Nothing Says “I Love You” Like an Information Security Career Development Seminar – RSA – Feb 14, 2011

January 7, 2011

The RSA Conference is traditionally known as one of the marquee information security conferences in the United States. This year, the conference organizers have decided to create a pre-conference seminar that is focused exclusively on the information security professional’s career development. The seminar is included with all paid conference admissions. Personally, I was honored when the program committee asked me to co-host the event and contribute to the content of the agenda.

Unlike past RSA events, the Seminar is scheduled outside of the main conference tracks, where it does not compete with the highly technical presentations or the keynotes. By doing this, they have enabled all delegates to dedicate time to focus on their careers – and to learn how to best maximize their current positions and strive to attain their long-term career aspirations. The program is designed to take Information Security professionals through a journey that will provide them with both content and context for managing their careers.

The Seminar will take place on Monday afternoon, February 14th from 12:30 – 5:00PM.

On the upcoming Fridays leading up to the conference, the InfoSec Leaders blog will feature an in-depth abstract and preview of the content of the panels and the individual presentations.

The agenda for the seminar will be as follows:

A panel discussion, moderated by seminar co-host Mike Gentile, that will address the current state of the information security market, the skills that employers are looking for, and trends in today’s employment market.

An individual presentation from InfoSecLeaders’ Mike Murray on Career Planning. This presentation will help guide the attendees through some basic steps to create a career plan tailored to achieving their long-term information security career and life goals.

A presentation given by Jeff Combs focusing on differentiation and personal brand development. Jeff will utilize his decade-long experience as an Information Security executive recruiter to illustrate to the attendees how to make themselves more marketable and attractive – to both their current employers and future ones.

A presentation by me, Lee Kushner, that will focus on the skill requirements for the CISO of the future. From our Infosecleaders survey we learned that 37% of the respondents aspired to become a CSO/CISO. This presentation will outline the real skills that companies are requiring and demanding from their Information Security Leaders of the future.

The seminar will then conclude with a panel discussion (moderated by me) of three current Information Security Leaders – Stephen Scharf, CSO Experian; Patrick Heim, CISO Kaiser Permanente; and John Kirkwood, Global CISO of Royal Ahold – who will discuss their own career paths and progressions, how they select and identify future information security leaders, what skills and attributes they search for in employees, and where they are heading next in their careers. The panel will allow questions from the audience.

Posted by lee | Filed Under Behavior, Branding, Networking, Planning, Security Industry, Skills, Uncategorized

Career Advice Tuesday – “Listing Polarizing Interests on a Resume”

November 30, 2010

Dear Infosecleaders:

Wanted to ask a question about my resume and including my outside of work activities. Without getting into specifics – I take part in some outside activities that some may consider to be polarizing. Although I know that this site is anonymous, I would like to keep them to myself – however, for argument’s sake, let’s say that they fall into categories that would include one of the following:

1) My Political Beliefs

2) My Religious Beliefs

3) My Sexual Preference

4) My Ethnicity

I have followed your advice, and not only am I a member of this group, but I am also a leader. My group has raised a great deal of money, performed good work in the community, and I am very proud of the work that we have done. My participation in these groups has enabled me to develop and refine some additional skills that benefit me in my job as an information security professional.

I ultimately would like to list them on my resume, because I believe that they reflect well. However, I have learned from reading your site that when it comes to employment and selection of candidates - “beauty is in the eye of the beholder”.

My fear is that by listing these activities, I will do more harm than good, and I will close more doors than I will open.

Do you have any advice? 

Signed,

“Wanna B. Free”

Dear Wanna:

Your question is a good one and I think that the answer that you are searching for can fall into two categories – 1) Focusing on your Goal (Getting a Better Job) and 2) Being Honest with Yourself.

