Career Advice Tuesday – New Year’s

December 29, 2009

Due to the holiday, the number of questions we received in the last week has been pretty light. So, instead of doing a question this week, we’re going to do a quick post on the year end.

First, let me say that I hate New Year’s “Resolutions” – the idea of becoming resolute based on a date is a recipe for failure. (And research shows that 78% of them fail.)

But the end of the year is often a good time for planning and thinking. It’s a time of year spent around family and a time where work in our industry often takes a slight lull. And Lee and I both use this time to take stock of our lives and our plans for the coming year.

So, we’d urge you to make this a time for career planning. As we said in our Defcon talk, our survey from last year showed that career planning matters – those with a written career plan are about 25% more likely to make more than $120K/year than those that don’t have a plan.

As far as what we’re planning for 2010, you can expect a lot from InfoSecLeaders. The results for that survey will be fully available in the immediate future, as well as a bunch more surveys in the coming months. Additionally, we’ll be continuing our articles in Search Security and be announcing other relationships with other publications. We’ll be speaking at conferences. And we’ll be releasing more online courses (like our Career Incident Response Series) soon as well.

And Career Advice Tuesday will continue. Ask your questions here.


Why Information Security is the Hardest Career

November 10, 2009

I was talking to my friend Ian the other day and he mentioned that he was posting about our careers and what we do. I pointed out that I have been ranting on the topic of why our career is the most difficult for the past couple of years – anybody who saw Lee and me speak at Defcon, Source or RSA in the past couple of years heard my rationale.

Security is an interesting discipline – the threat landscape is always changing and we’re forced to keep up constantly. The simple reason behind that change is that security is ultimately a quality issue. What’s interesting about quality is that issues in product quality are heavily front-loaded – as a product matures, the number of newly discovered quality issues decreases. Thus, the security issues are almost always within the newest technologies.

This forces security professionals to be always conversant on the newest technologies. Imagine for a second that we had a time machine, and we brought three IT professionals from 1997 to the present: a Unix system administrator, a C programmer, and a security engineer.

The Unix system administrator’s knowledge of SunOS 2.6 would allow them to be functionally conversant on a modern *nix system. They’d have a few things to learn, but most of their fundamental knowledge (e.g. run levels, cron, syslog) would be useful today.

The C++ programmer would still be able to hack on code. Sure, there have been changes to the STL over that time and there are some new constructs. They might have to learn pair programming and agile methods. But their coding skills would be the same.

The security engineer would be… well, lost. Functionally incompetent. They could expound on Smurf and Land attacks and on ensuring that there were as few SUID binaries on your box as possible. But they couldn’t even use the basic technologies: firewalls weren’t stateful, IDS was barely nascent, and there was no such thing as spyware. SIEM, DLP, and anti-spyware would have been terms that made no sense. No wireless networks. Not to mention that “cloud” and “social network” would have garnered confused looks.

Five years from today, the Unix admin and the coder will still be conversant. And my examples that I used talking about the security professional will seem quaint and antiquated.

This is because the challenges for the security professional are always in the brand new technology – we don’t deal with issues in the IP stack because we handled them in 1997. And we moved on because the attackers found more fertile ground in the new technologies. And we will move on again – in five years, web app security will be old hat, as will “the cloud”. (“Remember when we were all worried about issues on Facebook and Google Apps?”, we’ll reminisce at Defcon 22…)

This makes it extremely difficult to create a long-term career in infosec – the moment you stop being conversant in the newest technologies is the moment that you’re functionally obsolete. So, we have to be willing to make a long-term commitment to our own growth and investment. We have to study. And we have to continue to grow every day lest we be left behind.


Career Advice Tuesday – Career and Family Planning

August 4, 2009

Hi Lee & Mike,

I’m currently working in the Information Security field in the public sector.  I have a Graduate Certificate and CS Masters focusing on Information Security.  Unfortunately, I only have approximately 3 years of experience.  In 1.5 – 2 years, I will be starting a family and may need to take as many as 8 years off from traditional employment as a result.  I’d like my lifetime career to be in Infosec, so do you have any advice on ways to remain viable in the field while not being able to work in it for awhile? It seems prudent to ask now while I still have time to take action.  If I were in any other field, I do not think I would be so concerned but the Infosec field changes more rapidly than most.

Thanks,

Future InfoSec Mom


Dear Future InfoSec Mom:

First of all, let me commend you for your foresight in anticipation of this situation. 

It is very difficult to balance the responsibilities of a family and a career at the same time.  I know that many other Information Security professionals, both male and female, can empathize with your situation and the choice that you are planning to make. 

