Career Advice Tuesday – “Am I Just ‘Changing Golf Shirts’?”

August 7, 2012

Dear Infosecleaders:

I am currently working as a penetration tester for a pretty large company. Prior to this, I worked for another large company, doing similar work. My current job is going well, I have a very good mentor, my company has been supportive of my professional development, and I like my hiring manager – as I feel that we have established an open line of communication.

I do have two complaints.  First of all, I believe I can do more.  Secondly, I believe that I travel way more than necessary to perform my duties.

I recently completed an interview process with a much smaller company that is in the middle of a growth spurt.  Although they are much less structured, the people are very smart, and they have some focus in an area that interests me a great deal, Mobile Security.  I believe that it is set up to enable me to take some leadership in this area.  The position does not require a great deal of travel, and it will allow me more time to get involved in my local professional community.

The money for the position is very similar to my current role; however, the position offers some stock, which is exciting to me.

I have listened to your advice in the past about avoiding jobs that just provide the opportunity to “Change Golf Shirts”. I would like to know if you think I am doing this if I join the new company and accept the offer.

Any advice would be appreciated.


“Tiger Woods”


Dear Tiger:

Based on your description above, I do not think you are “Changing Golf Shirts” at all; in fact, I think that these two opportunities are unique and very different.

Here are my thoughts:

1)   First of all, the company you are joining appears to be a “Start-Up”, and it does not appear that you have any of that experience. Having the experience of working at a “Start-Up” is unique, and I think that if you enter into that environment you will learn things about yourself that you would not have in the larger companies that you have worked for.

2)   The new company appears to have some good alignment with your interests, which is great. I am not saying that your current employer doesn’t, but it appears that you will be able to take more of a leadership role in this area in the new company. Smaller companies are great for this experience. Whereas in a larger company there are more resources to compete with, a smaller company provides more opportunities to create more of a “Professional Brand.”

3)   You are going to work with “Smart People”. Not that you do not already, but the only thing better than “Smart People” you know is “Smart People” you do not know – because if you take this job, your “network of Smart People” just got much larger.

4)   You have some earning potential with the stock options. No, you probably will not retire, but stock options provide some upside earning potential that you are not getting in your current role. As a “Pen Tester” there is a standard comp range that you are restricted to, based on the market – so compensation for a new job is never going to be that significant of an increase; in that case, Stock Options provide you with a possible accelerator of your earnings. Even if they are worth nothing, there is no risk for you – as your compensation is going to be equivalent.

5)   You can always go back to the big company. Even if your current company will not have you back, there will be another big company that will take you back, and they will probably be willing to pay you a little more money to go work there, so again you do not have any risk.

My feeling to you is to take a shot on the new company, and see where it goes.  Use the opportunity of not traveling to become more involved in your local community, become known to more people, and really sink your teeth into your interest in “Mobile Security” – and become more visible.

If you maximize this opportunity, it will be much better than trading for a “New Golf Shirt.”

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Compensation, Interviewing, Position Selection, Recruiting, Security Industry, Skills | 1 Comment 

Career Advice Tuesday – No Confidence in the New Regime

June 19, 2012

Dear Infosecleaders:

I am an information security engineer, and about six months ago I decided to change employers. The main reason for accepting the role was based on the connection and confidence that I had developed with the CISO during the interview process.

When I initially interviewed for the role, I was on the fence about accepting the offer. However, I had a dinner with the CISO and we spent the time together speaking about professional development, and he assured me of his commitment to expose me to more of the business side of information security. The trade-off was that I had to give him 12-18 months in a security engineering capacity. During this meeting he even shared with me his own progression and how he had a mentor who helped him along the way in his professional development and ultimate transition from techie to Info Sec leader.

Well I bought in. 

About a month ago, I learned that corporate decided to make a decision and they have forced him to resign. In his place, they have brought in someone internally, who is not an information security professional (we will leave it at that) – and while he understands the company, he has demonstrated to me (and others) that he just does not understand the perspective of information security professionals or relate to them. I know that many of my peers are actively interviewing and others have “checked out” hoping that the new leader fails.

