Career Advice Tuesday – “Managing Compensation Risk”

October 16, 2012

Dear Infosecleaders:

Currently I am employed as an information security consultant with a large entity.  As part of my compensation program, I earn a quarterly bonus based upon the achievement of utilization targets and billable hours.  Our company has done well over the past five years, and my bonus has become quite predictable.  Over the course of the year, it amounts to about 30% of my base salary and close to 20% of my overall compensation.

About a year ago, one of my peers left the company to strike out on his own.  During that time, he has grown a small boutique consulting company that specializes in my area of expertise, GRC product implementation.    While I am familiar and comfortable with the person as a peer, I am not fully comfortable with him as a business owner.   He has recently made me an offer to join his team.  

The position comes with a little more authority than I currently have, along with a flashier title. (From reading the blog, I know how much weight you put on this.) The salary is a small increase from my current salary, but the bonus appears to be more substantial. He has told me that, based on the corporate formula that they utilize, it could equate to about 50% of my base salary. This would be a sizeable increase, and potentially give me additional freedoms.

There is one problem that I have; I do not fully trust that this money is going to be there.   I base this on the fact that I do not know what kind of businessperson he is and do not know if I can rely on the bonus to be there.   If it does not materialize as promised, I will be taking about a 10-15% decrease in earnings, and I risk leaving a safe and comfortable situation.

Any advice would be appreciated.


InfoSec Actuary


Dear Actuary:

While your question appears to be complex, fortunately, the answers are quite simple.  By asking your potential new employer a few key questions, you will be able to figure out your answers about his business ethics, believability, and the health of the company.

Here are some simple steps:

1) Before accepting the position, ask the new employer if you can speak to some of your potential peers who have been working with the company for at least three months. During these discussions, ask these folks how their bonus has been: whether it has been paid, whether it has been paid on time, and whether it was paid as stated in their offer.

This is your first line of defense.  It will provide you with at least some history in seeing if your new employer is true to his word.

2) If this checks out, then I would want you to call your new employer directly before accepting the offer.  When you speak with them, I want you to ask them to guarantee the bonus for the first six months of employment at the target rate.  In essence, I want you to ask him to treat it as salary.   Anyone in business who is adding additional people to their services team should have at least six months of visibility into their revenue stream and client base.   He should not hesitate to honor this request.  If he does, my antennae would go up.

You are entitled to request this based on the following factors that apply to your situation:

1) You are a known commodity. The employer sought you out, knows your work, and knows what they are getting. There is huge value in this to them.

2)   The business is a small business and it is their responsibility to help you manage your risk – since you are the one that is taking a chance on them.  (As a side note, a company that has been in business for a while would not do this, and should not be expected to.)

3)   They are recruiting you.  You have a good job where you are content.  You have some leverage in this situation so use it.   All you are asking is for them to guarantee their promise.  It should be a simple request.

(Note: As the audience reads this, understand that all three factors need to apply. Do not think you can require this of a large Fortune-sized entity, an established security consultancy, or a stable security product vendor.)

In closing, my best advice is to trust your gut instincts.  After these discussions, if there is something telling you not to trust the new entity, stay put.  Tell the employer you would like to revisit the opportunity in 3-6 months.   I am pretty confident that if this particular opportunity is indeed a good one, it will still be good six months from now.

Hope this helps.

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Compensation, Position Selection, Recruiting | Comments Off 

Career Advice Tuesday – “Am I Just ‘Changing Golf Shirts’?”

August 7, 2012

Dear Infosecleaders:

I am currently working as a penetration tester for a pretty large company.   Prior to this, I worked for another large company, doing similar work.   My current job is going well, I have a very good mentor, my company has been supportive of my professional development, and I like my hiring manager – as I feel that we have established an open line of communication.   

I do have two complaints.  First of all, I believe I can do more.  Secondly, I believe that I travel way more than necessary to perform my duties.

I recently completed an interview process with a much smaller company that is in the middle of a growth spurt.  Although they are much less structured, the people are very smart, and they have some focus in an area that interests me a great deal, Mobile Security.  I believe that it is set up to enable me to take some leadership in this area.  The position does not require a great deal of travel, and it will allow me more time to get involved in my local professional community.

