October 16, 2012
Currently I am employed as an information security consultant with a large entity. As part of my compensation program, I earn a quarterly bonus based upon the achievement of utilization targets and billable hours. Our company has done well over the past five years, and my bonus has become quite predictable. Over the course of the year, it amounts to about 30% of my base salary and close to 20% of my overall compensation.
About a year ago, one of my peers left the company to strike out on his own. During that time, he has grown a small boutique consulting company that specializes in my area of expertise, GRC product implementation. While I am familiar and comfortable with the person as a peer, I am not fully comfortable with him as a business owner. He has recently made me an offer to join his team.
The position comes with a little more authority than I currently have, along with a flashier title (from reading the blog, I know how much weight you put on this). The salary is a small increase from my current salary, but the bonus appears to be more substantial. He has told me that, based on the corporate formula that they utilize, it could equate to about 50% of my base salary. This would be a sizeable increase, and potentially give me additional freedoms.
There is one problem that I have: I do not fully trust that this money is going to be there. I base this on the fact that I do not know what kind of businessperson he is and do not know if I can rely on the bonus to be there. If it does not materialize as promised, I will be taking about a 10-15% decrease in earnings, and I risk leaving a safe and comfortable situation.
Any advice would be appreciated.
While your question appears to be complex, fortunately, the answers are quite simple. By asking your potential new employer a few key questions, you will be able to figure out your answers about his business ethics, believability, and the health of the company.
Here are some simple steps:
1) Before accepting the position, ask the new employer if you can speak to some of your potential peers who have been working with the company for at least three months. During these discussions, ask these folks about their bonus: has it been paid, has it been paid on time, and was it paid as stated in their offer?
This is your first line of defense. It will provide you with at least some history in seeing if your new employer is true to his word.
2) If this checks out, then I would want you to call your new employer directly before accepting the offer. When you speak with them, I want you to ask them to guarantee the bonus for the first six months of employment at the target rate. In essence, I want you to ask him to treat it as salary. Anyone in business who is adding additional people to their services team should have at least six months of visibility into their revenue stream and client base. He should not hesitate to honor this request. If he does, my antennae would go up.
You are entitled to request this based on the following factors that apply to your situation:
1) You are a known commodity. The employer sought you out, knows your work, and knows what they are getting. There is huge value in this to them.
2) The business is a small business and it is their responsibility to help you manage your risk – since you are the one that is taking a chance on them. (As a side note, a company that has been in business for a while would not do this, and should not be expected to.)
3) They are recruiting you. You have a good job where you are content. You have some leverage in this situation so use it. All you are asking is for them to guarantee their promise. It should be a simple request.
(Note: As the audience reads this, understand that all three factors need to apply. Do not think you can require this of a large Fortune-sized entity, an established security consultancy, or a stable security product vendor.)
In closing, my best advice is to trust your gut instincts. After these discussions, if there is something telling you not to trust the new entity, stay put. Tell the employer you would like to revisit the opportunity in 3-6 months. I am pretty confident that if this particular opportunity is indeed a good one, it will still be good six months from now.
Hope this helps.
October 9, 2012
I know that you are a baseball fan, so I wanted to ask a themed question now that the baseball post season is upon us. The question I have is very simple and relates to interview mechanics and interview positioning.
From what I understand, for many senior level information security positions companies will interview between three and six people. I wanted to know if you felt that there was any advantage or disadvantage to the order in which you interview.
Some people have told me that it is best to go first, some say it is best to go last, and some people say that it does not matter. I would like to know what you think.
Dear Mr. October,
Very good question and one that many people have differing opinions on. The question you are really asking is: when is it most beneficial to interview? I am going to tell you that in the end, there is probably no real difference when it comes down to decision making, but let me give you some strategies on what could be the best mindset depending on where you sit in the order.
1) Leading Off – If you are set up to interview first, you need to understand that you are setting the standard for all other candidates who will be interviewed for the role. The key to going first is to go into the interview with the goal of having the hiring manager decide that you are the best candidate for the role and cancel the others. Although this will likely not happen, you can try your best to help them arrive at this decision by making a memorable impression. The best way to do this is to excel at some of the intangibles – focusing on your alignment with the company’s culture, your appearance, and your communication skills. In essence, when you go first you will need to emphasize style as much as substance. The reason for this is that by the end of the process the interview team may get confused because all of the candidates will have good skills; however, the sharper communicator, the candidate with the best executive presence, and the best fit with the culture will be more memorable.
