Career Advice Tuesday: “The Interview Batting Order; What Number Should I Hit?”

October 9, 2012

Dear Infosecleaders:

I know that you are a baseball fan, so I wanted to ask a themed question now that the baseball post season is upon us. The question I have is very simple and relates to interview mechanics and interview positioning.

From what I understand, for many senior level information security positions companies will interview between three and six people. I wanted to know if you felt that there was any advantage or disadvantage as to what order you interview in.

Some people have told me that it is best to go first, some say it is best to go last, and some people say that it does not matter. I would like to know what you think.


Mr. October


Dear Mr. October,

Very good question, and one that many people have differing opinions on. The question you ask is really: when is it the most beneficial to interview? I am going to tell you that in the end, there is probably no real difference when it comes down to decision making, but let me give you some strategies on what could be the best mindset depending on where you sit in the order.

1) Leading Off – If you are set up to interview first, you need to understand that you are setting the standard for all other candidates who will be interviewed for the role. The key to going first is to go into the interview with the goal for the hiring manager to decide that you are the best candidate for the role, and cancel the others. Although this will likely not happen, you can try your best to help them arrive at this decision by making a memorable impression. The best way to do this is to excel at some of the intangibles – focusing on your alignment with the company’s culture, your appearance, and your communication skills. In essence, when you go first you will need to emphasize style as much as substance. The reason for this is that by the end of the process the interview team may get confused because all of the candidates will have good skills; however, the sharper communicator, the candidate with the best executive presence, and the best fit with the culture will be more memorable.

2) The Middle – No one likes the middle, but I don’t think that this is a disadvantage if you have some goals going into the discussions. To me, the goal of a “middle” candidate is to exclude the candidate or candidates who have previously interviewed. In essence, the candidate should go into the interview with a competitive attitude, since based on the fact that there is more than one candidate, this is now officially a competition and the interviewing team by nature will compare candidates. One piece of advice would be to ask the interviewers questions about what qualities will make the person successful in the role, and to continue asking questions geared to understanding the ideal fit, what is missing, and what are the key problems that need solving. By doing this, you may be able to get the interview team to reveal some of the shortcomings of previous candidates or to describe what attributes an ideal candidate will possess. Once you have your answers, it is your duty to demonstrate value and to emphasize your strengths in this context – effectively blowing out the competition and positioning yourself in a way where the decision should be clear, no matter who walks in the door next.

3) Hitting Clean-Up – or Going Last – I know that many people like this position, but it definitely has its drawbacks. If you go last, and the previous candidates are strong (see above), the interviewing team may view your candidacy as a nuisance and may not be fully engaged. However, when you go last in the interview process you have the ability to make a lasting impression and be top of mind during the evaluation process. You also have the ability to address any of the interviewers’ concerns about the role and the other candidates’ deficiencies. So, the best way to attack this interview is to combine the approach of the first two suggestions – combine both style and substance, and most of all compete! However, there is one thing that you can do in this position more so than in the others: you can “Close the Deal”. When I say “Close the Deal”, what I mean is that you can let the interviewers know that you want the job, and leave little or no doubt that if offered you will accept it. Not that you cannot do this in the other interviewing positions (and you should), but when you interview last, it is most powerful.

There is some additional peace of mind for the interviewing team in knowing that they will have their position filled after the long interview process. Leaving the interviewers with the confidence that they are not going to leave the process empty-handed could be a huge advantage. Everyone likes a sure thing, and if they believe that you embody that, that could bode very well in the final decision making process.

Ideally there is no right or wrong answer here. In the end, in most interview processes talent usually wins out. But remember that all interviews are competitive situations, and you need to be prepared to successfully compete against your peers no matter when your meetings are scheduled.

Hope this helps – Enjoy the playoffs!

Lee Kushner


Career Advice Tuesday – “Past The Expiration Date”

September 12, 2012

Dear Infosecleaders:

Currently I am at the end of a job search.  The interviews have gone great, I really like the company, and I am on the verge of becoming a CISO for the first time in my career.  For about 95% of the process, I have been on “Cloud Nine”. 

Unfortunately, my process may have hit a snag, and I really need your advice to potentially avert a catastrophe. 

On the company’s application they asked me to list my current professional certifications.  I listed my CISSP and my CISA, which I know are current, but I also listed a couple of technical information security certifications that I received earlier in my career.   My assumption was that these certifications were current.

