candidates that you have been interested in have a good amount of the experiences that you request,  but your budget simply cannot afford that level of resource.

What you should do is to winnow the amount of experience down to the skills and experience to reflect a level that you can actually afford.  You should understand that it is one thing to attract candidates, hiring them is completely different.    If you lessen some of your requirements, and require that candidates who lack certain experiences make up for it by displaying “passion” and “drive”, during your interviews, you should be able to locate a candidate that you can afford.

When you design a position to inspire professional growth and career acceleration, you will generally attract candidates who have a high level of motivation and professional pride.  So, what they lack in experience, they will make up in aptitude and “passion”.  It will be important that you screen for these intangibles in the interview process.   Constructing your position in the matter will truly turn it into an “opportunity” as opposed to what your past candidate pool has viewed it as; “a job.”

As far as building your relationships with human resources and your internal recruitment team, my suggestion would be for you to schedule some time to reengage them and start anew.  During this time, you may be able to educate them on your new requirements, provide them some good screening questions, and adjust some of the elements of the job description to reflect less experience and more passion.  You can accomplish this by screening the candidates for things that reflect this, like conference attendance, industry involvement, and logical career investments.   I would then educate them on potential sources in your market for these skills, so that they may be able to do better in pre-screening resumes.   Try to schedule a weekly meeting with them to both provide status on their efforts, and to give them a regular opportunity to ask questions.    The more that you engage them in the process, the more they will want to help you.

Although you cannot use external agencies, you can still post the position on internal and external websites.   In posting the position, try to do so in a way that reflects the type of career opportunity that is available and the candidate profile you are attempting to attract.   I would use words that could possibly encourage more affordable and slightly more junior candidates to respond.  A good exercise would be to think back of your career, and think about the things that would attract you to a role like the one that you are offering.   When the candidate eventually comes to the interview, utilize these examples as selling points as to why this role will benefit their professional development and their career as an aspiring information security leader.

Feel comfort that your experience is not unique.  Do the best you can with what you have, and keep your expectations realistic.

Hopefully this helps, and you will fill your roles in the next 30 days.

Sincerely,

Lee Kushner

Posted by lee | Filed Under Advice, Career Advice Tuesday, Interviewing, Leadership, Recruiting, Security Industry, Skills | 2 Comments 

Career Advice Tueday – “Getting Past the Gate-Keeper”

January 17, 2012

Dear Infosecleaders:

I have recently applied for a position that I believe will advance my information security career.  In submitting my resume via the company’s internet posting, I tailored many of my accomplishments directly to the criteria of the position description.   I have to admit that I am a very skilled wordsmith, and may have taken some liberties in the description and the scope of the work that I have performed.

For example, I often serve as a team lead and project manager for technical engagements, but I have never managed people directly.  The role that I am applying for has direct reports.   Also, the position description calls for an understanding of some specific information security tools that the company uses – like data loss prevention and GRC compliance software.  While I have experience with these concepts and similar tools, in depth knowledge and experience with these particular tools has eluded me.    Finally, the position calls for the ability to travel 50% of the time.    I am really not interested in this amount of travel, but I have a friend that works there and she told me that she does not travel any more than 25%.

I am now scheduled to have my first conversation for the interview, a phone conversation with the human resources/internal recruiter – given the things that I have shared with you, do you have any advice on how I should handle her questions?  I know that she is going to read the JD verbatim, and ask me questions where my answers may exclude me from consideration.

I really want a chance to speak to the hiring manager and fellow info sec professionals in the group, to articulate my experiences and demonstrate that I have what it takes to be a viable candidate for the role.

Any words of advice.

Sincerely,

Michaele Salahi

 

Dear Michaele:

I would like to provide you with some advice that is two-fold for your exact situation.    First, is that some of the deficiencies that you have pointed our in your skill set may be deal breakers with the resident information security leader, so please tread carefully in your presentation in the skills that you have to offer.  There are many items in a job description that are truly requirements of a position, and no matter how great your ambition or creative your presentation, you may have to accept that your skills are going to fall short of expectations.

For example, the role may really need someone who has strong people management skills, which is not found in a “team lead” or “project manager”.  The utilization and knowledge of specific tools may be a success factor in the role, and although your friend only travels 25% in their role, this position may require double that amount of travel.

All that being said, I agree with you 100% that the decision should be placed in the hands of the hiring manager and not the internal recruiter/human resources professional.   Ideally, the Infosecleader and hiring manager are the ones that best understand their needs, and no matter how adept their level of communication, something get lost in translation – specifically granular job requirements.

