Career Advice Tuesday – “Making Them Wait”

May 29, 2012

Dear Infosecleaders:

I am in the process of making my first job change and I am looking for some advice.  I have spent the past five years of my career working at a corporate information security position, and I am looking to transition to the world of large consulting – for both the experience, the exposure and the compensation.

I decided to interview with a few consulting firms who have advertised similar openings. One of the firms whom I interviewed with, I really liked. They have a dynamic leader, a solid market presence, and they offered me a competitive compensation package. On its own merits, it is definitely an offer that I would accept and be happy with.

Toward the end of my process with them, I was then contacted by another large consulting firm, and I went on an initial interview with them – and it also went well. Although the roles are similar, the second firm is a bit more “prestigious” than the first, and in my opinion has a better external brand. After the initial interview, the internal recruiter told me that the remainder of the process would take an additional two weeks to complete.

My offer with the initial firm is roughly a week old and is approaching expiration.

I would like to know what my boundaries are here. I do not want to jeopardize my offer with the first firm, but I do not want to accept the role without hearing the second firm out, and reviewing their offer. Is asking them to wait an additional two weeks an option? Am I in jeopardy of “burning bridges”?

Any help would be appreciated.


Mr. Heinz 


Dear Mr. Heinz –

What you are really asking is how long is an acceptable time to “Make Them Wait” for your decision, without burning a bridge.

First some guidelines – an acceptable time to evaluate an offer is a week.  If you were more senior, I could even see that 10 days could be acceptable, maybe even 2 weeks,  especially if it involved a relocation.  But at your level, a week is ample time – anything else is excessive and somewhat disrespectful.

The best thing that I can share with you is this: you definitely have the right to evaluate all of your options before making a job change, but you have to remember that the practice leaders of these firms (who will be your managers and bosses) are highly competitive and have a good amount of pride (or else they would not be in charge). In addition, what would make losing this recruitment battle worse is the fact that they would be losing out to one of their competitors.

So you need to be careful.

To give you some perspective, I want to introduce a scenario to you, that should be able to provide you with clarity:

You go out and interview with a company. You interview well and the company states that they like you – and they believe you are a good fit. At the end of the interview process, they basically say this – Mr. Heinz – you are an excellent candidate, have all the skills to do this job correctly, and we would want you on our team – however, in three weeks we are expecting to interview another candidate with very similar skills, compensation requirements, and personality – we would like for you to wait three weeks – so that we can compare them to you – and so that we can elect to move forward with either you or the other candidate.

How would you feel?  How would you view the opportunity?  Would you feel good about going to work at an employer where they have essentially told you that you may be a second choice, or a fall back option?

Chances are, your feelings would be hurt. All of the good will would be sucked out of the interview process and you would want to consider working at other places – not because of the role, but because of how you were treated.

This is how the hiring manager at the other firm feels as a result of your actions and intentions.

My advice would be to accept the position with the first firm.

The roles are basically the same. You are going to gain very similar experiences. The compensation packages are going to be very similar in the end as well (within about 5K). The first firm treated you well, you were comfortable, and you liked the environment – essentially, what more could you want? Large information security consulting firms basically have similar brands – and are looped together – there is essentially no branding difference between consulting firms that offer a broad range of security consulting services.

If you turn this position down, you are essentially going to “burn the bridge” because of how you handled the process.

In the future, the way to avoid this is to let all of the firms that you are interviewing with know that you are looking to make a decision by a specific date. You can tell them that you would like to have all offers by a certain date, so that you can evaluate them side by side. By setting this expectation, you demonstrate that you are a good communicator, you are well thought out in your approach, and you establish ground rules so that they can control the timeline of your hiring process.

In closing, you are a first time job changer, so you should be forgiven for this. But you need to learn from this, so that you do not find yourself in this situation again in the future.

Hope this helps,

Lee Kushner


Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Career Advice Tuesday, Interviewing, Position Selection, Recruiting | 2 Comments 

Career Advice Tuesday – “The Silent Treatment – Executive Style”

March 20, 2012

Dear Infosecleaders:

I have recently engaged in an interview process for a Senior Information Security leadership role through the help of a retained executive search firm.   This is the first time that I have even been considered by one of these types of entities, and I can tell you that the process has been quite elaborate. 

Before I even had a chance to speak with the company, I had to go through three rounds of interviews with the executive search firm so that I could be vetted.  This included in person interviews, a personality profile, and a series of video conferences.

