October 23, 2012
I write to you seeking career advice. I graduated from college in 2005 with a B.S. in Computer Science (programming). I was unable to timely find a job in my field of studies, so I accepted an offer to become an IT Auditor. I’ve been an IT Auditor ever since in two different business environments (banking and government).
Because of my background in programming, I absolutely enjoy undertaking tasks that are related to business analytics, data mining, re-performance, etc. However, my current line of work does not require or provide for that. In addition, I have become greatly interested in security, but while I feel that I am very capable of learning effectively and efficiently, I do not have a strong foundation on networks.
In order to push myself to strive for more, I have looked at the option of becoming CISSP certified. However, I am not sure if the SSCP would be a better choice for me based on my knowledge level.
I am currently CISA certified and know that having another, more technical certification, will better position me in my job or others.
What would you suggest? Thanks in advance for your help.
Programming My Future
The best suggestion that I have for you is not to pursue any certifications for the sake of positioning yourself in your current role or others. The certification alone will not help you, finding an environment where your skills are valued for their unique combination is the best way to further your career.
To begin with you have a degree in Computer Science and a background in programming. Next, you have 5-7 years of real world experience in IT Audit and you are a CISA. On top of that, you have an interest in security, and you have a history of gravitating to more technical projects.
The combination of these skills and your interests are unique. Your skills have a great deal of value to an organization who realizes how to utilize them and leverage them for their benefit.
Recently we have been engaged in a number of searches that are looking to find technical information security professionals to work in IT Audit environments. The primary reason for this is that corporations are recognizing that it is critical for these two business functions to understand each other, and the key to this is to either have audit minded security professionals or technically and security astute IT Auditors.
This being said, it is good that you recognize that your lack of networking experience is a shortcoming and a potential skill gap. My feeling would be for you to find a way to work on developing this skill and knowledge. This could begin by reading some books on the topic, taking some vendor based training, and maybe eventually getting a certification that demonstrates and reinforces this knowledge.
If successful, this may be 2-3 year undertaking. If you begin down this road and it “does not take”, then I would suggest you refocus your energies on you’re the enhancement of your strengths – and maybe learn some new programming languages, application security, code review, or other related skills.
If you are interested in learning about some of these blended opportunities, do not hesitate to contact us at LJ Kushner (firstname.lastname@example.org) . If you do so, in your e-mail please mention – Career Advice Tuesday!
Hope this helps,
October 9, 2012
I know tat you are a baseball fan, so I wanted to ask a themed question now that the baseball post season is upon us. The question I have is very simple, relates to interview mechanics and interview positioning.
From what I understand, for many senior level information security positions companies will interview between three and six people, I wanted to know if you felt that there was any advantage or disadvantage as to what order that you interview.
Some people have told me that it is best to go first, some say it is best to go last, some people say that it does not matter, I would like to know what you think.
Dear Mr. October,
Very good question and one that many people have differing opinions on. The question you ask is really, when it is the most beneficial to interview? I am going to tell you that in the end, there is probably no real difference when it comes down to decision making, but let me give you some strategies on what could be the best mindset depending on where you sit in the order.
1) Leading Off- If you are set up to interview first, you need to understand that you are setting the standard for all other candidates who will be interviewed for the role. The key to going first is to go into the interview with the goal for the hiring manager to decide that you are the best candidate for the role, and cancel the others. Although this will likely not happen, you can try your best to help them arrive at this decision, by making a memorable impression. The best way to do this is to excel at some of the intangibles – focusing on your alignment with the company’s culture, your appearance, and your communication skills. In essence, when you go first you will need to emphasize style as much as substance. The reason for this, is by the end of the process the interview team may get confused because all of the candidates will have good skills, however, the sharper communicator, the candidate with the best executive presence, and the best fit with the culture will be more memorable.
2) The Middle – No one likes the middle, but I don’t think that this is a disadvantage if you have some goals going into the discussions. To me, the goal of a “middle” candidate is to exclude the candidate or candidates who have previously interviewed. In essence, the candidate should go into the interview with a competitive attitude, since based on the fact that there is more than one candidate, this is now officially a competition and the interviewing team by nature will compare candidates. Once piece of advice would be to ask the interviewers questions about what qualities will make the person successful in the role, and continuing to ask questions geared to understanding the ideal fit, what is missing, and what are the key problems that need solving. By doing this, you may be able to get the interview team to reveal some of the shortcomings of previous candidates or to describe what attributes an ideal candidate will possess. Once you have your answers, it is your duty to demonstrate value and to emphasize your strengths in this context – effectively blowing out the competition and positioning yourself in a way where the decision should be clear, no matter who walks in the door next.