2) The Middle – No one likes the middle, but I don’t think that this is a disadvantage if you have some goals going into the discussions. To me, the goal of a “middle” candidate is to exclude the candidate or candidates who have previously interviewed. In essence, the candidate should go into the interview with a competitive attitude: since there is more than one candidate, this is now officially a competition, and the interviewing team by nature will compare candidates. One piece of advice would be to ask the interviewers questions about what qualities will make the person successful in the role, and to continue asking questions geared to understanding the ideal fit, what is missing, and what are the key problems that need solving. By doing this, you may be able to get the interview team to reveal some of the shortcomings of previous candidates or to describe what attributes an ideal candidate will possess. Once you have your answers, it is your duty to demonstrate value and to emphasize your strengths in this context – effectively blowing out the competition and positioning yourself in a way where the decision should be clear, no matter who walks in the door next.
3) Hitting Clean-Up – or Going Last – I know that many people like this position, but it definitely has its drawbacks. If you go last, and the previous candidates are strong (see above), the interviewing team may view your candidacy as a nuisance and may not be fully engaged. However, when you go last in the interview process you have the ability to make a lasting impression and be top of mind during the evaluation process. You also have the ability to address any of the interviewers’ concerns about the role and the other candidates’ deficiencies. So, the best way to attack this interview is to combine the approach of the first two suggestions – combine both style and substance, and most of all compete! However, there is one thing that you can do better in this position than in the others: you can “Close the Deal”. When I say “Close the Deal”, what I mean is that you can let the interviewers know that you want the job, and leave little or no doubt that if offered you will accept it. Not that you cannot do this in the other interviewing positions (and you should), but when you interview last, it is most powerful.
There is some additional peace of mind for the interviewing team in knowing that they will have their position filled after the long interview process. Leaving the interviewers with the confidence that they are not going to leave the process empty-handed could be a huge advantage. Everyone likes a sure thing, and if they believe that you embody that, it could bode very well in the final decision making process.
Ultimately there is no right or wrong answer here. In the end, in most interview processes talent usually wins out. But remember that all interviews are competitive situations, and you need to be prepared to successfully compete against your peers no matter when your meetings are scheduled.
Hope this helps – Enjoy the playoffs!
September 12, 2012
Currently I am at the end of a job search. The interviews have gone great, I really like the company, and I am on the verge of becoming a CISO for the first time in my career. For about 95% of the process, I have been on “Cloud Nine”.
Unfortunately, my process may have hit a snag, and I really need your advice to potentially avert a catastrophe.
On the company’s application they asked me to list my current professional certifications. I listed my CISSP and my CISA, which I know are current, but I also listed a couple of technical information security certifications that I received earlier in my career. My assumption was that these certifications were current.
I received a call the other day from the background check company asking me to provide some proof of these certifications. I did some checking, and I do have the actual certificates; however, during my discovery I learned that these certifications have definitely expired.
Here is my issue: technically, I have misrepresented myself on the background check form, which I know speaks to my credibility. At the same time, these certifications are not even applicable to my hiring or the qualifications that this information security leadership role requires.
Do you have any advice on how I should handle this situation, to preserve this opportunity? On one hand I want to come clean and let them know of my oversight; on the other hand, since these certs are secondary, they may not even be verifiable, which would mean I would draw attention to something that will be irrelevant.
If you could let me know, that would be great.
My advice is simple but it is two-fold. It will be short but sweet.
First of all, “tell the truth”. What you need to do is to get in front of the story and let them know that you made a mistake and want to bring it to their attention. You can let them know that your assumption was that these certifications were granted for life, and to your knowledge you did not need to renew them. If they question your sincerity, you can point to both your CISSP and your CISA, which are both current and in good standing, to demonstrate that renewing your certifications is a standard operating procedure for you. In addition, the fact that you can produce the actual certificate as proof will at least demonstrate to your new employer and their background check company that you did actually achieve the certification and your initial statement was indeed accurate.
