Career Advice Tuesday – No Confidence in the New Regime

June 19, 2012

Dear Infosecleaders:

I am an information security engineer, and about six months ago I decided to change employers. The main reason for accepting the role was based on the connection and confidence that I had developed with the CISO during the interview process.

When I initially interviewed for the role, I was on the fence about accepting the offer. However, I had a dinner with the CISO and we spent the time together speaking about professional development and he assured me of his commitment to expose me to more of the business side of information security. The trade off was that I had to give him 12-18 months in a security engineering capacity. During this meeting he even shared with me about his own progression and how he had a mentor who helped him along the way in his professional development and ultimate transition from techie to Info Sec leader.

Well I bought in. 

About a month ago, I learned that corporate decided to make a decision and they have forced him to resign.  In his place, they have brought in someone internally, who is not an information security professional  (we will leave it at that) – and while he understands the company, he has demonstrated to me (and others) that he just does not understand the perspective of information security professionals or relate to them.    I know that many of my peers are actively interviewing and others have “checked out” hoping that the new leader fails.

As part of the transition, I had a meeting with him, and I shared with him the commitment that the former leader made to me to help develop my career beyond information security engineering. Although he was polite, my feeling was that he was not going to honor the ex-CISO’s promise to me.

Do I need to begin looking for a new job?  Any advice?


Vote Of No Confidence


Dear Voter:

One of my favorite sayings is that in the end you do not work for companies but you work for people.   In essence the company provides the framework but your manager has the real impact on your success and happiness.

You seem to be experiencing this first hand!

I think that what is particularly hard for you is that your decision to leave a good position was based upon the promises that your ex CISO made to you, and your assumption that these promises are going to be ignored.    It also appears that you do not have any confidence that the new CISO is going to make good decisions which are conducive to the development of the information security program and in essence your career.

Right now, the best advice that I can share with you is that you should give this person a chance. Considering that your new manager is going to be evaluating your contributions to the company, you should in turn be evaluating their performance as well, as it relates to the development of your career. Considering that the person is new to the role, and not an infosec professional, my advice is to be the best information security engineer possible, and really demonstrate your talents, your passion, and your willingness to make positive contributions. I would make it a point to really embrace the new leader, and demonstrate that you are there to support them.

Given the attitude of your peers, your positive attitude and work ethic should really stand out!

After doing this for ninety days or so, ask for a meeting.  At that meeting, you should revisit your conversation and your career goals.  At that point, you should see how receptive the new leader is.

If the new leader is receptive, you may have found a way to accelerate your career.  Keep working hard and contributing and see if you can produce some measurable results.

If the new leader is giving you lip service, ignoring you, and dismissing your requests – it is time to look for another role.   If the new leader does not recognize or appreciate you and your loyalty during this transition, it is likely that they are never going to connect with you or support your career development efforts.

At best you will be pleasantly surprised, at worst you can dust off the resume!

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Branding, Career Advice Tuesday, Leadership, Planning, Position Selection, Skills | 1 Comment 

Career Advice Tuesday – Why Info Sec Positions Go Unfilled

May 15, 2012

Dear Infosecleaders Readers-

Below you will find the unedited version of my latest article for Tech Target/Search Security – Information Security Magazine.  The article is designed to shed some light as to why companies have such a difficult time in filling information security roles.

Let me know what you think.

Lee Kushner


Why Information Security Positions Go Unfilled


While the national unemployment rate has been steadying between 8-9%, information security professionals have been enjoying newfound prosperity. Until recently, the information security function primarily held importance to industries whose success and market perception were tied directly to their customers’ trust, like financial services, and the federal government. Due to a unique combination of technological innovation, increased regulatory scrutiny, external threat, and social activism, corporations in industries that have traditionally ignored information security have begun to realize that the development of a competent information security function is a worthwhile and necessary investment.


When companies recognize that they are going to make this type of organizational commitment, their first order of business is to find competent information security talent to bridge their talent gap to address these issues. However, finding and attracting competent information security professionals to a new position is a lot more difficult than it appears. Companies quickly learn that the same strategies and processes that they apply to filling more generic business and technology roles do not necessarily translate to the recruitment of information security professionals. It is important for organizations and information security leaders to comprehend why information security positions go unfilled, so that they can make the proper adjustments to attract and hire this talent in a reasonable time frame.