As part of the transition, I had a meeting with him, and I shared with him the commitment that the former leader made to me to help develop my career beyond information security engineering. Although he was polite, my feeling was that he was not going to honor the ex-CISO’s promise to me.

Do I need to begin looking for a new job?  Any advice?


Vote Of No Confidence


Dear Voter:

One of my favorite sayings is that in the end you do not work for companies but you work for people. In essence the company provides the framework, but your manager has the real impact on your success and happiness.

You seem to be experiencing this first hand!

I think that what is particularly hard for you is that your decision to leave a good position was based upon the promises that your ex-CISO made to you, and your assumption that these promises are going to be ignored. It also appears that you do not have any confidence that the new CISO is going to make good decisions which are conducive to the development of the information security program and, in essence, your career.

Right now, the best advice that I can share with you is that you should give this person a chance. Considering that your new manager is going to be evaluating your contributions to the company, you should in turn be evaluating their performance as well, as it relates to the development of your career. Considering that the person is new to the role, and not an infosec professional, my advice is to be the best information security engineer possible – and really demonstrate your talents, your passion, and your willingness to make positive contributions. I would make it a point to really embrace the new leader, and demonstrate that you are there to support them.

Given the attitude of your peers, your positive attitude and work ethic should really stand out!

After doing this for ninety days or so, ask for a meeting.  At that meeting, you should revisit your conversation and your career goals.  At that point, you should see how receptive the new leader is.

If the new leader is receptive, you may have found a way to accelerate your career.  Keep working hard and contributing and see if you can produce some measurable results.

If the new leader is giving you lip service, ignoring you, and dismissing your requests – it is time to look for another role. If the new leader does not recognize or appreciate you and your loyalty during this transition, it is likely that they are never going to connect with you or support your career development efforts.

At best you will be pleasantly surprised; at worst you can dust off the resume!

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Branding, Career Advice Tuesday, Leadership, Planning, Position Selection, Skills | 1 Comment 

Career Advice Tuesday – “The Artist Formerly Known As ‘QSA’”

June 5, 2012

Dear Infosecleaders:

My question centers around my resume and my application for an information security position. 

First some background. I used to work as an information security consultant at one of the largest PCI consulting firms. When I worked at the company, I was a QSA and held other related PCI Certs. When I left that firm, I went to work in a consulting firm that was not a QSA, so I had to allow my QSA to lapse.

Recently I have decided to leave consulting in order to locate a position at a corporation, where I can help them with their governance, risk, and compliance initiatives.  I have located an opportunity with a retailer, who has posted for such a position, but the job description states that all applicants must be QSA Certified.

I know that I can do the job. My skills as a QSA have not lapsed. Quite frankly they were not that difficult to acquire. However, I cannot claim that I am currently a “QSA”.

I think that I have two options – either to list it on my resume and explain it later, or to list on my resume that I am a former “QSA”; however, I feel that this could be received negatively by the internal screener.

Can you provide me some advice?


“The Artist Formerly Known As ‘QSA’”


Dear “Artist”:

This is a very interesting situation.

Your example points out the exact problem with keyword screening criteria and job descriptions written by the uninformed. What would also be funny is if the internal screener were also screening out candidates who currently work at consulting firms – which in essence would eliminate the entire candidate pool and leave the position unfilled.

First of all, you can never ever misrepresent the truth on a resume. This is a show-stopper, a red flag, and it calls your integrity and ethics into question. Companies will check your certifications, and when it comes up that you do not hold the QSA, your interview process will come to an abrupt end.

The best advice that I can give you is to list on your resume: “Former QSA” – Your Certification Number – and the Years You Held The Certification. You can also list your other PCI related certifications with a similar format.

Underneath your certifications and in the body of your resume, you should explain in one sentence or bullet point why your QSA certification lapsed. You need to show the screener that it is impossible to maintain a QSA without working at a certified assessor. If necessary, you can link to a website that references this, so that they can validate it.

