The original article was edited by our frien Michael Mimoso at Tech Target.

The article can be found here – http://tinyurl.com/6q8k8gk

Happy New Year,

Lee and Mike

If you are at Black Hat, please come by and introduce yourselves.

InfoSec 2001 – A Career Odyssey

The Professional Development workshop is a half-day program that is designed to inspire the Black Hat attendee to think about their career as an information security professional and assist them in their journey towards the achievement of their long term career goals.

The Professional Development workshop will be divided into five (5) unique information security career topics that will be linked by a common theme – Skill Development and Differentiation.

The program will consist of the following:

1)    “The Value of Information Security Certifications Survey” – Research Revealed – 1350 information security professionals responded to an independent survey on the topic – the research will be revealed

2)   “Second Place Sucks” – A presentation geared toward differentiating yourself from your peers (and your competition)

3)   The Information Security Leader of The Future” -  a presentation that will outline the skills that employers are looking for when identifying and selecting their information security leaders.

4)   “The Other Side of The Desk” – a panel that will explore the different attitudes and beliefs by job applicant and employer during the interview process

5)   “Future Predictions” and “Career Advice Tuesday- Live” – Future trends will be discussed and explored – and attendees will have the opportunity to ask questions about infosec related career topics

The workshop is designed as an interactive forum that should inspire some shared thought and debate between audience members and the presenters.

Attendees should understand that they can elect to either participate in the entire workshop, or to pick and choose from select sessions that have a particular interest to them.

Session Previews:

Session 1  – 1:45 – 3:00

“The Value of Information Security Certifications Survey”

Presenters – Mike Murray and Lee Kushner – Infosecleaders.com  

In February of 2011, Infosecleaders.com launched an independent survey on the value of information security certifications.   The value of InfoSec certifications is a highly debated topic in the industry, and this is the first independent survey that asks questions to information security professionals (certified or not) – their opinions on topics that include – the motivations for certifications, the impression of the certification bodies, the value of skills vs. certifications, and certifications effect on employment.  With over 1350 respondents, the results should be revealing and eye-opening.

Second Place Sucks -

Presenter – Mike Murray

So, if certifications are no longer the magic bullet to get you to your career goals, then what is.  The topic of strategic career investments and personal branding will be the focus of this presentation.  The presentation will be spent on how you can plan and execute on career investment strategies that will enable you to differentiate from your peers and successfully compete for promotions and external information security leadership opportunities.

(15 minute break)

Session 2 – 3:15 – 4:45PM

3:15 – 3:45PM

“The Information Security Leader of the Future” –

Presenter – Lee Kushner

The skills for information security leaders are changing quite rapidly.  As many companies are aligning information security with their core business and branding, information security professionals will need to evolve as well.  The presentation will break down the core skill components of what information security professional will need to acquire and demonstrate to be considered for leadership roles in the future.

3:45PM – 4:45PM

The Other Side of the Desk – Different Perspectives on the Interview Process

Moderator – Mike Murray

Candidate Perspective – Lee Kushner

Hiring Managers Perspective –    

Bill Phelps, Executive Director Accenture  

Justin Somaini, CISO at Yahoo!

Abstract:

There are two parties involved in every interview process, the information security professional (the applicant) and the hiring manager (the decision maker).   While in essence, both parties ultimately desire the same outcome, their motivations lie in different places.   This portion of the presentation will present to the audience the perspective of the candidate and the perspective of the hiring manager, in a way that will educate both parties and enable them to social engineer the interview process, to work to their personal advantage.

Bill Phelps:

Bill Phelps is an Executive Director in Accenture’s security practice, and has spent the past 25 years in technology services.  In the past decade, Bill has been a practice leader, company founder, board member and trusted advisor helping organizations with complex management and technology challenges in the areas of information security, data center transformation and technology strategy.     Bill currently has overall responsibility for Accenture’s security business in North America.  Bill is aggressively growing Accenture’s security team, and plans to hire over security 200 professionals in the coming year.

Justin Somaini:

Justin Somaini is the Chief Information Security Officer at Yahoo! where he’s responsible for all aspects of Yahoo!’s Information Security strategy.  With over 15 years of Information Security experience he’s seen as a leader in industry by promoting an evolution of the security and risk management models.  Through his public speaking and industry involvement he’s given extensive talks and interviews on the threat landscape, public policy, security management and risk management.  Prior to joining Yahoo!, Justin was the CISO at Symantec.  Justin has also held security leadership roles at VeriSign, Charles Schwab and PricewaterhouseCoopers LLP.

4:45 – 6:00PM

Predictions for the Future and Career Advice Tuesday – “Live”

Presenters – Lee Kushner and Mike Murray

The employment market is dramatically changing – and the closing session will begin with information security employment predictions (based on experience and research) for the next ten years.  Once completed, this will be followed by a version of “Career Advice Tuesday” – “Live”.   All attendees can have their personal information security career questions answered in an open forum.   Topics will include skill development, compensation negotiation, career investments, career planning, and anything else you want to ask about your Information Security Career.

