Last week I was pleasantly surprised when my employer presented me with a year end bonus of $10,000, which is more than 15% of my current salary.  I know that this should be a reason to smile, but let me tell you about my predicament..

I am currently toward the end of an interview process with another company, for a position that mirrors my current one.  I will say that the main reason that I was looking was that I felt that I was underpaid in my current role, and in my exploration of the market, I found my assumptions to be correct.   However, if it was not for the money, I would stay at my current employer – they treat me well, I have flexibility, and I am able to pursue some of my interests in information security research.

In addition to the bonus, the President of the company called me into his office, and told me that they are in the process of reviewing their compensation programs, and that he hoped that I would view the “Surprise Bonus” as a demonstration that they were taking a proactive approach to compensation of their key employees. 

My question to you, is how should I handle my current interview process?  Should I let my employer know that I was looking?   Do you think it is possible to maximize my employer’s current generosity to get additional compensation benefits? 

Look forward to hearing back from you,

Sincerely,

Jack Pot

Dear Jack –

First of all, congratulations!  No matter what the reason, it is always good to receive money that you were not expecting based upon recognition of your performance and your contributions.

To address your questions, in order:

Question 1)   I think at this point it is wise for you to continue on in your interview process, for the simple reason that you have already invested your time, and you have the right to attempt to reach a conclusion and truly understand your external market value.  That being said, if you are offered a position, I believe that I would think long and hard about accepting it, based upon your employers recent actions.

The simple reason for this, is that I really do not think that it is a great career move to move jobs just for the simple reason of money – unless you are being taken advantage of, or your life situation dictates the immediate need (like having a child or financial obligations).   The way that you described your job search, it appears that your move would be lateral in nature – and your job responsibilities would not change much at your new employer.

Questions 2&3 : I do think that you should utilize this situation to your best advantage, and by that I mean that you should take this as the opportunity to open up the lines of communication with your employer.  Their actions have demonstrated that your contributions are valued, so that should translate as they care about your opinions.

I would tell your employer that the compensation situation was a great source of concern to you, and their gesture could not have come at a better time.   You can let them know that you are regularly contacted by recruitment firms and members of your professional community about other job opportunities., and that recently you have been giving them more consideration.

You can even let them know that at the time you received the “surprise bonus”, you were in the process of interviewing for another position, purely based on finances.   You can even let them know that the other employer was offering to pay you an additional (X%) salary..   At the same time, you should be clear to your employer how much you enjoy working there – due to the nature of the work, how you are treated, and your ability to explore your independent research and participate in the information security community.

Having this conversation will serve two purposes.  First, it will demonstrate your loyalty.  I know that this sounds strange, but by letting your employer know that you were looking based solely on compensation – you will provide them with validation that they made a wise business decision (by proactively giving you the surprise bonus) and will show them that you will be honest with them and that they can trust you.

Revealing to your employer that you have been looking can be risky, but under these conditions, it may be a risk that can be worth taking.  Considering that they by giving you this money that they have shown that they want to retain your services, your risk of being fired is almost zero – ( in the worst scenario – your ongoing interview process is your contingency plan, and your $10,000 can serve as a short term severance) .   The additional upside to sharing this with your employer, is that it should enable you to get other “requests” on the table beyond compensaiton – maybe for additional training, professional development, or the pursuit of your career goals.

I would tell you that you are in a good position and you have all of your bases covered – both internally and externally.  I would tell you that outside of unique circumstances, I would give your current employer the benefit of the doubt and remain with your current firm.

It appears that you have a bright future, and they recognize it!

Hope this helps,

Lee Kushner

I am a talented penetration tester and have been perfecting my craft for over a decade in both corporate and consulting work environments.  I have spoken at some of the major InfoSec conferences, have authored chapters of books, and have spent a good deal of time and energy in the development of my personal brand. 

Based on my industry reputation, I have been solicited directly by an internal recruiter of a technology firm that has a well-documented information security issues.  They would like for me to interview to lead their internal penetration testing initiative. 

 After the initial interview with the hiring manager, they have asked me to come in and perform a practical application assessment, prior to learning more about the position and the company.  Generally speaking, I have some issue with this – as they sought me out for the role, based n my credentials.

I guess what I am asking is if I should be putt off by being asked to “audition” for the role.  I kind of feel that I am at a point in my career where I should not need to “audition”, and I find this to be quite insulting. 