Unfortunately, we live in a world where not all involved in the decision-making process understand the nature of qualifications for information security roles. Considering that many in the HR field are trained to exclude on “keywords” and not to investigate further, it is very possible to be overlooked for a role for which you are qualified and are an excellent candidate.

I would like to reiterate to all of the Infosecleaders in the audience, that it is in your best interest to assist your HR team members and educate them when you are enlisting their help in recruiting for an experienced information security professional.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Interviewing, Resume, Skills | Comments Off 

Career Advice Tuesday – “Double Agent Dilemma”

May 8, 2012

Dear Infosecleaders:

I have a question that should be right up your alley and I believe you can provide me with the best advice.

About a week ago, I was contacted by an executive recruiter about a position that interested me. Although I have never worked with the recruiter before (or knew of their firm), they told a good story about their client and the role, how they found me (via LinkedIn), and they seemed professional. During our conversation, they claimed that they were retained and exclusive on the opportunity.

Even though I had not worked with them in the past, I expressed my interest and sent them my resume. I did not do so without hesitation, but I figured since they were “retained” and “exclusive” this would be my only avenue for introduction.

Two weeks went by and nothing happened. I never received an interview. My phone calls were not returned, and I have had nothing but “dead air”, and I thought the opportunity was dead.

Last week, I received a call from an information security recruiter whom I have worked with in the past (taking your advice, I do work with folks outside of LJ Kushner) and whose opinion I have grown to respect. He called me to introduce the same opportunity that I had been previously introduced to.

He shared with me that the client had not retained him, that the role had been open for more than 90 days, and that they had not seen any candidates that were interesting to them.

I shared with them my experience and that I had been exposed to the opportunity by another firm. Since I trust this recruiter, and I believe that they have some solid access into the client/opportunity, I asked if they could represent me.

They told me that they would be able to. 

Is this accurate? Can I have two recruiters working for me for the same opportunity? Can I be hurting myself in any way? What should I say to the first recruitment firm?


Maxwell Smart


Dear Maxwell:

I will say that I believe you find yourself in a bad situation, and I am not sure if you are getting really good advice or guidance from either of your recruitment firms.

First of all, if the initial client were exclusive to the opportunity, there would not be any way that another firm would have access to the position. When a company grants an executive search firm exclusivity, they are doing so because of expertise and simplicity. Having a single point of contact on a senior position is a benefit so that messages can be kept consistent, timelines can be managed, and for simple efficiency.

Based on this, I think you were tricked into sending and consenting to send your resume to the unfamiliar firm who found you on LinkedIn.

Secondly, once you are submitted to an opportunity by one recruitment firm, you should not consent to be submitted by another recruitment firm. The fact that your other recruiter advised you that this would not be a problem on a contingency assignment is incorrect. This is the case for the following reasons:

1)   Almost all of the time, companies will honor (and pay) the first firm that submits a candidate’s resume to them. No matter what the relationship, in the end they want to only pay one recruitment fee, and honoring a second submission would place them in a bind. This would be the kind of thing that would cause a corporate recruiter to potentially lose their job.

2)   If your resume comes to a company from two sources, it is a poor reflection on you and your ability to communicate. By allowing two firms to submit you to the same opportunity, it makes it appear that you are disorganized, non-selective, and that your interest is not necessarily sincere. These are not qualities that many companies look for in their information security leaders.

What you can do is the following: keep calling the first firm until they answer. When you get them on the phone, confirm that they are exclusive (and what their definition of this term is) and then explain to them that you are asking because another firm contacted you about the same role and that you wanted to make them aware. Their reaction should be telling.

To the second firm, simply state that you have already been presented the opportunity and that you do not wish to complicate matters. You can simply share with them that you appreciate them contacting you, and hope that they will do so again in the future about a similar or better role.

