Career Advice Tueday – “Biting Off More Than I Can Chew”

August 14, 2012

Dear Infosecleaders:

I have been working in the IT industry for many years and have been dabbling in the Information Security realm for about 5 years now, but am having a hard time getting the experience I would like

I was recently asked by a friend to help with a side job which required a Security Assessment to be performed.    I have never had to perform a Security Assessment so I am a little hesitant making the jump because if I accept the assignment, I want to do it correctly. 

I’m not one of those guys that will take the job, if I do not believe I can perform it correctly.  I do not want to be put in a position where I do a crappy job due to the fact that I do not know what I am doing.

How do I get the experience I would like,  so I can take “jobs” like this one with confidence?  I have a good reputation and I want to keep it that way.

Any advice you could give, I would be grateful.


“Biting Off More Than I Can Chew”


Dear “Big Mouth”:

I agree with your sentiments.  You only have one reputation and anything that you do that detracts from your reputation will only stay with you through the course of your career.   In the end, your work is a reflection of you, and it eventually will define you and become your “brand”.

I give you a good deal of credit for having the integrity to know that this position maybe beyond your scope of knowledge and “more than you can chew” at this point in your career.

I can offer you a couple of different options –

1) I would ask your friend if you would be open to “sub contracting” the assignment to someone that you trust.   If they say that is OK – what you could do is to ask around your network or on Twitter – if anyone is interested in a consulting assignment – with the caveat that if they take the job – that they will let you shadow them on the assignment and teach you.    This could be the best way to get practical experience – in essence you can learn – and someone else would get the revenue from the assignment.  This would be viewed as quite an even trade!

2) Another option would be to get formalized hands on training.   Now, I do realize that if you did take training, you would not be ready for this current assignment – however, with some foresight this could possibly give you the confidence to know that you would do a good job the next time that you get the opportunity to perform this type of work.

The key to this is to get “hands-on” training  – not just some certification – that will give you the confidence that you will do the job correctly.  Understand that you are doing for yourself, not someone else evaluating the value of the certification and utilizing that to judge your competency.     In this case, you need to overcome your fear of failure – practical experience, even in a training or lab environment should enable you to simulate a real world “assessment”.  It may not be live – but it is the next best thing.

With the right training, you should be able to do a “good job” on  future assessments,  and when you do, you can be sure that you will get additional opportunities to practice your craft.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Career Investments, Networking, Planning, Skills, Uncategorized | Comments Off 

Infosecleaders at Black Hat and B-Sides – Come By and Say “Hello!”

July 23, 2012

As always, I am very excited to be heading out to Las Vegas for the Black Hat Briefings and Security B-Sides.  Although, having been to every Black Briefings (as either an attendee, a presenter, or just hanging out) it does make me feel older, however catching up with people whom I have worked with throughout their careers, on their way to achieving their professional goals,  is truly a great personal pleasure.

Black Hat and B-Sides also provides a great opportunity to meet new people, which is one of the best things about my profession.  While there aren’t any presentations on my agenda, I am going to be at Caesar’s from Monday – Friday, and will most likely be at B-Sides on Wednesday morning.

If anyone in the Infosecleaders community would like to say “Hello” or talk about their career or ask a questions, either send me an e-mail ( or ) or send me a DM on Twitter (@ljkush) and I will try my best to get together and spend some time.

If you have my mobile, feel free to call – just remember not that early!

Lee Kushner


PS.  Career Advice Tuesday will Return this week.  I will post three new CAT’s this week, to make up for the one’s I recently skipped while enjoying some time away with my family.

Posted by lee | Filed Under Behavior, Networking, Security Industry | 1 Comment 

Career Advice Tuesday – “Did I Pull Out Too Early”

April 3, 2012

Dear Infosecleaders:

I am currently engaged in an interview process and I am getting some mixed feelings about the position.  Initially I was a bit hesitant about engaging in the opportunity, but I had the opportunity to meet with the hiring manager, and the meeting was a great success, and we really hit it off, I felt that they could be a great mentor.  In addition, they made the position sound really appealing and more strategic than my initial impression.

After that meeting, I was asked to come back and meet with some other members of the team whom I would be working with.  During that meeting, I received a different interpretation about the role that I would be filling.,  and they made the role seem to be more tactical than I was searching for.   Quite frankly, although I liked the people,   the meeting was a complete turn off and I decided to make a decision to remove myself from consideration.

When the news of my decision got back to the hiring manager, they asked if  I would reconsider, and have lunch, in order to address my concerns. 

I am inclined to not go through with the meeting, as I think it is a bad use of time.  However, I wanted to know what you thought, and if you think that I am making a mistake?