I received a call the other day from the background check company asking me to provide some proof of these certifications. I did some checking, and I do have the actual certificates; however, during my discovery I learned that these certifications have definitely expired.

Here is my issue; technically, I have misrepresented myself on the background check form, which I know speaks to my credibility.  At the same time, these certifications are not even applicable to my hiring or the qualifications that this information security leadership role requires.

Do you have any advice on how I should handle this situation, to preserve this opportunity? On one hand I want to come clean and let them know of my oversight; on the other hand, since these certs are secondary, they may not even be verifiable, which would mean I would draw attention to something that will be irrelevant.

If you could let me know, that would be great. 


“Certifiably Expired”


Dear “Expired”:

My advice is simple but it is two-fold.  It will be short but sweet.

First of all, “tell the truth”. What you need to do is to be in front of the story and to let them know that you made a mistake, and you want to bring it to their attention. You can let them know that your assumption was that these certifications were granted for life, and to your knowledge you did not need to renew them. If they question your sincerity, you can point to both your CISSP and your CISA, which are both current and in good standing, to demonstrate that renewing your certifications is a standard operating procedure for you. In addition, the fact that you can produce the actual certificate as proof will at least demonstrate to your new employer and their background check company that you did actually achieve the certification and your initial statement was indeed accurate.

Secondly, whenever you speak about this, and to whomever you discuss it with, make sure that you do not make this a “big deal”.  You should not send e-mails, or contact the senior members of the interview team – you should just deal with the background check company – and should do so via the phone, so that nothing can get forwarded to people with decision making authority for your hiring, who may have dogmatic views about this violation/oversight.

If you make it a big deal, it looks like you are attempting to cover it up and you got caught. If you make it like it is just an honest mistake, you may get them to overlook it altogether and it will most likely become a footnote, and not even become an issue.

What can be learned from this is that when filling out an application, less is more. Only include things that are essential and that you know you can verify. If you cannot be 100% accurate, omit it; you can always complete it at a later date.

Hope this helps and it works out for you.

Lee Kushner


Career Advice Tuesday (Returns) – “Why Are You Leaving?”

September 5, 2012

Dear Infosecleaders:

I’m currently responsible for a security program for a large enterprise. Before taking this role a couple of years ago, security was not a concern for this company, and I believe I’ve made strides in correcting this. However, I feel that I’ve accomplished as much as will be possible given the corporate culture from the top down. The board and company leaders are much more risk tolerant than I am personally comfortable with. This goes beyond a difference of opinions – I have been asked to back down from a number of very basic security policies (i.e. must have a password on a smartphone) because leaders would rather deal with a potential security breach than with dissent in the ranks as a result of changing basic behavior. I do not believe that my personal ethics and pride in what I do will allow me to continue to brush security gaps under the rug because they are inconvenient. As a result, I am slowly beginning to investigate the job market.

My question – when asked the inevitable “Why do you want to leave company XYZ” question in an interview, how do I portray my personal integrity and ethics in a way that does not sound like I’m trashing my employer?


 “Looking for the Right Words”


Dear  “Looking”:

First of all, I want to thank you for this question, it is a very good one and it generally requires a delicate response, mainly due to the fact that the interviewer likely has preconceived notions of what an acceptable response would be.

Before I answer, I want to tell you that I think that this is the worst interview question and in all my years as a recruiter, I believe that this question should really be irrelevant to someone’s interest in a particular opportunity and here is why:

 There is really no good answer

“What is a good reason for leaving?” – I mean really, if things were good, would someone really be leaving?

Here are some common Question/Answer responses:

1)   If you say something like “I got passed over for a promotion” – the interviewer worries that you are not that talented and that if you are not promoted on your timetable you will leave. 

2)    If you respond saying that you are “looking for more compensation” – you are effectively a mercenary.  You are now labeled as greedy and money motivated, looking for a job for all the “wrong reasons”, or willing to move again for the next biggest pay day.

3)   If you say that you “do not like your manager’s style” – then you are all of a sudden difficult to manage and red flags go up.

4)   If you say “you do not like the work environment” – you are now a malcontent.  

5)   If you tell them that you want to “work with smarter people” – you are now labeled as cocky and conceited.

6)   If you say that the “commute is too long and the hours are too intensive” – they question your work ethic.