Secondly, whenever you speak about this, and to whomever you discuss it with, make sure that you do not make this a “big deal”. You should not send e-mails, or contact the senior members of the interview team – you should just deal with the background check company – and should do so via the phone, so that nothing can get forwarded to people with decision making authority for your hiring, who may have dogmatic views about this violation/oversight.
If you make it a big deal, it looks like you are attempting to cover it up and you got caught. If you treat it as just an honest mistake, you may get them to overlook it altogether; it will most likely become a footnote and not even become an issue.
What can be learned from this is that when filling out an application, less is more. Only include things that are essential and that you know you can verify. If you cannot be 100% accurate, omit it; you can always complete it at a later date.
Hope this helps and it works out for you.
August 14, 2012
I have been working in the IT industry for many years and have been dabbling in the Information Security realm for about 5 years now, but am having a hard time getting the experience I would like.
I was recently asked by a friend to help with a side job which required a Security Assessment to be performed. I have never had to perform a Security Assessment so I am a little hesitant making the jump because if I accept the assignment, I want to do it correctly.
I’m not one of those guys that will take the job if I do not believe I can perform it correctly. I do not want to be put in a position where I do a crappy job due to the fact that I do not know what I am doing.
How do I get the experience I would like, so I can take “jobs” like this one with confidence? I have a good reputation and I want to keep it that way.
I would be grateful for any advice you could give.
“Biting Off More Than I Can Chew”
Dear “Big Mouth”:
I agree with your sentiments. You only have one reputation and anything that you do that detracts from your reputation will only stay with you through the course of your career. In the end, your work is a reflection of you, and it eventually will define you and become your “brand”.
I give you a good deal of credit for having the integrity to know that this position may be beyond your scope of knowledge and “more than you can chew” at this point in your career.
I can offer you a couple of different options –
1) I would ask your friend if they would be open to “sub contracting” the assignment to someone that you trust. If they say that is OK, what you could do is ask around your network or on Twitter if anyone is interested in a consulting assignment – with the caveat that if they take the job, they will let you shadow them on the assignment and teach you. This could be the best way to get practical experience – in essence you can learn, and someone else would get the revenue from the assignment. This would be viewed as quite an even trade!
2) Another option would be to get formalized hands on training. Now, I do realize that if you did take training, you would not be ready for this current assignment – however, with some foresight this could possibly give you the confidence to know that you would do a good job the next time that you get the opportunity to perform this type of work.
The key to this is to get “hands-on” training – not just some certification – that will give you the confidence that you will do the job correctly. Understand that you are doing this for yourself, not for someone else who is evaluating the value of the certification and utilizing that to judge your competency. In this case, you need to overcome your fear of failure – practical experience, even in a training or lab environment, should enable you to simulate a real world “assessment”. It may not be live – but it is the next best thing.
With the right training, you should be able to do a “good job” on future assessments, and when you do, you can be sure that you will get additional opportunities to practice your craft.
Hope this helps,
July 31, 2012
For the past two months I have been in the middle of an interview process, for what I believe to be a pretty senior role. The role was a promotion from my current duties, and it was to provide me with a larger team of people, a bigger scope of responsibilities, and a larger compensation package.
During the interview process, I confirmed that the scope of the role was larger with both the hiring manager, and the hiring manager’s manager. This was confirmed both on the phone and via e-mail. I also had detailed discussions with the human resources person at the onset of the interview process about my compensation requirements and what it would take for me to give up my current role (where I am quite happy). I received assurances that this would not be an issue.
Well, I finished the interview process and the offer was incredibly disappointing. First of all, the role on the offer was for a lower level (similar to my current job) and the compensation was 20K less in salary than I requested.
The hiring manager told me that I should “trust them”, and they just had to smooth things over with the incumbents before they made the announcement. They also blamed the whole compensation thing on the HR team, stating that “they’d see what they could do”, but could not go much higher than the initial offer.
Do you have any advice for me? Should I trust them? I feel so deflated as this was a job that I saw as the next step in my career and I feel that I have been “bait and switched” and taken for a fool.
Dear “Cadillac Man”:
Beware: if you take this job, you are going to get a “Clunker”.