Do you think that I am over reacting?  Would it be appropriate to tell the employer that I am not willing to be a part of their practical “experiment”? 

Any help would be appreciated.

“Brad Pitt”

Dear Mr. Pitt:

The best thing that I can tell you is not to let your ego get in the way of a good career opportunity.

One of the primary knocks against information security professionals – especially penetration testers – that their egos get in the way of their ability to conform to corporate cultures – this may be your opportunity to dispel this perception.

I would tell you that your willingness to conform to the company’s interview process and “audition” for the role, should be based on your level of interest in the opportunity and the knowledge of “what you are playing for”.    If you are genuinely interested in the company, the position represents a good career move, and the compensation is attractive to you – then I believe you should go through with the “audition”.

But before you do, I would tell you that you should adjust your attitude prior to participating in the exercise.  Instead of looking at the “audition” as a test of your talents, I would look at it as a puzzle or as a challenge like a miniature “capture the flag”.   What I would do is to use this scenario as a way to showcase not only your skills but also your thought process and problem solving abilities.  You should demonstrate your creativity in finding ways to discover vulnerabilities and maybe even point out solutions.

By raising the bar, you may create a greater desire to hire you for the role and this could even lead to some additional leverage in your compensation negotiations.

In closing, get over yourself, have fun with it, and understand that even the most proven talents have to audition – as the producers always have the final say!

Good luck,

Lee and Mike

I would like to ask you a question about a current situation that I find myself in regarding making a possible job change.

I am currently gainfully employed as a network security engineer, working in a consulting capacity (full time), where I am working for a large company in the DC area.   I also hold a security clearance, which is valuable in this market. 

My current employer treats me well, and I have comfort in my job stability, however it is accepted that the company pays about 80-85% of what the market should bear for the skills that me and my fellow information security professionals possess.   In the past, that has been fine, but currently my bills are beginning to pile up.  I have new expenses that come with a growing family (clothes, school, youth sports, etc) where the extra $15,000-$20,000 would come in handy. 

A fellow information security pro and ex-coworker recently reached out to me about joining a company that would agree to pay about 10-15% more than market rates, for my skills.  This would translate to an increase of somewhere between 25-35% of  my current compensation (considering I am 15-20% below market), which would be very helpful.  

It sounds like a no brainer, but here comes the catch(es):

First of all, the company is only adding to its staff because it has won a new government contract and has overpromised resources that it cannot deliver.  The company has not ever performed work for the entity, so there is a chance that they will not be able to deliver to the clients satisfaction.  

Secondly,  I have done my due diligence on the owner of the new company, and what I have learned has not been favorable.  I have heard from more than 5 people who have worked with this person at previous company that there business practices are questionable.  This includes making snap decisions about firing employees, occasionally missing pay roll, and mistreating business partners.

Here lies my question -  I really could use the money, but something inside is telling me that this new situation is not a good one for me.   My fear is that I will leave my “safe” position, and in a short while I will find myself in a precarious situation.

I really feel that I am making a “deal with the devil”

Any advice.

Faust

Dear Faust:

The best advice that I can give you is to listen to your gut.  If your gut is telling you that there is danger ahead, and that you may be making a “deal with the devil” you most likely are.

It appears to me that you have a great deal of responsibility to your family, and as you progress in your career (and life) these responsibilities are increasing and they are causing financial pressure.  While it is a “no brainer” that $30,000 more per year will ease some of that burden, but you may want to think about what you are really signing up for.

In essence, you are not signing up for a position with career progression and professional development, you are signing up for a 1099 contract position with an employer that is only interested in hiring you because it benefits them financially.  If the new employer fails on this contract,  you are going to find yourself without a pay check, without employment, and a difficult event to explain on your resume – that may make others question your competency or your judgment.

However, if you do decide that the extra money is worth the risk, then I would ask you to take the following precautions and steps:

1)   Before you accept the position, you should sit down with your current employer who has been good to you, and let them know of your financial situation and your need.  I would give them the opportunity to provide you with the additional income, prior to joining this new company.   You never know, they may decide that your skills merit this type of increase.