The money for the position is very similar to my current role; however, the position offers some stock, which is exciting to me.

I have listened to your advice in the past about avoiding jobs that just provide the opportunity to “Change Golf Shirts”. I would like to know if you think I am doing this if I join the new company and accept the offer.

Any advice would be appreciated.


“Tiger Woods”


Dear Tiger:

Based on your description above, I do not think you are “Changing Golf Shirts” at all; in fact, I think that these two opportunities are unique and very different.

Here are my thoughts:

1)   First of all, the company you are joining appears to be a “Start-Up”, and it does not appear that you have any of that experience.   Having the experience working at a “Start-Up” is unique, and I think that if you enter into that environment you will learn things about yourself that you would not have in the larger companies that you have worked for.

2) The new company appears to have some good alignment with your interests, which is great. I am not saying that your current employer doesn’t, but it appears that you will be able to take more of a leadership role in this area in the new company. Smaller companies are great for this experience. Whereas in a larger company there are more resources to compete with, a smaller company provides more opportunities to create more of a “Professional Brand.”

3)   You are going to work with “Smart People”.   Not that you do not already, but the only thing better than “Smart People” you know, is “Smart People” you do not know – because if you take this job, your “network of Smart People” just got much larger.

4) You have some earning potential with the stock options. No, you probably will not retire, but stock options provide some upside earning potential that you are not getting in your current role. As a “Pen Tester” there is a standard comp range that you are restricted to, based on the market, so compensation for a new job is never going to be that significant of an increase. In that case, stock options provide you with a possible accelerator of your earnings. Even if they are worth nothing, there is no risk for you, as your compensation is going to be equivalent.

5) You can always go back to the big company. Even if your current company will not have you back, there will be another big company that will take you back, and they will probably be willing to pay you a little more money to go work there. Again, you do not have any risk.

My feeling to you is to take a shot on the new company, and see where it goes.  Use the opportunity of not traveling to become more involved in your local community, become known to more people, and really sink your teeth into your interest in “Mobile Security” – and become more visible.

If you maximize this opportunity, it will be much better than trading for a  “New Golf Shirt.”

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Compensation, Interviewing, Position Selection, Recruiting, Security Industry, Skills | 1 Comment 

Career Advice Tuesday – “The Ol’ Bait and Switch”

July 31, 2012

Dear Infosecleaders:

For the past two months I have been in the middle of an interview process, for what I believe to be a pretty senior role.   The role was a promotion from my current duties, and it was to provide me with a larger team of people, a bigger scope of responsibilities, and a larger compensation package.

During the interview process, I confirmed that the scope of the role was larger with both the hiring manager, and the hiring manager’s manager.  This was confirmed both on the phone and via e-mail.   I also had detailed discussions with the human resources person at the onset of the interview process about my compensation requirements and what it would take for me to give up my current role (where I am quite happy).  I received assurances that this would not be an issue.

Well, I finished the interview process and the offer was incredibly disappointing.  First of all, the role on the offer was for a lower level (similar to my current job) and the compensation was for 20K salary less than I requested.  

The hiring manager told me that I should “trust them”, and they just had to smooth things over with the incumbents before they made the announcement. They also blamed the whole compensation thing on the HR team, stating that “they’d see what they could do”, but could not go much higher than the initial offer.

Do you have any advice for me?  Should I trust them?  I feel so deflated as this was a job that I saw as the next step in my career  and I feel that I have been “bait and switched” and taken for a fool.


“Cadillac Man”


Dear “Cadillac Man”:

Beware: if you take this job, you are going to get a “Clunker”.

There is absolutely no excuse for two hiring managers to tell you something in writing about a position, and then not be able to back it up in writing and in an offer. The concept of “Trust Me” should be applied to minor details of a job offer – like a work at home policy, or extra vacation – but for something as important as the core reason that you were interested in the job, NO WAY!

Secondly, think about the organization that you are heading to. The hiring manager blamed the HR person. Whether that is true or not, this is very telling of their personal style and the corporate culture you will be heading into.

At this level of a search, if you were a key hire and being recruited for a “Senior” role then compensation should be something that should be able to be worked out if both sides are reasonable.   Without having the details, maybe a request for 20K more than they offered was a bit aggressive – but I would figure that they would have taken a much different approach.