You should understand that this misunderstanding is not the fault or responsibility of the internal human resources/recruiter, as it is nearly impossible for someone who works in a general capacity, to understand the nuances of what it takes to understand the specific nature of the role that you are pursuing.  However, there are certain elements of the role that HR will understand – the company’s definition of a “Manager”, the importance of specific tool knowledge (although they may not be able to make the jump from tool (i.e. Checkpoint) to concept (Firewalls)), or the amount of travel.

Independent, after doing my job for 15 years, I am of firm belief that it should be every information security professional’s goal to get to the decision maker during an interview process.  This is where your “sales skills” should come into play.   My advice for you would be to engage the internal recruiter, and leave them with enough confidence from your discussion to move you forward in the interview process.

This will enable you to get the real answers to your questions and demonstrate your level of competence to a knowledgeable party who has the ability to make an evaluation of your skills.   When you do get to that level of the interview, you have a responsibility to make it clear to the hiring manager, what your true capabilities are as it relates to the job requirements that they articulate during your discussion.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Recruiting, Resume, Skills | Comments Off 

Career Advice Tuesday – “Three Experiences – One Resume”

January 10, 2012

Dear Infosecleaders:

I am embarking on a job search and I am looking for some help.  My first ten years of my information security career has placed me in some interesting environments – serving as a technical information security engineer, working as an information security professional services practice in the area of risk and compliance, and working as a pre-sales engineer for a large information security product vendor. 

The truth is, I have enjoyed all of these three roles, and I am interested in a wide variety of opportunities.  I feel that my experience and versatility is a good thing, and it allows me to investigate many different career paths.

The question that I have, relates to my resume.  Do you have any advice for me on how to craft my resume – to both illustrate my versatility and breadth of experience, and to accurately align my skills and qualifications simultaneously with different opportunities?

Sincerely,

Ralph Furley

 

Dear Mr. Furley:

Good for you for having three unique and successful career experiences at this point in your career.  I can only imagine that you have developed and maintained a set of skills that include technical expertise, customer skills, and persuasive communication and presentation skills.

If my assumption is accurate, you are correct that these skills are in high demand and will appeal to many diverse environments.    Since you will be applying to roles in these different types of environments – I will make two suggestions regarding your resume –

The first being that you can write three separate resumes – one tailored to internal information security engineering roles, one tailored to professional services/consulting opportunities, and one tailored to pre-sales opportunities.    If you decide to go this route, what I would do, would be to keep the qualifications of the position you are applying for in mind, as you create each resume and highlight the skills that you have acquired in your three different roles.    Ideally, each resume will have a “theme” to it, which will align with the specific role that you are attempting to pursue.

For example, if you apply for an internal technical information security position,  I would make sure that you make your bullets from your sales engineering role are technical in nature.  I would try to find a way to point out the depth of your technical skills in the context of that role.

The second option that you can have would be to utilize the same resume, but to write three unique objective statements that can align with the types of roles that you are applying for.   What I would do in each of these statements, would be to allude to the facts that your diverse experiences has provided you with unique perspectives on how information security problems are solved – from an internal perspective, from an external perspective, and with the aid of information security products.      By demonstrating these three different perspectives in the body of your resume, and associating your skills with each of your three roles, should create a consistent overall theme.

In closing, having three diverse experiences and perspectives as an information security professional is a very good thing, and provides you with a great foundation

The combination of a well-written resume, and an astute employer who can connect the dots, should provide you with access to many roles that could serve as a springboard to the next stage of your information security career.

Good luck in your job search,

Lee Kushner

Posted by lee | Filed Under Advice, Career Advice Tuesday, Planning, Position Selection, Resume, Skills | Comments Off 

CAT – Clearing Some Things Up – Advice and Predictions for 2012

January 3, 2012

Recently, I was cited in an article for Search Security , where I was asked about my opinions for the information security industry employment market for 2012 .   I will say that the author did not misquote me at all, however, upon reading the article I felt that it was necessary to clear up some things that I found inaccurate – and I wanted to make sure that the Infosecleaders.com audience knows exactly where I stand on the topics covered.

Here are my thoughts:

While I agree that Mobile Security is going to be an information security skill in demand, I do not believe it is the only skill that companies will look for in 2012.   Have no fear – companies will still have a high level of demand for knowledge in the areas of Cloud, GRC, SIEM, DLP, PCI, Software Security, Identity Management, and overall IT Risk Management.  In addition, while I do believe that it is a good idea to have a blend of technology and business skills, there is still a very strong market for information security professionals that have hard core technical skills – and that should never be forgotten or overlooked.  The technical information security professionals with developed knowledge and enterprise experience in securing networks, operating systems, applications and databases will do just fine as well.  Also, all of the penetration testers out there can sleep easy your skills will still be needed and remain in demand.
Below you will find my biggest objection – and probably the information that I find to be the most inaccurate.