2)   I would ask you to ask the new employer for some sort of severance plan, in case the contract is lost, not as a result of your performance.  I would figure that it would take about 45 days for you to find a new role in DC with a clearance (at your old pay) so ask them for 6 weeks, and negotiate down to 30 days.   There response should provide you with more information about how they may value their employees.

3)   If they balk at this request, and you still decide to take the job, what I want you to do is to live on your old compensation, for the first six months, and save the rest.  After about 6 months, you will have about 6 weeks of emergency money saved up, which will serve as the funding of your own severance plan.    This will give you some comfort, if things do not go according to plan.

Again, without knowing all the details I can’t provide you with a definitive answer, however I find in most cases that the character and reputation of your employers are generally earned – both positively and negatively.   You should not believe that your experience would be any different than others who have come before you.

Best of luck,

Lee and Mike

On the surface, that should be great news.  However, with choices come decisions.    With decisions come mistakes.   It is our goal at Infosecleaders, to provide you with information and frameworks, to minimize your risks, and maximize your rewards!

Thanks to Jeff, Ping, and the folks  at Black Hat, today we have a platform to do this.

This afternoon, at the Black Hat Briefings in the Florentine Room – Mike and I are going to share our collected data on InfoSec Certifications (The Value of Cert Survey), help you beat out your competition for the “Good Jobs”  (Second Place Sucks),  provide you with a road map for developing your “future skills” (Infosec Leader of the Future), shed insight into the real world of hiring, recruiting, and interviewing  (The Other Side of The Desk), and  provide an open forum for you to ask your Information Security Career Questions (Career Advice Tuesday – Live – (in Vegas, it is always someone’s Tuesday).

Schedule- Florentine Room

1:45 – 3PM – Value of Certification Results & Second Place Sucks

3:15 – 4:45PM – InfoSec Leader of the Future & Other Side of the Desk

4:45 – 6PM – Career Advice Tuesday Live  and Predictions for the Future

We hope that if you are attending Black Hat, you choose to spend some of your afternoon with us, and take something away from the conference that you can apply to your professional growth and career development.

Look forward to seeing you,

Lee and Mike

The other day I learned that my information security program will be going through a reorganization. 

The good news is that as a result, I am receiving increased responsibility, visibility and exposure.  The bad news is that I am getting more work, more headaches, and I am not receiving any additional compensation.   

Needless to say, I am angry.

I really like my employer, but I consistently fight battles with management and human resources about my compensation.   Last year I received an “over market” increase (according to HR), which from my perspective was underwhelming, and did not reflect may contributions.    When I brought them “data” about compensation, they dismissed it.

Here I am again.  The pattern is repeating itself.   I am planning on putting my thoughts down in writing, in  a very direct letter to both may management and human resources, documenting and reflecting my feelings.

Do you approve of this approach?

Sincerely,

“Caesar Chavez”

Dear Caesar:

Before you decide to put your thoughts down in paper or in an e-mail, you need to ask yourself, “How good of a writer am I?”  By writing a note, your thoughts are going to be contained forever, and can always be referenced.  If your note takes an angry tone,  it can be viewed as a line in the sand to your current manager and employer, and it can force an action – which may or may not be worth the risk.

Personally, I believe that you should express your opinions verbally, in a meeting setting with both your manager and human resources present.  I think that you should set the tone of the meeting, by first letting them know that you appreciate their recognition of your contributions, by providing you with additional responsibility.

Once this point is conveyed, you should let them know that your expectation would be that once your prove yourself in this new capacity, that you be compensated commensurate with others across the organization who hold the same titles and responsibility.   During this meeting, you should ask your manager to establish specific metrics on how your performance will be evaluated.  In front of HR, you should ask for a follow up meeting so that these can be reviewed, and set up a timetable for an initial review (6 months may be ample time).  In these 6 months, you should work your butt off, to overachieve, to show them that they made the correct choice in giving you this opportunity.

By handling it this way, you are demonstrating maturity in your approach.  It is a common mistake for people to ask for money once given an “opportunity”, but the fact is that the extra money is earned once you prove that you can perform at this newly elevated level.

When the review cycle comes around, one of two things will happen – you will either be happy with you new position and increase, or your will be polishing off your resume, looking for an employer that appreciates your experience and newly learned skills.

Hope this helps,

Lee and Mike

If you are at Black Hat, please come by and introduce yourselves.