There is absolutely no excuse for two hiring managers to tell you something in writing about a position, and then not be able to back it up in writing and in an offer. The concept of “Trust Me” should be applied to minor details of a job offer – like a work at home policy, or extra vacation – but for something as important as the core reason that you were interested in the job, NO WAY!
Secondly, think about the organization that you are heading to. The hiring manager blamed the HR person. Whether that is true or not, this is very telling of their personal style and the corporate culture you will be heading into.
At this level of a search, if you were a key hire being recruited for a “Senior” role, then compensation should be something that can be worked out if both sides are reasonable. Without having the details, maybe a request for 20K more than they offered was a bit aggressive – but I would figure that they would have taken a much different approach.
Also, at this level, if they really want you and you really wanted the job, this process of compromise would be easy.
The translation of their offer is as follows:
We liked you a great deal. We feel that you would be good for the role/level where you are currently performing at (at your other company). We do not mind paying you a little more to do that role at our company. It is possible that you will have the ability for a larger role, but it will not be on DAY ONE! You are welcome to try out for that role once you are an employee and prove yourself in our organization.
However, they have elected to be dishonest with you and try to sway you otherwise. I can assure you that if you accepted the offer to work for this company, that this would not be the last of the unwelcome surprises.
Hope this helps,
July 24, 2012
Currently I am a Chief Information Security Officer at a medium size company. About a month ago, I engaged in an interview process to be a CISO at a much larger company, and I was offered the position. The role was quite appealing, but after some deliberation with my family, we decided that the location was not going to be right for us, so I called the hiring manager (CIO) and told them that I would have to decline.
He understood, but he was obviously disappointed and a little frustrated.
Well, time has passed and I just can’t seem to get the opportunity out of my head. I really think that it was a very good career move, the money was good, the relocation package was solid, and my husband has become more receptive to the idea, finding certain elements of the location that would appeal to him both personally and professionally.
My question to you would be how could I reengage them? Is it possible? Have I ruined my chances?
“On Second Thought”
Dear “Second Thought”:
The answer to your question is – “No, you have not ruined your chances” and “Yes, it is possible to reengage them, and due to the reasons that you provided, and the way you have handled it (as stated), it may be welcomed.”
How you reengage them is important, so here are some steps to follow:
1) Inform your source of introduction. If you worked with a recruiter, you need to let them know, as they may have some more knowledge on the current status of the search. They also may be able to get a better feel for how the company really felt about your original decline of their offer.
2) Call the hiring manager directly. I am a big believer in going to the source. The fact that you called the hiring manager to decline the offer should work to your advantage this way, as it created a communication channel. When you call them, make sure that you explain to them that the reason for changing your mind is that your family is now receptive to the move, and that was the only reason you declined the role in the first place. Explain to them why your family has come around, and you can include something like: “My husband knew that I wanted this job, and it is all that I have talked about since I declined. He is fully supportive.”
3) Do not renegotiate anything: You lost this privilege when you declined the offer, so do not even attempt to do so, as this will take away all good feeling. (Conversely, if they contacted you to reengage, you may have some leverage – but in this case you don’t.)
4) Give them a quick start date. Let them know that you could be out there in three weeks or less. This will show them you are serious, and ready to go.
Many of the best career decisions have been the result of an extended decision-making process. Give yourself some credit for rethinking your original decision.
Let me know how it turns out. Hope this helps.
July 23, 2012
As always, I am very excited to be heading out to Las Vegas for the Black Hat Briefings and Security B-Sides. Having been to every Black Hat Briefings (as either an attendee, a presenter, or just hanging out) does make me feel older; however, catching up with people whom I have worked with throughout their careers, on their way to achieving their professional goals, is truly a great personal pleasure.
Black Hat and B-Sides also provide a great opportunity to meet new people, which is one of the best things about my profession. While there aren’t any presentations on my agenda, I am going to be at Caesar’s from Monday – Friday, and will most likely be at B-Sides on Wednesday morning.
If anyone in the Infosecleaders community would like to say “Hello”, talk about their career, or ask a question, either send me an e-mail (email@example.com or firstname.lastname@example.org) or send me a DM on Twitter (@ljkush) and I will try my best to get together and spend some time.
If you have my mobile, feel free to call – just remember, not that early!