7)   If you state that you want “to work for a better company” – you lose a majority of your leverage and negotiation power.

8)   If you state that you “have a problem with your company’s integrity and how they do business” – you are now either a “whistleblower” or have a “god complex”.

Believe me, I can go on and on, but I will leave off at your question and try to help you find a better response.

One of my beliefs about interviewing is that the most successful interviewees are effective storytellers. The best interviewees are able to share their experiences in a way that points back to an underlying theme that will enable them to reemphasize a key characteristic or skill. In essence they take something that makes them unique and attractive, and they share experiences that force the interviewer to draw a conclusion aligned with how they want to be portrayed. This enables the interviewee to get their point across more gently, and allows them to paint a picture of both their skills and their character – focusing on the whole “body of work” and not just one particular experience.

In a situation like this, my advice to you would be to build a theme of “ethics and integrity” and make that your interview story.  You may be able to begin your story with the reason you were attracted to information security as a career.  You then may want to speak about managers that you worked for that reinforced this concept and discuss situations where your ethics and integrity were critical in helping both your employer and team accomplish its goal.   You can even lead up to your current role, and speak about why you accepted it, discussing how when you began the role and established the function, that this was a main driver in making that decision.

Now, if asked why you are looking, you can simply state that the company and the people whom you work for now, are much different than the company that you originally joined.   This will subtly reinforce your “theme/story”.  The interviewer should be astute enough to draw their own conclusion without you having to verbalize this.

You can let the interviewer know that one of the reasons you are interviewing at their company is that from what you have learned and read, it appears that their company’s values align well with your values. You can then turn the interview around and ask them some questions on how ethics and values affect their decision making process. Hopefully they will provide you an answer that will make you feel more comfortable about joining their team!

Hope this helps you.


Lee Kushner

If you would like to speak more about this and your pursuit, please either contact my office, or send me a number where I may reach you.


Career Advice Tuesday – “Am I Just ‘Changing Golf Shirts’?”

August 7, 2012

Dear Infosecleaders:

I am currently working as a penetration tester for a pretty large company.   Prior to this, I worked for another large company, doing similar work.   My current job is going well, I have a very good mentor, my company has been supportive of my professional development, and I like my hiring manager – as I feel that we have established an open line of communication.   

I do have two complaints.  First of all, I believe I can do more.  Secondly, I believe that I travel way more than necessary to perform my duties.

I recently completed an interview process with a much smaller company that is in the middle of a growth spurt.  Although they are much less structured, the people are very smart, and they have some focus in an area that interests me a great deal, Mobile Security.  I believe that it is set up to enable me to take some leadership in this area.  The position does not require a great deal of travel, and it will allow me more time to get involved in my local professional community.

The money for the position is very similar to my current role; however, the position offers some stock, which is exciting to me.

I have listened to your advice in the past about avoiding jobs that just provide the opportunity to “Change Golf Shirts”. I would like to know if you think I am doing this if I join the new company and accept the offer.

Any advice would be appreciated.


“Tiger Woods”


Dear Tiger:

Based on your description above, I do not think you are “Changing Golf Shirts” at all; in fact, I think that these two opportunities are unique and very different.

Here are my thoughts:

1)   First of all, the company you are joining appears to be a “Start-Up”, and it does not appear that you have any of that experience.   Having the experience working at a “Start-Up” is unique, and I think that if you enter into that environment you will learn things about yourself that you would not have in the larger companies that you have worked for.

2)   The new company appears to have some good alignment with your interests, which is great. Not saying that your current employer doesn’t, but it appears that you will be able to take more of a leadership role in this area in the new company. Smaller companies are great for this experience. Whereas in a larger company there are more resources to compete with, a smaller company provides more opportunities to create more of a “Professional Brand.”

3)   You are going to work with “Smart People”.   Not that you do not already, but the only thing better than “Smart People” you know, is “Smart People” you do not know – because if you take this job, your “network of Smart People” just got much larger.

4)   You have some earning potential with the stock options. No, you probably will not retire, but stock options provide some upside earning potential that you are not getting in your current role. As a “Pen Tester” there is a standard comp range that you are restricted to, based on the market, so compensation for a new job is never going to be that significant of an increase. In that case, Stock Options provide you with a possible accelerator of your earnings. Even if they are worth nothing, there is no risk for you, as your compensation is going to be equivalent.