3) Hitting Clean-Up – or Going Last – I know that many people like this position, but it definitely has its drawbacks. If you go last, and the previous candidates are strong (see above) the interviewing team may view your candidacy as a nuisance and may not be fully engaged. However, when you go last in the interview process you have the ability to make a lasting impression and be top of mind during the evaluation process. You also have the ability to address any of the interviewers concerns about the role and the other candidate’s deficiencies. So, the best way to attack this interview is to combine the approach of the first two suggestions – combine both style and substance, and most of all compete! However, there is one thing that you can do if you interview in this position, than the others, you can “Close the Deal”. When I say “Close the Deal”, what I mean is that you can let the interviewers know that you want the job, and leave little or no doubt that if offered you will accept it. Not that you cannot do this in the other interviewing positions (and you should), but when you interview last, it is most powerful.
There is some additional piece of mind for the interviewing team to know that they will have their position filled, after the long interview process. By leaving the interviewers with the confidence that they are not going to leave the process empty-handed could be a huge advantage. Everyone likes a sure thing, and if they believe that you embody that, that could bode very well in the final decision making process.
Ideally there is no right or wrong answer here. In the end, in most interview processes talent usually wins out. But remember, that all interviews are competitive situations, and you need to be prepared to successfully compete against your peers no matter when your meetings are scheduled.
Hope this helps – Enjoy the playoffs!
August 14, 2012
I have been working in the IT industry for many years and have been dabbling in the Information Security realm for about 5 years now, but am having a hard time getting the experience I would like
I was recently asked by a friend to help with a side job which required a Security Assessment to be performed. I have never had to perform a Security Assessment so I am a little hesitant making the jump because if I accept the assignment, I want to do it correctly.
I’m not one of those guys that will take the job, if I do not believe I can perform it correctly. I do not want to be put in a position where I do a crappy job due to the fact that I do not know what I am doing.
How do I get the experience I would like, so I can take “jobs” like this one with confidence? I have a good reputation and I want to keep it that way.
Any advice you could give, I would be grateful.
“Biting Off More Than I Can Chew”
Dear “Big Mouth”:
I agree with your sentiments. You only have one reputation and anything that you do that detracts from your reputation will only stay with you through the course of your career. In the end, your work is a reflection of you, and it eventually will define you and become your “brand”.
I give you a good deal of credit for having the integrity to know that this position maybe beyond your scope of knowledge and “more than you can chew” at this point in your career.
I can offer you a couple of different options –
1) I would ask your friend if you would be open to “sub contracting” the assignment to someone that you trust. If they say that is OK – what you could do is to ask around your network or on Twitter – if anyone is interested in a consulting assignment – with the caveat that if they take the job – that they will let you shadow them on the assignment and teach you. This could be the best way to get practical experience – in essence you can learn – and someone else would get the revenue from the assignment. This would be viewed as quite an even trade!
2) Another option would be to get formalized hands on training. Now, I do realize that if you did take training, you would not be ready for this current assignment – however, with some foresight this could possibly give you the confidence to know that you would do a good job the next time that you get the opportunity to perform this type of work.
The key to this is to get “hands-on” training – not just some certification – that will give you the confidence that you will do the job correctly. Understand that you are doing for yourself, not someone else evaluating the value of the certification and utilizing that to judge your competency. In this case, you need to overcome your fear of failure – practical experience, even in a training or lab environment should enable you to simulate a real world “assessment”. It may not be live – but it is the next best thing.
With the right training, you should be able to do a “good job” on future assessments, and when you do, you can be sure that you will get additional opportunities to practice your craft.
Hope this helps,
July 24, 2012
Currently I am an Chief Information Security Officer at a medium size company. About a month ago, I engaged in an interview process to be a CISO at a much larger company, and I was offered the position. The role was quite appealing, but after some deliberation with my family, we decided that the location was not going to be right for us, so I called the hiring manager (CIO) and told them that I would have to decline.