InfoSec 2001 – A Career Odyssey

The Professional Development workshop is a half-day program that is designed to inspire the Black Hat attendee to think about their career as an information security professional and assist them in their journey towards the achievement of their long term career goals.

The Professional Development workshop will be divided into five (5) unique information security career topics that will be linked by a common theme – Skill Development and Differentiation.

The program will consist of the following:

1)    “The Value of Information Security Certifications Survey” – Research Revealed – 1350 information security professionals responded to an independent survey on the topic – the research will be revealed

2)   “Second Place Sucks” – A presentation geared toward differentiating yourself from your peers (and your competition)

3)   The Information Security Leader of The Future” -  a presentation that will outline the skills that employers are looking for when identifying and selecting their information security leaders.

4)   “The Other Side of The Desk” – a panel that will explore the different attitudes and beliefs by job applicant and employer during the interview process

5)   “Future Predictions” and “Career Advice Tuesday- Live” – Future trends will be discussed and explored – and attendees will have the opportunity to ask questions about infosec related career topics

The workshop is designed as an interactive forum that should inspire some shared thought and debate between audience members and the presenters.

Attendees should understand that they can elect to either participate in the entire workshop, or to pick and choose from select sessions that have a particular interest to them.

Session Previews:

Session 1  – 1:45 – 3:00

“The Value of Information Security Certifications Survey”

Presenters – Mike Murray and Lee Kushner – Infosecleaders.com  

In February of 2011, Infosecleaders.com launched an independent survey on the value of information security certifications.   The value of InfoSec certifications is a highly debated topic in the industry, and this is the first independent survey that asks questions to information security professionals (certified or not) – their opinions on topics that include – the motivations for certifications, the impression of the certification bodies, the value of skills vs. certifications, and certifications effect on employment.  With over 1350 respondents, the results should be revealing and eye-opening.

Second Place Sucks -

Presenter – Mike Murray

So, if certifications are no longer the magic bullet to get you to your career goals, then what is.  The topic of strategic career investments and personal branding will be the focus of this presentation.  The presentation will be spent on how you can plan and execute on career investment strategies that will enable you to differentiate from your peers and successfully compete for promotions and external information security leadership opportunities.

(15 minute break)

Session 2 – 3:15 – 4:45PM

3:15 – 3:45PM

“The Information Security Leader of the Future” –

Presenter – Lee Kushner

The skills for information security leaders are changing quite rapidly.  As many companies are aligning information security with their core business and branding, information security professionals will need to evolve as well.  The presentation will break down the core skill components of what information security professional will need to acquire and demonstrate to be considered for leadership roles in the future.

3:45PM – 4:45PM

The Other Side of the Desk – Different Perspectives on the Interview Process

Moderator – Mike Murray

Candidate Perspective – Lee Kushner

Hiring Managers Perspective –    

Bill Phelps, Executive Director Accenture  

Justin Somaini, CISO at Yahoo!

Abstract:

There are two parties involved in every interview process, the information security professional (the applicant) and the hiring manager (the decision maker).   While in essence, both parties ultimately desire the same outcome, their motivations lie in different places.   This portion of the presentation will present to the audience the perspective of the candidate and the perspective of the hiring manager, in a way that will educate both parties and enable them to social engineer the interview process, to work to their personal advantage.

Bill Phelps:

Bill Phelps is an Executive Director in Accenture’s security practice, and has spent the past 25 years in technology services.  In the past decade, Bill has been a practice leader, company founder, board member and trusted advisor helping organizations with complex management and technology challenges in the areas of information security, data center transformation and technology strategy.     Bill currently has overall responsibility for Accenture’s security business in North America.  Bill is aggressively growing Accenture’s security team, and plans to hire over security 200 professionals in the coming year.

Justin Somaini:

Justin Somaini is the Chief Information Security Officer at Yahoo! where he’s responsible for all aspects of Yahoo!’s Information Security strategy.  With over 15 years of Information Security experience he’s seen as a leader in industry by promoting an evolution of the security and risk management models.  Through his public speaking and industry involvement he’s given extensive talks and interviews on the threat landscape, public policy, security management and risk management.  Prior to joining Yahoo!, Justin was the CISO at Symantec.  Justin has also held security leadership roles at VeriSign, Charles Schwab and PricewaterhouseCoopers LLP.