Tip #2 – Start Preparing Early

Once you’ve got a plan for the conference all figured out, it’s time to start getting prepared.  Long before we wrote these posts, we had already started contacting people who were on our plan for this year’s conference to make sure that we had set up some time to meet.  Mike’s schedule is already quite full from Sunday evening of that week all the way through our Thursday afternoon talk with people that he wants to see and events that he plans to attend.  Lee’s is the same.

Yours should be as well.  Start reaching out now to the people who you want to spend a few minutes with and make sure that you get on their calendar.  This is especially true if you know that the people who you want to meet up with are going to be busy at the show (esp. if they’re speakers at one of the various events).

Tip #3  - Skip Most of the Talks

This may seem counter-intuitive – most people think that conferences are entirely about the talks.  While this may have been true in 1998, it’s not nearly as true in 2011.  This tip can all be summed up by a single quote that we overheard at last year’s conference:  ”They record the presentations.  They don’t record the hallway conversations.”

When you go to a conference like Blackhat, you get a CD of all of the presentation materials and recordings of all of the talks are uploaded online.  You can get that material anywhere.  What you can’t get is the information and relationships that you get from each of the million conversations you’ll have at lunch, during the breaks, and at the parties in the evening.

Far too many people get up early to go to all of the talks and skip the parties because they have to work.  Here’s our advice:  if you’re going to do work, do it from the talk itself.  Take your laptop, pop your 3G card in (which is better than most Vegas hotel connections), and get your work done while speakers are talking.  You won’t miss anything that you can’t go back and re-watch later.

Then, make sure that you go to a bunch of the parties.  Meet the people who are on your plan and have a drink with them.

This is how you’ll make many life-long friendships and professional connections.

As we’ve pointed out before, it’s how Lee and Mike met in the first place.

So… with those three tips in hand, get a stack of at least 250 business cards and pack your bags.  And come find each of us when you get there – we’ll be the ones not attending the talks and talking to all of our favorite people.

Lee & Mike

The Seminar will take place as follows:

Monday, February 14th , 12:30 – 5:00PM, Moscone Center – Orange Room 305

Then final panel will follow immediately after my presentation- – which begins at 3:30 – and will conclude at 5:00Pm.

The final presentation is really the showcase for the event.  The panel discussion will feature three accomplished Information Security Leaders, who will guide the audience through the evolution of their information security career, and provide insight and guidance to the audience on how to accelerate their own careers.

The participating CISO’s represent a variety of industry’s and have some very unique career progressions.  They include the following :

Patrick Heim - CISO Kaiser Permanente, former CISO McKesson

John Kirkwood- CISO Royal Ahold, fomer CISO American Express

Stephen Scharf - Global CISO Experian , former CSO Bloomberg

The topics that we will cover will include the following :

1) Key career decisions that impacted and accelerated their careers

2) How they select talent?  What they look for in interviews?  How they determine who gets promotions and more responsibility?

3) Their own professional development – through industry involvement, certifications, and advanced education and training

4) What the future holds for them?  What they see on the horizon?

5) General Advice to aspiring Information Security Leaders

All I can say is that it is very exciting to bring this panel to the RSA audience.  The opportunity to gain insight into the careers of successful information security leaders, and in an open forum where the audience can receive unfiltered advice and guidance is a unique opportunity.

For all of the aspiring information security leaders out there, this panel is worth the price of admission alone.

Look forward to seeing you all.  Safe travels!

Lee and Mike

Session Date – February 14, 2011 (yep still Valentine’s Day)

Session Time- 2:30PM – 3:10PM

Location – Orange Room 305

Session Preview -”Making The A-List” - Written By Jeff Combs (guest blogger)

As a headhunter with over a decade of experience recruiting in Security, it’s my job to align the best candidates with the right opportunities.  It’s not an easy job, but one that can be very gratifying when you’re able to make a positive difference in people’s lives.  To be successful, a recruiter has to have a number of traits – empathy, listening skills, industry knowledge, the ability to earn trust and…the ability to think like a horse trader.

It’s a fact that companies will only pay to hire the best.  That’s why recruiters exist, to identify and attract talent that stands out from the rest of the crowd. Average doesn’t cut it.  So while I give everyone the benefit of the doubt, I can’t afford to represent anyone to my clients who isn’t a cut above their peers.  The candidates that I do advocate for have to be on the “A-list”.

What gets a candidate onto the A-list? There are roughly seven qualities that I look for when interviewing prospective candidates.  Some are “hard”, relating to a candidate’s skills and experience. Others are “soft” and focus on personal qualities. Taken as a whole, these qualities should tell a compelling story that will cause heads to nod and votes of confidence to be cast.