5)   You can always go back to the big company.  Even if your current company will not have you back, there will be another big company that will take you back, and they will probably be willing to pay you a little more money to go work there, again you do not have any risk.

My feeling is that you should take a shot on the new company, and see where it goes. Use the opportunity of not traveling to become more involved in your local community, become known to more people, and really sink your teeth into your interest in “Mobile Security” – and become more visible.

If you maximize this opportunity, it will be much better than trading for a  “New Golf Shirt.”

Hope this helps,

Lee Kushner


Career Advice Tuesday – “The Ol’ Bait and Switch”

July 31, 2012

Dear Infosecleaders:

For the past two months I have been in the middle of an interview process, for what I believe to be a pretty senior role.   The role was a promotion from my current duties, and it was to provide me with a larger team of people, a bigger scope of responsibilities, and a larger compensation package.

During the interview process, I confirmed that the scope of the role was larger with both the hiring manager, and the hiring manager’s manager.  This was confirmed both on the phone and via e-mail.   I also had detailed discussions with the human resources person at the onset of the interview process about my compensation requirements and what it would take for me to give up my current role (where I am quite happy).  I received assurances that this would not be an issue.

Well, I finished the interview process and the offer was incredibly disappointing.  First of all, the role on the offer was for a lower level (similar to my current job) and the compensation was for 20K salary less than I requested.  

The hiring manager told me that I should “trust them”, and they just had to smooth things over with the incumbents before they made the announcement. They also blamed the whole compensation thing on the HR team, stating that “they’d see what they could do”, but could not go much higher than the initial offer.

Do you have any advice for me?  Should I trust them?  I feel so deflated as this was a job that I saw as the next step in my career  and I feel that I have been “bait and switched” and taken for a fool.


“Cadillac Man”


Dear “Cadillac Man”:

Beware: if you take this job, you are going to get a “Clunker”.

There is absolutely no excuse for two hiring managers to tell you something in writing about a position, and then not be able to back it up in writing and in an offer. The concept of “Trust Me” should be applied to minor details of a job offer – like a work at home policy, or extra vacation – but for something as important as the core reason that you were interested in the job, NO WAY!

Secondly, think about the organization that you are heading to. The hiring manager blamed the HR person. Whether that is true or not, this is very telling of their personal style and the corporate culture you will be heading into.

At this level of a search, if you were a key hire and being recruited for a “Senior” role then compensation should be something that should be able to be worked out if both sides are reasonable.   Without having the details, maybe a request for 20K more than they offered was a bit aggressive – but I would figure that they would have taken a much different approach.

Also, at this level, if they really want you and you really wanted the job, this process of compromise would be easy.

The translation of their offer  is as follows:  

We liked you a great deal.  We feel that you would be good for the role/level where you are currently performing at (at your other company).  We do not mind paying you a little more to do that role at our company.  It is possible that you will have the ability for a larger role, but it will not be on DAY ONE!   You are welcome to try out for that role once you are an employee and prove yourself in our organization.

However, they have elected to be dishonest with you and try to sway you otherwise.  I can assure you that if you accepted the offer to work for this company, that this would not be the last of the unwelcome surprises.

Hope this helps,

Lee Kushner


Career Advice Tuesday – “On Second Thought”

July 24, 2012

Dear Infosecleaders:

Currently I am a Chief Information Security Officer at a medium size company. About a month ago, I engaged in an interview process to be a CISO at a much larger company, and I was offered the position. The role was quite appealing, but after some deliberation with my family, we decided that the location was not going to be right for us, so I called the hiring manager (CIO) and told them that I would have to decline.

He understood, but he was obviously disappointed and a little frustrated.

Well, time has passed and I just can’t seem to get the opportunity out of my head.   I really think that it was a very good career move, the money was good, the relocation package was solid, and my husband has become more receptive to the idea, finding certain elements of the location that would appeal to him both personally and professionally.

My question to you would be how could I reengage them? Is it possible? Have I ruined my chances?


“On Second Thought”


Dear “Second Thought”:

The answer to your question is – “No, you have not ruined your chances” and “Yes, it is possible to reengage them,” and due to the reasons that you provided, and the way you have handled it (as stated), it may be welcomed.