After that battery of tests, I was invited to fly out to the company’s headquarters where I had to commit to two full days of interviews. The interviews consisted of a range of corporate executives including the CFO, COO, CIO, General Counsel, Business Unit Leads, and various technical SMEs.

The days were exhausting, and I left the meetings feeling that I did “OK”, but quite frankly I do not really believe that I would want the position if offered.    I provided feedback to the executive search firm and I have yet to hear back.

That was roughly a month ago. 

In that time, I have lobbed some calls in to the search firm and sent some e-mails but I have not heard anything back from them.  At this point, I am assuming that I was not selected, however, I believe that I am entitled to understand why.  

First, I believe it would be good from a learning perspective, to understand which skills that I am lacking and need to develop.  Secondly, I believe that I am entitled to some closure and some courtesy.  I mean, I have taken about five days to go through this interview process, and I believe I deserve this decency.

Any help can be appreciated.


“Hear No Evil”


Dear “Hear No Evil”:

Believe it or not, I would not assume that you have not been selected for the position.  I know that this may sound strange, but many executive search processes take extended periods of time, due to the fact that it is difficult to coordinate calendars of both the interviewers and the candidate pools.

Understand that in a true “Executive Search” process, it is likely that a company will interview as many as five or six candidates on site, before they are able to build comparisons, rank the candidates, and come to some conclusions.  In addition, in some cases after interviewing the candidate pool, they may come to the conclusion that they have designed the role incorrectly, and they want to engage a candidate pool with a different collection of skills.

You should also understand that many (I will not speak for all) executive search firms believe that their only client is the one paying the bills – not the candidate they are sending into the interviews. In an executive search process, the recruitment fees are quite significant, and I can imagine that for the position that you are applying for, the fee could approach $100,000 – $200,000.

The search firm in this case is being paid more as a “Consultant” – and for their elaborate process and guidance in the search process, as opposed to the hiring of the candidate. In fact, they will be paid a majority of this fee (and it is likely that they will be paid the entire fee), whether they fill the position or not.

Considering that their allegiance is to the company that is paying their bills they are going to carry out their wishes.  One of those wishes may be to not communicate with the candidates until all of the interviews have been completed.

Now that you have a better understanding of the process, let me get back to your question…..

You definitely have a right to get some feedback from your efforts.  However, understand that you may not get this.  I would continue to attempt to engage the executive search firm to get this feedback through a pattern of phone calls and e-mails.  However, I would not be too persistent or too pushy, as they will be “judging” you by the method and the delivery of your attempts.

It would be good to determine if you want to keep a relationship with the executive search firm. My advice is that you should, even though you may not like the process. The next time that you do engage, you should ask the executive recruiter to map out their process, their time lines, and their feedback process. At that time, you can determine if the Information Security leadership position is worth exposing yourself to this type of process.

Hope this helps.

Lee Kushner

Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Career Advice Tuesday, Interviewing, Leadership, Recruiting | 1 Comment 

Infosecleaders at #BSidesSF

February 27, 2012

Good morning Infosecleaders community!

I am looking forward to an exciting two days at Security BSides, and meeting many of you whom I have communicated with about your Information Security careers over the past year(s).

If you are not in attendance, you can view my presentations and all of the content at #BSidesSF live stream:
Track 1 -
Track 2 –

My presentations are scheduled as follows:

Monday (Today) February 27   -  Track 1  – 9:40PST/12:40 EDT – 10:00PST/ 1:00PST

B-Sides Welcome Address –

It is such an honor to have been asked by the folks at B-Sides to give the welcome address.  I plan to share some of my thoughts about the importance of community in the development of a successful Information Security Career.

Tuesday – February 28th    Track 2    – 11:00AM PST/ 2:00PM EDT – 12 noon PST/3:00PM EDT

The Other Side of The Desk: Different Perspectives on The Interviewing/Recruitment Process  -

Lenny Zeltser and I take a look at the recruitment and hiring process from two unique angles – the hiring manager (Lenny) and the information security professional/ job candidate (Lee).  The presentation is designed to provide the attendees some insight into the minds of the other party – in the simultaneous pursuit of talent and opportunity.

Tuesday – February 28th   Tracks 1 and 2    Career Advice Tuesday  – Live

12 noon PST/3:00PM EDT – 1PM PST/4:00PM EDT

This is the opportunity to ask your information security career questions live.  You can ask them either as yourself or anonymously – and I will answer them live.  If you would like to ask your questions prior to the sessions -  follow these instructions – or come see me at BSides today.