The primary impediment to filling information security positions is geography. In many cases, the talent and skills alone would be difficult to find, however the need for an employee to be based in a certain location significantly impacts the depth of the candidate pool. For example, although the NY Metro area is filled with companies, positions based in locations like Long Island, Central New Jersey, and Southern Connecticut will greatly reduce the candidate pool due to commuting time. Conversely, there are many information security professionals who would not want to incur the additional cost of commuting into Manhattan. In the past, companies were much more amenable to relocating candidates to fill positions, however the economic events and the housing bubble have greatly reduced the ability for people to relocate or companies willing to subsidize these costs. In general, companies’ relocation packages have become less encompassing, saddling the candidate with additional expenditures if they decide to accept an opportunity and relocate. In these instances, the candidate simply cannot afford to accept the position, even though it aligns with their career plan and professional development.


The next major component in the breakdown of a recruitment process is in the area of compensation. When corporations are determining the compensation value of their job openings they traditionally consult specialized market research firms that provide them with this information. This compensation information generally equates to what the candidate, with the skills, already in the position should be paid. While this should serve as a good baseline, it does not take into consideration the recruitment premium that an information security professional, currently performing a similar role at a similar organization, would need to leave the comfort of their existing environment. For example, if a Senior Information Security Architect is earning “X” in their current role, the market data may be correct and instruct you to price the position at “X”. However, in order to be successful in attracting the Senior Security Architect to your team, you will need to price that position at “X + 10-20%”. In addition, many times compensation packages neglect to address existing financial and non-financial benefits associated with tenure at a current employer. Because money is fungible, financial benefits are more easily replaceable, however non-financial benefits are often more difficult to address. Information security professionals can place greater value on vacation time, flexible work hours, and telecommuting, and may be unwilling to relinquish these benefits. Corporate human resource policies may not allow you the flexibility to provide alternatives for these privileges.


An additional compensation based reason that information security positions go unfilled is due to internal equity.   Internal equity is the belief that any new employee’s compensation cannot be significantly more than their functional or organizational peers.   It is the information security leader’s responsibility to both address this within their teams and to educate their human resources staff  about the uniqueness of the skill combinations that they are attempting to recruit.


Before any major recruitment initiative, the information security leader must partner with human resources and perform a market based assessment of the skills and functions already performed by current information security team members. The question that should be asked is, “If I had to replace that person, what would I have to pay them?” In addition, the information security leaders should be aware of the value of their employees’ skills in the market place, and be proactive in their approach to aligning their compensation with both their internal contributions and external value.


In addition, it is commonplace for human resources teams to align information security compensation with other technical functions like network engineers, systems administrators, or software developers. It is essential for information security leadership to sit down with human resources and articulate to them why the skill combinations associated with the roles that they are attempting to fill are more complex and scarce than these technical resources. The information security leader should have a great deal of incentive to win this argument, because if the compensation packages are insufficient, positions will remain open for long periods of time or will be filled with substandard talent.


While these factors contribute to unsuccessful recruitment processes, the primary reason that positions go unfilled is the failure of the information security leader (hiring authority) to think like the candidate that they are attempting to attract. All information security leaders at one time had to interview for a job. It can be assumed that when they contemplated their last job change, they created a list of criteria that became key factors in their decision making process. Some of these factors will include the commitment of the organization, the level of responsibility associated with the role, the career path for the position, professional development opportunities, title, and compensation. In summary, most likely they changed positions because the new opportunity represented increased opportunity and personal satisfaction. Often, information security leaders forget their own motivations, and ignore the fact that their applicant pool is driven by similar forces.


One of the biggest mistakes is that hiring managers only focus on their organizational “need” as opposed to taking into consideration what the applicant “wants”. When information security leaders begin designing their job descriptions, it is essential that they understand the appeal of the opportunity and what types of candidates it will attract. When they conduct their interview process, they should be taking into consideration the candidate’s point of view, and determine if the position and the environment can serve as the framework for their candidate to accomplish their professional goals and develop their information security career. By viewing the position from the candidate’s perspective, information security leaders will find themselves prepared to communicate the merits of the position during a recruitment process, which should make a positive impact on the candidate’s interpretation of the career opportunity.


One of the best ways to evaluate leadership is by the caliber of the people with whom they surround themselves. Attracting top information security talent to your team can be both time consuming and frustrating. Building an effective recruitment strategy, addressing potential obstacles, building organizational partnerships and understanding the motivations of your future employees are key ingredients to efficiently filling your information security openings.