In closing, be leery of people reaching out to you who you do not know or do not have trusted relationships with. Before submitting your resume, you can always do two things – validate the track record of the firm that the person is contacting you from, or run the opportunity by a recruiter you have worked with in the past, and trust, and see if they are working on the role. If indeed they are, you may first ask them why they did not contact you on the opportunity, and if you remain interested, ask them if they would be open to representing you.

Please make sure that you control distribution of your resume and manage your job search process.  These are key first impressions and reflections on you.

Hope this helps,

Lee Kushner


Posted by lee | Filed Under Advice, Behavior, Branding, Career Advice Tuesday, Interviewing, Position Selection, Recruiting, Social Media | Comments Off 

Career Advice Tuesday – “Selecting Proper Representation”

November 15, 2011

Dear Infosecleaders:

I have a question that is more for Lee, than for Mike, given that it has to do with a recruitment process that I am currently involved in.

About three weeks ago, I was contacted by an information security recruiter who was referred to me by a close colleague, about an opportunity in my geography that I found interesting. I spent a good deal of time with the recruiter, asking questions about the company, the hiring manager, and the position. The recruiter suggested that I revise my resume to help address some of the specifics of the opportunity, to align more closely with the needs of the position.

During the time that I was reformatting my resume, I got contacted on LinkedIn by a recruiter with whom I had never interacted. The recruiter sent me a job description similar to the one that I had learned about from the other recruitment professional. This individual refused to share with me the name of the company that they were representing, and pressured me to send a generic resume.

My gut feeling is that it is the same position – do you have any advice on how I should handle my discussions with both parties?  Is there anything that could jeopardize my recruitment process? 

Any help would be appreciated.

“Derek Fisher” 


Dear “Derek”:

Well, it is good to know that you are popular – so you have that going for you. The first thing that I will say is that many recruitment firms (including LJ Kushner and Associates) utilize LinkedIn as a form of candidate profiling. Although many people think that we know “everyone” in the industry, it is just not possible, and LinkedIn provides recruitment firms access to information security professionals (job candidates) that we do not have deep relationships with.

That being said, the first thing that I would tell you would be that you should never trust a recruitment firm that is not willing to share the name of their client with you. The two main reasons for this are as follows – first, it shows that they do not trust you. If they share the name of their client with you, there is an outside chance that you will go to the client directly and cut them out of the recruitment process – so they are going to wait until they have your resume to spring this on you. Personally, I find this very shady – it is akin to saying “Please trust me with your career and your livelihood” but “I am not going to return that trust by sharing the company where the job is located”.

Secondly, by not sharing the name of their client, you give up control of the dissemination of your resume. By providing you with a generic, broad-based job description, they are basically getting carte blanche from you to send your resume anywhere. This could mean that your resume could wind up in the hands of somewhere that you have already worked for (it makes you look foolish), somewhere you are already interviewing with (it makes you look unorganized and unprofessional), and even possibly your current employer (which can be a disaster for obvious reasons).

Don’t laugh, this does happen – and the aftermath is not pretty.

In regards to your current situation, you should work with the recruitment firm that you trust the most and the one that you believe has the best chance of helping you navigate the interview process for the specific job and company that you are interested in. In your case, it appears to be the first one that you spoke with.

What I would do with the second recruiter, would be to first call them and ask them whom the opportunity is with.  If they refuse to share this with you, I would tell them politely that you are not interested in working together with them.  If they do share the information, and it is the same company that the other firm introduced, then I would simply tell them that you are already engaged on the opportunity, are being represented by another recruitment firm, and that your resume has already been submitted for consideration.  You could end the conversation, by saying that if they have other opportunities, and are willing to reveal the name of the employers, you would be happy to consider them.

I will say in closing that the “Rules of Engagement” for determining candidate representation are very tricky, and it is very important that you control your resume when you conduct any interview process. Selecting the wrong recruitment firm, or “representation”, can greatly affect the perception of your candidacy for any opportunity.

As a rule, your caliber of representation is a reflection of your brand, and your level of professionalism.

