Career Advice Tuesday – “Adoro la seguridad de información (I Love InfoSec)”

September 20, 2011

Dear Infosecleaders:

I graduated college with a B.A. in Spanish. However, I find myself intrigued by the Information Security field as I love a challenge and I am a problem-solver with an analytical mind. I am looking into Master’s programs for IS, but I am worried about finding a job with a Master’s and no relevant IS experience upon graduating.

Can you please offer me any advice? I really see myself enjoying a career in IS.

Signed,

Quiero ser un pirata informático

 

Dear “Pirata”:

The best way to respond is that your professional career will most likely span 30-40 years, so you have a long time to make the transition that you desire. At this point in your career, your decision to study Spanish in college, as opposed to information security or computer science, should not be viewed as an impediment to your future career; in fact, you should figure out how to utilize this knowledge as a future enhancement.

The first piece of advice I would like to give to you is to not go back to school to get a Master’s degree. Instead, what I would suggest would be to go back to school to take some technology-related classes and look into an educational program that will provide you with some first-hand experience working in technology. You should be able to take some of these classes concurrently. Simultaneously, you should attempt to find an entry-level position – even part time – to do some computer-related work, so that you can get some exposure and practical knowledge. This can include roles like working in a computer lab, working third shift in a network or security operations center, or something of that sort. Once you feel comfortable with a baseline of knowledge, maybe in about 18 months, you can attempt to attain an information security certification – something that reflects your technical knowledge. This will help provide you with some external branding as an information security professional.

Once this is completed, my advice to you is to combine your experiences – your newly created technical skills and your Spanish undergraduate degree. Due to the growing Spanish population and the global economy, being able to communicate in Spanish (or any foreign language) is a unique skill that will differentiate you from others. In fact, it is likely that you will be more attractive to companies doing business with Spanish-speaking customers than more qualified information security professionals without the ability to communicate. When you begin to look for jobs, it is on these companies and these geographies that you should focus your search.

I would not be surprised if you could find a company that would give you the opportunity to serve as a conduit between a technical information security function and any of their Spanish-speaking business units.

In the end, please let us know if it is easier to teach a Spanish major information security, or an information security professional Spanish.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday, Planning, Skills | Comments Off 

Career Advice Tuesday – “Fork In The Road”

August 30, 2011

Due to the Hurricane, we are publishing a Career Advice Tuesday that we wrote for Tech Target – and our monthly advice column.  Below you will find the unedited version of our column.

Dear InfoSec Leaders:

I am writing to you with the hope of getting some career advice. I am a consultant for one of the leading security vendors’ GRC products. I help customers set up their compliance programs with the product as the backbone. It’s been about 4 years of doing this and I now feel it’s time for a change. My career goal is to become a CISO someday and I want to work towards that. I have two very different job opportunities and would like your thoughts as to which one aligns well with my goals.

One is that of a Product Manager with the same vendor for the same product. The position will give me immense exposure to senior security management folks across customers. It will also help me gain understanding of their GRC efforts and pain points. The other position is that of a Security Architect with a large retailer. This team has been recently formed in the organization and is doing some exciting stuff. This position could possibly give me exposure across different security areas beyond GRC. Both these positions have pros and cons, e.g. I’m not sure if staying with a vendor is a good career move or if the other side of the table is a better option.

As you can tell, I have a lot of questions and very few convincing answers. I’m not sure if I should specialize in the GRC space (via the vendor) or gain exposure to have a holistic view of security.

I’d appreciate any words of wisdom you can send my way.

Signed,

“Fork in the Road”

Dear Fork:

Please understand that before we start, the advice that we are giving is based exclusively on the information that you have provided to us in your note, and that we do not have any additional background.

Based on your career goal to become a CISO, we believe that it would be best for you to leave the product arena and accept the job as an Information Security Architect with the large retailer that has been recently formed. Our answer is based on the following reasons, which coincide with your long-term career goal.

1)   The group is newly formed

When someone tells us this, the first thing that comes to my mind is opportunity. Newly formed information security functions generally provide environments in which information security professionals have opportunities to leverage their current areas of expertise (in your case GRC) to develop broader skills in other areas. The biggest mistake that many infosec pros make when entering an organization in this state is to limit their contributions to their “job description”. An opportunity like the one that you described should provide you with the framework to push yourself to develop new areas of expertise, as opposed to limiting yourself to the world of GRC.