Enjoy the Conference.  Make the Most of It!

Lee Kushner

Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Personal, Position Selection, Presentation, Recruiting, Security Industry, Skills | Comments Off 

Career Advice Tuesday – “Infosec Leaders Need To Be Good Recruiters”

December 27, 2011

Today I am sharing an article that we wrote that appeared in Tech Target’s Information Security Magazine. The topic focuses on life on “The Other Side of the Desk” – becoming an effective recruiter in the building of your information security team. The article scratches the surface of some important attributes that all solid information security leaders should possess in acquiring the necessary talent in order to provide them with a better chance of success.

The original article was edited by our friend Michael Mimoso at Tech Target.

The article can be found here –

Happy New Year,

Lee and Mike

Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Career Advice Tuesday, Interviewing, Networking, Recruiting | 5 Comments 

Career Advice Tuesday – “Black Hat Preview – Professional Development Workshop”

July 26, 2011

For today’s Career Advice Tuesday – we wanted to share a more detailed look at our Black Hat Professional Development workshop. The workshop will take place on Thursday afternoon – from 1:45 – 6:00PM. Anyone in attendance can either come to any individual session or stay for the whole program.

If you are at Black Hat, please come by and introduce yourselves.


InfoSec 2001 – A Career Odyssey

The Professional Development workshop is a half-day program that is designed to inspire the Black Hat attendee to think about their career as an information security professional and assist them in their journey towards the achievement of their long term career goals.

The Professional Development workshop will be divided into five (5) unique information security career topics that will be linked by a common theme – Skill Development and Differentiation.

The program will consist of the following:

1)    “The Value of Information Security Certifications Survey” – Research Revealed – 1350 information security professionals responded to an independent survey on the topic – the research will be revealed

2)   “Second Place Sucks” – A presentation geared toward differentiating yourself from your peers (and your competition)

3)   “The Information Security Leader of The Future” – a presentation that will outline the skills that employers are looking for when identifying and selecting their information security leaders.

4)   “The Other Side of The Desk” – a panel that will explore the different attitudes and beliefs by job applicant and employer during the interview process

5)   “Future Predictions” and “Career Advice Tuesday- Live” – Future trends will be discussed and explored – and attendees will have the opportunity to ask questions about infosec related career topics

The workshop is designed as an interactive forum that should inspire some shared thought and debate between audience members and the presenters.

Attendees should understand that they can elect to either participate in the entire workshop, or to pick and choose from select sessions that have a particular interest to them.

Session Previews:

Session 1  – 1:45 – 3:00

“The Value of Information Security Certifications Survey”

Presenters – Mike Murray and Lee Kushner –  

In February of 2011, launched an independent survey on the value of information security certifications. The value of InfoSec certifications is a highly debated topic in the industry, and this is the first independent survey that asks questions to information security professionals (certified or not) – their opinions on topics that include – the motivations for certifications, the impression of the certification bodies, the value of skills vs. certifications, and certifications’ effect on employment. With over 1350 respondents, the results should be revealing and eye-opening.

Second Place Sucks -

Presenter – Mike Murray

So, if certifications are no longer the magic bullet to get you to your career goals, then what is? The topic of strategic career investments and personal branding will be the focus of this presentation. The presentation will be spent on how you can plan and execute on career investment strategies that will enable you to differentiate from your peers and successfully compete for promotions and external information security leadership opportunities.

(15 minute break)

Session 2 – 3:15 – 4:45PM

3:15 – 3:45PM

“The Information Security Leader of the Future” –

Presenter – Lee Kushner

The skills for information security leaders are changing quite rapidly. As many companies are aligning information security with their core business and branding, information security professionals will need to evolve as well. The presentation will break down the core skill components of what information security professionals will need to acquire and demonstrate to be considered for leadership roles in the future.


3:45PM – 4:45PM

The Other Side of the Desk – Different Perspectives on the Interview Process

Moderator – Mike Murray

Candidate Perspective – Lee Kushner

Hiring Managers Perspective –    

Bill Phelps, Executive Director Accenture  

Justin Somaini, CISO at Yahoo!


There are two parties involved in every interview process, the information security professional (the applicant) and the hiring manager (the decision maker).   While in essence, both parties ultimately desire the same outcome, their motivations lie in different places.   This portion of the presentation will present to the audience the perspective of the candidate and the perspective of the hiring manager, in a way that will educate both parties and enable them to social engineer the interview process, to work to their personal advantage.