4:45 – 6:00PM

Predictions for the Future and Career Advice Tuesday – “Live”

Presenters – Lee Kushner and Mike Murray

The employment market is dramatically changing – and the closing session will begin with information security employment predictions (based on experience and research) for the next ten years.  Once completed, this will be followed by a version of “Career Advice Tuesday” – “Live”.   All attendees can have their personal information security career questions answered in an open forum.   Topics will include skill development, compensation negotiation, career investments, career planning, and anything else you want to ask about your Information Security Career.

I just graduated college, and was lucky enough to get a great job as an information security analyst.  It’s essentially a job I figured I’d have to work towards for two or three more years to get, but somehow I lucked out.

After several months, I now have an opportunity to go back to school for an MBA, as well as study Information Assurance with some really great advisors.  My grad degree would be completely paid for, plus a bit for living expenses, as they do not want me to work during school-time.  This would have been the perfect option had I not already gotten the perfect high salary job.

I ask, “To School or Not To School”

Sincerely,

Hamlet

Dear Hamlet:

I often like to begin to discuss advice like this by saying that you are very fortunate to have a decision on your hands, not a dilemma.  This is an excellent position that you find yourself in, and I am going to answer your question by posing some additional questions for you to consider as you are attempting to arrive at your own conclusion.

1) Do you have enough maturity to fully maximize the “Masters Degree” experience?

Plain and simple, a Masters degree, especially an MBA is a lot more involved than just attending classes and getting good grades.  A Masters degree will often introduce concepts that have more value when you can apply them to practical experiences, as opposed to just “school experience” – many people advise to go get work experience prior to pursuing an advanced degree, however, you have to figure out which situation works best for you, and often that comes being honest with yourself.

2) Your personal financial situation?  Are their any conditions attached to the money?

Having the opportunity for a third party to pay for your degree in full is a great benefit.  It is logical that a Masters degree could often cost up to $100,000, not including the time off of work.  This is a great deal of money to walk away from and this has to be a strong part of your decision making process, and weigh strongly on the direction you decide to take.

Additionally, in my experience a gift like this – a full education, and living expenses, rarely comes without strings attached.  If there are strings attached which creates an “indentured servant” type of environment, where you are forced into a direction that may take you on a detour, away from your near term career goals, this needs to be given strong weighting as you make your decision.

3) How good is your current job and what are you learning?

I know that you said you had a well paying job, but lets forget about the money for a moment, and consider the skills that you are learning in your day-to-day role.   It is most likely that your near term career opportunities are going to come from your practical experience as opposed to an advanced degree.   If you are gaining good experience, have a plan for additional training, and have a manager that fosters your career development, this can turn out to be more valuable than a Masters Degree.  Again, it is up to you to evaluate these components of your current opportunity and honestly assess them.

4) Finally, what is your gut telling you?

When you make any decision, the best thing to do is to trust your own judgment and stay true to yourself.  Considering that you cannot go wrong either way- that is you can always find another job, and the last time I checked, Masters Degree programs are not closing their doors any time soon – you really can not go wrong.

You are fortunate to have this opportunity chances are you are a bright young person with a big future ahead of you, so you will most likely have more opportunities in the future.  This decision has a great deal of magnitude, however it is not a “make or break” type of decision.  There really is no wrong answer.

As the holder of your own destiny, you ultimately hold the responsibility for your career – you will reap the rewards for good decisions, and have to address the consequences of incorrect ones.

Follow your gut, follow your heart, listen to smart people, and do not look back!

Let us know what you decide,

Lee and Mike

Currently I work as an Application Security Consultant where I have been engaged on a long term contract with a Fortune 1000 company.  The current engagement that I am working on, came about as a result of being laid off from a professional services firm during 2009.   I have approached the current client about becoming a full time employee, and they just do not have the ability to bring on a full time employee due to mandates that extend beyond information security and are dictated by the business at large.

Recently I was approached through a friend about an opportunity to become a Senior Application Security Engineer for a “Web 2.0” company.   There is no doubt that the work would be exciting and I would learn a great deal,  and on the surface the company seems like it is on good footing.  However, due to my past experiences I am not sure.

My current situation is a good one – I am paid well (more than the full time opportunity), I know that there is plenty of work for me, however there is not any real “career” opportunity because I am a consultant (and they will not make me an employee).    I think that for this reason, I would like to take the job with the “Web 2.0” company, but there is a voice inside of my head telling me that I should try to protect myself.