How you reengage them is important, so here are some steps to follow:

1)   Inform your source of introduction.  If you worked with a recruiter, you need to let them know, as they may have some more knowledge on the current status of the search.  They also may be able to get a better feel for how the company really felt about your original decline of their offer.

2)   Call the hiring manager directly. I am a big believer in going to the source. The fact that you called the hiring manager to decline the offer should work to your advantage this way, as it created a communication channel. When you call them, make sure that you explain to them that the reason for changing your mind is that your family is now receptive to the move, and that was the only reason you declined the role in the first place. Explain to them why they have come around, and you can include something like: “My husband knew that I wanted this job, and it has all that I have talked about since I declined. He is fully supportive.”

3)   Do not renegotiate anything:  You lost this privilege when you declined the offer, so do not even attempt to  do so, as this will take away all good feeling.  (Conversely, if they contacted you to reengage, you may have some leverage – but in this case you don’t.)

4)   Give them a quick start date.  Let them know that you could be out there in three weeks or less.  This will show them you are serious, and ready to go.

Sometimes many of the best career decisions have been the result of elongated decision making processes. Give yourself some credit for rethinking your original decision.

Let me know how it turns out.   Hope this helps.

Lee Kushner



Career Advice Tuesday – “Do I Get On The Plane For The Final Interview?”

June 26, 2012

Dear Infosecleaders:

I am in the middle of an interview process and I am looking for some guidance. 

I was approached about an opportunity from a past co-worker, about joining his new company.  The role that he approached me about was basically similar to my current role as a GRC consultant, but it was a bit different.    My friend’s new company paid about 10% more, had better benefits, provided more training budget, and would allow me to travel less.   When I first learned about the opportunity, I was quite excited, and I felt that this would be the best of both worlds.

For the past three weeks I have been going through a series of preliminary interviews that have all gone reasonably well.  The interviews have tested my expertise and have provided me with opportunities to ask questions.    The answers to my questions have been consistent, and nothing that I have learned has been negative.   Based on my performance and my friend’s recommendation, the company has invited me out for an in-person interview.

Initially, I consented to go on the interview, but I am now second-guessing my decision making process.   After giving greater thought to the opportunity, I have come to the conclusion that there is nothing truly unique about it.  It is essentially the same job, in a smaller environment, but my responsibilities will almost be the exact same.  

At this point I am thinking about changing my mind and not going out to the interview.  What do you think about this?  Do I have anything to gain by getting on the plane?


“Window Seat”


Dear “Window Seat”:

My advice is to definitely get on the plane, and here is my main reason:

You have absolutely nothing to lose and everything to gain. In essence, you are playing with house money. (Well, the only thing you have to lose is a vacation day – and the assumed risks associated with air travel.)


First of all, you have already participated in the new employer’s part of the interview process, and have passed.  You have established your credibility, have answered their questions, and have gone through a process that they have dictated.  In essence, if all of these phone conversations were to assess your skills, the in person interview is going to provide you with the opportunity to assess the new company and the opportunity, and learn first hand the answers to your questions.

They should include the following:

1)   Is this new employer truly better than my current employer?

2)   What freedoms and opportunities can I get in my new job that I cannot receive in my current position?

3)   What is the opportunity for growth?

4)   Is the compensation increase going to be significant?

5)   Is my quality of life going to improve?

While your in person interview is still a test for your skills and abilities, the balance of power has definitely shifted slightly to your favor, as the new company is not incurring the expense to interview you if they don’t believe that it is more than likely you will be an asset to their company.

By placing yourself in the situation to ask questions that are important to you – and were the initial reason for your interest in the role – you will enable yourself to truly vet the opportunity.  Gaining a first hand look at the opportunity, and having your questions answered is really the only way that you can truly determine if the position, the company, and the management team will provide you with the framework for an improved career and quality of life.

Once you receive the information and are able to process it first hand, you may arrive at one of three conclusions -  you should remain at your job,  you should join the new company, or you should join the new company if the compensation/offer terms warrant it.

In any of these cases, the decision will be in your hands and you will have the data to make the best decision possible.

Enjoy the complimentary pretzels (do they still do that?),

Lee Kushner


Career Advice Tuesday – “Flooded By LinkedIN”

June 12, 2012

Dear Infosecleaders:

A few weeks back,  I was informed by my manager that my company was looking for an information security engineer to help us round out our team.   In a team meeting, my peers and I were asked if we would be willing to recommend someone for the role.   During the meeting, we were asked if we could publicize this opening to our professional networks, specifically LinkedIN.