Posted by lee | Filed Under Advice, Career Advice Tuesday, Interviewing, Leadership, Recruiting, Security Industry, Skills, Uncategorized | 5 Comments 

Career Advice Tuesday – “I Have Nothing Against Profit”

April 17, 2012

Dear Infosecleaders:

I am writing to you because I would like some advice on how to make a transition as an Information Security leader from a non-profit entity to a large enterprise.

For the past five years, I have been the Information Security leader for a Non-Profit Healthcare centric entity. In the beginning, the role was exciting, as the company did not have any information security program. Although the opportunity was a challenge for my skill set at the time, I jumped at the opportunity and believe I made the most of the experience. In addition to building the program, I have gotten a master’s degree, additional certifications, and made additional career investments.

That being said, the opportunity has run its course.  The program that I have led/built is sufficient for the organization’s risk tolerance.  I am not able to secure budget for new technology expenditures and due to the economy, we have not replaced the staff that we were forced to let go. 

I would like to parlay my leadership skills into a large entity at a leadership level, preferably as a CISO. I believe that the mix of my healthcare knowledge and track record would make me a viable candidate.

Can you suggest a methodology for my search?


Warren Buffet


Dear Warren:

Profit is a good thing, and I admire your pursuit of an entity that makes money.

You are correct, the transition that you are attempting to make is indeed a difficult one, however it is not an impossible task. Hopefully, this will give you some ideas on how to leverage your skills.

First of all, you need to understand your most marketable skills and determine what types of organizations they would be appealing to. From your note, three things come to mind: 1) you have built a program from inception, 2) you have had leadership responsibilities for all facets, giving you broad experience, and 3) you have experience in healthcare and security issues facing this industry.

You need to accept the fact that you are not going to become the CISO of a Fortune 500 company immediately, but there could be other organizations that could serve as logical places for your skills – and roles that you would be an excellent candidate for.

For example, there are many professional services firms – such as law firms or large groups of physicians who are awakening to the need to establish an information security program – your skills could have value to these types of entities.

You can also look at the healthcare vertical market and look for organizations that have considerable exposure to HIPAA. These could include for-profit healthcare firms, biotech, pharmaceuticals, or insurance. Your domain expertise and leadership would be quite applicable. What may be the best fit for you would be to enter into these organizations as a BISO (Business Information Security Officer), where you could have leadership for a business unit of a larger entity.

Finally, you could always consider professional services: working within one of the larger consulting firms’ information security and privacy consulting practices could be a good match. Granted you would have to accept travel, but they would be happy to leverage your experience with their healthcare clients, and in turn you may get exposure to other industries like financial services, media, retail, etc. In addition, the large consulting firms provide environments that enable people to utilize a broad range of skills, but also develop specific areas of expertise. This blend could serve you well.

In general, I think you will need to accept that you will initially not have the same level of authority and may not have the same level of compensation, however you need to look at the big picture.

Down the road, your experience in the non-profit and your new role should build a skill and experience matrix that will open doors for you and expose you to bigger leadership roles in larger organizations.

Hope this helps,


Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Leadership, Planning, Position Selection, Skills | Comments Off 

Career Advice Tuesday – “Did I Pull Out Too Early”

April 3, 2012

Dear Infosecleaders:

I am currently engaged in an interview process and I am getting some mixed feelings about the position.  Initially I was a bit hesitant about engaging in the opportunity, but I had the opportunity to meet with the hiring manager, and the meeting was a great success, and we really hit it off, I felt that they could be a great mentor.  In addition, they made the position sound really appealing and more strategic than my initial impression.

After that meeting, I was asked to come back and meet with some other members of the team whom I would be working with. During that meeting, I received a different interpretation about the role that I would be filling, and they made the role seem to be more tactical than I was searching for. Quite frankly, although I liked the people, the meeting was a complete turn off and I decided to make a decision to remove myself from consideration.

When the news of my decision got back to the hiring manager, they asked if  I would reconsider, and have lunch, in order to address my concerns. 

I am inclined to not go through with the meeting, as I think it is a bad use of time.  However, I wanted to know what you thought, and if you think that I am making a mistake?


Nolonga Interested


Dear Nolonga:

I think that you are making a mistake.

One of the best pieces of advice that I have ever received is that you always take a meeting, even if you think that the meeting is not going to produce your desired result. Over the course of fifteen years of working in this industry, I can count a number of times when a job candidate initially decided to end their interview process, only to be convinced to keep an open mind and hear out the hiring manager. In a majority of these occurrences, the candidate went on to accept the position, and greatly accelerated their career.

