I am embarking on a job search and I am looking for some help.  My first ten years of my information security career has placed me in some interesting environments – serving as a technical information security engineer, working as an information security professional services practice in the area of risk and compliance, and working as a pre-sales engineer for a large information security product vendor. 

The truth is, I have enjoyed all of these three roles, and I am interested in a wide variety of opportunities.  I feel that my experience and versatility is a good thing, and it allows me to investigate many different career paths.

The question that I have, relates to my resume.  Do you have any advice for me on how to craft my resume – to both illustrate my versatility and breadth of experience, and to accurately align my skills and qualifications simultaneously with different opportunities?

Sincerely,

Ralph Furley

Dear Mr. Furley:

Good for you for having three unique and successful career experiences at this point in your career.  I can only imagine that you have developed and maintained a set of skills that include technical expertise, customer skills, and persuasive communication and presentation skills.

If my assumption is accurate, you are correct that these skills are in high demand and will appeal to many diverse environments.    Since you will be applying to roles in these different types of environments – I will make two suggestions regarding your resume –

The first being that you can write three separate resumes – one tailored to internal information security engineering roles, one tailored to professional services/consulting opportunities, and one tailored to pre-sales opportunities.    If you decide to go this route, what I would do, would be to keep the qualifications of the position you are applying for in mind, as you create each resume and highlight the skills that you have acquired in your three different roles.    Ideally, each resume will have a “theme” to it, which will align with the specific role that you are attempting to pursue.

For example, if you apply for an internal technical information security position,  I would make sure that you make your bullets from your sales engineering role are technical in nature.  I would try to find a way to point out the depth of your technical skills in the context of that role.

The second option that you can have would be to utilize the same resume, but to write three unique objective statements that can align with the types of roles that you are applying for.   What I would do in each of these statements, would be to allude to the facts that your diverse experiences has provided you with unique perspectives on how information security problems are solved – from an internal perspective, from an external perspective, and with the aid of information security products.      By demonstrating these three different perspectives in the body of your resume, and associating your skills with each of your three roles, should create a consistent overall theme.

In closing, having three diverse experiences and perspectives as an information security professional is a very good thing, and provides you with a great foundation

The combination of a well-written resume, and an astute employer who can connect the dots, should provide you with access to many roles that could serve as a springboard to the next stage of your information security career.

Good luck in your job search,

Lee Kushner

About six months ago, I accepted an information security position that was presented to me with a 20-25% travel requirement.   I felt that the position was a good match for me, as I would be able to use some of my past skills, and pick up some new experience in security technologies that included GRC and SIEM tools.

For the first three months of my new position, the travel requirement held true.  I was traveling on average about five days away from home per month.  In addition, a good bulk of the travel was geared toward attending training on the newer technologies.   All was good.

However, in month four my new company won a large engagement to help a Fortune 500 client implement some of these new tools.  The location is about two hours away from my home, so given the work hours it is impossible to commute on a regular basis.   I find myself staying away from home – a minimum of three days a week – or about 60-70% of the time.

I reminded my manager who hired me about the discussion we had about the travel requirements and his response was less than satisfying.  He told me that this was the only client that I could be placed on, and that if I did not want to travel – that I could commute, if I desired.

The long and short of it, is that although I like learning the new skills, I feel that I was lied to.  Technically, they may be correct, and I do not have to “travel”, but in essence I feel they misrepresented the opportunity.

Being on the road for extensive time periods takes me away from my family, lessens my quality of life, and just does not work for me.

Any suggestions would be appreciated.

Signed,

Willie Nelson

Dear Willie –

The best advice that I can give you is to use the job to pick up as many skills as possible, and begin to plan your exit strategy.   The fact is that if you are building information security skills in the areas of GRC and SIEM technology, you are developing experience that has external market value that can serve as your parachute to new opportunity.

I will tell you (and others who are reading) that a big mistake for anyone going into a professional services environment or consulting environment is the illusions that you can limit your travel to less than 50% or that you can control the location of your future customers.    The only exception to this would be is your consulting position enables you to do a bulk of your work remotely  – like penetration testing.

The nature of the professional services business is client service.  Clients dictate the engagements and they dictate the requirements.  Your main value to your employer is your utilization and chargeability.   In the end, if you are restricted in your ability to travel, and this is the only work where you can be utilized, you are placing yourself in an unsustainable situation, which will not end happily.