Hope this helps,

Lee Kushner

PS – “Derek Fisher” is a reference – not the name of the advice seeker

Posted by lee | Filed Under Advice, Behavior, Branding, Career Advice Tuesday, Interviewing, Planning, Recruiting | Comments Off 

Career Advice Tuesday – “Change In Command”

October 4, 2011

Dear Infosecleaders:

I recently have found myself in a precarious situation and I am hoping that you can help me get through this.

Recently, about four months ago, I accepted a Director of Information Security position, reporting into the CISO of a 10,000 person company. The position that I left to accept the role, Manager of Policy and Compliance, I held for 18 months. While I was not looking for a new job at the time, the Director role was too good to pass up, both from a career and a financial perspective.

Six weeks ago, I received an e-mail from the General Counsel letting me know that the CISO, who had just hired me, was “relieved” of his duties and would no longer be working at the company. The CISO was one of the main reasons that I accepted the position, and in a short time I had established a good working relationship and I respected his management style.

The search for the new CISO is currently underway, and they are interviewing potential successors – both internal and external. I have met the final two candidates, and quite frankly I am not pleased with either of the options. Their backgrounds and views on information security are much different than mine and I just do not get a good vibe.

Additionally, I am well aware that if they get hired, they will most likely be able to select their teams and their direct reports, so my time here is probably limited. 

Any advice on how I can deal with this situation?  If I am forced to leave, how can I explain the fact that my last two jobs lasted for such a short period of time?


Gomer Pyle


Dear Gomer:

The best thing that I can tell you is that you need to accept that change is coming, and you need to figure out a way to deal with it and make the best of things.  The way that I would look at this is as an opportunity to hone your interpersonal communication and relationship skills.

The truth is that at your level of seniority, you cannot really afford another short stint of employment, especially after an implied promotion. If you cannot show some accomplishments in this current role, future employers will most likely look at this as a failure, no matter how you spin it. (Personally, I think this is unfair, but those are the rules of the game that we play by – and perception is often viewed as reality.)

Whomever they decide to hire, I think that you should embrace and support them with your fullest ability. I think that a good way to demonstrate this is to attempt to relate to your new manager (CISO) on a personal level, letting them know that you are both in the same boat (as new employees), and by demonstrating as much willingness and flexibility as possible to help them out. The best way to do this is to go outside your job description, and take on additional responsibilities that may be in your current sphere of knowledge, or from previous professional experience.

In addition, you should plan to demonstrate your work ethic, your integrity, and your support at any opportunity. This should include coming early, staying late, accepting unpopular assignments, whatever it takes. By demonstrating this level of leadership and commitment, you are going to win this new person over – and they will have no other choice but to view you as a valuable asset.

If you can win them over, and convince the new manager (CISO) that you make his job and his life easier, he will have no choice but to keep you.

If you are able to accomplish this, you will not have to explain your short duration of employment.  If it is all right with you, we will save that question/answer for another Tuesday.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Leadership, Planning, Position Selection | 1 Comment 

Career Advice Tuesday – “Resume Hurdle”

September 27, 2011

Dear Infosecleaders:

I am writing to see if you can help me with a situation that seems to be haunting me as I look for a new job.

I have been working as an information security engineer for the past 10 years, mostly on long-term contracts. Each of my contract assignments for the past five years has been through the same contracting firm. During these past five years, I have supported over 8 different Fortune 500 customers in the implementation of various security technologies ranging from IDS, Firewalls, SIEM, DLP, etc. Each of the assignments has spanned from 4 months (shortest) to 16 months (longest). On my resume, I outline each of these projects, listing the customer, the scope of the project, the duration, and the impact of my efforts.

Now that I am looking for a full-time job, in my opinion my resume makes my employment look inconsistent, although I have been working for the same employer (contracting agency) for the past five years.

Do you have any tips on what I can do to overcome this hurdle?


Edwin Moses


Dear Edwin:

This may turn out to be our shortest response, but your answer is a simple one.

What you need to do is to create a resume entry, before the projects, demonstrating that you worked with the same company for the past five years (2-3 lines). Underneath the employer and the date, you should write a short description about the company and the nature of your work as a security consultant servicing Fortune clients.