Nolonga Interested


Dear Nolonga:

I think that you are making a mistake.

One of the best pieces of advice that I have ever received is that you always take a meeting, even if you think that the meeting is not going to produce your desired result.  Over the course of fifteen years of working in this industry, I can count a number of times when a job candidate initially decided to end their interview process, only to be convinced to keep an open mind, and hearing out the hiring manager.   In a majority of these occurrences, the candidate went on to accept the position, and greatly accelerated their career.

The opportunity to spend additional time with the hiring manager and potential mentor can only be a good thing.  First of all, since you have already “turned down” the role, you have inadvertently shifted some of the balance of power in the interview process.  You have forced the hiring manager to show their hand, and demonstrate that they want you as part of their team.  This should be able to give you more comfort in the interview process, and enable you to ask questions about career goals, professional development, and mentorship.   You can have a free discussion on the importance of this role, how your skills will be utilized, and if you are successful where this position will lead.

In addition to this, you will also have time to ask the hiring manager why they believe that you are a good match for the role, why they believe these skills are important, and why this roll could be a good accelerator in your career progression.

If you like the hiring manager, you can also pick their brain on their personal experiences and see if you can draw some correlations between your career and theirs (this should show you if the person could be a good mentor).

Another reason to take the meeting is that the second group of people whom you interviewed with might not understand the hiring manager’s vision for the role.  What they may understand the role to be, could be significantly different to how the hiring manager views the role .  It is possible that their vision of the role could be how things “used to be done”, while the hiring manager in recruiting for this position may be searching for a different skill matrix so that the position/function could be elevated and enhanced.  Chances are that your initial read from your interview with  the hiring manager was the correct one

Too many times information security professionals get caught up in the details of a job description and do not look at the big picture for their careers.  It is logical that any role will have a blend of strategic and tactical work – but more important than the “task” – is the person whom you will be working for, as they will be the one who ultimately creates the environment for your success.

Without  a doubt, take the meeting.  You have very little to lose, and  potentially plenty to gain.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Leadership, Networking, Planning, Position Selection, Recruiting | 1 Comment 

Career Advice Tuesday – “Infosec Leaders Need To Be Good Recruiters”

December 27, 2011

Today I am sharing an article that we wrote that appeared in Tech Target’s Infomraiton Security Magazine.  The topic focuses on life on “The Other Side of the Desk”- becoming an effective recruiter in the building of your information security team.  The article scratches the surface of some important attributes that all solid information security leaders should possess in the acquiring the necessary talent in order to provide them with a better chance of success.

The original article was edited by our frien Michael Mimoso at Tech Target.

The article can be found here –

Happy New Year,

Lee and Mike

Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Career Advice Tuesday, Interviewing, Networking, Recruiting | 5 Comments 

Career Advice Tuesday – “Black Hat Preview – Professional Development Workshop”

July 26, 2011

For today’s Career Advice Tuesday – we wanted to share a more detailed look at our Black Hat Professional Development workshop.  The workshop will take place on Thursday afternoon – from 1:45 – 6:00PM.    Anyone in attendance can come to either any individual session or stay for the whole program.

If you are at Black Hat, please come by and introduce yourselves.


InfoSec 2001 – A Career Odyssey

The Professional Development workshop is a half-day program that is designed to inspire the Black Hat attendee to think about their career as an information security professional and assist them in their journey towards the achievement of their long term career goals.

The Professional Development workshop will be divided into five (5) unique information security career topics that will be linked by a common theme – Skill Development and Differentiation.

The program will consist of the following:

1)    “The Value of Information Security Certifications Survey” – Research Revealed – 1350 information security professionals responded to an independent survey on the topic – the research will be revealed

2)   “Second Place Sucks” – A presentation geared toward differentiating yourself from your peers (and your competition)

3)   The Information Security Leader of The Future” -  a presentation that will outline the skills that employers are looking for when identifying and selecting their information security leaders.

4)   “The Other Side of The Desk” – a panel that will explore the different attitudes and beliefs by job applicant and employer during the interview process

5)   “Future Predictions” and “Career Advice Tuesday- Live” – Future trends will be discussed and explored – and attendees will have the opportunity to ask questions about infosec related career topics

The workshop is designed as an interactive forum that should inspire some shared thought and debate between audience members and the presenters.

Attendees should understand that they can elect to either participate in the entire workshop, or to pick and choose from select sessions that have a particular interest to them.