2)   Retail experience should be valuable in the future

Due to the importance of PCI, many retailers and e-tailers are placing increased emphasis on, and dedicating additional resources toward, information security programs. Currently, many retailers are not making past “retail” experience a job requirement; however, this will most likely change in the next few years. Having this industry knowledge as part of your skill matrix could become a differentiating factor when looking at the next step in your career.

3)   Product Management is not a requirement to become a CISO

There is no doubt that working as a Product Manager will help you develop skills that could be advantageous as a CISO – including customer skills, presentation skills, sales skills, market knowledge, and subject matter expertise. However, when making a transition toward a CISO career path, you will encounter people in the hiring process who will have built-in prejudices against hiring candidates who come from the “Product/Vendor” side at a high entry point. For you to make this direct transition, you are going to have to find yourself a forward-thinking CISO who will value this experience, and believe that the skills as a Product Manager will directly translate to their environment. Our belief is that if you remain as a Product Manager, you will eventually have to make the transition toward an internal infosec role (in your case – architect) at some point in time, so why delay? You have the opportunity in front of you; now is the time to determine if transitioning to a corporate information security function is right for you.

Again, our advice is based exclusively on the information that you have provided from your note, and based on generalities.

If you would like to contact us directly via phone to discuss your particular circumstances we welcome you to do so.

Good luck in making your decision.

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday, Planning, Position Selection, Security Industry, Skills, Uncategorized | Comments Off 

Career Advice Tuesday- “Observations From Black Hat”

August 9, 2011

Having just returned from Black Hat, we thought it would be good to utilize Career Advice Tuesday to provide our readers with some observations and what it means to you and your career as an information security professional.

1)   Our industry has a short memory

Not too long ago, Mike and I were sitting together putting together the “Career Incident Response” Podcast series, because there were so many information security professionals who were getting outsourced, downsized, or laid off. How quickly things have changed. Prior to the conference, an article by Information Security Media Group claimed 0% unemployment, and during the event the NSA announced it was going to use DefCon as a job fair in an attempt to hire 1500 information security professionals. Walking the trade show floor, we saw that Amazon.com had dedicated their booth to recruiting members for their team, and many of the booths had signs that said “we are hiring”.

While we do not believe that there is 0% Infosec unemployment or that the audience at DefCon will have an easy time passing the NSA Background Check requirements, we do believe that the employment market is increasingly healthy.   During the conference itself, I (Lee) personally had meetings with over 15 new entities (corporations, service providers, product companies) who would like to attempt to engage LJ Kushner & Associates’ services to help them recruit information security talent.

It is my belief that all of the recent events have awakened many to the fact that information security needs to be an element of their business and that hiring the right talent is a great challenge.

2)   We Don’t Have A Quantity Problem, We Have A Quality Problem

Without question, employers need to hire information security professionals. It is also clear from the attendance at both Black Hat and DefCon that there are plenty of folks who are either information security professionals or who have an interest in becoming information security professionals. So, if that is the case, what is the issue? The hiring needs should be solved, but they are not.

What many do not understand is that there is a big difference between “people” and “talented people”, and there is a bigger difference between a “job” and a “quality job”.

Information security professionals are operating under the misconception that just because they are in the field of infosec, they are qualified for many of the positions that companies are looking to fill. The fact is that although many information security pros are more than qualified to perform their same job at a different company, they are not viewed as qualified for information security opportunities that can be viewed as a “step-up” and will advance their careers. The main reason behind this is the lack of investment in their professional development beyond standard industry certifications.

On the flip side, two things are happening. First, the positions that many companies are advertising for are viewed by many information security professionals as “dead end” jobs that, on the surface, do not provide the growth and career advancement opportunities that many are looking for. Secondly, when companies are looking for more talented and experienced professionals, they are creating job descriptions that require complex skill combinations and experience requirements, without offering compensation packages that are consistent with their requests and reflect a “risk/recruitment” premium for the applicants that they are searching for.

Therefore, their junior-level roles go unfilled because no one wants them, and their senior-level roles go unfilled because their skill requests lie outside their budget.

Something has to eventually give in this process – or the information security talent myth will continue to grow.