Getting back to your situation Willie, I think that your manager reaction is the real indicator of the company’s attitude about your request to reduce your travel.   From what you have shared this is not a battle that you can win.

In the end, when accepting a new position it is essential that you understand all of the requirements that can effect your quality of life – commute, travel, compensation, work hours – and the personal sacrifices you are willing to undertake in order to perform the position requirements correctly.

Hope this helps,

Lee Kushner

I have a question that is more for Lee, than for Mike, given that it has to do with a recruitment process that I am currently involved in.

About three weeks ago, I was contacted by an information security recruiter who whom was referred to me by a close colleague, about an opportunity in my geography that I found interesting.  I spent a good deal of time with the recruiter, asking questions about the company, the hiring manager, and the position.  The recruiter suggested that I revise my resume to help address some of the specifics of the opportunity, to align more closely with the needs of the position.

During the time that I was reformatting my resume, I got contacted on Linked IN, by a recruiter whom I had never interacted.  The recruiter sent me a job description, similar to the one that I had learned about from the other recruitment professional.  This individual refused to share with me the name of the company that they were representing, and pressured me to send a generic resume.

My gut feeling is that it is the same position – do you have any advice on how I should handle my discussions with both parties?  Is there anything that could jeopardize my recruitment process? 

Any help would be appreciated.
Signed, 

“Derek Fisher” 

Dear “Derek”:

Well, it is good to know that you are popular – so you have that going for you.   The first thing that I will say is that many recruitment firms (including LJ Kushner and Associates) utilize LinkedIn as a form of candidate profiling.  Although many people think that we know “everyone” in the industry, it is just not possible, and Linked IN provides recruitment firm’s access to information security professionals (job candidates) that we do not have deep relationships with.

That being said, the first thing that I would tell you would be that you should never trust a recruitment firm that is not willing to share the name of their client with you.  The two main reasons for this are as follows – first, it shows that they do not trust you.  If they share the name of their client with you – there is an outside chance that you will go to the client directly, and cut them out of the recruitment process – so they are going to wait until they have your resume, to spring this on you.   Personally, I find this very shady – it is akin to saying – “Please trust me with your career and your livelihood” – but “I am not going to return that trust by sharing the company where the job is located”.   

Secondly, by not sharing the name of their client, you give up control of the dissemination of your resume.  By providing you with a generic, broad base job description, you are basically giving them carte blanche to send your resume anywhere.  This could mean that your resume could wind up in the hands, of somewhere that you have already worked for (it makes you look foolish), somewhere you already interviewing with (it makes you look unorganized and unprofessional), and even possibly your current employer (which can be a disaster for obvious reasons)  

Don’t laugh, this does happen – and in the aftermath is not pretty. 

In regards to your current situation, you should work with the recruitment firm that you trust the most and the one that you believe has the best chance of helping you navigate the interview process for the specific job and company that you are interested in.    In your case, it appears to be the first one that you spoke with.

What I would do with the second recruiter, would be to first call them and ask them whom the opportunity is with.  If they refuse to share this with you, I would tell them politely that you are not interested in working together with them.  If they do share the information, and it is the same company that the other firm introduced, then I would simply tell them that you are already engaged on the opportunity, are being represented by another recruitment firm, and that your resume has already been submitted for consideration.  You could end the conversation, by saying that if they have other opportunities, and are willing to reveal the name of the employers, you would be happy to consider them.

I will say in closing that the “Rules of Engagement” for determining candidate representation are very tricky, and it is very important that you control your resume when you conduct any interview process.  Selecting the wrong recruitment firm, or “representation” – can greatly affect the perception of your candidacy for any opportunity.   

As a rule, your caliber of representation is a reflection of your brand, and your level of professionalism.

Hope this helps,

Lee Kushner

PS – “Derek Fisher” is a reference –not the name of the advice seeker

After about eight years at the same employer, I recently left my position (about five months ago) to begin a new position, as the head of information risk management at a fairly large health care company.     This career decision coincided with the completion of an advanced degree (MBA) from an well-thought of local university.    The new role is going great.  I very much like the people.  All of the things that they promised during the interview process have materialized, and I have had some early “wins” which has helped me establish credibility and the foundation of  a strong internal brand.

All was going smoothly until….  I received a call from a colleague from my MBA program, about an opportunity to interview for a position as the Chief Information Security officer role of a similar size company.  The background that they are searching for, is directly in line with my past experiences, the pay package is about 20% greater (stated), and the commute would be about 30 minutes shorter each way, from my current job. 