The opportunity to spend additional time with the hiring manager and potential mentor can only be a good thing.  First of all, since you have already “turned down” the role, you have inadvertently shifted some of the balance of power in the interview process.  You have forced the hiring manager to show their hand, and demonstrate that they want you as part of their team.  This should be able to give you more comfort in the interview process, and enable you to ask questions about career goals, professional development, and mentorship.   You can have a free discussion on the importance of this role, how your skills will be utilized, and if you are successful where this position will lead.

In addition to this, you will also have time to ask the hiring manager why they believe that you are a good match for the role, why they believe these skills are important, and why this role could be a good accelerator in your career progression.

If you like the hiring manager, you can also pick their brain on their personal experiences and see if you can draw some correlations between your career and theirs (this should show you if the person could be a good mentor).

Another reason to take the meeting is that the second group of people whom you interviewed with might not understand the hiring manager’s vision for the role. What they may understand the role to be could be significantly different to how the hiring manager views the role. It is possible that their vision of the role could be how things “used to be done”, while the hiring manager in recruiting for this position may be searching for a different skill matrix so that the position/function could be elevated and enhanced. Chances are that your initial read from your interview with the hiring manager was the correct one.

Too many times information security professionals get caught up in the details of a job description and do not look at the big picture for their careers.  It is logical that any role will have a blend of strategic and tactical work – but more important than the “task” – is the person whom you will be working for, as they will be the one who ultimately creates the environment for your success.

Without  a doubt, take the meeting.  You have very little to lose, and  potentially plenty to gain.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Leadership, Networking, Planning, Position Selection, Recruiting | 1 Comment 

Career Advice Tuesday – “The Silent Treatment – Executive Style”

March 20, 2012

Dear Infosecleaders:

I have recently engaged in an interview process for a Senior Information Security leadership role through the help of a retained executive search firm.   This is the first time that I have even been considered by one of these types of entities, and I can tell you that the process has been quite elaborate. 

Before I even had a chance to speak with the company, I had to go through three rounds of interviews with the executive search firm so that I could be vetted.  This included in person interviews, a personality profile, and a series of video conferences.

After that battery of tests, I was invited to fly out to the company’s headquarters where I had to commit to two full days of interviews. The interviews consisted of a range of corporate executives including the CFO, COO, CIO, General Counsel, Business Unit Leads, and various technical SMEs.

The days were exhausting, and I left the meetings feeling that I did “OK”, but quite frankly I do not really believe that I would want the position if offered.    I provided feedback to the executive search firm and I have yet to hear back.

That was roughly a month ago. 

In that time, I have lobbed some calls in to the search firm and sent some e-mails but I have not heard anything back from them.  At this point, I am assuming that I was not selected, however, I believe that I am entitled to understand why.  

First, I believe it would be good from a learning perspective, to understand which skills that I am lacking and need to develop.  Secondly, I believe that I am entitled to some closure and some courtesy.  I mean, I have taken about five days to go through this interview process, and I believe I deserve this decency.

Any help can be appreciated.


“Hear No Evil”


Dear “Hear No Evil”:

Believe it or not, I would not assume that you have not been selected for the position.  I know that this may sound strange, but many executive search processes take extended periods of time, due to the fact that it is difficult to coordinate calendars of both the interviewers and the candidate pools.

Understand that in a true “Executive Search” process, it is likely that a company will interview as many as five or six candidates on site, before they are able to build comparisons, rank the candidates, and come to some conclusions.  In addition, in some cases after interviewing the candidate pool, they may come to the conclusion that they have designed the role incorrectly, and they want to engage a candidate pool with a different collection of skills.

You should also understand that many (I will not speak for all) executive search firms believe that their only client is the one paying the bills, not the candidate they are sending into the interviews. In an executive search process, the recruitment fees are quite significant, and I can imagine that for the position that you are applying for the fee could approach $100,000 – $200,000.

The search firm in this case is being paid more as a “Consultant”, and for their elaborate process and guidance in the search process, as opposed to the hiring of the candidate. In fact, they will be paid a majority of this fee (and it is likely that they will be paid the entire fee), whether they fill the position or not.

Considering that their allegiance is to the company that is paying their bills they are going to carry out their wishes.  One of those wishes may be to not communicate with the candidates until all of the interviews have been completed.

Now that you have a better understanding of the process, let me get back to your question…..

You definitely have a right to get some feedback from your efforts.  However, understand that you may not get this.  I would continue to attempt to engage the executive search firm to get this feedback through a pattern of phone calls and e-mails.  However, I would not be too persistent or too pushy, as they will be “judging” you by the method and the delivery of your attempts.