Bill Phelps:

Bill Phelps is an Executive Director in Accenture’s security practice, and has spent the past 25 years in technology services. In the past decade, Bill has been a practice leader, company founder, board member and trusted advisor helping organizations with complex management and technology challenges in the areas of information security, data center transformation and technology strategy. Bill currently has overall responsibility for Accenture’s security business in North America. Bill is aggressively growing Accenture’s security team, and plans to hire over 200 security professionals in the coming year.

Justin Somaini:

Justin Somaini is the Chief Information Security Officer at Yahoo! where he’s responsible for all aspects of Yahoo!’s Information Security strategy.  With over 15 years of Information Security experience he’s seen as a leader in industry by promoting an evolution of the security and risk management models.  Through his public speaking and industry involvement he’s given extensive talks and interviews on the threat landscape, public policy, security management and risk management.  Prior to joining Yahoo!, Justin was the CISO at Symantec.  Justin has also held security leadership roles at VeriSign, Charles Schwab and PricewaterhouseCoopers LLP.

4:45 – 6:00PM

Predictions for the Future and Career Advice Tuesday – “Live”

Presenters – Lee Kushner and Mike Murray

The employment market is dramatically changing – and the closing session will begin with information security employment predictions (based on experience and research) for the next ten years.  Once completed, this will be followed by a version of “Career Advice Tuesday” – “Live”.   All attendees can have their personal information security career questions answered in an open forum.   Topics will include skill development, compensation negotiation, career investments, career planning, and anything else you want to ask about your Information Security Career.

Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Branding, Career Advice Tuesday, Compensation, Interviewing, Networking, Planning, Position Selection, Presentation, Recruiting, Resume, Security Industry, Skills, Survey, Uncategorized | 1 Comment 

New Blog Series- “The Other Side of The Desk”

June 26, 2009

Interviews are the gateway to opportunity. Whether it is for the purpose of employment, education, or social activities, interviews provide a framework for information exchange, skill validation, and ethics.

All job interviews have two different components: the employer and the candidate. The main reason for employers to begin interviewing is due to the fact that they have an organizational need that they have to address. The main reason that candidates decide to interview, is that they believe that they will gain some kind of benefit by joining the employer. Depending on the candidate’s particular motivation, this could include money, responsibility, skill development, career advancement, quality of life, or a number of other things.

Upon conclusion of the interview, there are four possible outcomes:

Both the employer and candidate like each other.
The employer likes the candidate, but the candidate does not like the employer.
The candidate likes the employer, but the employer does not like the candidate.
Both the candidate and employer do not like each other.

When both parties agree upon the outcome, the situation is comfortable. However, when the parties leave the meetings with different impressions, people’s feelings begin to get hurt. That is when things become difficult and generally mishandled.

After thirteen years of recruiting information security professionals, I have reached the conclusion that the recruitment process itself is very delicate. The outcome of the interview process can have a significant effect on the candidate’s career and the organization’s success. There is a good deal of pressure that can cause the process to become emotionally charged. It has become clear to me that many things have to go right during this process to ensure successful recruitment. It is possible that only one negative interaction can undo all of these positives.

It is a true shame when opportunity is lost because of process, rather than skill.

I am astounded by the general disconnect that comes from both sides of the interview process. Whether it originates from the candidate or the employer, I have been able to witness some of the most inconsiderate forms of human behavior in my role as a recruiter. I have seen far too many opportunities squandered due to poor communication, lack of professional courtesy, and the absence of common sense.

In response to this, I am going to begin to share some of my experiences from my time as a recruiter in this industry with both successful and unsuccessful recruitment processes. I believe that in taking some of the mystery away from the interview process itself, and sharing the different perspectives of both the employer and the candidate, we will be able to help people become more successful interviewers and team builders. I also hope that we can help create an environment where Information Security professionals can learn from their interview failures, communicate better during this process, and better prepare themselves for future interviews.

I promise a minimum of one blog entry a month under this title and on this subject. All of the entries will be anonymous and based on my collective experiences, not just one particular recruitment situation. If you have a personal story that you would like to share (as a candidate or an employer), questions to ask, or something you would like for me to comment on, please send them to

Posted by lee | Filed Under "The Other Side of The Desk", Interviewing, Uncategorized | Comments Off