Session Previews:

Session 1  – 1:45 – 3:00

“The Value of Information Security Certifications Survey”

Presenters – Mike Murray and Lee Kushner –  

In February of 2011, launched an independent survey on the value of information security certifications.   The value of InfoSec certifications is a highly debated topic in the industry, and this is the first independent survey that asks questions to information security professionals (certified or not) – their opinions on topics that include – the motivations for certifications, the impression of the certification bodies, the value of skills vs. certifications, and certifications effect on employment.  With over 1350 respondents, the results should be revealing and eye-opening.

Second Place Sucks -

Presenter – Mike Murray

So, if certifications are no longer the magic bullet to get you to your career goals, then what is.  The topic of strategic career investments and personal branding will be the focus of this presentation.  The presentation will be spent on how you can plan and execute on career investment strategies that will enable you to differentiate from your peers and successfully compete for promotions and external information security leadership opportunities.

(15 minute break)

Session 2 – 3:15 – 4:45PM

3:15 – 3:45PM

“The Information Security Leader of the Future” –

Presenter – Lee Kushner

The skills for information security leaders are changing quite rapidly.  As many companies are aligning information security with their core business and branding, information security professionals will need to evolve as well.  The presentation will break down the core skill components of what information security professional will need to acquire and demonstrate to be considered for leadership roles in the future.


3:45PM – 4:45PM

The Other Side of the Desk – Different Perspectives on the Interview Process

Moderator – Mike Murray

Candidate Perspective – Lee Kushner

Hiring Managers Perspective –    

Bill Phelps, Executive Director Accenture  

Justin Somaini, CISO at Yahoo!


There are two parties involved in every interview process, the information security professional (the applicant) and the hiring manager (the decision maker).   While in essence, both parties ultimately desire the same outcome, their motivations lie in different places.   This portion of the presentation will present to the audience the perspective of the candidate and the perspective of the hiring manager, in a way that will educate both parties and enable them to social engineer the interview process, to work to their personal advantage.

Bill Phelps:

Bill Phelps is an Executive Director in Accenture’s security practice, and has spent the past 25 years in technology services.  In the past decade, Bill has been a practice leader, company founder, board member and trusted advisor helping organizations with complex management and technology challenges in the areas of information security, data center transformation and technology strategy.     Bill currently has overall responsibility for Accenture’s security business in North America.  Bill is aggressively growing Accenture’s security team, and plans to hire over security 200 professionals in the coming year.

Justin Somaini:

Justin Somaini is the Chief Information Security Officer at Yahoo! where he’s responsible for all aspects of Yahoo!’s Information Security strategy.  With over 15 years of Information Security experience he’s seen as a leader in industry by promoting an evolution of the security and risk management models.  Through his public speaking and industry involvement he’s given extensive talks and interviews on the threat landscape, public policy, security management and risk management.  Prior to joining Yahoo!, Justin was the CISO at Symantec.  Justin has also held security leadership roles at VeriSign, Charles Schwab and PricewaterhouseCoopers LLP.

4:45 – 6:00PM

Predictions for the Future and Career Advice Tuesday – “Live”

Presenters – Lee Kushner and Mike Murray

The employment market is dramatically changing – and the closing session will begin with information security employment predictions (based on experience and research) for the next ten years.  Once completed, this will be followed by a version of “Career Advice Tuesday” – “Live”.   All attendees can have their personal information security career questions answered in an open forum.   Topics will include skill development, compensation negotiation, career investments, career planning, and anything else you want to ask about your Information Security Career.

Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Branding, Career Advice Tuesday, Compensation, Interviewing, Networking, Planning, Position Selection, Presentation, Recruiting, Resume, Security Industry, Skills, Survey, Uncategorized | 1 Comment 

Career Advice Tuesday – A Conference First Timer’s Guide (Part II)

July 19, 2011

This is a continuation from last week’s question from a first time attendee at Blackhat and Defcon.

Tip #2 – Start Preparing Early

Once you’ve got a plan for the conference all figured out, it’s time to start getting prepared.  Long before we wrote these posts, we had already started contacting people who were on our plan for this year’s conference to make sure that we had set up some time to meet.  Mike’s schedule is already quite full from Sunday evening of that week all the way through our Thursday afternoon talk with people that he wants to see and events that he plans to attend.  Lee’s is the same.

Yours should be as well.  Start reaching out now to the people who you want to spend a few minutes with and make sure that you get on their calendar.  This is especially true if you know that the people who you want to meet up with are going to be busy at the show (esp. if they’re speakers at one of the various events).

Tip #3  - Skip Most of the Talks

This may seem counter-intuitive – most people think that conferences are entirely about the talks.  While this may have been true in 1998, it’s not nearly as true in 2011.  This tip can all be summed up by a single quote that we overheard at last year’s conference:  ”They record the presentations.  They don’t record the hallway conversations.”