Here are my disclaimers -

I would like to state that I do not personally know Mr. Snyder, nor have I had any dealings with him.  

I have read his securityrecruiter.com blog on a number of occasions, and I find his perspectives to be both unique and entertaining.

To my knowledge, Mr. Snyder and my firm do not compete within any of my recruitment customers, and although we are in the same profession and industry, our paths do not seem to cross, except when quoted in articles about information security careers.

As per the author of the Tech Target article – please find a quote from Mr. Snyder -

“When companies are using a search firm to fill a position, then they’re going to usually expect that a candidate’s going to have industry experience,” he said. “In other words, if it’s a bank, they want someone who’s coming out of a bank; if it’s a retailer, they want someone coming out of retail; and if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.”  – Jeff Snyder

The Accuracy

The main point of the quote is accurate.  When companies are looking to find information security leaders, independent of the source, they ideally would like to locate people who possess applicable industry knowledge.  This is generally one of the core criteria of an information security leadership or CISO level search.

Like Mr. Snyder points out – a retail organization would ideally like to hire an information security professional who understands the information security challenges that a retail business faces and who has experience solving those problems.   You can apply the same logic to industries that include health care, high technology, manufacturing, financial services, media and entertainment, and any other business.

The Inaccuracy -

Mr. Snyder’s quote infers that a company has more stringent requirements when they engage an executive search firm.   His statement that  ” …..if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.”  - can be interpreted in a way that leads information security professionals to believe that they can afford to be less qualified, if they decide to apply for positions on their own – and not through an executive search firm.

THIS IS DEAD WRONG

First of all, the decision to engage an executive search firm is generally based on a company’s desire to insure that they get access to a qualified candidate pool in a time efficient manner.  The business decision to engage a search firm is the same type of decision making methodology that can be applied to engaging a professional services firm to provide a service that the company does not believe that they can perform effectively with internal resources.  The budgets for engaging executive search firms either come from a general corporate budget or from a specific business unit who can justify the value and the return on investment for the cost associated with the search firm’s fee.    In addition, the amount of the search fee does not have any impact on the compensation offered to the candidate.

Mr. Snyder is correct in his inference, that when companies engage an executive search firm, they are expecting to get value for their dollars.  This will take the form of, industry intelligence, compensation data, a professionally managed recruitment process, and eventually the placement of a successful candidate to fill the duties of the information security leadership role.   In exchange for money, the companies are going to expect an executive recruitment firm to deliver a candidate who is going to match the key criteria that they have outlined for the position.

Just like anyone who pays for a service, companies who engage executive search firms have the right to have realistic expectations of competence and results when retaining them to help fill a position.  However, in my 15 years of experience, I have never witnessed a situation where a company that is committed to recruiting the correct information security leader, will agree to hire a less competent candidate, solely because they were introduced to them directly, and not through an executive search process.

In 2012, and in the future, completion for Information Security leadership roles is going to intensify,  Companies are going to continue set the bar high for finding the correct  talent match, no matter what method they select to recruit for these positions.  In addition, the more influence and importance that an information security role has to an organization, the more detailed the requirements will be and the more demanding the interview process.

To all current and aspiring information security leaders, for 2012, I am urging you to take a proactive approach to developing a career plan, honing your skills, investing in yourself, and make wise choices about selecting the right positions to help accomplish your career and life goals.

Happy and Healthy New Year,

Lee Kushner

 

 

 

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Leadership, Recruiting, Security Industry, Skills, Uncategorized | 1 Comment 

Career Advice Tuesday – “Infosec Leaders Need To Be Good Recruiters”

December 27, 2011

Today I am sharing an article that we wrote that appeared in Tech Target’s Infomraiton Security Magazine.  The topic focuses on life on “The Other Side of the Desk”- becoming an effective recruiter in the building of your information security team.  The article scratches the surface of some important attributes that all solid information security leaders should possess in the acquiring the necessary talent in order to provide them with a better chance of success.

The original article was edited by our frien Michael Mimoso at Tech Target.

The article can be found here – http://tinyurl.com/6q8k8gk

Happy New Year,

Lee and Mike

Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Career Advice Tuesday, Interviewing, Networking, Recruiting | 5 Comments 

« Previous PageNext Page »