If the goal of the resume is to get a better job, I think that you are taking a big risk in featuring your outside activities on your resume, if you believe that they are polarizing. By including these items on a resume, you begin to eliminate your audience and you enable people to make prejudgments about you as a person. Granted, if some of the employers share the same interests or beliefs, that may give you a leg up in the process; however, since many people will be viewing your resume, it becomes more likely that you will encounter someone who may disqualify you based exclusively on this activity.

In addition, today the legal environment in the workplace is more risk-averse than ever. Granted, companies preach the concept of diversity; however, at the same time they try to prevent the workplace becoming the “soap box” for the expression of people’s personal beliefs, especially if they may offend others or pose a distraction. Sometimes no matter how talented the candidate, companies simply do not want to take this risk.

To compound this, many times hiring managers will ultimately choose an alternate candidate, simply due to the fact that they may be exposing themselves if they hire someone that may be more of an outlier, as opposed to someone who is viewed as a safer choice. Remember, they have a job too!

2) Being Honest With Yourself – I think that you have to determine whether you bring this outside interest into the workplace. Many people cannot separate their avocations from their vocations, and their outside interests consume them in all environments. If you recognize that you fall into this category, my advice would be to list it.

The reason for this is that this outside interest speaks to exactly who you are. And if this is the case, the company should know it, and you should feel comfortable that they are accepting of you (in your totality). I think that by being honest with yourself – and your employer – you set a strong foundation for a long-lasting relationship. However, if by being honest you repel the employer and are not hired, you may experience some initial remorse. However, in the long run you will benefit from not having to work in an environment that does not embrace you or your extracurricular activities.

In the end, I think that resumes in general are not an ideal form of communication, so I do believe that it would be best to list your interest, but soften it a bit so that it is not viewed as polarizing, but still provides a potential platform for discussion. If you eventually get selected for an interview, you should figure out if you want to bring this up with members of the interview team during a discussion. In this form of communication, it may be easier for you to articulate your external interests and demonstrate how they have affected your personal and career development in a positive way.

Thanks for asking the question.  Many people struggle with this.  Hope that the answers are useful to you and to others.

Lee and Mike

Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Resume

Career Advice Tuesday – Getting Typecast

October 20, 2009

Sometimes, it’s worth publishing a long letter because it’s an issue that many, many people have. The letter below is indicative of many of the questions we get, and it’s just such a good example that we can’t pass it up.

Dear Lee and Mike,

I’ve had an interest in infosec since I was 14 and I have been working in IT for 10 years, ever since I started my own consulting business at 16. My business was based around servicing companies’ desktops, servers and networks and this led to a full-time system administration job and subsequently into an IT Manager role. I was finally given a chance to work in security full-time when I moved on to a role as a 3rd level Firewall Engineer.

My next role involved helping set up the network security infrastructure at two new data centres – I stayed on as Network Lead and eventually moved up as the Network Team Lead (with my team managing hundreds of devices and dozens of firewalls).

Still I felt it was not the right move for me. I began to look for a different job and had dozens of calls weekly and several interviews. One call was from a recruiter for a small company in Switzerland. I flew down for the interview and accepted a role as a Network Security Engineer. There were lots of promises about what the role was supposed to be like but few of them ended up being true. My job at this company is maybe 40% security and 40% network support, server support, data centre management and 20% network, system and data centre design. All of the things I can do and am good at but not what I want to do.

My true passion is identifying risks in systems and networks. I have had hands-on experience securing systems and have coupled this with constant study of various IT security books for the past 10 years; I’ve obtained the SSCP, CISSP and the CISA. All of my experience and studying has given me a ‘gut’ instinct about where there are security problems not only with technology but also with business processes. My goal is to use these abilities in the role of an infosec consultant doing security assessments.

Making a career change from my more operational background has been a tremendous problem for me. The Big Four that I have applied to have rejected me because, I think, I do not fit into their hiring profiles. Other security consulting companies I have been in touch with are initially very positive, returning my calls and promising interviews but then going silent.

Is it even possible for me to change from operations into a consulting role or have I been typecast?

What can I do to sell myself better and convince potential employers that I can do the job of a consultant?