He understood, but he was obviously disappointed and a little frustrated.
Well, time has passed and I just can’t seem to get the opportunity out of my head. I really think that it was a very good career move, the money was good, the relocation package was solid, and my husband has become more receptive to the idea, finding certain elements of the location that would appeal to him both personally and professionally.
My question to you would be how could I reengage them? Is it possible? Have a ruined my chances?
“On Second Thought”
Dear “Second Thought”:
The answer to your question is – “No, you have not ruined your chances” and “Yes, it is possible to reengage them, and due to the reasons that you provided, and the way you have handled it (as stated), it may be welcomed.
How you reengage them is important, so here are some steps to follow:
1) Inform your source of introduction. If you worked with a recruiter, you need to let them know, as they may have some more knowledge on the current status of the search. They also may be able to get a better feel for how the company really felt about your original decline of their offer.
2) Call the hiring manager directly. I am a big believer in going to the source. The fact that you called the hiring manager to decline the offer, should work to your advantage this way – as it created a communication channel. When you call them, make sure that you explain to them that the reason for changing your mind is that your family is now receptive to the move, and that was the only reason you declined the role in the first place. Explain to them why they have come around, and you can include something like : “My husband knew that I wanted this job, and it has all that I have talked about since I declined. He is fully supportive.”
3) Do not renegotiate anything: You lost this privilege when you declined the offer, so do not even attempt to do so, as this will take away all good feeling. (Conversely, if they contacted you to reengage, you may have some leverage – but in this case you don’t.)
4) Give them a quick start date. Let them know that you could be out there in three weeks or less. This will show them you are serious, and ready to go.
Sometimes many of the best career decisions have been the result of an elongated decision making processes. Give yourself some credit for rethinking your original decision.
Let me know how it turns out. Hope this helps.
July 10, 2012
I am about to transition from Military to the Civilian work force. I am a IT Support and Security Professional. I am currently working to gain the CISSP through the SANS Security S+ course. My question is will this class help with gaining the knowledge I “really need” to pass the CISSP and will this help with the progressing in the civilian work force? This course is expensive but it come highly recommended from some of the professionals that I work with. Need some guidance.
First of all, let me say a big THANK YOU for your service to our country.
As a disclaimer – I am not familiar with the particular topics covered in the SANS Security S+ course – so my answer to your question will be a more general one.
The first thing that I want to say is that I question the concept that you actually “really need” to pass the CISSP to work as an information security professional in the civilian work force. Most of the customers that we support, are more interested in the candidate’s talent – as opposed to their certifications.
I believe that the question that you should be asking yourself is, “Which training class will enable me to develop my skills and make a smoother transition to work in a commercial environment?”
One of the best ways to determine this will be to first understand the foundation of your current skills and the strengths that you can be leverage. Generally speaking, these skills will be more “technical “ in nature – centering on either networking, operating systems, software development, etc. Once you are comfortable with this assessment, you may want to look at a training class that can help supplement these skills – possibly something in the area of incident response, security event management, penetration testing, etc.
In developing these skills and skill combinations, you should be able to place yourself in a professional information security environment that will provide you with some exposure to the “domains of knowledge” encompassed by the “CISSP Certification”. In the context of the job, engaging your peers, the purchase of some relatively cheap study guides, and some initiative you should be able to pass the CISSP (at a substantially lower price point)– if you decide at that this is a worthwhile career investment as you aspire toward your ultimate career destination.
Hope this helps,
June 19, 2012
I am an information security engineer, and about six months ago I decided to change employers. The main reason for accepting the role was based on the connection and confidence that I had developed with the CISO., during the interview process.
When I initially interviewed for the role, I was on the fence about accepting the offer. However, I had a dinner with the CISO and we spent the time together speaking about professional development and he assured me of his commitment to expose me to more of the business side of information security. The trade off was that I had to give him 12-18 months in a security engineering capacity. During this meeting he even shared with me about his own progression and how he had a mentor who helped him along the way in his professional development and ultimate transition form techie to Info Sec leader.
Well I bought in.
About a month ago, I learned that corporate decided to make a decision and they have forced him to resign. In his place, they have brought in someone internally, who is not an information security professional (we will leave it at that) – and while he understands the company, he has demonstrated to me (and others) that he just does not understand the perspective of information security professionals or relate to them. I know that many of my peers are actively interviewing and others have “checked out” hoping that the new leader fails.