Also, at this level, if they really want you and you really wanted the job, this process of compromise would be easy.

The translation of their offer  is as follows:  

We liked you a great deal.  We feel that you would be good for the role/level where you are currently performing at (at your other company).  We do not mind paying you a little more to do that role at our company.  It is possible that you will have the ability for a larger role, but it will not be on DAY ONE!   You are welcome to try out for that role once you are an employee and prove yourself in our organization.

However, they have elected to be dishonest with you and try to sway you otherwise. I can assure you that if you accepted the offer to work for this company, this would not be the last of the unwelcome surprises.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Compensation, Interviewing, Position Selection, Recruiting | Comments Off 

Career Advice Tuesday – “20 Percent Increase = Bad Assumption”

May 1, 2012

Dear Infosecleaders:

I am planning on moving back to the USA this fall, as I am currently living in Eastern Europe. As you may or may not know, the standard of life is poorer/lower than in the States. As I have heard in one of your presentations, one should ask for a salary maximum 20% of their current earnings. But the 20% would not be even close to what I would be satisfied with, or the standard for the job class.

Do you have an opinion/recommendation on the approach I should take to get the salary I want and/or deserve, regardless of my current pay?


 Is Twenty Plenty?


Dear TP:

Before I address your question, I want to make this very clear to all of the Infosecleaders audience:



Now to your question:

The real question about compensation can only be answered by understanding the marketplace value for your skills and experiences in your employer’s industry and geographic location. The best way to understand your marketplace value is to survey either your peers (with similar skills) or people with industry knowledge (hiring managers and info sec recruiters) who can provide you with a benchmark of how you should be compensated.

Many information security professionals believe that the compensation for their individual specific skills should be treated differently than the market at large.   This is a bad assumption and often leads to poor decision making about compensation expectations.

In general, compensation for similar skills in the same market will only fluctuate by about 10-20%.  This fluctuation will be determined by seniority, alignment with the business need, urgency, the demands of the work environment and industry.

Given the above, your current salary is irrelevant to your future one, considering your change of location and the cost of living differences inherent to your move. However, before you embark on your job search you should get a better understanding of how your skills will be valued, and set some baselines and parameters with prospective employers as you begin your interview process.

Upon their assessment of your skills and your performance in the interview process they should be able to determine a suitable salary in their attempt to acquire your services.   If you would like to keep them honest, interview with two companies simultaneously to see if the compensation they offer is similar.

My guess is that the difference will not be much greater than 10%.

Hope this helps,
Lee Kushner




Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Interviewing, Position Selection, Recruiting, Skills | Comments Off 

Career Advice Tuesday – “Better Job, Less $$$”

April 24, 2012

Dear Infosecleaders:

I wanted to ask a question about compensation as it relates to an opportunity that I am currently pursuing.  First I would like to describe my current situation –

Right now I have a position that I do not enjoy very much.  I work as an identity and access management consultant where I implement enterprise technologies at large companies.  I have been working in this capacity for the past five years.  I travel a great deal (about 80%) – basically every Monday through Thursday.

Due to a combination of my technical skills, my willingness to travel, and my ability to communicate to senior management at my clients I have been paid quite well.  My current compensation is about 200K.  In addition, since I have been traveling so much, I have been able to reduce my living expenses considerably allowing me to save about 300K.

Recently my life has changed a bit.  I have met someone and I want to settle down and find a position that allows me to stay in one place and at the same time challenges me.   Through my network of friends and colleagues, I have located a position that accomplishes these objectives.

There is one catch.  The compensation.

The position pays  a salary of 135K and does not have a bonus. 

I would really like to accept the position but I am having a hard time getting over this hurdle. In addition, I am not sure how to answer the employer’s question about my willingness to accept 1/3 less compensation than my current role.

Any advice would be appreciated,

Settling Dan


Dear Dan:

Let me answer your second question first – the best way to answer your future employer about your willingness to accept considerably less compensation is honestly.    I would explain to them very simply that you understood that your past role was more of a 1099 assignment as opposed to a full time position – where you were receiving a 33% premium for your skill and willingness to live on an airplane.