As a good employee and team player I have done this, and posted the position to both my networks and the LinkedIN groups where this type of role would be suitable. My initial thought was that this would be quite easy, as my posting would net a couple of qualified folks, and the hiring process would be smooth.

This has not been the case.  In fact it has been a nightmare.

Since posting the role, I have received over 70 inquiries about the position. This has included many people who are either not qualified for the role, do not live anywhere near the position’s location, have greatly surpassed this type of position, and some whom I know well enough to know that I would not want to work with them. The responses have included resumes being sent to my personal address, phone calls off hours, and other intrusions that really lay outside the context of my role. I simply do not have time to respond to all of these people, am unsure of the proper etiquette and I feel that in doing so, I may damage some of my relationships.

I wanted to raise this point out to the Infosecleaders community and wanted to see if you had any advice for me – to help relieve me from the burden of my current situation.




Dear Noah:

You are witnessing first hand that there are a lot of personal obligations that go along with engaging your network, especially in the context of recruiting.

Let me give you two pieces of advice that may help you alleviate your current pain:

1) The first is to change the LinkedIn posting or take it down. If you decide to take it down, make sure you speak with your manager, and let them know why you are doing so, and the problem this has caused you. If you do decide to keep it up, what I want you to do is to attach a line to the bottom of the posting that states:


Something like this should help you draw some clear guidelines and remove you from the communication loop.

2) The second is to collect the e-mail addresses of all 70 folks who have responded to this posting and write an e-mail, with a confidential distribution list, that states the following (please make sure that the distribution list is confidential):

Thank you all for your response to my posting.  I have sent all of your responses to our human resources representative who is responsible for the recruitment process for this position.   Your credentials will be reviewed by the hiring manager (which is not me!) and if there is interest, you will be contacted to engage in our interview process.   I wish you all well in your pursuit of this opportunity.  As you progress deeper in the interview process, I would be happy to share with you my personal experiences as an employee of _______________________ and as a member of the Information Security team.

Hopefully this advice will alleviate this burden and help you return your focus to your role as an information security professional, and your recruitment career will be a brief one!

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Recruiting, Security Industry, Social Media | 1 Comment 

Career Advice Tuesday – “The Artist Formerly Known As ‘QSA’”

June 5, 2012

Dear Infosecleaders:

My question centers around my resume and my application for an information security position. 

First some background.  I used to work as an information security consultant at one of the largest PCI consulting firms.  When I worked at the company, I was a QSA and held other related PCI Certs.  When I left that firm, I went to work in a consulting firm that was not a QSA, so I had to allow my QSA to lapse. 

Recently I have decided to leave consulting in order to locate a position at a corporation, where I can help them with their governance, risk, and compliance initiatives.  I have located an opportunity with a retailer, who has posted for such a position, but the job description states that all applicants must be QSA Certified.

I know that I can do the job.  My skills as a QSA have not lapsed.  Quite frankly they were not that difficult to acquire.   However, I cannot claim that I am currently a “QSA”.   

I think that I have two options – either to list it on my resume, and explain it later – or to list on my resume that I am a former “QSA” – however, I feel that this could be received negatively by the internal screener.

Can you provide me some advice?


The Artist Formerly Known As “QSA”


Dear “Artist”:

This is a very interesting situation.

Your example points out the exact problem with keyword screening criteria, and job descriptions written by the uninformed. What may also be funny is if the internal screener was also screening out candidates who currently work at consulting firms, which in essence would eliminate the entire candidate pool and leave the position unfilled.

First of all, you can never ever misrepresent the truth on a resume. This is a show-stopper and a red flag, and it calls your integrity and ethics into question. Companies will check your certifications, and when it comes up that you do not hold the QSA, your interview process will come to an abrupt end.

The best advice that I can give you is to list on your resume: “Former QSA”, Your Certification Number, and the Years You Held The Certification. You can also list your other PCI related certifications in a similar format.

Underneath your certifications and in the body of your resume, you should explain in one sentence or bullet point why your QSA certification lapsed. You need to show the screener that it is impossible to maintain a QSA without working at a Certified Assessor. If necessary, you can link a website that could reference this, so that they can validate it.