I am thinking about asking for a “2 year contract” in order to accept the role.  Is this possible?  If so, how should I ask the employer for this addition to the offer?

Regards,

LeBron

Dear LeBron:

Unfortunately for you, the rules that apply to highly talented all-star basketball players do not translate to highly skilled information security professionals.   The idea of a company extending a “2 year contract” to a senior engineer would be a new one for me.

To provide you with a point of reference, in 15 years of recruiting information security professionals,  I have never been a party to a search assignment that contained an employment contract like the one that you are requesting.   In fact, the longest severance package I have ever seen an employer offer was one-year, and that was offered to a CISO who was relocating his family to an area that he was unsure of moving to.

I am not sure that this will make you feel better, but in essence we are all free agents, and employees “at –will.”   As members of today’s information security work force, the development, maintenance , an constant enhancement of our skills serve as the fabric of our personal employment “contracts”.

Getting back to your current situation I do think that you should do some due diligence on your new employer and the role that you are considering.   I think that you should make sure for your own sanity that you do two things prior to accepting the role :

1) Make sure that you are comfortable with the career path that they have outlined for the position.    The reason I say this, is that if you do not think that the career path will help you grow your skills and prepare for the future, then stick with the contracting role – since the career path would be the main reason for leaving the world of contracting.

2) Make sure that you will excel at your new job.   Plain and simple, you are going to want to come in and make an impact – not struggle.  You want to make sure that you can exceed expectations and shine –not just be average.  Just being average will make you “another employee”, and in that case your career acceleration chances decrease.

Again, career acceleration and progression should be key, you want to make sure that you fee confident that these elements of your new role exist, and you can maximize them when they avail themselves to you.

Hope this helps,

Lee and Mike

I am a recent graduate of a Masters program with a concentration in Information Security and I am trying to make a decision about selecting my first job.

To give you some background, I have an undergraduate degree in Computer Science and have been coding since I am about eight years old.  During the course of my undergraduate studies I discovered information security, and I was hooked.  During undergrad I found internships that were centered on software development, but found myself looking for information security related problems to solve.

Upon graduation, I decided to pursue a Masters degree to learn more about information security, which I have.  The program has focused on some of the non-technical areas, which has really opened my eyes to some of the types of issues that I would like to focus on.

Now that I am about to graduate, I have two different opportunities to choose from – the first is a software development role (at one of the company’s where I interned) that has some components of information security.  The pay for the position is $75,000 and they will pay for relocation.  Also, the role is in an area of the country where the cost of living is relatively low, so the money will go further.

The second opportunity is to work in the information security function of a Fortune sized company, where I will work on security governance, risk, and compliance initiatives, in support of a Director.  That position pays $45,000, the relocation package is not as comprehensive, and the cost of living is much greater.   The upside is that the area has a thriving information security community, and I should be able to meet many other information security professionals.

One other point, I have student loans, no additional financial support from my parents, and a car that has about 160,000 miles.

All of my friends and parents have told me to take the higher paying job and get on my feet, but there is something inside me that tells me that the other job is better suited for my interests.

Any advice would be appreciated.

Thanks,

Mr. PIB

Dear Mr. PIB:

The best advice that I can give you is to follow your gut and follow your passion.  Wherever the destination you choose, make the best of it, and maximize its value.

While I am not going to give you an answer to your question – I am going to point out some facts that I think you should apply to your framework for decision making:

1)   You came to the realization through the years that Information Security is the direction you would like for your career to lead.

2)   You spent two years of your time and money attending graduate school to learn about information security.

3)   You have already worked in the environment (via internship) in the software development role, so you have some first hand experience on how they feel about information security and if you will be able to utilize your knowledge.

4)   It appears that your policy job is in an area where there is a thriving community and many other information security opportunities.  The software development job appears to be located in a more remote location without many other suitable employers.

5)   Only you know your financial issues, and can appreciate the effect that they will have on your living situation.   (We were all there once.)

Some other things that I will share from experience:

1)   You are at a point in your life where you have personal freedom and can follow your dreams.  As you get older, you will be forced to make decisions based on external factors, so my advice is to take advantage of this freedom – before you know it, it will be gone.