It would be good to determine if you want to keep a relationship with the executive search firm. My advice is that you should, even though you may not like the process. The next time that you do engage, you should ask the executive recruiter to map out their process, their time lines, and their feedback process. At that time, you can determine if the Information Security leadership position is worth exposing yourself to this type of process.

Hope this helps.

Lee Kushner

Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Career Advice Tuesday, Interviewing, Leadership, Recruiting | 1 Comment 

Career Advice Tuesday – “No One Will Come Work For Me”

January 24, 2012

Dear Infosecleaders:

My question comes from a different angle than most of the questions that you address on your blog – I am an information security leader, and I have been trying to hire some key technical information security engineers for my team, and I have not had much luck.

I have been looking for these positions for close to six months, and the only thing that I have to show for it is three rejected offers of employment and a good deal of wasted time. The candidates have rejected our offers for a variety of reasons: compensation, expectations associated with the position, and one of the candidates never ever responded to the offer.

I think that my internal recruitment team has written the positions off and we do not have any budget to hire external search firms to help locate this talent.  I have posted these roles on internet websites, and I can not tell you how many resumes we have received which do not nearly resemble the skill combinations and experience which I outlined in the job description.

I guess I would like to know if you have any advice for me.  We are committed to hiring the right people for the roles, but I am at the point that I will settle for someone with a pulse and some passion.

Is there any advice that you can share with me to help me solve this issue and hire some future information security leaders?


Looking for Mr. (or Ms.) Goodbar?


Dear Info Sec Leader:

There is no simple solution to hiring the correct talent for your information security team.  It appears from your note that you are resource constrained on many levels – compensation, internal support, and external budget.  Although these are substantial obstacles to overcome, they are not insurmountable.

The first thing that I would do would be to look at your job description, and determine which skills are absolutely necessary to perform the position that you are looking to fill.  Sometimes job descriptions are filled with a good number of “nice to have” bullets, and they overshadow the “need to have” requirements.   It is logical that the candidates that you have been interested in have a good amount of the experiences that you request,  but your budget simply cannot afford that level of resource.

What you should do is winnow the required skills and experience down to a level that you can actually afford. You should understand that it is one thing to attract candidates; hiring them is completely different. If you lessen some of your requirements, and require that candidates who lack certain experiences make up for it by displaying “passion” and “drive” during your interviews, you should be able to locate a candidate that you can afford.

When you design a position to inspire professional growth and career acceleration, you will generally attract candidates who have a high level of motivation and professional pride. So, what they lack in experience, they will make up in aptitude and “passion”. It will be important that you screen for these intangibles in the interview process. Constructing your position in this manner will truly turn it into an “opportunity” as opposed to what your past candidate pool has viewed it as: “a job.”

As far as building your relationships with human resources and your internal recruitment team, my suggestion would be for you to schedule some time to reengage them and start anew.  During this time, you may be able to educate them on your new requirements, provide them some good screening questions, and adjust some of the elements of the job description to reflect less experience and more passion.  You can accomplish this by screening the candidates for things that reflect this, like conference attendance, industry involvement, and logical career investments.   I would then educate them on potential sources in your market for these skills, so that they may be able to do better in pre-screening resumes.   Try to schedule a weekly meeting with them to both provide status on their efforts, and to give them a regular opportunity to ask questions.    The more that you engage them in the process, the more they will want to help you.

Although you cannot use external agencies, you can still post the position on internal and external websites. In posting the position, try to do so in a way that reflects the type of career opportunity that is available and the candidate profile you are attempting to attract. I would use words that could possibly encourage more affordable and slightly more junior candidates to respond. A good exercise would be to think back on your career, and think about the things that would attract you to a role like the one that you are offering. When the candidate eventually comes to the interview, utilize these examples as selling points as to why this role will benefit their professional development and their career as an aspiring information security leader.

Take comfort that your experience is not unique. Do the best you can with what you have, and keep your expectations realistic.

Hopefully this helps, and you will fill your roles in the next 30 days.


Lee Kushner

Posted by lee | Filed Under Advice, Career Advice Tuesday, Interviewing, Leadership, Recruiting, Security Industry, Skills | 2 Comments 

CAT – Clearing Some Things Up – Advice and Predictions for 2012

January 3, 2012

Recently, I was cited in an article for Search Security, where I was asked about my opinions on the information security industry employment market for 2012. I will say that the author did not misquote me at all; however, upon reading the article I felt that it was necessary to clear up some things that I found inaccurate – and I wanted to make sure that the audience knows exactly where I stand on the topics covered.