You should explain to them that you had come to terms with yourself that you were going to sacrifice your personal life in exchange for the ability to save money and develop skill. In addition, you can explain to them that by being financially responsible you have put yourself in a situation where you could focus on your career – and not be as concerned about money. If you would like, you could also explain to them that you have met a significant other, and your desire to spend more time with your partner outweighs your desire to earn an additional 65K.

This being said, you need to make sure that you are careful to let your future employer know that your drive and your desire to produce excellent results remains with you, and that your work ethic will not change, although you have more of a financial cushion.  The best way to do this would be to demonstrate some examples from your past that can illustrate this characteristic in both personal and professional environments.

To answer your question about money, my feeling is that this is a very personal choice and one that you, yourself, will need to deal with and come to terms with. 65K is a large sum of money; however, the only positions that will enable you to maintain your compensation will be ones that place you in the same environment as your current role.

If you are offered the role, then before you accept it I would like for you to make a list of the things in your life that you will be able to take advantage of with the new role, and to make a list of the things that you will be giving up without the 65K. In addition, you should also look five and ten years into the future, to see if by accepting this new role, you can place yourself on a trajectory to recapture these earnings in the future.

In the end, if you want to, you can always get back on the airplane, and do the consulting.  My advice is to make the most of your relationship, and to see if you can excel in a new environment better suited for your new life.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Position Selection, Skills, Uncategorized | Comments Off 

Career Advice Tuesday – “Using Website Data In Determining Compensation”

March 27, 2012

Dear Infosecleaders:

I would like to know your thoughts on websites like and as data points for compensation negotiations.

Do you feel that the accuracy of these sites take into consideration outside factors such as clearances?  What would the baseline salary be for someone with a CISSP, TS Clearance, and Masters Degree?

Better yet, how should the information gathered utilizing these tools be applied to your current compensation and desired compensation if searching for a new position?


Billy Shatner


Dear Billy:

C’mon Billy, I would think that you, of all people, would know a thing or two about negotiating price on the internet!

As an information security professional, you cannot negotiate your salary or determine your market value based on the information that you glean on these types of websites. It is simply impossible. The data is baseless, as these sites are more focused on generalities as opposed to the many nuances which may determine compensation in an information security professional’s role.

I have my own opinions on some of the market intelligence and salary scales that corporations utilize when it comes down to assigning compensation for information security professionals. Considering that the information security industry is comprised of both generalists and specialists, it is very difficult to apply this type of salary information broadly.

For example, if you are an identity management specialist with a CISSP, a Masters Degree, and a TS Clearance – with a highly technical skill set – you will earn considerably more than someone with similar experience and the same credentials who focuses on Certification and Accreditation work, or policy development.

The best way to determine your market worth is to ask your peers who hold similar positions, have similar experiences, and who work for similar types of organizations within your geography. If you can get a sample of the compensation of people who share your background, you will find that your compensation should fit within the range of these numbers. It is very rare that information security professionals have compensation packages that are outliers and anomalies – we just are not that type of industry.

I would tell you and the infosecleaders audience that the factors that determine compensation usually combine skill, responsibility, location, company size, quality of life and industry type.  In addition, companies that have greater commitments to the protection of their information, generally have a slightly higher scale than others.

In the future, forget sites that claim to have this information. They do little more than build misconceptions and create false expectations that are not based in reality.

Hope this helps,

Lee Kushner






Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Interviewing, Recruiting, Security Industry, Skills | 1 Comment 

Career Advice Tuesday – Negotiating Tips For The Unemployed (and Underpaid)

March 6, 2012

This question was taken from last week’s Career Advice Tuesday live session at Security BSides SF.

Dear Infosecleaders:

I was recently let go from my position as a penetration tester and I am actively interviewing.   During my interviews, I am constantly asked two questions – 1) Why was I let go?  2) What was I earning?

The actual answer to the first question is an easy one to answer, as there were some issues with the management of my company and the flow of information security work.   For lack of better terms, we could not sell enough work to keep me busy. 

The second question is difficult for me to address.  First of all, I believe that I was underpaid for my skills.  Secondly, I feel that if I provide any of my suitors with this information they will base their offer on this data – and leave me in the same financial situation.