One thing that you have going for you is that you work in the public sector and they are generally more sensitive to work/life balance issues.   Here are a couple of pieces of advice:

1) Work for a company or agency that has a long term commitment to Information Security as a career path for their employees.  If you can prove yourself as a valuable asset to the Info Sec program, they should have a vested interest in welcoming you back upon your return.

2) Figure out if you can locate or potentially help develop a role where you could work part time and still be of value during your eight years away. This will require creative thinking and progressive management. If you can introduce a logical use for your skills in a part time capacity while you are currently working, you will be the one most likely to benefit from this new position.

3) Focus on developing some of the skills that are centered around policy, governance, awareness, and business risk - as opposed to hard technical skills.  The hard technical skills may be very difficult to keep up with if you are not engaged with the technology on a daily basis.  It may be easier to keep up with regulations and standards – since these can be acquired by traditional educational means.

Good luck to you in both of your pursuits.  We hope this helps.

Lee and Mike


Career Advice Tuesday- When The Economy Negatively Impacts Your “Good Job”

July 21, 2009

Dear Lee and Mike:

The ongoing hardships caused by this lovely economy have now really started to impact our company culture. Things are now quite strained. We’re not getting any raises, no empty positions are being filled, everyone’s doing extra work, training budget has been killed off. In short, it’s getting fairly grim.

In spite of it all, I’d honestly like to stay at this job. I strongly believe in our mission, and I’m friends with most of the coworkers, but things are souring… what can I do to re-sweeten things? Or am I simply holding onto past glories?

Signed,

Conflicted


Dear Conflicted:

Let me start by saying that you are not alone. Many of your peers are experiencing some of the same things due to economic issues. The loss of corporate revenue has negatively impacted training budgets, technology advancements, raises, and bonuses across the board. Unfortunately, as professionals we have grown a bit accustomed to the perks attached to our position. When employers begin to tighten the purse strings and we are asked to share in the burden, it becomes a bit uncomfortable.

From what you have described it appears that you particularly have a couple of good things going for you:

1) Although you are currently experiencing some short term discomfort, it appears that your company has a track record in the past for “doing the right thing” by making solid investments in the Information Security program and the staff. 

2) It also appears that some of the core values that relate to your situation remain intact. You believe in what the company is doing, you have solid peer relationships, and my guess is that you are well thought of and your opinions are well respected. All of these things are positive.

My advice to you (and your peers) is to give your current employer the benefit of the doubt, in the near term, and utilize this as an opportunity to attempt to creatively solve your problems and build your personal brand. 

Here are a couple of examples :

When a department is understaffed and is not adding new personnel, there is usually an opportunity for work that is outside of your traditional comfort zone. Try to volunteer for some of this newer work, so that you can develop a new skill or perfect an existing one. If you can utilize this opportunity to build more skills, your future value and marketability will increase, whether you choose to remain at your current employer or move on.

Regarding training, I believe this is when you need to utilize your creativity to continue receiving training but at a lesser cost.   This is the time that you can get together with your team and figure out some solutions and present them together to management.  Remember, there is always strength in numbers, and you may achieve a greater impact if you address this with your manager in collective fashion. 

Here are some suggestions that may provide a  lower cost option to training:

1) Build an Info Sec Library – Ask your employer if they will reimburse the purchase of information security related books, that can be kept as a corporate reference guide.

2) Volume Discounts – Call up some of the traditional training programs and conferences and ask for volume discounts.  These folks are in business too, and they may be flexible.  They are facing some of the same economic issues.

3) Invite Guest Speakers  – Many people in Information Security like to share their knowledge.  Create a guest speaker program where you can bring in an external speaker (you may have to cover some travel expense and meal) once a month, to address a specific topic. 

Unfortunately, I do not have any solutions for bonuses or raises.  If money is the main motivator, you may be forced to begin looking for a new role.

In closing, I believe that you will benefit from exhibiting a little bit of patience with your current employer. However, if things do not change in three to six months, and you are still having the same feelings, you may have to begin looking elsewhere.

Hope this helps.

Lee and Mike


Career Advice – Beware the $700 Resume

June 1, 2009

Got a call the other day from a friend of mine who is currently in between positions, and he told me that he was on The Ladders, and had applied for a resume critique.   After submitting his resume, he was sent an e-mail from a resume reviewer that basically dissected his resume and provided him with some high level generic feedback.  These recommendations included things like elevating his language/vocabulary, omitting the year that he graduated college, formatting and visual design, and defining a specific job title that applies to his experiences.  

On its own, I would tell you that some of the feedback had some merit; however, there were items that I did not agree with. For instance, if a company is going to discriminate against me because it knows my age (whether I am either too old or too young), I would like to know before I waste my time interviewing.

However there was a catch.