Here are my thoughts:

While I agree that Mobile Security is going to be an information security skill in demand, I do not believe it is the only skill that companies will look for in 2012. Have no fear – companies will still have a high level of demand for knowledge in the areas of Cloud, GRC, SIEM, DLP, PCI, Software Security, Identity Management, and overall IT Risk Management. In addition, while I do believe that it is a good idea to have a blend of technology and business skills, there is still a very strong market for information security professionals who have hard-core technical skills – and that should never be forgotten or overlooked. The technical information security professionals with developed knowledge and enterprise experience in securing networks, operating systems, applications and databases will do just fine as well. Also, all of the penetration testers out there can sleep easy: your skills will still be needed and remain in demand.
Below you will find my biggest objection – and probably the information that I find to be the most inaccurate.

Here are my disclaimers -

I would like to state that I do not personally know Mr. Snyder, nor have I had any dealings with him.  

I have read his blog on a number of occasions, and I find his perspectives to be both unique and entertaining.

To my knowledge, Mr. Snyder and my firm do not compete within any of my recruitment customers, and although we are in the same profession and industry, our paths do not seem to cross, except when quoted in articles about information security careers.

As per the author of the Tech Target article – please find a quote from Mr. Snyder -

“When companies are using a search firm to fill a position, then they’re going to usually expect that a candidate’s going to have industry experience,” he said. “In other words, if it’s a bank, they want someone who’s coming out of a bank; if it’s a retailer, they want someone coming out of retail; and if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.”  – Jeff Snyder

The Accuracy

The main point of the quote is accurate.  When companies are looking to find information security leaders, independent of the source, they ideally would like to locate people who possess applicable industry knowledge.  This is generally one of the core criteria of an information security leadership or CISO level search.

Like Mr. Snyder points out – a retail organization would ideally like to hire an information security professional who understands the information security challenges that a retail business faces and who has experience solving those problems.   You can apply the same logic to industries that include health care, high technology, manufacturing, financial services, media and entertainment, and any other business.

The Inaccuracy -

Mr. Snyder’s quote implies that a company has more stringent requirements when they engage an executive search firm. His statement that “…if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high” can be interpreted in a way that leads information security professionals to believe that they can afford to be less qualified if they decide to apply for positions on their own, and not through an executive search firm.


First of all, the decision to engage an executive search firm is generally based on a company’s desire to ensure that they get access to a qualified candidate pool in a time-efficient manner. The business decision to engage a search firm follows the same decision-making methodology that applies to engaging a professional services firm to provide a service that the company does not believe it can perform effectively with internal resources. The budgets for engaging executive search firms come either from a general corporate budget or from a specific business unit that can justify the value and the return on investment for the cost associated with the search firm’s fee. In addition, the amount of the search fee does not have any impact on the compensation offered to the candidate.

Mr. Snyder is correct in his implication that when companies engage an executive search firm, they are expecting to get value for their dollars. This will take the form of industry intelligence, compensation data, a professionally managed recruitment process, and eventually the placement of a successful candidate to fill the duties of the information security leadership role. In exchange for money, the companies are going to expect an executive recruitment firm to deliver a candidate who is going to match the key criteria that they have outlined for the position.

Just like anyone who pays for a service, companies who engage executive search firms have the right to have realistic expectations of competence and results when retaining them to help fill a position.  However, in my 15 years of experience, I have never witnessed a situation where a company that is committed to recruiting the correct information security leader, will agree to hire a less competent candidate, solely because they were introduced to them directly, and not through an executive search process.

In 2012, and in the future, competition for Information Security leadership roles is going to intensify. Companies are going to continue to set the bar high for finding the correct talent match, no matter what method they select to recruit for these positions. In addition, the more influence and importance that an information security role has to an organization, the more detailed the requirements will be and the more demanding the interview process.

To all current and aspiring information security leaders, for 2012, I am urging you to take a proactive approach to developing a career plan, honing your skills, investing in yourself, and making wise choices about selecting the right positions to help accomplish your career and life goals.