Do you have any advice for how to address this?


D. Trump


Dear Mr. Trump:

Rest assured, you are not alone.

In my fifteen plus years of working in this industry, I have yet to meet an information security professional who believed that they were overpaid.  The fact that you think you were underpaid at your previous employer, places you in the majority.

That being said, without knowing the details, I cannot really comment if you are paid fairly for your skills and contributions, but I can help you with some guidelines on how to answer the question about compensation.

First of all, when you are asked this question, the most important thing that you can remember is to be accurate in your response.   Although you may not agree with the number, the facts are the facts.  In today’s world, many employers validate past compensation during a background check, so if you are grossly inaccurate in sharing these numbers, you run the risk of being denied employment.

Secondly, I would follow up the answer to the question with a statement – letting your prospective employer know that you are actively searching for employment and are interviewing for similar positions. When you provide this information, you can provide a range of compensation that has been associated with the job postings.

When you do this, I think that it is important to provide a range – giving a low number and a high number. By providing a range, you give the prospective employer two things – 1) knowledge and 2) flexibility. The compensation range will enable your suitor to evaluate your talents and your interview based upon the numbers that you provided, and will enable them to make a judgment on your value to their organization. In addition, by giving the employer the range, you provide yourself the foundation for your final negotiation (if you are offered the role).

Let’s say that the employer offers you an amount towards the bottom of the range. You can let them know that although you like the position and opportunity, you were hoping for a more competitive number that was near the middle of the range you provided. You can even let them know that although they are not the highest offer, their opportunity is more appealing, and if they could adjust their offer upward to be in line with the others, you will accept their offer.

On the other hand, if in the end you only have the one offer in your possession, you may just decide to accept the offer as is, and ask the employer when your compensation would be evaluated, and on what criteria you will be judged.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Compensation, Interviewing, Position Selection, Recruiting | 1 Comment 

Career Advice Tuesday – “Forget the Love, Show Me the Money”

February 14, 2012

Dear Infosecleaders:

I am looking for some help in my current situation and hoping that you can provide me some guidance. 

Currently I am working as a senior information security engineer for a Fortune 1000 company.  I work for a company that has recently awoken to the importance of information security, due to a security incident a year or so back. 

At the time of the incident, I was the only information security engineer at the company, since then we have begun to hire some other information security talent to augment my efforts.   Although the additional resources have been helpful, I am still viewed as the go to person by both my CISO and some of the other business and technology leaders.    Because of this, many of the key projects fall on my plate. 

I am pulled in many different directions, work about 60 hours a week, and have been consistently told by many that I am doing a good job.   There is no shortage of love to go around, and I definitely feel appreciated.   During the year, I spoke with my CISO that the workload was getting to me, and he asked me to “hang in there” and assured me that I “would be taken care of.” 

I had no reason not to believe him, as he has always been honest with me.

The other day I was called into his office, where we had a scheduled meeting regarding my review and my compensation for the upcoming year.   During the meeting he explained to me that the company had a down year, so my bonus would not be great.  In almost the same breath, he revealed to me that my salary increase would be about 4% – slightly above cost of living.

I left the meeting disappointed and feeling both betrayed and misled. I was expecting my boss and the other managers who sang my praises to fight for additional compensation for me, considering the value I provided to them.

Quite frankly, I am not looking for love any more, what I am looking for is money. 

Do you have any advice for me?  How can I get them to show their love in dollars?

Your help is appreciated,


Infosec Romeo


Dear Romeo:

I can understand why you feel the way that you do. It is clear that you take a great deal of pride in your work as an information security leader, and that you feel that you have gone the extra mile in demonstrating both your passion and commitment to both your CISO and the other managers that you have supported.

I also understand that you had some personal expectations of financial reward in return for the personal sacrifice that you made for your employer by working additional hours and delivering results to the people who counted on you.

Feeling betrayed because they did not return the favor is only logical.

One thing that I can tell you is that you are fortunate that your employers let you know that you are important and appreciated; however, talk is cheap. If your account of your extra effort and results is indeed factual, then you are justified in feeling that your managers should have fought harder for you when it came time to reward your performance monetarily – in terms of both your bonus and your raise.