I’ll also describe a way of looking at your career and professional accomplishments that can have a big impact on how you present yourself and how hiring managers perceive you.  I refer to it as “Personal Product Management” and while not rocket surgery, it’s a simple way of making sure you’re headed in the right direction and conveying the right message.

A word of caution, for those seeking empirical data and quantitative metrics this may not be the session for you.  However, for those interested in hearing an insider’s perspective on what makes some succeed and many other’s fail, as well as some open discussion on ways to stand out from the crowd I think it will be time well spent.

I hope to see you there.

Jeff Combs

The panel’s unique composition will provide perspectives that reflect challenges on the different components of the industry – internal information security programs, government and public sector information security programs, professional services, information security software industry and the maturing “hacker” community.   The panel will discuss topics that include the role of certifications, the different perspectives of employers and perspective employees, and the challenges that face security professionals as they attempt to broaden their skills to gain greater acceptance by business leaders and executive management.

We were very fortunate to attract a panel of influential information security leaders including:

Kevin Richards,  President, ISSA International and VP of Services at Neohapsis

Jeff Moss, Founder of Black Hat and DEF CON, and Homeland Security Advisory Council Member

Michael Assante, President and CEO, National Board of Information Security Examiners

Chris Chock, Security Lead, Orange County Transportation Authority

Different then past RSA events, the Seminar is scheduled outside of the main conference tracks, where it does not compete with the highly technical presentations or the key notes.  By doing this, they have enabled all delegates to dedicate time to focus on their careers – and to learn how to best maximize their current positions and strive to attain their long term career aspirations.  The program is designed to take the Information Security professionals through a journey that will provide them with both content and context for managing their careers.

The Seminar will take place on Monday afternoon, February 14^th from 12:30 – 5:00PM.

On  the upcoming Fridays leading up to the conference, The InfoSec Leaders blog will feature an in depth abstract and preview to the content of the panels and the individual presentations.

The agenda for the seminar will be as follows:

A panel discussion, moderated by seminar co-host Mike Gentile, that will address  current state of the information security market, the skills that employers are looking for, and trends in today’s employment market.

An individual presentation from InfoSecLeaders’ Mike Murray on Career Planning.  This presentation will help guide the attendees through some basic steps to create a career plan tailored to achieving their long term information security career and life goals.

A presentation given by Jeff Combs focusing on differentiation and personal brand development.  Jeff will utilize his decade long experience as an Information Security executive recruiter to illustrate to the attendees how to make themselves more marketable and attractive – to both their current employers and future ones.

A presentation by me, Lee Kushner, that will focus on the skill requirements for the CISO of the future.  From our Infosecleaders survey we learned that 37% of the respondents aspired to become a CSO/CISO.  This presentation will outline the real skills that company’s are requiring and demanding from their Information Security Leaders of the future.

The seminar will then conclude with a panel discussion (moderated by me) of three current Information Security Leaders – Stephen Scharf, CSO Experian, Patrick Heim, CISO Kaiser Permanente, and John Kirkwood, Global CISO of Royal Ahold who will discuss their own careers paths and progressions, how they select and identify future information security leaders, what skills and attributes they search for in employees, and where they are heading next in their careers.  The panel will allow questions from the audience.

There is not any excuse for a reputable recruiter to operate in this manner. I would challenge anyone to come up with a reason, that this practice would be beneficial to you, as a candidate for an Information Security opportunity. 

My advice would be to steer clear of any recruiter or recruitment firm that utilizes these practices.

Here are my reasons:

1) Trust : The recruiter/candidate relationship is based on trust and professionalism. If a recruiter can not even reveal the name of their client, it simply means that they do not trust you with this information. What they are really saying is, “If I tell you who my client is, you may send them your resume by yourself and cut me out of the picture.”

Conversely, you are supposed to trust them with your career.

Something here just is not right.

2) Authorization:The recruiter might not even have a working agreement with the client or be authorized to present candidates. Since many jobs are posted on the internet, recruiters have access to these job descriptions, and search for profiles that appear to fit. It is a common practice for recruitment firms’ to “market candidates” in the hopes of gaining a formal recruitment agreement with a new client. As a the owner of a business I do not begrudge anyone from trying to build new client relationships, however as an information security professional I would prefer that my career not be a guinea pig for someone else’s business development experiment.

3) Control – If your recruiter does not reveal who their client is, you have basically given them permission to send your resume to anywhere that they deem fit. By allowing someone to “wallpaper” the world with your resume, you will most likely waste significant time interviewing for opportunities that could benefit the recruiter, but have no benefit to you.  The surrendering of control over the distribution of your resume, could lead to ……

4) Exposure - When anyone is more interested in quantity, and opposed to quality, details sometimes get overlooked. In this case, the detail may include having your resume sent to your current employer (unfortunately I am not making this up)  or people with big mouths (who will notify your current employer)

 Use your imagination to consider all of the potential consequences of this.  