PS. Career Advice Tuesday will return this week. I will post three new CATs this week, to make up for the ones I recently skipped while enjoying some time away with my family.
June 26, 2012
I am in the middle of an interview process and I am looking for some guidance.
I was approached about an opportunity from a past co-worker, about joining his new company. The role that he approached me about was basically similar to my current role as a GRC consultant, but it was a bit different. My friend’s new company paid about 10% more, had better benefits, provided more training budget, and would allow me to travel less. When I first learned about the opportunity, I was quite excited, and I felt that this would be the best of both worlds.
For the past three weeks I have been going through a series of preliminary interviews that have all gone reasonably well. The interviews have tested my expertise and have provided me with opportunities to ask questions. The answers to my questions have been consistent, and nothing that I have learned has been negative. Based on my performance and my friend’s recommendation, the company has invited me out for an in-person interview.
Initially, I consented to go on the interview, but I am now second-guessing my decision making process. After giving greater thought to the opportunity, I have come to the conclusion that there is nothing truly unique about it. It is essentially the same job, in a smaller environment, but my responsibilities will almost be the exact same.
At this point I am thinking about changing my mind and not going out to the interview. What do you think about this? Do I have anything to gain by getting on the plane?
Dear “Window Seat”:
My advice is to definitely get on the plane, and here is my main reason:
You have absolutely nothing to lose and everything to gain. In essence, you are playing with house money. (Well, the only thing you have to lose is a vacation day – and the assumed risks associated with air travel.)
First of all, you have already participated in the new employer’s part of the interview process, and have passed. You have established your credibility, have answered their questions, and have gone through a process that they have dictated. In essence, if all of these phone conversations were to assess your skills, the in person interview is going to provide you with the opportunity to assess the new company and the opportunity, and learn first hand the answers to your questions.
They should include the following:
1) Is this new employer truly better than my current employer?
2) What freedoms and opportunities can I get in my new job that I cannot receive in my current position?
3) What is the opportunity for growth?
4) Is the compensation increase going to be significant?
5) Is my quality of life going to improve?
While your in person interview is still a test of your skills and abilities, the balance of power has definitely shifted slightly in your favor, as the new company would not be incurring the expense to interview you if they did not believe that it is more than likely you will be an asset to their company.
By placing yourself in the situation to ask questions that are important to you – and were the initial reason for your interest in the role – you will enable yourself to truly vet the opportunity. Gaining a first hand look at the opportunity, and having your questions answered is really the only way that you can truly determine if the position, the company, and the management team will provide you with the framework for an improved career and quality of life.
Once you receive the information and are able to process it first hand, you may arrive at one of three conclusions – you should remain at your job, you should join the new company, or you should join the new company if the compensation/offer terms warrant it.
In any of these cases, the decision will be in your hands and you will have the data to make the best decision possible.
Enjoy the complimentary pretzels (do they still do that?),
June 19, 2012
I am an information security engineer, and about six months ago I decided to change employers. The main reason for accepting the role was based on the connection and confidence that I had developed with the CISO during the interview process.
When I initially interviewed for the role, I was on the fence about accepting the offer. However, I had a dinner with the CISO and we spent the time together speaking about professional development, and he assured me of his commitment to expose me to more of the business side of information security. The trade off was that I had to give him 12-18 months in a security engineering capacity. During this meeting he even shared with me his own progression and how he had a mentor who helped him along the way in his professional development and ultimate transition from techie to Info Sec leader.
Well I bought in.
About a month ago, I learned that corporate decided to make a decision and they have forced him to resign. In his place, they have brought in someone internally, who is not an information security professional (we will leave it at that) – and while he understands the company, he has demonstrated to me (and others) that he just does not understand the perspective of information security professionals or relate to them. I know that many of my peers are actively interviewing and others have “checked out” hoping that the new leader fails.
As part of the transition, I had a meeting with him, and I shared with him the commitment that the former leader made to me to help develop my career beyond information security engineering. Although he was polite, my feeling was that he was not going to honor the ex-CISO’s promise to me.
Do I need to begin looking for a new job? Any advice?
Vote Of No Confidence
One of my favorite sayings is that in the end you do not work for companies but you work for people. In essence the company provides the framework but your manager has the real impact on your success and happiness.