3)   Outside Market Conditions and Industry Events Will Have An Effect on our Future

While we were attending BlackHat, the United States extended our debt ceiling,  and then on Thursday, the stock market plummeted 500 points, which was followed on Monday with another 600 point decline.

Neither of us claims to know anything about the stock market, but there is no question that if the world slips back into a global recession, the information security industry is not going to be immune to its effects. Now is the time for information security professionals to take a proactive approach to ensuring that they do not become collateral damage if the economy begins to deteriorate.

The only sure way to insure your career is to continue to build your skills, stay current with technology, and demonstrate your value to your current employers. Now that times are good, and we are in demand, it is time to take advantage of the situation, and use your current role as a platform to exhibit your skills, your impact and your knowledge.

If any of our readers have their own information security career observations from Black Hat, it would be great to hear from you.

Lee and Mike

Posted by lee | Filed Under Behavior, Career Advice Tuesday, Planning, Recruiting, Security Industry | 3 Comments 

“Value of InfoSec Certification Survey” – Results Preview Featured in Dark Reading

July 28, 2011

Last year at RSA, we launched the “Value of Info Sec Certification” Survey.

A preview of the results is featured in today’s issue of Dark Reading, in an article by Kelly Jackson Higgins.

On Thursday, August 4th, at 1:45 PM PST,  as the first part of our Professional Development Workshop at Black Hat, we are going to announce the full results.

We were very happy to receive 1349 respondents to the survey, and from reviewing the background of the respondents we find it to be a very good sampling of the Information Security industry:

2/3 of the respondents have worked in information security for more than 6 years

25% of the respondents have worked in the industry for more than 12 years

1000 of our respondents either hold or have held an information security certification  (Yes, exactly 1000)

699 of the respondents hold or have held the CISSP  (667 current/ 32 no longer)

50% of the respondents earn 100K or more

35% have a long term career goal of becoming a CISO or CSO, an additional 10% aspire to be a CTO or CIO – (Competition should remain fierce for these roles!)

25% of the respondents said that they had a Written Career Plan – (which means that we are making progress)

These results are just the tip of the iceberg – you will have to come to our session at Black Hat if you want the full release. If you are not in attendance at the conference and would like a copy of the results after the conference, you can sign up at Infosecleaders – Research – shortly after the release.

A special thanks to all of those who participated.  Thanks for making this a great success.    Stay tuned for our next industry survey!

Regards,

Lee and Mike

 

Posted by lee | Filed Under Behavior, Planning, Resume, Security Industry, Skills, Survey | 2 Comments 

Career Advice Tuesday – “Black Hat Preview – Professional Development Workshop”

July 26, 2011

For today’s Career Advice Tuesday – we wanted to share a more detailed look at our Black Hat Professional Development workshop. The workshop will take place on Thursday afternoon – from 1:45 – 6:00PM. Anyone in attendance can either come to any individual session or stay for the whole program.

If you are at Black Hat, please come by and introduce yourselves.

 

InfoSec 2001 – A Career Odyssey

The Professional Development workshop is a half-day program that is designed to inspire the Black Hat attendee to think about their career as an information security professional and assist them in their journey towards the achievement of their long term career goals.

The Professional Development workshop will be divided into five (5) unique information security career topics that will be linked by a common theme – Skill Development and Differentiation.

The program will consist of the following:

1)    “The Value of Information Security Certifications Survey” – Research Revealed – 1350 information security professionals responded to an independent survey on the topic – the research will be revealed

2)   “Second Place Sucks” – A presentation geared toward differentiating yourself from your peers (and your competition)

3)   “The Information Security Leader of The Future” – a presentation that will outline the skills that employers are looking for when identifying and selecting their information security leaders.

4)   “The Other Side of The Desk” – a panel that will explore the different attitudes and beliefs by job applicant and employer during the interview process

5)   “Future Predictions” and “Career Advice Tuesday- Live” – Future trends will be discussed and explored – and attendees will have the opportunity to ask questions about infosec related career topics

The workshop is designed as an interactive forum that should inspire some shared thought and debate between audience members and the presenters.

Attendees should understand that they can elect to either participate in the entire workshop, or to pick and choose from select sessions that have a particular interest to them.