Your resume should read no different than that of a person who has worked as an information security consultant for a large consultancy – like a Big X or a large systems integrator – with the exception of being able to demonstrate career progression or titles.

If you are able to place this experience under the larger umbrella, it will let employers know that you are both loyal and have a good deal of diverse information security experience.

That should lift some of your hurdles and help you in your transition.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Interviewing, Resume, Skills | 1 Comment 

Career Advice Tuesday – “Advice For Starting An Infosec Consultancy”

August 16, 2011

Dear Infosecleaders:

I hate to bring up what seems to be the elephant in the room within information security and penetration testing in particular, but how exactly are people getting the gigs doing this? Personally, I have tons of training, 15+ years experience in the realm, business experience to match, and every time I ask this question, nobody seems to want to answer/discuss it.

It is a known fact that the big companies (IBM, the Big X, large telcos, etc.) sell it as a service to existing companies, but there are A LOT of two-three man pen testing teams that seem to stay busy constantly. I understand that people don’t want to give out their client attraction methods and strategy, but I have yet to see this topic covered. There have to be a lot of others with the necessary experience asking the same thing.

Anyway, just can’t seem to tackle the elephant in the room. Nobody wants to cover it. 

Thanks guys and unique blog for the infosec community.


The ZooKeeper


Dear Zookeeper-

To be candid, I had to look at your question a number of times before I was able to formulate a response. It is my interpretation that the crux of your question is, how do you begin your own information security consulting business – particularly in the field of penetration testing. In addition, you would like to know why others are successful, and why some (you) can’t seem to get off the ground.

First of all, I should start by telling you that all businesses are similar – and beginning a penetration testing consulting business is no different than starting any other services business – such as lawn care, pool service, or home painting. When people decide to buy any service, they look for certain elements – experience, competency, price, and reliability. Anyone who has been successful in beginning a small information security business has been able to personally demonstrate these qualities in their previous life, prior to forming their own company. It is from this reputation and personal brand that they are able to attract some of their initial customers, which provide them with experience and references, which they should be able to leverage into new business opportunities.

Another essential component of any business (and career) is the ability to sell and market one’s services and oneself. It is this skill that often separates the successful from the remainder of the pack. Selling one’s talents and branding one’s skills in the information security marketplace is often overlooked as the key factor in determining success. Many information security professionals have focused their professional development on their technical skills, but at the same time they have neglected to attempt to develop their business/sales/presentation skills.

Long and short, there are many technical “rock stars” that have failed on their own as business people, but once partnered with competent business people, have achieved great things.

I have learned over the years that business is about surrounding yourself with great people who complement your strengths. Maybe it would be best for you to find someone who can help “open some doors” and help sell your talents. Or, maybe you need to reevaluate your assessment of your business skills, and try to honestly assess some of the obstacles that are standing in your way in getting your business off the ground.

Understand that it is easy to prove technical competency, but in the world of business, the proof of competency solely lies in the color of the ink – “red” or “black”.

In closing, our note does not mean to come across as harsh, but it is meant to be direct.

Hopefully some of this advice and insight helps, and your infosec consulting business will get off the ground soon.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Security Industry, Skills, Uncategorized | Comments Off 

Career Advice Tuesday – “Black Hat Preview – Professional Development Workshop”

July 26, 2011

For today’s Career Advice Tuesday – we wanted to share a more detailed look at our Black Hat Professional Development workshop.  The workshop will take place on Thursday afternoon – from 1:45 – 6:00PM.    Anyone in attendance can come to either any individual session or stay for the whole program.

If you are at Black Hat, please come by and introduce yourselves.


InfoSec 2001 – A Career Odyssey

The Professional Development workshop is a half-day program that is designed to inspire the Black Hat attendee to think about their career as an information security professional and assist them in their journey towards the achievement of their long term career goals.

The Professional Development workshop will be divided into five (5) unique information security career topics that will be linked by a common theme – Skill Development and Differentiation.