Unfortunately, we live in a world where not all involved in the decision making process understand the nature of qualifications for information security roles.  Considering that many in the HR field are trained to exclude on “key words” and not to investigate further, it is very possible to be overlooked for a role for which you are qualified and are an excellent candidate.

I would like to reiterate to all of the Infosecleaders in the audience, that it is in your best interest to assist your HR team members and educate them when you are enlisting their help in recruiting for an experienced information security professional.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Interviewing, Resume, Skills | Comments Off 

Career Advice Tuesday – “Making Them Wait”

May 29, 2012

Dear Infosecleaders:

I am in the process of making my first job change and I am looking for some advice.  I have spent the past five years of my career working at a corporate information security position, and I am looking to transition to the world of large consulting – for both the experience, the exposure and the compensation.

I decided to interview with a few consulting firms who have advertised similar openings. One of the firms whom I interviewed with, I really liked. They have a dynamic leader, a solid market presence, and they offered me a competitive compensation package. On its own merits, it is definitely an offer that I would accept and be happy with.

Toward the end of my process with them, I was then contacted by another large consulting firm, and I went on an initial interview with them, and it also went well. Although the roles are similar, the second firm is a bit more “prestigious” than the first, and in my opinion has a better external brand. After the initial interview, the internal recruiter told me that the remainder of the process would take an additional two weeks to complete.

My offer with the initial firm is roughly a week old and is approaching expiration.

I would like to know what my boundaries are here. I do not want to jeopardize my offer with the first firm, but I do not want to accept the role without hearing the second firm out, and reviewing their offer. Is asking them to wait an additional two weeks an option? Am I in jeopardy of “burning bridges”?

Any help would be appreciated.


Mr. Heinz 


Dear Mr. Heinz –

What you are really asking is how long is an acceptable time to “Make Them Wait” for your decision, without burning a bridge.

First some guidelines: an acceptable time to evaluate an offer is a week. If you were more senior, I could even see that 10 days could be acceptable, maybe even 2 weeks, especially if it involved a relocation. But at your level, a week is ample time; anything else is excessive and somewhat disrespectful.

While you definitely have the right to evaluate all of your options before making a job change, you have to remember that the practice leaders of these firms (who will be your managers and bosses) are highly competitive and have a good amount of pride (or else they would not be in charge). In addition, what would make losing this recruitment battle worse is the fact that they would be losing out to one of their competitors.

So you need to be careful.

To give you some perspective, I want to introduce a scenario to you, that should be able to provide you with clarity:

You go out and interview with a company. You interview well and the company states that they like you and believe you are a good fit. At the end of the interview process, they basically say this: “Mr. Heinz, you are an excellent candidate, have all the skills to do this job correctly, and we would want you on our team. However, in three weeks we are expecting to interview another candidate with very similar skills, compensation requirements, and personality. We would like for you to wait three weeks so that we can compare them to you, and so that we can elect to move forward with either you or the other candidate.”

How would you feel? How would you view the opportunity? Would you feel good about going to work at an employer where they have essentially told you that you may be a second choice, or a fall back option?

Chances are, your feelings would be hurt. All of the good will would be sucked out of the interview process and you would want to consider working at other places, not because of the role, but because of how you were treated.

This is how the hiring manager at the other firm feels as a result of your actions and intentions.

My advice would be to accept the position with the first firm.

The roles are basically the same. You are going to gain very similar experiences. The compensation packages are going to be very similar in the end as well (within about 5K). The first firm treated you well, you were comfortable, and you liked the environment; essentially, what more could you want? Large information security consulting firms basically have similar brands and are looped together; there is essentially no branding difference between consulting firms that offer a broad range of security consulting services.

If you turn this position down, you are essentially going to “burn the bridge” because of how you handled the process.

In the future, the way to avoid this is to let all of the firms that you are interviewing with know that you are looking to make a decision by a specific date. You can tell them that you would like to have all offers by a certain date, so that you can evaluate them side by side. By setting this expectation, you demonstrate that you are a good communicator, you are well thought out in your approach, and you establish ground rules so that they can control the timeline of your hiring process.

In closing, you are a first time job changer, so you should be forgiven for this. But you need to learn from this, so that you do not find yourself in this situation again in the future.

Hope this helps,

Lee Kushner


Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Career Advice Tuesday, Interviewing, Position Selection, Recruiting | 2 Comments 