Happy and Healthy New Year,

Lee Kushner




Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Leadership, Recruiting, Security Industry, Skills, Uncategorized | 1 Comment 

Career Advice Tuesday – “Help! New CISO Has A Bad Reputation”

December 13, 2011

Dear Infosecleaders:

About three weeks ago, I accepted a new position with a company, where I am going to be reporting to a new CISO.  During the interview process I was told by the CISO that my position was going to be the “first key hire” as the company begins to revamp their information security program.   However, since the interview process concluded and I accepted my position I have found out differently.

I learned that one of my friends and industry colleagues was contacted about a similar position at the same company – he was told almost exactly the same thing that I was – that this position was the “first key hire”. When he learned of this, he played dumb. My friend (who is a little better connected than I am) called a couple of his LinkedIn connections who were directly connected to the new CISO (my new boss) and he told me that what he learned was less than complimentary.

He told me that the CISO left his last employer in a mess, there was a mutiny from the staff, and that the guy has a reputation of being self-serving and has questionable ethics. 

What makes matters worse for me is that I have already resigned my job. I am relocating to accept this position, and I feel that I am walking into a bad situation.

What should I do?


JJ Blackheart


Dear JJ:

There is no question that you should value the opinions of others whom you trust, however it is often a mistake to accept their opinions without first hand experience and extensive validation from multiple sources.

The first thing that I would do would be to try to locate someone from the CISO’s former employer who was a direct report to the CISO. I would pick up the phone and introduce myself, explain my situation, and ask them if they have any helpful hints on how to succeed under your new boss’ management style. It is possible that this person can provide you with some new perspective; it is also possible that this person will decline your request to share any details, and in that case a red flag should go up.

I would tell you that if you do not feel comfortable with your decision, you can do the following: contact your old employer and ask them if they would let you take back your resignation and have your old position back (this is why it is always good to leave on positive terms), or contact others in your geography to see if you could locate a position similar to your old one (quickly). If neither of these works, begin work at your new employer.

If you decide to begin your new job, you need to suspend all of your relocation activities, immediately.  The reason for this is that you do not want to compound your mistakes.  In addition, if you received a relocation package, you do not want to be in a situation where you have to return your relocation monies, if you decide that you do not want to remain at your new job.

Once in your new job, I would begin to look for things that would either validate or refute your earlier suspicions.  I would look for ways that your new CISO manages, how he communicates with subordinates, and for the consistency of his/her messages.   You should use the first 90 days of your employment to see if you could work with this person long term and evaluate the prospects of a satisfying work relationship.

Simultaneously, you should continue to look for suitable opportunities in your former location, as a contingency plan.  If one of those opportunities comes to fruition, you can compare it with your current position at your new employer, and then make a decision.

My advice would be to either put an end to this before it starts, or within 90-120 days after you begin work.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Leadership, Position Selection, Recruiting | 1 Comment 

Career Advice Tuesday – “Change In Command”

October 4, 2011

Dear Infosecleaders:

I recently have found myself in a precarious situation and I am hoping that you can help me get through this.

Recently, about four months ago, I accepted a Director of Information Security position, reporting into the CISO of a 10,000 person company.    The position that I left to accept the role, Manager of Policy and Compliance, I held for 18 months.  While I was not looking for a new job at the time, the Director role was too good to pass up, both from a career and a financial perspective. 

Six weeks ago, I received an e-mail from the General Counsel letting me know that the CISO, who just hired me, was “relieved” of his duties and would no longer be working at the company.  The CISO was one of the main reasons that I accepted the position, and in a short time I had established a good working relationship and I respected his management style. 

The search for the new CISO is currently underway, and they are interviewing potential successors – both internal and external. I have met the final two candidates, and quite frankly I am not pleased with either of the options. Their backgrounds and views on information security are much different than mine and I just do not get a good vibe.

Additionally, I am well aware that if they get hired, they will most likely be able to select their teams and their direct reports, so my time here is probably limited. 

Any advice on how I can deal with this situation?  If I am forced to leave, how can I explain the fact that my last two jobs lasted for such a short period of time?


Gomer Pyle


Dear Gomer:

The best thing that I can tell you is that you need to accept that change is coming, and you need to figure out a way to deal with it and make the best of things.  The way that I would look at this is as an opportunity to hone your interpersonal communication and relationship skills.

The truth is that at your level of seniority, you cannot really afford another short stint of employment, especially after an implied promotion. If you cannot show some accomplishments in this current role, future employers will most likely look at this as a failure, no matter how you spin it. (Personally, I think this is unfair, but those are the rules of the game that we play by – and perception is often viewed as reality.)