2)   As long as you keep your hard “technical” skills, you will be able to find employment.   For example, if the policy job does not work out, I am pretty confident you could call the other company and ask if they would hire you as a software developer.

3)   Dismiss the opinions of anyone who tells you to take the job that pays the best, exclusively on that criteria.  (This logic alone validates that they are amateurs, and do not understand a thing about your professional options)  This can be your parents, your significant other, or even a professor, at this stage in your life, money is a component of your decision, but should not be the driver.

4)   Whatever you decide, make the most out of it.  Work your butt off.  Meet as many people as you can – internally or externally – so that you grow your skills , your network and develop  your interests in information security.

5)   Don’t second guess yourself – try not to wonder “what if” – you decided differently, it may only make you crazy.

Like I said, I am not going to give you an answer on what I would select.  Now is about the time that all of your great education should come in handy!

Best of luck,

Lee and Mike

Currently I work in security operations for a Managed Security Service provider, and I am responsible for our company’s largest customer.  Supporting a customer like this requires 7X 24 effort – and I am often called upon for late nights and weekends.

Recently, my manager called me into his office, and let me know that our company’s sales team has acquired another “flagship” client, and we are going to need to provide them with the same level of support and client service.   The manager has informed me that they are going to want me to be the main point of contact for the client.

I first asked who would be taking over my previous responsibilities, and he remarked that nothing would change and I would be now expected to manage both clients.    When he told me this, my expectation was that this increase in responsibility (and time commitment) would coincide with a salary increase, but as the meeting drew to a close, it was clear that this was not on the table.

After thinking about this, I feel that I am taking advantage of.  The increase in work means more time away from my family, more weekends, more responsibility, and lets face it, more pressure.

Not quite sure that I want to take on all of this without any additional financial incentive.   I have flirted with leaving the company in the past, but like working here and believe in our mission.  In fact, the client that I am supporting has approached me a number of times to come work for them – and I know that this option is open to me.

Do you have any advice for me?

Signed,

“SOC-Sessful”

Dear “SOC-Sessful”:

First of all, congratulations for doing a good job and being recognized for additional responsibility by your manager and employer.  The fact that they have demonstrated this to you by attempting to give you additional responsibility provides you with an indication that you are valued and subsequently provides you with some leverage in these future discussions.

What we would like for you to do is to schedule a meeting with your current manager to discuss the new responsibilities and requirements.  During this meeting, you should have your manager clearly express any new requirements that they will have on you – this should include their expectations of additional time, service, skill, and availability.   Once your manager expresses this to you, you should first let them know that you are happy to take on additional responsibility,  but your expectations would be that if you are successful your expectation would be that you would receive additional compensation – in terms of salary, bonus, and equity (if this is an option) .   You should ask your manager to review these items with you, six months from today – and even ask them to calendar the meeting when your are in your office.   In addition, at this time, you should inform your manager that, beginning with the new assignment,  you would like to have some more discretion over your vacation/PTO time – considering your time away from your family will increase.

By doing both of these things you are setting some precedent with your manager:

1)   You are letting your manager know that you are willing to take on more responsibility and are willing to prove yourself without immediate reward.   This is a sign of maturity – and should be recognized.  At the same time, you are also letting your employer now that you have an expectation for a financial reward, if you perform your job well.   This gives your manager the necessary time to plan with their management to budget for these financial outlays.

2)   By asking for discretion on vacation, you are demonstrating that you will demand additional benefits for increased workload.  This sets a precedent to your manager that they can not give you additional work, for nothing in exchange and that your time is valuable.   Giving you discretion over vacation is something easy for your manager to provide you, without any permission from their management.

What you have effectively done is make some demands on your management without “holding a gun” to their head.

Once you embark on this new assignment, ask your manager to review you in 60 days, and 120 days, leading up to your six month review.  This will provide you with a documented status, on your performance.   During these meetings you can remind your manager of your expectations of increased compensation.   You should have a pretty good understanding of what your manager thinks of your progress and performance.

If in six months, you do a good job, you will have that meeting with your manager, and you should have your increase.  If you do not receive your increase, keep your client’s number on speed dial, as if they do not financially reward you, you will have no other choice but to leave.

The reasoning is that by ignoring your request,  your company will have effectively set the precedent that they can give you more work, without any additional  pay – and if you accept this, they will continue to do so.

Hope this helps,

Lee and Mike