I am really interested in the role, and if I was presented this opportunity along side my position, I would have selected it, for the reasons stated.   However, I am not a job hopper, and after being at a role for only five months, my question is should I pursue the role.?  And if I happen to get it, how would this look on my resume?

Please help me figure this out (quickly),

Signed,

BD Timing

Dear BD:

Very simple, my advice is to go on the interview.

One of the many things that information security professionals and other corporate employees do not have control of is the presentation of opportunities.    Therefore, it is important that you understand that your responsibility is to yourself, your significant others, and your career – and unfortunately not the corporation that you work for.

I know that this sounds harsh – but for a majority of US based corporations, employees are “employees at will” and therefore can be terminated or relieved of their duties without any explanation or notice.    The reason I bring this up, is that if your current employer had a massive lay off, went out of business, or was acquired shortly after you joined, how do you think they would have treated you?  Do you think that they would say, well we just hired her/him, so we need to keep paying them, although they are not useful anymore?  Of course they would not.  They would place their own interests and the interests of their shareholders ahead of you and your family.

So, go on the interview and investigate the opportunity.  You have nothing to lose and everything to gain.  Once you have had a chance to get the initial interviews out of the way,  I want to  make sure you let the manager of the interview process know (either HR/the hiring entity/or the executive recruiter) to make sure that there is not any issue with you leaving your employer quickly – to engage in the process.

It would be good to get this out on the table, as early as possible, to avoid wasting any time.    If they raise objection, you can point to the past history and your long tenure of employment with past employers.

If you want to, you can say, to them … “Look, if I accept this position, I am going to have to make it work, because I could not afford to have two short terms of employment”  That may provide them with some validation of your self awareness, and the fact that you are thinking about this role as a long term career decision.

In closing, if you do wind up taking this role, you should expect to hang in there for a while.  Everyone is allowed one “short term decision”, a second one is indicative of a “pattern”, that could create future obstacles.

We wish you good luck on the interview.  Let us know how it goes.

Hope this helps,

Lee and Mike

I would like to ask you a question about a current situation that I find myself in regarding making a possible job change.

I am currently gainfully employed as a network security engineer, working in a consulting capacity (full time), where I am working for a large company in the DC area.   I also hold a security clearance, which is valuable in this market. 

My current employer treats me well, and I have comfort in my job stability, however it is accepted that the company pays about 80-85% of what the market should bear for the skills that me and my fellow information security professionals possess.   In the past, that has been fine, but currently my bills are beginning to pile up.  I have new expenses that come with a growing family (clothes, school, youth sports, etc) where the extra $15,000-$20,000 would come in handy. 

A fellow information security pro and ex-coworker recently reached out to me about joining a company that would agree to pay about 10-15% more than market rates, for my skills.  This would translate to an increase of somewhere between 25-35% of  my current compensation (considering I am 15-20% below market), which would be very helpful.  

It sounds like a no brainer, but here comes the catch(es):

First of all, the company is only adding to its staff because it has won a new government contract and has overpromised resources that it cannot deliver.  The company has not ever performed work for the entity, so there is a chance that they will not be able to deliver to the clients satisfaction.  

Secondly,  I have done my due diligence on the owner of the new company, and what I have learned has not been favorable.  I have heard from more than 5 people who have worked with this person at previous company that there business practices are questionable.  This includes making snap decisions about firing employees, occasionally missing pay roll, and mistreating business partners.

Here lies my question -  I really could use the money, but something inside is telling me that this new situation is not a good one for me.   My fear is that I will leave my “safe” position, and in a short while I will find myself in a precarious situation.

I really feel that I am making a “deal with the devil”

Any advice.

Faust

Dear Faust:

The best advice that I can give you is to listen to your gut.  If your gut is telling you that there is danger ahead, and that you may be making a “deal with the devil” you most likely are.

It appears to me that you have a great deal of responsibility to your family, and as you progress in your career (and life) these responsibilities are increasing and they are causing financial pressure.  While it is a “no brainer” that $30,000 more per year will ease some of that burden, but you may want to think about what you are really signing up for.

In essence, you are not signing up for a position with career progression and professional development, you are signing up for a 1099 contract position with an employer that is only interested in hiring you because it benefits them financially.  If the new employer fails on this contract,  you are going to find yourself without a pay check, without employment, and a difficult event to explain on your resume – that may make others question your competency or your judgment.