When you go to a conference like Blackhat, you get a CD of all of the presentation materials and recordings of all of the talks are uploaded online.  You can get that material anywhere.  What you can’t get is the information and relationships that you get from each of the million conversations you’ll have at lunch, during the breaks, and at the parties in the evening.

Far too many people get up early to go to all of the talks and skip the parties because they have to work.  Here’s our advice:  if you’re going to do work, do it from the talk itself.  Take your laptop, pop your 3G card in (which is better than most Vegas hotel connections), and get your work done while speakers are talking.  You won’t miss anything that you can’t go back and re-watch later.

Then, make sure that you go to a bunch of the parties.  Meet the people who are on your plan and have a drink with them.

This is how you’ll make many life-long friendships and professional connections.

As we’ve pointed out before, it’s how Lee and Mike met in the first place.

So… with those three tips in hand, get a stack of at least 250 business cards and pack your bags.  And come find each of us when you get there – we’ll be the ones not attending the talks and talking to all of our favorite people.

Lee & Mike

Posted by mmurray | Filed Under Career Advice Tuesday, Networking | 2 Comments 

RSA Professional Development Seminar – “The Top Of The Pyramid – Meet The CISO’s”

February 11, 2011

We are down the home stretch now, and the Professional Development Seminaris only a weekend away.   I can tell you that both Mike and I are very much looking forward to being a part of the program, and are expecting a great turn out.  If you plan to attend, please make sure to arrive early – we have been told that there has been a great deal of interest.

The Seminar will take place as follows:

Monday, February 14th , 12:30 – 5:00PM, Moscone Center – Orange Room 305

Then final panel will follow immediately after my presentation- – which begins at 3:30 – and will conclude at 5:00Pm.

The final presentation is really the showcase for the event.  The panel discussion will feature three accomplished Information Security Leaders, who will guide the audience through the evolution of their information security career, and provide insight and guidance to the audience on how to accelerate their own careers.

The participating CISO’s represent a variety of industry’s and have some very unique career progressions.  They include the following :

Patrick Heim - CISO Kaiser Permanente, former CISO McKesson

John Kirkwood- CISO Royal Ahold, fomer CISO American Express

Stephen Scharf - Global CISO Experian , former CSO Bloomberg

The topics that we will cover will include the following :

1) Key career decisions that impacted and accelerated their careers

2) How they select talent?  What they look for in interviews?  How they determine who gets promotions and more responsibility?

3) Their own professional development – through industry involvement, certifications, and advanced education and training

4) What the future holds for them?  What they see on the horizon?

5) General Advice to aspiring Information Security Leaders

All I can say is that it is very exciting to bring this panel to the RSA audience.  The opportunity to gain insight into the careers of successful information security leaders, and in an open forum where the audience can receive unfiltered advice and guidance is a unique opportunity.

For all of the aspiring information security leaders out there, this panel is worth the price of admission alone.

Look forward to seeing you all.  Safe travels!

Lee and Mike

Posted by lee | Filed Under Advice, Networking, Personal, Presentation, Recruiting, Security Industry, Skills, Uncategorized | Comments Off 

RSA Session Preview – “Making The A-List”

January 21, 2011

As a follow up in our series, you will find the preview of Jeff Combs’ RSA Presentation, “Making the A-List” -  Jeff provides a glimpse into his session that will guide the attendees to differentiate from their peers, and make themselves more attractive for internal promotions and overall career acceleration.

Session Date – February 14, 2011 (yep still Valentine’s Day)

Session Time- 2:30PM – 3:10PM

Location – Orange Room 305

Session Preview -”Making The A-List” - Written By Jeff Combs (guest blogger)

As a headhunter with over a decade of experience recruiting in Security, it’s my job to align the best candidates with the right opportunities.  It’s not an easy job, but one that can be very gratifying when you’re able to make a positive difference in people’s lives.  To be successful, a recruiter has to have a number of traits – empathy, listening skills, industry knowledge, the ability to earn trust and…the ability to think like a horse trader.

It’s a fact that companies will only pay to hire the best.  That’s why recruiters exist, to identify and attract talent that stands out from the rest of the crowd. Average doesn’t cut it.  So while I give everyone the benefit of the doubt, I can’t afford to represent anyone to my clients who isn’t a cut above their peers.  The candidates that I do advocate for have to be on the “A-list”.

What gets a candidate onto the A-list? There are roughly seven qualities that I look for when interviewing prospective candidates.  Some are “hard”, relating to a candidate’s skills and experience. Others are “soft” and focus on personal qualities. Taken as a whole, these qualities should tell a compelling story that will cause heads to nod and votes of confidence to be cast.