Session Previews:

Session 1  – 1:45 – 3:00

“The Value of Information Security Certifications Survey”

Presenters – Mike Murray and Lee Kushner – Infosecleaders.com  

In February of 2011, Infosecleaders.com launched an independent survey on the value of information security certifications. The value of InfoSec certifications is a highly debated topic in the industry, and this is the first independent survey that asks information security professionals (certified or not) for their opinions on topics that include the motivations for certifications, the impression of the certification bodies, the value of skills vs. certifications, and certifications’ effect on employment. With over 1350 respondents, the results should be revealing and eye-opening.

Second Place Sucks -

Presenter – Mike Murray

So, if certifications are no longer the magic bullet to get you to your career goals, then what is? The topic of strategic career investments and personal branding will be the focus of this presentation. The presentation will be spent on how you can plan and execute on career investment strategies that will enable you to differentiate yourself from your peers and successfully compete for promotions and external information security leadership opportunities.

(15 minute break)

Session 2 – 3:15 – 4:45PM

3:15 – 3:45PM

“The Information Security Leader of the Future” –

Presenter – Lee Kushner

The skills for information security leaders are changing quite rapidly. As many companies are aligning information security with their core business and branding, information security professionals will need to evolve as well. The presentation will break down the core skill components that information security professionals will need to acquire and demonstrate to be considered for leadership roles in the future.

 

3:45PM – 4:45PM

The Other Side of the Desk – Different Perspectives on the Interview Process

Moderator – Mike Murray

Candidate Perspective – Lee Kushner

Hiring Managers Perspective –    

Bill Phelps, Executive Director Accenture  

Justin Somaini, CISO at Yahoo!

Abstract:

There are two parties involved in every interview process, the information security professional (the applicant) and the hiring manager (the decision maker).   While in essence, both parties ultimately desire the same outcome, their motivations lie in different places.   This portion of the presentation will present to the audience the perspective of the candidate and the perspective of the hiring manager, in a way that will educate both parties and enable them to social engineer the interview process, to work to their personal advantage.

Bill Phelps:

Bill Phelps is an Executive Director in Accenture’s security practice, and has spent the past 25 years in technology services. In the past decade, Bill has been a practice leader, company founder, board member and trusted advisor helping organizations with complex management and technology challenges in the areas of information security, data center transformation and technology strategy. Bill currently has overall responsibility for Accenture’s security business in North America. Bill is aggressively growing Accenture’s security team, and plans to hire over 200 security professionals in the coming year.

Justin Somaini:

Justin Somaini is the Chief Information Security Officer at Yahoo! where he’s responsible for all aspects of Yahoo!’s Information Security strategy.  With over 15 years of Information Security experience he’s seen as a leader in industry by promoting an evolution of the security and risk management models.  Through his public speaking and industry involvement he’s given extensive talks and interviews on the threat landscape, public policy, security management and risk management.  Prior to joining Yahoo!, Justin was the CISO at Symantec.  Justin has also held security leadership roles at VeriSign, Charles Schwab and PricewaterhouseCoopers LLP.

4:45 – 6:00PM

Predictions for the Future and Career Advice Tuesday – “Live”

Presenters – Lee Kushner and Mike Murray

The employment market is dramatically changing – and the closing session will begin with information security employment predictions (based on experience and research) for the next ten years.  Once completed, this will be followed by a version of “Career Advice Tuesday” – “Live”.   All attendees can have their personal information security career questions answered in an open forum.   Topics will include skill development, compensation negotiation, career investments, career planning, and anything else you want to ask about your Information Security Career.

Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Branding, Career Advice Tuesday, Compensation, Interviewing, Networking, Planning, Position Selection, Presentation, Recruiting, Resume, Security Industry, Skills, Survey, Uncategorized | 1 Comment 

Career Advice Tuesday – A Conference First Timer’s Guide (Part I)

July 12, 2011

Dear Infosecleaders,

I had a quick question.  Blackhat and Defcon are coming up and I get to go for the first time.  Do you have any advice on what I can do to get the most out of my conference experience?

Conference Rookie

Dear Rookie,

It’s definitely conference time for much of the information security industry. Recon was last weekend, the big Blackhat / Defcon / BSidesLV triumvirate is coming up, and there are a bunch more coming up in August and September that are worth going to as well. And we’re really glad you asked this one, as it’s definitely something that far too few people actually think about: most people just show up at the conference, follow along with the good time that they’re having, and come away with whatever stories that they come away with.