However, if you do decide that the extra money is worth the risk, then I would ask you to take the following precautions and steps:

1)   Before you accept the position, you should sit down with your current employer who has been good to you, and let them know of your financial situation and your need.  I would give them the opportunity to provide you with the additional income, prior to joining this new company.   You never know, they may decide that your skills merit this type of increase.

2)   I would ask you to ask the new employer for some sort of severance plan, in case the contract is lost, not as a result of your performance.  I would figure that it would take about 45 days for you to find a new role in DC with a clearance (at your old pay) so ask them for 6 weeks, and negotiate down to 30 days.   There response should provide you with more information about how they may value their employees.

3)   If they balk at this request, and you still decide to take the job, what I want you to do is to live on your old compensation, for the first six months, and save the rest.  After about 6 months, you will have about 6 weeks of emergency money saved up, which will serve as the funding of your own severance plan.    This will give you some comfort, if things do not go according to plan.

Again, without knowing all the details I can’t provide you with a definitive answer, however I find in most cases that the character and reputation of your employers are generally earned – both positively and negatively.   You should not believe that your experience would be any different than others who have come before you.

Best of luck,

Lee and Mike

My question deals with a touchy topic. I am an IT and Infosec veteran with a 16 year old felony for crimes related to moral turpitude (theft). The state I was convicted in does not have any mechanisms for expungement, short of a pardon.

I won’t make excuses, and never have but suffice to say that I made some stupid mistakes as a kid in the military and have learned my lesson. I’ve been fortunate enough to work for a few employers in state and local government who saw fit to give me a chance and I have really excelled. I’m active in the infosec community, have earned a college degree and a ridiculous number of certifications and have started to develop a name for myself in the community. My personal branding strategies seem to be really taking off.

The issue I’m running into is that I’m looking for greater challenges and my background has created some roadblocks for me. I’ve been turned down for a few opportunities but my fear is that if I apply and get turned down at too many more I will start to develop a “rep” as that felon who thinks he can work in IT security. The information security community is relatively small and this would create significant challenges for me. I interview extremely well and I have recruiters beating down my door, at least 12 unique hits every week but the my past becomes a real stumbling block.

Should I count myself fortunate to have a job at all even if I’m not happy there or run the risk of further exposure with employers and the development of a “rep”? At this point I’m starting to get discouraged. Yes I made a mistake 16 years ago but I could really use some advice for moving forward with my career.

Sincerely, 

A. Tony Ment

Dear Tony:

I would tell you that the first thing that I would do, would be to think of myself as an Information Security professional, who made a mistake early in their lives, as opposed to a felon, who has taken up information security as a profession.

From a self esteem perspective, I do not think it is healthy to view yourself this way, especially with how far that you have come in the past 16 years.

From what you have shared, you have a great deal to be proud of – including your education, your certification, the development of your personal brand, and industry standing.   My feeling is that you should be more focused on your accomplishments as opposed to your transgressions, and you should use this as an opportunity to demonstrate personal and professional development to others whom you encounter.

That being said, I understand how a previous mistake that you made as a younger person, can come back to haunt you in the development of your professional career, and can become an obstacle in your pursuit of loftier information security career goals.

Here are some things that you may want to consider along your way to minimize this:

1)    Do Not Worry About Group Think -  Plain and simple, I do not believe that many people in the information security community will ostracize  you for a mistake you made in the past.  First of all, most of the information security pros that I know are not that judgmental and are a pretty accepting bunch.  Secondly, many of them are going to be understanding, as they were young once, and may have done some things that could have been construed as “grey” hat, in their earlier days.  The only thing that may differentiate you from them, is the fact that you got caught –and fortunately their actions went unnoticed.

2)    Control Your External Exposure -  When someone tells me that they have their resume posted and that they have been contacted by over a dozen recruiters, my first reaction is that they are not effective in managing their careers.   Placing yourself in the public eye, forces you to create a more public persona, and reveal both favorable and unfavorable attributes to  larger audiences.  In your case, this is not a good thing, because many recruiters who’s primary source of candidates are “job boards” and “social networks” – are not adept enough to handle your specific situation or to address it with people empowered to make a decision about your future as an information security professional.  You need to manager your job search process, and that means utilizing someone who understands how to manage and communicate your profile to others, including your felony.