Whomever they decide to hire, I think that you should embrace and support them to your fullest ability. I think that a good way to demonstrate this is to attempt to relate to your new manager (CISO) on a personal level, letting them know that you are both in the same boat (as new employees), and by demonstrating as much willingness and flexibility as possible to help them out. The best way to do this is to go outside your job description, and take on additional responsibilities that may be in your current sphere of knowledge, or from previous professional experience.

In addition, you should plan to demonstrate your work ethic, your integrity, and your support at any opportunity. This should include coming early, staying late, accepting unpopular assignments, whatever it takes. By demonstrating this level of leadership and commitment, you are going to win this new person over – and they will have no other choice but to view you as a valuable asset.

If you can win them over, and convince the new manager (CISO) that you make his job and his life easier, he will have no choice but to keep you.

If you are able to accomplish this, you will not have to explain your short duration of employment.  If it is all right with you, we will save that question/answer for another Tuesday.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Leadership, Planning, Position Selection | 1 Comment 

Leadership in Other Ways – Seeking Help and Support From The Infosecleader Community for Charity

July 27, 2011

Dear Infosecleader Community:

For the past couple of years Mike and I have written about information security career topics and spoken about the importance of leadership, in all forms.  One of the things that we have suggested in many of our posts, has been to find opportunities to demonstrate leadership outside of the work environment.

Recently, I have decided to follow my advice, and take a leadership role in the origination of a charity event that blends a number of things that I am passionate about:  Children, Community, and Athletics.

For the past three years I have been playing in an over-35 fast pitch softball league, called MVP Softball, where I play on the Central Jersey Trees.  About a year ago, we began discussing the concept of joining together and putting together a softball charity event that could benefit needy, local families and children in  our community.

After agreeing on the idea, we began thinking about charities that we could support that could accomplish our mission.    In the end, we decided upon two charities – the Monmouth County Challenger Leagues  (Freehold and CYSP of Lincroft) and The Chariot Riders.

Here is a brief synopsis -  The Challenger Sports Programs are designed to provide sports programs and activities for children who are both physically and mentally challenged.  The local challenger programs participate in sports that include baseball, basketball, soccer, tennis, golf, and cheer leading.

The Chariot Riders program provides therapeutic horseback riding for physically and mentally challenged children and adults to improve the quality of their physical, emotional, mental and social well-being.

After selecting our charities, we partnered with a local volunteer organization named Play2Win Foundation, which has a mission statement that aligns with our event. Play2Win is a 501(c)(3) entity, and takes absolutely no money in administrative fees. They have been instrumental in providing us with the infrastructure and operational help to pull the event together.

The Event itself is titled the Extrainnings Classic.   The event has 4 key components -

1) A 100 inning marathon softball game -

2) A Youth Skills Competition Called “The Baseball/Softball Olympics” – where children of all abilities, including the Challenger Athletes, will compete side by side in a series of baseball/softball skills challenges – in hitting, running, and throwing events.  We received sponsorship from a local baseball facility to help with the operations and the coaching.

3) The Challenger Baseball Exhibition – both of the Challenger Leagues will participate in an hour long exhibition that showcases the abilities of these special athletes.  The game will be the showcase of the event.

4) The Home Run Derby – where some of the league’s big hitters will test their skills in an “All-Star” Game style Home Run Derby. As a point of note, I have been installed as the morning line favorite.

The main purpose behind this blog entry is to ask for your help in supporting these events.  Personally, I have made it a goal of mine to raise up to $5000 for the event – and the only way that I can accomplish this is with your support.

I would like to ask anyone who received some good, useful advice from the blog or from our research to help me support these great causes, and pledge a donation – per inning of the softball game.  (Very similar to sponsoring someone per mile for a marathon or bicycle race)

For example:

$1 per inning = $100

$.50 per inning = $50

$.25 per inning = $25

$.10 per inning = $10

My goal is to raise $2500 in contributions, and then I will write a matching check to the charities for any amount that is donated.

All donations are tax deductible to the fullest extent allowed by law – (disclaimer – I am not an accountant).

Donations can be made by clicking on my donation page on the Extrainnings Classic website, through either a CC or PayPal account.   If you would prefer, you could always write a check to Play2Win Foundation, and mail it to my office at 36 West Main Street, Suite 302, Freehold NJ 07728.

I really appreciate any support that you can provide for these worthy charities, the families, and most importantly the children.

Thank you for listening,


Lee Kushner

Central Jersey Trees, 1st Base, #33



Posted by lee | Filed Under Behavior, Leadership, Personal | Comments Off