The program will consist of the following:

1)    “The Value of Information Security Certifications Survey” – Research Revealed – 1350 information security professionals responded to an independent survey on the topic, and the results will be revealed

2)   “Second Place Sucks” – A presentation geared toward differentiating yourself from your peers (and your competition)

3)   “The Information Security Leader of The Future” – a presentation that will outline the skills that employers are looking for when identifying and selecting their information security leaders.

4)   “The Other Side of The Desk” – a panel that will explore the different attitudes and beliefs of job applicant and employer during the interview process

5)   “Future Predictions” and “Career Advice Tuesday- Live” – Future trends will be discussed and explored – and attendees will have the opportunity to ask questions about infosec related career topics

The workshop is designed as an interactive forum that should inspire some shared thought and debate between audience members and the presenters.

Attendees should understand that they can elect to either participate in the entire workshop, or to pick and choose from select sessions that have a particular interest to them.

Session Previews:

Session 1  – 1:45 – 3:00

“The Value of Information Security Certifications Survey”

Presenters – Mike Murray and Lee Kushner –  

In February of 2011, we launched an independent survey on the value of information security certifications.   The value of InfoSec certifications is a highly debated topic in the industry, and this is the first independent survey that asks information security professionals (certified or not) their opinions on topics that include the motivations for certifications, the impression of the certification bodies, the value of skills vs. certifications, and certifications’ effect on employment.  With over 1350 respondents, the results should be revealing and eye-opening.

“Second Place Sucks” –

Presenter – Mike Murray

So, if certifications are no longer the magic bullet to get you to your career goals, then what is?  The topic of strategic career investments and personal branding will be the focus of this presentation.  The presentation will cover how you can plan and execute on career investment strategies that will enable you to differentiate yourself from your peers and successfully compete for promotions and external information security leadership opportunities.

(15 minute break)

Session 2 – 3:15 – 4:45PM

3:15 – 3:45PM

“The Information Security Leader of the Future” –

Presenter – Lee Kushner

The skills for information security leaders are changing quite rapidly.  As many companies are aligning information security with their core business and branding, information security professionals will need to evolve as well.  The presentation will break down the core skill components that information security professionals will need to acquire and demonstrate to be considered for leadership roles in the future.


3:45PM – 4:45PM

The Other Side of the Desk – Different Perspectives on the Interview Process

Moderator – Mike Murray

Candidate Perspective – Lee Kushner

Hiring Managers’ Perspective –

Bill Phelps, Executive Director Accenture  

Justin Somaini, CISO at Yahoo!


There are two parties involved in every interview process, the information security professional (the applicant) and the hiring manager (the decision maker).   While in essence, both parties ultimately desire the same outcome, their motivations lie in different places.   This portion of the presentation will present to the audience the perspective of the candidate and the perspective of the hiring manager, in a way that will educate both parties and enable them to social engineer the interview process, to work to their personal advantage.

Bill Phelps:

Bill Phelps is an Executive Director in Accenture’s security practice, and has spent the past 25 years in technology services.  In the past decade, Bill has been a practice leader, company founder, board member and trusted advisor helping organizations with complex management and technology challenges in the areas of information security, data center transformation and technology strategy.     Bill currently has overall responsibility for Accenture’s security business in North America.  Bill is aggressively growing Accenture’s security team, and plans to hire over 200 security professionals in the coming year.

Justin Somaini:

Justin Somaini is the Chief Information Security Officer at Yahoo!, where he’s responsible for all aspects of Yahoo!’s Information Security strategy.  With over 15 years of Information Security experience, he’s seen as a leader in the industry for promoting an evolution of the security and risk management models.  Through his public speaking and industry involvement he’s given extensive talks and interviews on the threat landscape, public policy, security management and risk management.  Prior to joining Yahoo!, Justin was the CISO at Symantec.  Justin has also held security leadership roles at VeriSign, Charles Schwab and PricewaterhouseCoopers LLP.