3)    Be Up Front – But Not Too Upfront -  Personally, I think that there is a time and place to reveal an unflattering past, whatever it may be.  Usually, I believe this to be sometime shortly after a relationship has been developed – after one or two phone conversations.  This will enable the other party to be able to formulate an opinion based on facts and talent, as opposed to jumping to conclusions that are associated with a term, like “convicted felon.”   After that has been established, and before anything gets to far (i.e. a recruiter making an introduction, a first level interviewer introducing you to a supervisor, or the incurring of any expense (money or time) for an interview) you should reveal your “Scarlet Letter”.   When you reveal it, I would begin by letting the other party know that it took place over 15 years ago, but nonetheless it happened, and you have paid your debt and have  taken responsibility for your actions.

4)    Demonstrate “Community” Service -  This is my personal belief, but I think it is the most important thing that you can do.  It is one thing to attempt to improve your own life, but by helping others improve their’s, from the lessons learned by your own mistakes, takes it to another level.  What I would do, would be to figure out a way to do this on a regular basis – this can be in the form of speaking to youth groups (Hackid) , donating your time to information security causes (I Hack Charities, the EFF), or non Infosec causes that benefit some of the people that you may have previously hurt.   By doing this, it will show others that you are indeed remorseful for your actions and offers a form of restitution that can be measured and referenced.

In closing, these are some general ideas that may help you overcome this obstacle.  In the end, you will definitely encounter both individuals and companies whose policies will prohibit them from considering your candidacy.  Unfortunately, you will need to accept this.

That being said, over my years of working in the industry, using these methods, I have been able to secure employment for information security leaders who found themselves in similar situations.  The process is never easy, but it is definitely possible

Hope this helps,

Lee and Mike

I recently have found myself in a precarious situation and I am hoping that you can help me get through this.

Recently, about four months ago, I accepted a Director of Information Security position, reporting into the CISO of a 10,000 person company.    The position that I left to accept the role, Manager of Policy and Compliance, I held for 18 months.  While I was not looking for a new job at the time, the Director role was too good to pass up, both from a career and a financial perspective. 

Six weeks ago, I received an e-mail from the General Counsel letting me know that the CISO, who just hired me, was “relieved” of his duties and would no longer be working at the company.  The CISO was one of the main reasons that I accepted the position, and in a short time I had established a good working relationship and I respected his management style. 

The search for the new CISO is currently underway, and they are interviewing potential successors. – both internal and external.  I have met the final two candidates, and quite frankly I am not pleased with either of the options.  Their backgrounds and views on information security are much different than mine and I just do not get a good vibe.

Additionally, I am well aware that if they get hired, they will most likely be able to select their teams and their direct reports, so my time here is probably limited. 

Any advice on how I can deal with this situation?  If I am forced to leave, how can I explain the fact that my last two jobs lasted for such a short period of time?

Sincerely,

Gomer Pyle

Dear Gomer:

The best thing that I can tell you is that you need to accept that change is coming, and you need to figure out a way to deal with it and make the best of things.  The way that I would look at this is as an opportunity to hone your interpersonal communication and relationship skills.

The truth is that at your level of seniority, you cannot really afford another short stint of employment, especially after an implied promotion.  If you can not show some accomplishments in this current role, future employers will most likely look at this as a failure, no matter how you spin it.  (Personally, I think this is unfair, but those are the rules of the game that we play by – and perception is often viewed as reality)

Whomever they decide to hire, I think that you should embrace and support with your fullest ability.  I think that a good way to demonstrate this is to attempt to relate to your new manager (CISO) on a personal level, letting them know that you are both in the same boat (as new employees), and by demonstrating as much willingness and flexibility as possible to help them out.   The best way to do this is to go outside your job description, and take on additional responsibilities that may be in your current sphere of knowledge, or from previous professional experience.

In addition, you should plan to demonstrate your work ethic, your integrity, and support at any opportunity.  This should include coming early, staying late, accepting unpopular assignments, whatever it takes.   By demonstrating this level of leadership and commitment, you are going to win this new person over – and they will have no other choice to view you as a valuable asset.

If you can win them over, and convince the new manager (CISO) that you make his job and his life easier, he will have no choice but to keep you.

If you are able to accomplish this, you will not have to explain your short duration of employment.  If it is all right with you, we will save that question/answer for another Tuesday.