That being said, here is some advice that you may find useful:

First of all, you mentioned that your information security organization is not that mature and that information security has not figured prominently until a little more than a year ago. When organizations are in this transition phase, one of the things that usually lags is compensation for its staff members. This is probably one of the reasons that the new members of your information security team have not significantly reduced the workload placed on you. While your fellow workers are probably competent – they probably represent the best that your company could afford, not the best available talent. This is an organizational and human resources issue – that cannot be fought by one person, but you have the ability to help influence this by how you address your situation.

I would tell you that you should set up a meeting with your manager, and let him know in advance that the subject of your meeting is your disappointment about compensation. Prior to the meeting, I would spend some time and write down all of the accomplishments that you have had in your role over the past year. In addition to this, I would pull all e-mails from either your boss or the other managers that have sung your praises over the past year. What I would also do is put together your interpretations of the business impact made by your contributions.

During the meeting, I would let your manager know that the praise was appreciated, but that your skills have a great deal of market value outside of the company.  You can share with your employer that you have turned down countless overtures from recruiters and other companies in the area, promising bigger roles and more money, based on the promises that you would be “taken care of” for your efforts over the past year.    You can also share with your boss that you were counting on the bonus and the increase, and were personally let down and hurt by this decision.

I would let your boss know that you do not regret your decision to stay, because you accomplished a great deal, that you enjoy working at the company, and that you have been building marketable skills. However, you should let them know that you would hope that they may reevaluate their decision about your compensation and assess your skills versus the market. (Before you do so, make sure that you know the answer, and that you are paid either “at” or “below” your market value.) You may ask them to do a market study of what it would take for them to refill your position and contributions if they had to replace you.

Ask your manager if you could meet again in about a week or two (not longer) and ask them to reconsider their stance on both compensation components.

Taking this tack will allow you to speak your mind in a non-threatening situation. At no point do you threaten to quit or leave – but you imply that you have had other opportunities, have developed marketable skills, and that it may cost significantly more to replace you. You have allowed your employer and your manager to make a business decision based on fact and value, not based on threat and emotion.

Hopefully this will help you and your employers will realize that they have made a mistake in judgment.

When they do, make sure that you “Show them the love,” when they “Show you the Money”.

Hope this helps,
Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Compensation, Recruiting, Security Industry, Skills | 1 Comment 

Career Advice Tuesday – “Surprise Bonus”

December 20, 2011

Dear Infosecleaders:

Last week I was pleasantly surprised when my employer presented me with a year-end bonus of $10,000, which is more than 15% of my current salary. I know that this should be a reason to smile, but let me tell you about my predicament.

I am currently toward the end of an interview process with another company, for a position that mirrors my current one.  I will say that the main reason that I was looking was that I felt that I was underpaid in my current role, and in my exploration of the market, I found my assumptions to be correct.   However, if it was not for the money, I would stay at my current employer – they treat me well, I have flexibility, and I am able to pursue some of my interests in information security research.

In addition to the bonus, the President of the company called me into his office, and told me that they are in the process of reviewing their compensation programs, and that he hoped that I would view the “Surprise Bonus” as a demonstration that they were taking a proactive approach to compensation of their key employees. 

My question to you, is how should I handle my current interview process?  Should I let my employer know that I was looking?   Do you think it is possible to maximize my employer’s current generosity to get additional compensation benefits? 

Look forward to hearing back from you,


Jack Pot


Dear Jack –

First of all, congratulations!  No matter what the reason, it is always good to receive money that you were not expecting based upon recognition of your performance and your contributions.

To address your questions, in order:

Question 1) I think at this point it is wise for you to continue on in your interview process, for the simple reason that you have already invested your time, and you have the right to attempt to reach a conclusion and truly understand your external market value. That being said, if you are offered a position, I would think long and hard about accepting it, based upon your employer’s recent actions.

The reason for this is that I really do not think it is a great career move to change jobs just for money – unless you are being taken advantage of, or your life situation dictates the immediate need (like having a child or financial obligations). The way that you described your job search, it appears that your move would be lateral in nature – and your job responsibilities would not change much at your new employer.