As part of the transition, I had a meeting with him , and I shared with him the commitment that the former leader made to me to help develop my career beyond information security engineering., Although he was polite, my feeling was that he was not going to honor the ex-CISO’s promise to me.
Do I need to begin looking for a new job? Any advice?
Vote Of No Confidence
One of my favorite sayings is that in the end you do not work for companies but you work for people. In essence the company provides the framework but your manager has the real impact on your success and happiness.
You seem to be experiencing this first hand!
I think that what is particularly hard for you is that your decision to leave a good position was based upon the promises that your ex CISO made to you, and your assumption that these promises are going to be ignored. It also appears that you do not have any confidence that the new CISO is going to make good decisions which are conducive to the development of the information security program and in essence your career.
Right now, the best advice that I can share with you is that you should give this person a chance. Considering that your new manager is going to be evaluating your contributions to the company, you should in turn be evaluating their performance as well , as it relates to the development of your career. Considering that the person is new to the role, and not an infosec professional - my advice is to be the best information security engineer possible – and really demonstrate your talents, your passion, and your willingness to make positive contributions. I would make it a point to really embrace the new leader, and demonstrate that you are their to support them.
Given the attitude of your peers, your positive attitude and work ethic should really stand out!
After doing this for ninety days or so, ask for a meeting. At that meeting, you should revisit your conversation and your career goals. At that point, you should see how receptive the new leader is.
If the new leader is receptive, you may have found a way to accelerate your career. Keep working hard and contributing and see if you can produce some measurable results.
If the new leader is giving you lip service, ignoring you, and dismissing your requests – it is time to look for another role. If the new leader does not recognize or appreciate you and your loyalty during this transition, it is likely that they are never going to connect with you or support your career development efforts.
At best you will be pleasantly surprised, at worse you can dust off the resume!
Hope this helps,
April 17, 2012
I am writing to you because I would like some advice on how to make a transition as an Information Security leader from a non-profit entity to a large enterprise.
For the past five years, I have been the Information Security leader for a Non-Profit Healthcare centric entity. In the beginning, the role was exciting, as the company did not have any information security program. Although the opportunity was a challenge for my skill set at the time, I jumped at the opportunity and believe I made the most of the experience. In addition to building the program, I have gotten a masters degree, additional certifications, and made additional career investments.
That being said, the opportunity has run its course. The program that I have led/built is sufficient for the organization’s risk tolerance. I am not able to secure budget for new technology expenditures and due to the economy, we have not replaced the staff that we were forced to let go.
I would like to parlay my leadership skills into a large entity at a leadership level, preferably as a CISO. I believe that the mix of my healthcare knowledge and track record would make me a viable candidate,
Can you suggest a methodology for my search?
Profit is a good thing, and I admire your pursuit of an entity that makes money.
You are correct, the transition that you are attempting to make is indeed a difficult one, however it is not an impossible task. Hopefully, this will give you some ideas on how to leverage your skills.
First of all, you need to understand your most marketable skills and determine what types of organizations they would be appealing to. From your note, three things come to mind -1) you have built a program from inception 2) you have had leadership responsibilities for all facets – giving you broad experience 3) you have experience in healthcare and security issues facing this industry.
You need to accept the fact that you are not going to become the CISO of a Fortune 500 company immediately, but there could be other organizations that could serve as logical places for your skills – and roles that you would be an excellent candidate for.
For example, there are many professional services firms – such as law firms or large groups of physicians who are awakening to the need to establish an information security program – your skills could have value to these types of entities.
You can also look at the healthcare vertical market and look for organizations that have considerable exposure to HIPAA. These could include for profit healthcare firms, biotech, pharmaceuticals, or insurance. Your domain expertise and leadership would be quite applicable. What may be the best fit for you would be to enter into these organizations at a BISO (Business Information Security Officer) – where you could have leadership for a business unit of a larger entity.
Finally, you could always consider professional services – working within one of the larger consulting firm’s information security and privacy consulting practices – could be a good match. Granted you would have to accept travel, but they would be happy to leverage your experience with their healthcare clients, – and in turn you may get exposure to other industries like financial services, media, retail, etc. In addition, the large consulting firm’s provide environments that enable people to utilize a broad range of skills, but also develop specific areas of expertise – this blend could serve you well.