That hasn’t ever been our approach to conferences.  As two guys who run their own businesses, we can’t afford to just show up – conferences like Blackhat are where we do a lot of business, and making sure that we have a productive time is what allows us to succeed.

But that’s not just a business thing – we did that before we were running our own companies as well.  To that end, we have three main tips to succeeding at conferences – and this post is going to be long enough that we’re going to spread it over two Tuesdays.

Tip #1 – Have a Plan

What far too few people do before they leave for a conference is to have a plan.   They may know that they want to see a particular talk or go to a particular party, but far too few people that I’ve met go in to the conference with a legitimate plan.

You should approach every conference that you attend like a sales person – know what you want to get out of the conference.  Sometimes, that’s information – you want to learn about a particular topic from a speaker or a trainer.

But most often, there’s something you want currently in your career: to move in a different direction, to get a new job, to move up the ladder at your current job, etc. And there is almost always something going on or someone there who can help you out with that. But it requires that you actually sit down and figure out who / what that thing is and how you can get involved with them.

Networking expert Keith Ferrazzi said it best: “[G]et focused. Take time weeks before the conference to think through and write down why you are attending. What do you want to achieve? Who do you want to meet? The more clearly you articulate what you want and need from the conference, the more likely you can plan and execute your mission.”

This week, you should be sitting down and figuring out what your goal for your first time at each of these conferences is.  Who do you want to meet?  What experiences do you want to have?  What talks do you want to see?

I promise, the conferences will be much more fun when you know in advance what you want to do.

As an aside, there’s something that you definitely should be doing on Thursday afternoon at Blackhat:  We (and some special guest friends) are doing a full afternoon workshop on getting the most out of your information security career.  It’s going to be full of all of our latest research (and the results of our 2011 Value of Certifications Survey) and some really great advice.  As well as an opportunity to ask us questions live.  Make sure that’s on your plan.

Once you have a plan, stay tuned for part II next week….

Lee & Mike

Posted by mmurray | Filed Under Career Advice Tuesday, Planning, Security Industry | 3 Comments 

Career Advice Tuesday – “Experience vs. MBA”

June 28, 2011

Dear Infosecleaders:

I just graduated college, and was lucky enough to get a great job as an information security analyst.  It’s essentially a job I figured I’d have to work towards for two or three more years to get, but somehow I lucked out.

After several months, I now have an opportunity to go back to school for an MBA, as well as study Information Assurance with some really great advisors.  My grad degree would be completely paid for, plus a bit for living expenses, as they do not want me to work during school-time.  This would have been the perfect option had I not already gotten the perfect high salary job.

I ask, “To School or Not To School”

Sincerely,

Hamlet

 

Dear Hamlet:

I often like to begin to discuss advice like this by saying that you are very fortunate to have a decision on your hands, not a dilemma.  This is an excellent position that you find yourself in, and I am going to answer your question by posing some additional questions for you to consider as you are attempting to arrive at your own conclusion.

1) Do you have enough maturity to fully maximize the “Masters Degree” experience?

Plain and simple, a Masters degree, especially an MBA, is a lot more involved than just attending classes and getting good grades. A Masters degree will often introduce concepts that have more value when you can apply them to practical experiences, as opposed to just “school experience”. Many people advise getting work experience prior to pursuing an advanced degree; however, you have to figure out which situation works best for you, and often that comes from being honest with yourself.

2) Your personal financial situation?  Are there any conditions attached to the money?

Having the opportunity for a third party to pay for your degree in full is a great benefit.  It is logical that a Masters degree could often cost up to $100,000, not including the time off of work.  This is a great deal of money to walk away from and this has to be a strong part of your decision making process, and weigh strongly on the direction you decide to take.

Additionally, in my experience a gift like this – a full education, and living expenses – rarely comes without strings attached. If there are strings attached that create an “indentured servant” type of environment, where you are forced into a direction that may take you on a detour, away from your near-term career goals, this needs to be given strong weighting as you make your decision.

3) How good is your current job and what are you learning?

I know that you said you had a well-paying job, but let’s forget about the money for a moment, and consider the skills that you are learning in your day-to-day role. It is most likely that your near-term career opportunities are going to come from your practical experience as opposed to an advanced degree. If you are gaining good experience, have a plan for additional training, and have a manager that fosters your career development, this can turn out to be more valuable than a Masters Degree. Again, it is up to you to evaluate these components of your current opportunity and honestly assess them.