Thanks,
Ops Guy

Dear Ops Guy,

Where to start. First, by my rudimentary math skills, you’re 26 years old. If you’re typecast at 26, we’re all in very deep trouble. Mike’s father started his first business in his mid-50s, so I think there’s hope for you yet.

That said, you’re coming up against problems that many security professionals face on a daily basis: you’re doing work that doesn’t fit what you want to do, and you don’t know how to transition out of that. You don’t fit the profile for most of the consulting firms that you’re talking to and you’re not sure what to do to fit the profile.

First things first: many, many consultants come from an ops background. Mike is one himself – his first jobs were system administration jobs (you can even find articles he wrote in the early part of the decade in the “Sys Admin Magazine”) and he transitioned into consultant roles.

The majority of this issue comes down to a branding problem: we talked in our recent Search Security column about the steps that you can take to enhance and build your personal brand. In this case, you need to seek out others who have done what you’re trying to do and figure out how they did it. You know what you want to be known for and where you want to end up – now it’s just a matter of working to create the brand that you want.

Additionally, it seems like you might be having trouble interviewing, but that’s a subject for another week.

Mike & Lee

Posted by mmurray | Filed Under Branding, Career Advice Tuesday

Everyone Has A Personal Brand

June 18, 2009

Wanted to share a personal experience that has a great deal to do with the concept of “personal branding,” but has nothing to do with Information Security.

Here is some back-story. In December 2007, we bought a fifteen-year-old home. The previous home owner had neglected most of the maintenance for the past year. One item included in the sale was a 12-year-old “hot tub” that is embedded into an outdoor deck. Needless to say, when we first attempted to turn on the hot tub, it did not work. I called the local spa company and they agreed to send a repairman.

It is now about 2 hours past the time that he was supposed to arrive, and a truck comes into my driveway. Out steps a sixty-year-old man named Jerry. It was clear from the greeting that he gave me that arriving two hours late did not bother Jerry. He offered no apologies for his tardiness as we walked to the backyard. As we walked, I looked at Jerry’s wrist; as I expected, he did not wear a watch.

Soon after arriving at the hot tub, it did not take long for Jerry to convince me that he was the right man for the job!

He quickly deduced the exact model of the hot tub and told me about the manufacturer’s history of product development. He then told me that when my model came out, he regularly spoke with the lead engineer at corporate, who helped him troubleshoot and resolve specific issues with the hot tubs. Jerry even told me that he diagnosed some problems that they were unaware of, and that corporate often called him and asked him for advice.

It was no time before Jerry had his “a ha” moment. With the combination of a little elbow grease, the reattachment of some wires, and a wave of his magic electrical wand – the tub was working again.

I offered Jerry a cold drink and he happily accepted. I told him how impressed I was with his knowledge and efficiency. He gave me some history regarding his personal background. He was a licensed electrician, who became involved fixing hot tubs by accident. He told me that he liked the work because, as he stated, “there are no real emergencies that involve a hot tub.” It was clear to me that Jerry earned a living to satisfy his lifestyle. He liked making his own hours. He was not interested in promotions or additional responsibility. He enjoyed his work.

Jerry was not going to be managed by anyone, and he did not want the headaches of running his own business. He took tremendous pride in his work product and his ability to solve the customer’s problem. You could tell he liked to be needed, and have people depend on him. He had no worries regarding his future, he knew that there would always be hot tubs to fix.

All of these items defined Jerry’s personal brand. The characteristics that comprised his skill set included deep knowledge and expertise, a commitment to customer service, and professional pride. If Jerry was also punctual, he would clearly have his place in the “Hall of Fame.”

Recently, we had another hot tub issue. I called the store, and asked for Jerry, and only Jerry. They told me that it would take a week longer and that Jerry would be by on Sunday morning. I said, “No problem.”

His car pulled up this Sunday at 3:00PM in the afternoon.

Just as I expected.

Posted by lee | Filed Under Branding, Personal, Story