In general, I think you will need to accept that you will initially not have the same level of authority and may not have the same level of compensation, however you need to look at the big picture
Down the road, your experience in the non-profit and your new role should build a skill and experience matrix that will open doors for you and exposure you to bigger leadership roles in larger organizations.
Hope this helps,
April 3, 2012
I am currently engaged in an interview process and I am getting some mixed feelings about the position. Initially I was a bit hesitant about engaging in the opportunity, but I had the opportunity to meet with the hiring manager, and the meeting was a great success, and we really hit it off, I felt that they could be a great mentor. In addition, they made the position sound really appealing and more strategic than my initial impression.
After that meeting, I was asked to come back and meet with some other members of the team whom I would be working with. During that meeting, I received a different interpretation about the role that I would be filling., and they made the role seem to be more tactical than I was searching for. Quite frankly, although I liked the people, the meeting was a complete turn off and I decided to make a decision to remove myself from consideration.
When the news of my decision got back to the hiring manager, they asked if I would reconsider, and have lunch, in order to address my concerns.
I am inclined to not go through with the meeting, as I think it is a bad use of time. However, I wanted to know what you thought, and if you think that I am making a mistake?
I think that you are making a mistake.
One of the best pieces of advice that I have ever received is that you always take a meeting, even if you think that the meeting is not going to produce your desired result. Over the course of fifteen years of working in this industry, I can count a number of times when a job candidate initially decided to end their interview process, only to be convinced to keep an open mind, and hearing out the hiring manager. In a majority of these occurrences, the candidate went on to accept the position, and greatly accelerated their career.
The opportunity to spend additional time with the hiring manager and potential mentor can only be a good thing. First of all, since you have already “turned down” the role, you have inadvertently shifted some of the balance of power in the interview process. You have forced the hiring manager to show their hand, and demonstrate that they want you as part of their team. This should be able to give you more comfort in the interview process, and enable you to ask questions about career goals, professional development, and mentorship. You can have a free discussion on the importance of this role, how your skills will be utilized, and if you are successful where this position will lead.
In addition to this, you will also have time to ask the hiring manager why they believe that you are a good match for the role, why they believe these skills are important, and why this roll could be a good accelerator in your career progression.
If you like the hiring manager, you can also pick their brain on their personal experiences and see if you can draw some correlations between your career and theirs (this should show you if the person could be a good mentor).
Another reason to take the meeting is that the second group of people whom you interviewed with might not understand the hiring manager’s vision for the role. What they may understand the role to be, could be significantly different to how the hiring manager views the role . It is possible that their vision of the role could be how things “used to be done”, while the hiring manager in recruiting for this position may be searching for a different skill matrix so that the position/function could be elevated and enhanced. Chances are that your initial read from your interview with the hiring manager was the correct one
Too many times information security professionals get caught up in the details of a job description and do not look at the big picture for their careers. It is logical that any role will have a blend of strategic and tactical work – but more important than the “task” – is the person whom you will be working for, as they will be the one who ultimately creates the environment for your success.
Without a doubt, take the meeting. You have very little to lose, and potentially plenty to gain.
Hope this helps,
February 21, 2012
I am writing to you as my last sounding board, as I believe that I have made the decision to leave the world of “employee” for the career of “1099 information security consultant.”
I have arrived at my decision due to the fact that I am frustrated working at my current employer. I worked for a boutique professional services firm, where I am the only person who delivers my specific type of technical information security services – application security and code review. All of my co-workers do a lot of policy, compliance and governance work – and my firm has a pretty large PCI practice.
My company likes to tell its customers that we are adept at performing technical security assessments, web application tests, and code review – but in this case, in essence the “firm” is “me.” When our sales team sells work, my phone rings off the hook. This means that I am responsible for additional travel, RFP’s, delivery, and reports – much more than my other colleagues whose skills are repeatable and more plentiful. Although I am unique, my compensation is not, and I do feel underpaid.
My thought is to start my own business, leave my current employer and offer them to use my services to their customers as a 1099. This should enable me to earn additional monies and give me some flexibility on the projects I want to work on. Upon completion, my plan would be to partner up with some others independent consultants, and try to find additional work.