Hope this helps,

Lee and Mike

I graduated college with a B.A. in Spanish. However, I find myself intrigued by the Information Security field as I love a challenge and I am a problem-solver with an analytical mind. I am looking into Master’s programs for IS, but I am worried about finding a job with a Master’s and no relevant IS experience upon graduating.

Can you please offer me any advice? I really see myself enjoying a career in IS.

Signed,

Quiero ser un pirata informático

Dear “Pirata”:

The best way to respond is that your professional career will most likely span between 30-40 years, so you have a long time to make the transition that you desire. At this point in your career, your decision to study Spanish in college as opposed to information security or computer science, should not be viewed as an impediment to your future career, in fact you should figure out how to utilize this knowledge as a future enhancement.

The first piece of advice I would like to give to you is to not go back to school to get a  Masters degree.  Instead, what I would suggest would be to either go back to school to take some technology related classes and look into an eduational program that will provide you with some first hand experience working in technololgy.   You should be able to take some of these clasess concurrently.    Simultaneously, you should attempt to find an entry level position – even part time – to do some computer related work, so that you can get some exposure and practical knowledge.  This can include roles like working in a computer lab, working third shift in a network or security operations center, or something of that sort.    Once you feel comfortable with a base line of knowledge, maybe in about 18 months – you can attempt to attain an information security certification – something that reflects your technical knowledge.    This will help provide you with some external branding as an information security professional.

Once this is completed, my advice to you is to combine your experiences – your newly created technical skills and your Spanish undergraduate degree.   Due to the growing Spanish population and the global economy, being able to communicate in Spanish (or any foreign language)  is a unique skill that will differentiate you from others.  In fact, it is likely that you will be more attractive to company’s doing business with Spanish speaking customers than more qualified information security professionals without ability to communciate.     When you begin to look for jobs, it is these companies and these geographies that you should focus your search.

I would not be surprised if you could find a company that would give you the opportuntiy to serve as a conduit between a technical information security function with any of their Spanish speaking business units.

In the end, please let us know if it is easier to teach a Spanish major information security, or an information security professional Spanish.

Hope this helps,

Lee and Mike

Dear InfoSec Leaders:

I am writing to you with the hope of getting some career advice. I am consultant for one of the leading security vendors’ GRC products. I help customers set up their compliance programs with the product as the backbone. It’s been about 4 years of doing this and I now feel it’s time for a change. My career goal is to become a CISO someday and want to work towards that. I have two very different job opportunities and would like your thoughts as to which one aligns well with my goals.

One is that of a Product Manager with the same vendor for the same product. The position will give me immense exposure to senior security management folks across customers. I will also help me gain understating of their GRC efforts and pain points. The other position is that of a Security Architect with a large retailer. This team has been recently formed in the organization and is doing some exciting stuff. This position could possibly give me exposure across different security areas beyond GRC. Both these positions have pros and cons, for e.g. I’m not sure if staying with a vendor is a good career move or is the other side of the table a better option.

As you can tell, I have a lot of questions and very few convincing answers. I’m not sure if I should specialize in the GRC space (via the vendor) or gain exposure to have a holistic view of security.

I’d appreciate any words of wisdom you can send my way.

Signed,

“Fork in the Road”

Dear Fork:

Please understand that before we start, the advice that we are giving is based exclusively on the information that you have provided to us in your note, and that we do not have any additional background.

Based on your career goal to become a CISO, we believe that it would best for you to leave the product arena and accept the job as an Information Security Architect with the large retailer that has been recently formed.   Our answer is based on the following reasons, that coincide with your long term career goal.

1)   The group is newly formed

When someone tells us this, the first thing that comes to my mind is opportunity.  Newly formed information security functions generally provide environments for information security professionals opportunities to leverage their current areas of expertise (in your case GRC) to develop broader skills in other areas.   The biggest mistake that many infosec pros make when entering into a organization in this state, is to limit their contributions to their “job description”, and opportunity like one the one that you described should provide you with  the framework  to push yourself to develop new areas of expertise, as opposed to limiting yourself to the world of GRC.

2)   Retail experience should be valuable in the future

Due to the importance of PCI, many retailers and e-tailers are placing increased emphasis and dedicating additional resources toward information security programs.   Currently, many retailers are not making past “retail” experience a job requirement, however this will most likely change in the next few years.  Having this industry knowledge as part of your skill matrix, could become a differentiating factor when looking at the next step in your career.