4:45 – 6:00PM

Predictions for the Future and Career Advice Tuesday – “Live”

Presenters – Lee Kushner and Mike Murray

The employment market is dramatically changing – and the closing session will begin with information security employment predictions (based on experience and research) for the next ten years.  Once completed, this will be followed by a version of “Career Advice Tuesday” – “Live”.   All attendees can have their personal information security career questions answered in an open forum.   Topics will include skill development, compensation negotiation, career investments, career planning, and anything else you want to ask about your Information Security Career.

Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Branding, Career Advice Tuesday, Compensation, Interviewing, Networking, Planning, Position Selection, Presentation, Recruiting, Resume, Security Industry, Skills, Survey, Uncategorized | 1 Comment 

Career Advice Tuesday – “Advice for Job Hoppers”

May 24, 2011

Dear Infosecleaders:

I have been working in a company for over two (2) years now, and for the last eighteen months I have been focused on Privacy Controls Implementation.

Plain and simple, I find this work to be boring.  I have a difficult time focusing on my current job and I feel that my work is suffering due to my lack of enthusiasm and the loss of passion.

My initial goal would be to remain with my company, but my manager is not open to my request and simply told me to “keep my head down” and focus on my current project.

I would really like to begin a search for another employer, and to find an opportunity that lets me shift my focus and utilize some of my other skills as an information security professional.   However, I have a history of changing positions every two years, and I have run into the obstacle of being labeled as a “job hopper”.

For the record – I have worked for six companies in my 14 year information security career.

I am not sure how to overcome this obstacle, and progress toward my career goal.   Do you have any suggestions on how I can implement a strategy to change roles and overcome the perception of my lack of commitment?

Any ideas would be welcomed.


“Frog Man”


Dear “Froggy”:

Unfortunately, we do not have much help for you.   The best that I can offer is to utilize your experience to help others, so that they can utilize this as a learning tool for their own careers.

The fact is that history is a very good predictor of future results, and to any new employer it is logical for them to assume that you will only remain at your current position for two years (or slightly more) at a time.   The fact that this is a repeatable pattern – not just once, twice or three times – but six times – is a good indication that you will not stay with your next employer much longer.

In this day and age, hiring managers are facing greater scrutiny when hiring external resources, and if they decide to provide you with an opportunity for employment it is likely that their judgment is going to come into question by their managers.   Many hiring managers are unwilling to take this risk, as the competition for their jobs is greater.

Hence your dilemma, Froggy.

If any of you beginning information security professionals are reading this, this should be a lesson and a situation that you need to avoid.   You have to understand that your career and your career choices tell a story, and are a reflection of your decision making, your intangibles, and your personal make-up.   It is often very easy to pick up and leave your employer, however the decision that provides you with instant gratification, often has longer term implications.  This will limit your choices and create an obstacle that you may not be able to overcome.

Take a lesson from Froggy – and try to make sure that you exhaust all internal options prior to making a career decision.   When you are deciding whether to change jobs, try to determine if there is room for growth where you are, and work with your manager to determine the best way to develop your skills and create opportunities for yourself that challenge you and help you grow.

Back to you Froggy – you are going to have to grit it out – and try your best to convince your manager to provide you with an opportunity that will renew your passion.  You need to demonstrate this by finding it within yourself to become the best Privacy Controls Implementation professional possible, and seek out opportunities that allow you to leverage this expertise into new roles with your current employer.

Give yourself an additional year to do this, and see how it turns out.    In the meantime, take the year to make some personal career investments that may align with your future goals.   When the time is right to go for another interview, you can tell a better story – about how you “stuck it out”, “tried your best to make it work” – and rededicated yourself to your career.  That is a powerful story that any progressive hiring manager would like to hear – and can sell to their management when asked about your employment history and “job hopping”.

Write us in a year, let us know how this turns out.

Wish we could be more immediate help,

Lee and Mike


Posted by lee | Filed Under Advice, Behavior, Branding, Career Advice Tuesday, Planning, Position Selection, Uncategorized | 2 Comments 