I’ll also describe a way of looking at your career and professional accomplishments that can have a big impact on how you present yourself and how hiring managers perceive you.  I refer to it as “Personal Product Management” and while not rocket surgery, it’s a simple way of making sure you’re headed in the right direction and conveying the right message.

A word of caution, for those seeking empirical data and quantitative metrics this may not be the session for you.  However, for those interested in hearing an insider’s perspective on what makes some succeed and many other’s fail, as well as some open discussion on ways to stand out from the crowd I think it will be time well spent.

I hope to see you there.

Jeff Combs

Posted by lee | Filed Under Networking, Personal, Planning, Recruiting, Skills, Uncategorized | Comments Off 

RSA Preview (Panel)- All-Star Panel Kick’s Off Professional Development Program

January 14, 2011

The professional development seminar kicks off with an all-star panel of information security leaders discussing the current landscape of the information security marketplace.  Moderated by seminar co-host, Mike Gentile, the panel will explore industry trends that are affecting both the supply and the demand for information security professionals.  The panel will discuss some of the career development challenges that face information security professionals as they attempt to climb their personal career ladders to attain their personal career goals.

The panel’s unique composition will provide perspectives that reflect challenges on the different components of the industry – internal information security programs, government and public sector information security programs, professional services, information security software industry and the maturing “hacker” community.   The panel will discuss topics that include the role of certifications, the different perspectives of employers and perspective employees, and the challenges that face security professionals as they attempt to broaden their skills to gain greater acceptance by business leaders and executive management.

We were very fortunate to attract a panel of influential information security leaders including:

Kevin Richards,  President, ISSA International and VP of Services at Neohapsis

Jeff Moss, Founder of Black Hat and DEF CON, and Homeland Security Advisory Council Member

Michael Assante, President and CEO, National Board of Information Security Examiners

Chris Chock, Security Lead, Orange County Transportation Authority

Posted by lee | Filed Under Advice, Networking, Planning, Security Industry | Comments Off 

Nothing Says “ I Love You” Like an Information Security Career Development Seminar – RSA -Feb 14, 2011

January 7, 2011

The RSA Conference is traditionally known as one of the marquee information security conferences in the United States.  This year, the conference organizers have decided to create a pre conference seminar that is focused exclusively on the information security professional’s career development. The seminar is included with all paid conference admissions.  Personally I was honored when the program committee asked me to co-host the event and contribute to the content of the agenda.

Different then past RSA events, the Seminar is scheduled outside of the main conference tracks, where it does not compete with the highly technical presentations or the key notes.  By doing this, they have enabled all delegates to dedicate time to focus on their careers – and to learn how to best maximize their current positions and strive to attain their long term career aspirations.  The program is designed to take the Information Security professionals through a journey that will provide them with both content and context for managing their careers.

The Seminar will take place on Monday afternoon, February 14th from 12:30 – 5:00PM.

On  the upcoming Fridays leading up to the conference, The InfoSec Leaders blog will feature an in depth abstract and preview to the content of the panels and the individual presentations.

The agenda for the seminar will be as follows:

A panel discussion, moderated by seminar co-host Mike Gentile, that will address  current state of the information security market, the skills that employers are looking for, and trends in today’s employment market.

An individual presentation from InfoSecLeaders’ Mike Murray on Career Planning.  This presentation will help guide the attendees through some basic steps to create a career plan tailored to achieving their long term information security career and life goals.

A presentation given by Jeff Combs focusing on differentiation and personal brand development.  Jeff will utilize his decade long experience as an Information Security executive recruiter to illustrate to the attendees how to make themselves more marketable and attractive – to both their current employers and future ones.

A presentation by me, Lee Kushner, that will focus on the skill requirements for the CISO of the future.  From our Infosecleaders survey we learned that 37% of the respondents aspired to become a CSO/CISO.  This presentation will outline the real skills that company’s are requiring and demanding from their Information Security Leaders of the future.

The seminar will then conclude with a panel discussion (moderated by me) of three current Information Security Leaders – Stephen Scharf, CSO Experian, Patrick Heim, CISO Kaiser Permanente, and John Kirkwood, Global CISO of Royal Ahold who will discuss their own careers paths and progressions, how they select and identify future information security leaders, what skills and attributes they search for in employees, and where they are heading next in their careers.  The panel will allow questions from the audience.

Posted by lee | Filed Under Behavior, Branding, Networking, Planning, Security Industry, Skills, Uncategorized | Comments Off 

Next Page »