All of this feedback was packaged nicely around carefully crafted language that in my opinion is a poorly designed sales pitch.  The words that they used stated that “THE BEST RESUMES -NOT CANDIDATES receive attention”, “your resume goes FIRST and it’s their ONLY impression of YOU,” “Managers are interested in IMPACT over action.”

I cannot deny that these statements are indeed factual and make a great deal of sense.  I did get a chuckle of how they decided to capitalize and bold some of the words to draw emphasis.  FOR EFFECT I WILL CONTINUE ON USING THEIR STYLE. 

As you read on, The Ladders critique instructs the candidate to “go back and reread your resume, and you will see that this document is selling you short. The bottom line: Your resume simply does not reflect your professional caliber at all. You have an excellent background…you have the qualifications…but you are just not making that first impression count.”

THIS STATEMENT IS PATRONIZING AT BEST.  I ALWAYS APPRECIATE A GOOD BACKHANDED COMPLIMENT.

The Ladders writes “You are a premium member of TheLadders.com BECAUSE you’ve got the valuable experience, the superior skills, the unique qualifications and most importantly the DRIVE to get that next 100k+ job (yes, we redirect people who don’t fit our profile; it is in our best interest to do so).”

THIS IS YOUR CUE TO BEGIN FEELING SPECIAL. STATING THAT YOU SHOULD BE PRIVILEGED TO BE INCLUDED AS A MEMBER OF THE LADDERS, WHOSE BARRIER TO ENTRY IS EITHER YOUR PERSONAL INFORMATION OR YOUR MONTHLY MEMBERSHIP FEE, IS QUITE AN HONOR!

The Ladders writes “On paper, your wording and presentation leave much to be desired. Your resume does NOT generate excitement and professionalism. These two elements combine to make you the ideal candidate for a resume rewrite. We are here to make your job search QUICK and SUCCESSFUL! To this end, it is crucial that your document look as impressive as you do, and that you do not LOSE interviews in the process.”

THIS CONFIRMS THAT NOT ONLY ARE YOU DEFICIENT IN YOUR PRESENTATION, BUT YOU ARE ALSO A POOR COMMUNICATOR (OF COURSE, SO ARE ALL THE OTHERS), BUT OTHER THAN THAT YOU HAVE GREAT SKILLS. FEAR NOT – HOPE IS ON THE WAY (Begin Playing Superhero Theme Song of Your Choice). IT JUST SO HAPPENS THAT YOU (AND ANYONE ELSE WHO ASKED FOR THIS CRITIQUE) ARE THE “IDEAL CANDIDATE” FOR THIS SERVICE. WE DESIGNED THIS WITH YOU IN MIND! NOTHING SAYS SPECIAL LIKE A FORM LETTER!

The Ladders writes – “Most people are like you—they struggle to put themselves down on paper effectively—but that’s where we come in, because we are experts at knowing the best way to present you. Most competing professionals employ the services of professional resume writers, creating a disadvantage for those that make the attempt alone.”

THIS IS MY FAVORITE – DO NOT FEEL ALONE. YOU ARE NOT SPECIAL. EVERYONE NEEDS OUR HELP. HOWEVER, ONLY THE WISE CHOOSE TO ACCEPT IT (AND OF COURSE HAVE A VALID CREDIT CARD). THEN THEY TELL YOU THIS CAN ALL BE YOURS FOR THE LOW RETAIL PRICE OF $700.

Please understand that I am not writing this to single out The Ladders or any other resume writing service, but $700 is a lot of money. I am sure that many have received value for this service and are happy with the results. What I want to explain is that YOU ARE CLEARLY BEING SOLD TO!

Unfortunately, there are many who seek to profit from others during times when they are most vulnerable. As you can tell from the critique above, the key statement that they make is that you are clearly at a competitive disadvantage if you DO NOT do this.

I do believe that resume writing assistance is valuable and that if used correctly, it can be the difference in providing you the opportunity to be included in the interview process and being considered for a position.   I am also a firm believer that those “WHO RECEIVE FREE ADVICE, TRADITIONALLY GET WHAT THEY PAY FOR.”

I understand that companies like The Ladders are in business to make money and are not run like charities. But there is a time and place for everything. To make promises that this type of investment will produce results and help you get employed quicker is not 100% truthful. I am pretty confident that there is some strong legal language and disclaimers attached to this service agreement.

I am a big believer that the time to make this investment is when your career is in good shape and you are in good financial health. I think that it is not a great business practice to ask people for money at the time when they need it the most.

Here are some guidelines that I can give you when considering a resume writing/preparation service:

1) Find someone who understands the Information Security industry, your marketable skills, and your target audiences.  This will be incredibly helpful in helping you market yourself effectively to the companies that are looking for talents like the ones you possess.