You seem to be experiencing this first hand!
I think that what is particularly hard for you is that your decision to leave a good position was based upon the promises that your ex-CISO made to you, and you now assume that these promises are going to be ignored. It also appears that you do not have any confidence that the new CISO is going to make good decisions which are conducive to the development of the information security program and, in essence, your career.
Right now, the best advice that I can share with you is that you should give this person a chance. Considering that your new manager is going to be evaluating your contributions to the company, you should in turn be evaluating their performance as well, as it relates to the development of your career. Considering that the person is new to the role, and not an infosec professional – my advice is to be the best information security engineer possible, and really demonstrate your talents, your passion, and your willingness to make positive contributions. I would make it a point to really embrace the new leader, and demonstrate that you are there to support them.
Given the attitude of your peers, your positive attitude and work ethic should really stand out!
After doing this for ninety days or so, ask for a meeting. At that meeting, you should revisit your conversation and your career goals. At that point, you should see how receptive the new leader is.
If the new leader is receptive, you may have found a way to accelerate your career. Keep working hard and contributing and see if you can produce some measurable results.
If the new leader is giving you lip service, ignoring you, and dismissing your requests – it is time to look for another role. If the new leader does not recognize or appreciate you and your loyalty during this transition, it is likely that they are never going to connect with you or support your career development efforts.
At best you will be pleasantly surprised; at worst you can dust off the resume!
Hope this helps,
June 12, 2012
A few weeks back, I was informed by my manager that my company was looking for an information security engineer to help us round out our team. In a team meeting, my peers and I were asked if we would be willing to recommend someone for the role. During the meeting, we were asked if we could publicize this opening to our professional networks, specifically LinkedIN.
As a good employee and team player I have done this, and posted the position to both my networks and the LinkedIN groups where this type of role would be suitable. My initial thought was that this would be quite easy, as my posting would net a couple of qualified folks, and the hiring process would be smooth.
This has not been the case. In fact it has been a nightmare.
Since posting the role, I have received over 70 inquiries about the position. This has included many people who are either not qualified for the role, do not live anywhere near the position’s location, have greatly surpassed this type of position, and some whom I know well enough to know that I would not want to work with them. The responses have included resumes being sent to my personal address, phone calls off hours, and other intrusions that really lie outside the context of my role. I simply do not have time to respond to all of these people, am unsure of the proper etiquette, and I feel that in doing so, I may damage some of my relationships.
I wanted to raise this point with the Infosecleaders community and see if you had any advice for me – to help relieve me from the burden of my current situation.
You are witnessing first hand that there are a lot of personal obligations that go along with engaging your network, especially in the context of recruiting.
Let me give you two pieces of advice that may help you alleviate your current pain:
1) The first is to change the LinkedIN posting or take it down. If you decide to take it down, make sure you speak with your manager, and let them know why you are doing so, and the problem this has caused you. If you do decide to keep it up, what I want you to do is to attach a line to the bottom of the posting that states:
“PLEASE DO NOT CONTACT ME DIRECTLY. AS PER CORPORATE POLICY I AM NOT AT LIBERTY TO PROVIDE ANY ADDITIONAL INFORMATION ABOUT THIS OPPORTUNITY BEYOND THE POSTING. PLEASE ADDRESS ALL INQUIRIES TO- (ENTER YOUR HR BUSINESS PARTNER’S EMAIL ADDRESS)”
Something like this should help you draw some clear guidelines and remove you from the communication loop.
2) What I would do is collect the e-mail addresses of all 70 folks that have responded to this posting and write an e-mail with a confidential distribution list that states the following (please make sure that the distribution list is confidential):
Thank you all for your response to my posting. I have sent all of your responses to our human resources representative who is responsible for the recruitment process for this position. Your credentials will be reviewed by the hiring manager (which is not me!) and if there is interest, you will be contacted to engage in our interview process. I wish you all well in your pursuit of this opportunity. As you progress deeper in the interview process, I would be happy to share with you my personal experiences as an employee of _______________________ and as a member of the Information Security team.
Hopefully this advice will alleviate this burden and help you return your focus to your role as an information security professional and your recruitment career will be a brief one!
Hope this helps,