3)   Product Management is not a requirement to become a CISO
There is no doubt that working as a Product Manager will help you develop skills that could be advantageous as a CISO – included customer skills, presentation skills, sales skills, market knowledge, and subject matter expertise.   However, when making a transition toward a CISO career path, you will encounter people in the hiring process who will have built in prejudices against hiring candidates who come from the “Product/Vendor” side at a high entry point.   For you to make this direct transition, you are going to have to find yourself a forward thinking CISO who will value this experience, and believe that the skills as a Product Manager will directly translate to their environment.   Our belief is that if you remain as a Product Manager , you will eventually have to make the transition toward an internal infosec role, (in your case – architect) at some point in time, so why delay.   You have the opportunity in front of you, now is the time to determine if transitioning to corporate information security function is right for you.

Again, our advice is based exclusively on the information that you have provided from your note, and based on generalities.

If you would like to contact us directly via phone to discuss your particular circumstances we welcome you to do so.

Good luck in making your decision.

Lee and Mike

1)   Our industry has a short memory

Not too long ago, Mike and I were sitting together putting together the “Career Incident Response” Podcast series, because there were so many information security professionals who were getting outsourced, downsized, or laid off.   How quickly things have changed.   Prior to a the conference an article by Information Security Media Group claimed 0% unemployment and during the event the NSA announced it was going to use DefCon as a job fair as an attempt to hire 1500 information security professionals.    Walking the trade show floor, Amazon.com dedicated their booth to recruiting members for their team, and many of the booths had signs that said “we are hiring”.

While we do not believe that there is 0% Infosec unemployment or that the audience at DefCon will have an easy time passing the NSA Background Check requirements, we do believe that the employment market is increasingly healthy.   During the conference itself, I (Lee) personally had meetings with over 15 new entities (corporations, service providers, product companies) who would like to attempt to engage LJ Kushner & Associates’ services to help them recruit information security talent.

It is my belief that all of the recent events have awakened many to the fact that information security needs to be an element of their business and that hiring the right talent is a great challenge.

2)   We Don’t Have A Quantity Problem, We Have A Quality Problem

Without question employers need to hire information security professionals.  It is also clear that by the attendance at both Black Hat and DefCon, there are plenty of folks who are either information security professionals or who have an interest in becoming information security professionals.  So, if that is the case, what is the issue – the hiring needs should be solved – but they are not.

What many do not understand is that there is a big difference between “people” and “talented people”, and there is bigger difference between a “job” and a “quality job”.

Information security professionals are operating under the misconception that just because they are in the field of infosec, that they are qualified for many of the positions that companies are looking to fill.  The fact is, that although many information security pros are more than qualified to perform their same job at a different company, they are not viewed as qualified for information security opportunities that can be viewed as a “step-up” and will advance their careers.   The main reason behind this is the lack of investment in their professional development beyond standard industry certifications.

On the flip side two things are happening.   First, the positions that many company’s are advertising for are viewed by many information security professionals as “dead end” jobs, that on the surface do not provide the growth and career advancement opportunities that many are looking for.  Secondly, when companies are looking for more talented and experienced professionals, they are creating job descriptions that require complex skill combination and experience requirements, without offering compensation packages that are consistent with their requests and reflect a “risk/recruitment” premium for the applicants that they are searching for.

Therefore their junior level roles go unfilled because no one wants them, and their senior level roles go unfilled because their skill requests lay outside their budget.

Something has to eventually give in this process – or the information security talent myth will continue to grow.

3)   Outside Market Conditions and Industry Events Will Have An Effect on our Future

While we were attending BlackHat, the United States extended our debt ceiling,  and then on Thursday, the stock market plummeted 500 points, which was followed on Monday with another 600 point decline.

We both do not claim to know anything about the stock market, but there is no question that if the world slips back into a global recession, the information security industry is not going to be immune to its effects.  Now is the time for information security professionals to take a pro-active approach to insuring that that they do not become collateral damage if the economy begins to deteriorate.

The only sure way to insure your career is to continue to build your skills, stay current with technology, and demonstrate our value to your current employers.   Now that times are good, and we are in demand, it is time to take advantage of the situation, and use your current role as a platform to exhibit your skills, your impact and your knowledge.

If any one of our readers have their own information security career observations from Black Hat, it would be great to hear from you.

Lee and Mike