Questions 2 & 3: I do think that you should utilize this situation to your best advantage, and by that I mean that you should take this as the opportunity to open up the lines of communication with your employer. Their actions have demonstrated that your contributions are valued, which should mean that they care about your opinions.

I would tell your employer that the compensation situation was a great source of concern to you, and their gesture could not have come at a better time. You can let them know that you are regularly contacted by recruitment firms and members of your professional community about other job opportunities, and that recently you have been giving them more consideration.

You can even let them know that at the time you received the “surprise bonus”, you were in the process of interviewing for another position, purely based on finances. You can even let them know that the other employer was offering to pay you an additional (X%) salary. At the same time, you should be clear to your employer how much you enjoy working there – due to the nature of the work, how you are treated, and your ability to explore your independent research and participate in the information security community.

Having this conversation will serve two purposes.  First, it will demonstrate your loyalty.  I know that this sounds strange, but by letting your employer know that you were looking based solely on compensation – you will provide them with validation that they made a wise business decision (by proactively giving you the surprise bonus) and will show them that you will be honest with them and that they can trust you.

Revealing to your employer that you have been looking can be risky, but under these conditions, it may be a risk worth taking. Considering that, by giving you this money, they have shown that they want to retain your services, your risk of being fired is almost zero (in the worst scenario, your ongoing interview process is your contingency plan, and your $10,000 can serve as a short-term severance). The additional upside to sharing this with your employer is that it should enable you to get other “requests” on the table beyond compensation – maybe for additional training, professional development, or the pursuit of your career goals.

I would tell you that you are in a good position and you have all of your bases covered – both internally and externally.  I would tell you that outside of unique circumstances, I would give your current employer the benefit of the doubt and remain with your current firm.

It appears that you have a bright future, and they recognize it!

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Compensation, Interviewing, Position Selection, Security Industry | Comments Off 

Career Advice Tuesday – “Should I Audition?”

November 29, 2011

Dear Infosecleaders:

I am a talented penetration tester and have been perfecting my craft for over a decade in both corporate and consulting work environments.  I have spoken at some of the major InfoSec conferences, have authored chapters of books, and have spent a good deal of time and energy in the development of my personal brand. 

Based on my industry reputation, I have been solicited directly by an internal recruiter of a technology firm that has well-documented information security issues. They would like for me to interview to lead their internal penetration testing initiative.

After the initial interview with the hiring manager, they have asked me to come in and perform a practical application assessment, prior to learning more about the position and the company. Generally speaking, I have some issue with this – as they sought me out for the role, based on my credentials.

I guess what I am asking is if I should be put off by being asked to “audition” for the role. I kind of feel that I am at a point in my career where I should not need to “audition”, and I find this to be quite insulting.

Do you think that I am overreacting? Would it be appropriate to tell the employer that I am not willing to be a part of their practical “experiment”?

Any help would be appreciated.

“Brad Pitt”


Dear Mr. Pitt:

The best thing that I can tell you is not to let your ego get in the way of a good career opportunity.

One of the primary knocks against information security professionals – especially penetration testers – is that their egos get in the way of their ability to conform to corporate cultures. This may be your opportunity to dispel this perception.

I would tell you that your willingness to conform to the company’s interview process and “audition” for the role, should be based on your level of interest in the opportunity and the knowledge of “what you are playing for”.    If you are genuinely interested in the company, the position represents a good career move, and the compensation is attractive to you – then I believe you should go through with the “audition”.

But before you do, I would tell you that you should adjust your attitude prior to participating in the exercise.  Instead of looking at the “audition” as a test of your talents, I would look at it as a puzzle or as a challenge like a miniature “capture the flag”.   What I would do is to use this scenario as a way to showcase not only your skills but also your thought process and problem solving abilities.  You should demonstrate your creativity in finding ways to discover vulnerabilities and maybe even point out solutions.

By raising the bar, you may create a greater desire to hire you for the role and this could even lead to some additional leverage in your compensation negotiations.

In closing, get over yourself, have fun with it, and understand that even the most proven talents have to audition – as the producers always have the final say!

Good luck,

Lee and Mike

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Compensation, Interviewing, Position Selection, Recruiting | 3 Comments 