5) First Impression - If more than one recruitment firm submits your resume to a particular opportunity it makes you look unorganized in the eyes of the prospective employer. Your recruitment process is the first window into how you operate and communicate. Failure to properly manage this process is not the first impression you want to make on a new employer.

When speaking with a recruiter, you need to demand transparency to insure that you understand which company you are applying to and where your resume is being sent.  You should also verbalize with your recruiter that you resume should not be sent to any third party without your consent and knowledge.   

Your career is important, make sure that you use good judgement in whom you trust it to.

The interview encompasses some of my thougthts around career management and career planning.

I welcome any questions or comments.

From what I understood when receiving the e-mail invitation, my friend was given the liberty to invite industry colleagues and other potential “customers” to this dinner to forge relationships and potentially develop new business opportunities. I believed that I was added to the guest list for some broad perspective of the security market which would have been beneficial to all in attendance.

The dinner was initially to be attended by somewhere between 9 or 10 people, however for one reason or the other – jet lag, previous plans, not wanting to begin dinner at 9PM PST, the final number in attendance was 5. The final roster included me, my friend, his co-worker, and two representatives from the vendor.

The vendor chose a San Francisco favorite, Scoma’s, an Italian/Seafood restaurant located at Fisherman’s Wharf. After a round of drinks, we sat down at a table. It became very evident to me, whom the most senior member of the vendor team was, as he interacted with the waiter, received the wine list, and quickly accepted the role of “table captain.”

The conversation at the table was free and easy. We spoke about our families (even showed some pictures), sporting events, our college experiences, careers, the economy, and other topics. We did not even begin to discuss Information Security, their products, or anything relative to traditional business.

As this was going on, the “table captain” took the reigns and began to order. He ordered appetizers for the table, an extra course of salad for himself, a main course, and selected the wine. As a guest, I followed his lead. Shared the appetizer, did not select a salad, chose a main course within five dollars of his choice, and had a beer instead of wine. As the meal came to a close, he ordered himself a desert, coffee, and asked everyone if they every had port wine – and ordered himself a glass, I passed on dessert and coffee – but took him up and the port wine. I am not really a wine drinker, but I was up for the experience – and at his encouragement, I thought I would take him up on his suggestion.

The conversation continued throughout the meal, and everyone became more relaxed during the time, and people were obviously comfortable. The one single person discussed his current dating dilemmas, one spoke about raising a special needs child, we even touched on the standard no-nos, religion and politics. But that was the level of comfort, it was really a great dinner, until…

The check came!

The table captain left the table at the end of the meal to seek out the waiter and to call a cab. In his absence the waiter appeared and handed me an itemized copy of the bill and stated “Everything else is taken care of. This is for you.”

I did not know how to react at first. There were many items going through my mind, but I chose to just stare in disbelief for the first couple of moments. My first inclination was to go to see the waiter, and pay for the entire check – just our of principle and make the “table captain” feel uncomfortable, my second thought was to just reach in my pocket, pay cash, and leave on my own, the third option was to refuse to pay, and create more discomfort. The remaining three other people, including the person who invited me, were obviously uncomfortable and this created a very awkward moment.

After the awkwardness subsided, I reached for my money but was interrupted by the other member of the vendor team. Obviously embarrassed, he reached to his wallet and paid on the corporate credit card. It was also obvious to me how embarrassed my friend who invited me was. He remarked to me after how impressed he was on how I handled the awkwardness of the situation.

As we waited for the cab, the “table captain” returned to an much different table. The subject of business took hold and I can tell from the reaction of the two “customers” they were not nearly as engaged as they would have been, if the “table captain” would have just paid the entire check. The actions of the “table captain” gave off the impression that he was only concerned with people who could make him money. Personally, I think this spoke loudly for his character and I believe that I would reconsider sending any additional business in his direction. But that is just me!

There are a number of things we can learn from this. First, if you are going to invite someone to dinner, the expectation is that it is your meeting and you are going to be responsible. Second, it is always a good idea at a business meeting to follow the lead of the “table captain”. Your ordering pattern should mimic theirs. Third, never take advantage of a good gesture. If everyone is ordering $20 items, do not order the 4lb lobster that costs $80 – that is just rude and says a great deal about your character. Also, think before you speak. Know which topics are fair game to discuss, and which ones are a bit taboo for the subject. Finally, never make anyone feel insignificant. In the situation above, if the waiter produced five separate checks, I would not have had any issue. However, singling me out made me feel like a second class citizen, even though throughout the dinner I was treated like an invited guest.

Just remember, people are judging and evaluating you in many different environments. Your are always interviewing.