I figure that in the end, if it does not work out, I can always get another job with a services firm similar to my current employer.
Do you have any words of wisdom for me? I have always wanted to be the president of a company, even if I am its only employee.
Dear Mitt –
The first thing that I will do is to agree with you. If you decide that you want to leave your current consulting company, to begin your own venture, you most likely will have very little risk. If you decide after a short period of time that you do not like working as an independent, you can always go back to the work force and attempt to find a job.
However, I am going to caution you to think through your decision a little bit more thoroughly and begin to think of the bigger picture, which is your career. A decision to leave traditional employment and enter the world of independent contracting is great, when your skills are in demand and the market is hot – but good times do not always last forever. If you decide to take this route, you need to be cognizant of this – and make sure that you continue to invest in yourself and your career, and make sure that you remain on the leading edge of your subject matter expertise.
One thing that you may or may not be aware of is how good your skills are in comparison to the remainder of the market. In your company, since you are the only one who does what you do, you may be the “big fish” in the “little pond.” Your skills may only be viewed as “outstanding” because of what they can be compared to.
In order to truly be successful as an independent consultant – you have to be exceptional and unique.
Before deciding to step out on your own, my advice would be to join a firm that has an area of specialty that aligns with your core competency of application security and software review. I would select one of the smaller boutique firms – maybe one that has between 10-30 people – who are known in the industry for their expertise in this area. The first indication of your talent should be your success in the interview process. These firms traditionally hold a high bar for talent, passing these obstacles with a good degree of ease, should be the first indication that you have talent. Then, upon joining the firm – I would treat your employment like it was your own business and incorporate all of the elements into it – delivery, customer management, and sales.
See how this goes for a year or so, and see how successful you are, in all of the stated components. You should be able to have enough data to understand if you would be happier in this type of environment or out on your own as an independent. At the end of this experiment, you will definitely be able to make a more informed decision about your future.
Regardless of your choice, you are always the President of your own career, and the CEO of You, Inc.
January 10, 2012
I am embarking on a job search and I am looking for some help. My first ten years of my information security career has placed me in some interesting environments – serving as a technical information security engineer, working as an information security professional services practice in the area of risk and compliance, and working as a pre-sales engineer for a large information security product vendor.
The truth is, I have enjoyed all of these three roles, and I am interested in a wide variety of opportunities. I feel that my experience and versatility is a good thing, and it allows me to investigate many different career paths.
The question that I have, relates to my resume. Do you have any advice for me on how to craft my resume – to both illustrate my versatility and breadth of experience, and to accurately align my skills and qualifications simultaneously with different opportunities?
Dear Mr. Furley:
Good for you for having three unique and successful career experiences at this point in your career. I can only imagine that you have developed and maintained a set of skills that include technical expertise, customer skills, and persuasive communication and presentation skills.
If my assumption is accurate, you are correct that these skills are in high demand and will appeal to many diverse environments. Since you will be applying to roles in these different types of environments – I will make two suggestions regarding your resume –
The first being that you can write three separate resumes – one tailored to internal information security engineering roles, one tailored to professional services/consulting opportunities, and one tailored to pre-sales opportunities. If you decide to go this route, what I would do, would be to keep the qualifications of the position you are applying for in mind, as you create each resume and highlight the skills that you have acquired in your three different roles. Ideally, each resume will have a “theme” to it, which will align with the specific role that you are attempting to pursue.
For example, if you apply for an internal technical information security position, I would make sure that you make your bullets from your sales engineering role are technical in nature. I would try to find a way to point out the depth of your technical skills in the context of that role.
The second option that you can have would be to utilize the same resume, but to write three unique objective statements that can align with the types of roles that you are applying for. What I would do in each of these statements, would be to allude to the facts that your diverse experiences has provided you with unique perspectives on how information security problems are solved – from an internal perspective, from an external perspective, and with the aid of information security products. By demonstrating these three different perspectives in the body of your resume, and associating your skills with each of your three roles, should create a consistent overall theme.
In closing, having three diverse experiences and perspectives as an information security professional is a very good thing, and provides you with a great foundation
The combination of a well-written resume, and an astute employer who can connect the dots, should provide you with access to many roles that could serve as a springboard to the next stage of your information security career.
Good luck in your job search,