2) Understand from the resume service what their success rate is in working with people with your talent and at your level of employment. When possible, ask for references. Ask your peers if they can recommend anyone in particular. Make some of their fee contingent upon receiving a result. For example, 50% of the fee to be paid up front, and the remainder to be paid upon getting an interview based on this new resume.

3) Find someone with whom you already have a previously developed, trusted relationship to help you. Granted, this may be a “free service” like a member of your network or a mentor who will be happy to give you some advice and guidance. It can even be a recruitment firm or career coach that has helped you in the past and offers this as a “fee based” service. As a general guideline, if you have a previous relationship, you already have an understanding of what your expected level of service will be.

4) Figure out the “fair value” for their service.  You can do this by applying a dollar value to their time. As a guideline, think about what your “hourly rate” would be, and use that as a number. 

For example, if your compensation is $100 an hour, and it will take three hours, fair value for the service would be $300.  You can pay $150 up front, and $150 after you go on your first interview.

In closing, please be careful about whom you trust with your career and which services you pay for. Make sure that the service providers are motivated by the development of a lasting relationship, not just a short term transaction!

Remember – THIS BLOG IS FULL OF FREE ADVICE, YOU ARE GETTING WHAT YOU ARE PAYING FOR!


Announcing the Career Incident Response Audio Series

May 23, 2009

I can’t tell you the number of people I have talked with lately who are either afraid of losing their job, are about to lose their job or already have lost their job. Lee and I talk about it almost daily – it’s a consistent flow of new people who are having their career plans “hacked” by some unexpected event.

Because it’s so constant, Lee and I decided to get on the phone a few times over the past couple of months and put together a guide to setting up your own “Career Incident Response” plan. The people who have planned for it and are prepared are the ones who land on their feet most easily.

Click here to sign up to start receiving the audio and the exercises that will walk you through setting up your plan, dealing with your career incident, and coming out the other side.

Check out the short Trailer Episode we put together, or Sign up now.


Interview with Art of InfoSecurity – Part 2

May 12, 2009

Recently I finished an interview with Eric Heidt, author of The Art of Information Security Blog. The interview was posted in two separate segments. You can find the first segment posted on April 17.

The interview encompasses some of my thoughts around career management and career planning.

I welcome any questions or comments.


Decisions and Dilemmas

May 8, 2009

During the 1986 baseball season, the New York Mets were getting ready for the World Series.  During the season, their four starting pitchers Dwight Gooden, Ron Darling, Sid Fernandez, and Bobby Ojeda  were all pitching well.  Since the World Series schedule (back then) only required three starting pitchers, a reporter stated to Mets manager Davey Johnson, “You have a dilemma on your hands, you have too many starting pitchers. ”  Johnson responded, “You are incorrect.  A dilemma is when you do not have enough starting pitchers.  I have a decision to make.”

In speaking with a candidate the other day, he told me that he had a dilemma on his hands, he had two job offers that he was considering, both were compelling and he did not know which one to choose.   At that time, I remembered the Johnson quotation, and explained to him that he was fortunate to have two opportunities and he had to make a decision regarding his immediate future.

Due to the shortage and need for Information Security professionals, we, as an industry, have been fortunate enough to be faced with more “decisions” than “dilemmas.”   When you are currently employed or engaged, you always have a decision.   You can evaluate if the new opportunity is better suited for your career than your current one.   In many cases, even when in transition, Information Security professionals could choose between a number of career choices, and had to make “decisions” regarding a variety of options and environments. 

Today, the market is a bit different. Sure, there is still a shortage of talent and we are in better shape than most other professions, but I am surprised to see how many quality Information Security professionals have found themselves in “career dilemmas.” Many of these talented professionals, some of whom I have known for over a decade, have traditionally been highly sought after and have impressive credentials. Unfortunately, many have not planned accordingly or developed “career contingency” plans.

The problem they are facing is that their qualifications and their salaries have put them in a place where their job searches are going to take a good bit of time. However, their financial situations do not afford them the luxury of waiting out a lengthy job search process, and they need to find a steady paycheck. This is definitely a “dilemma.”

Here are three pieces of advice that I traditionally give to them:

1) Leverage your network to find contract work so that you can relieve yourself of immediate financial pressure.

2) Position your resume, so that you can demonstrate your most marketable skills that solve pressing information security issues. 

3) If you are forced to find a full time job immediately, define the “lowest common denominator” for your career. By that I mean figure out the lowest level position and salary that you are willing to accept as you try to find employment quickly.

There is no substitute for proper long term career planning; it is truly the only way to avoid a career “dilemma”. We never know what the future will bring.