4) Finally, what is your gut telling you?

When you make any decision, the best thing to do is to trust your own judgment and stay true to yourself.  Considering that you cannot go wrong either way- that is you can always find another job, and the last time I checked, Masters Degree programs are not closing their doors any time soon – you really can not go wrong.

You are fortunate to have this opportunity. Chances are you are a bright young person with a big future ahead of you, so you will most likely have more opportunities in the future. This decision has a great deal of magnitude; however, it is not a “make or break” type of decision. There really is no wrong answer.

As the holder of your own destiny, you ultimately hold the responsibility for your career – you will reap the rewards for good decisions, and have to address the consequences of incorrect ones.

Follow your gut, follow your heart, listen to smart people, and do not look back!

Let us know what you decide,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Planning, Position Selection | Comments Off 

Career Advice Tuesday – “Graduate’s First Career Decision”

May 31, 2011

Dear Infosecleaders:

I am a recent graduate of a Masters program with a concentration in Information Security and I am trying to make a decision about selecting my first job.

To give you some background, I have an undergraduate degree in Computer Science and have been coding since I was about eight years old. During the course of my undergraduate studies I discovered information security, and I was hooked. During undergrad I found internships that were centered on software development, but found myself looking for information security related problems to solve.

Upon graduation, I decided to pursue a Masters degree to learn more about information security, which I have.  The program has focused on some of the non-technical areas, which has really opened my eyes to some of the types of issues that I would like to focus on.

Now that I am about to graduate, I have two different opportunities to choose from – the first is a software development role (at one of the companies where I interned) that has some components of information security. The pay for the position is $75,000 and they will pay for relocation. Also, the role is in an area of the country where the cost of living is relatively low, so the money will go further.

The second opportunity is to work in the information security function of a Fortune sized company, where I will work on security governance, risk, and compliance initiatives, in support of a Director.  That position pays $45,000, the relocation package is not as comprehensive, and the cost of living is much greater.   The upside is that the area has a thriving information security community, and I should be able to meet many other information security professionals.

One other point, I have student loans, no additional financial support from my parents, and a car that has about 160,000 miles.

All of my friends and parents have told me to take the higher paying job and get on my feet, but there is something inside me that tells me that the other job is better suited for my interests.

Any advice would be appreciated.

Thanks,

Mr. PIB

 

Dear Mr. PIB:

The best advice that I can give you is to follow your gut and follow your passion. Whatever destination you choose, make the best of it, and maximize its value.

While I am not going to give you an answer to your question – I am going to point out some facts that I think you should apply to your framework for decision making:

1)   You came to the realization through the years that Information Security is the direction you would like for your career to lead.

2)   You spent two years of your time and money attending graduate school to learn about information security.

3)   You have already worked in the environment (via internship) in the software development role, so you have some first hand experience on how they feel about information security and if you will be able to utilize your knowledge.

4)   It appears that your policy job is in an area where there is a thriving community and many other information security opportunities.  The software development job appears to be located in a more remote location without many other suitable employers.

5)   Only you know your financial issues, and can appreciate the effect that they will have on your living situation.   (We were all there once.)

Some other things that I will share from experience:

1)   You are at a point in your life where you have personal freedom and can follow your dreams.  As you get older, you will be forced to make decisions based on external factors, so my advice is to take advantage of this freedom – before you know it, it will be gone.

2)   As long as you keep your hard “technical” skills, you will be able to find employment.   For example, if the policy job does not work out, I am pretty confident you could call the other company and ask if they would hire you as a software developer.

3)   Dismiss the opinions of anyone who tells you to take the job that pays the best based exclusively on that criterion. (This logic alone validates that they are amateurs, and do not understand a thing about your professional options.) This can be your parents, your significant other, or even a professor. At this stage in your life, money is a component of your decision, but should not be the driver.

4)   Whatever you decide, make the most out of it. Work your butt off. Meet as many people as you can – internally or externally – so that you grow your skills and your network, and develop your interests in information security.

5)   Don’t second-guess yourself. Try not to wonder “what if” you had decided differently; it may only make you crazy.

Like I said, I am not going to give you an answer on what I would select.  Now is about the time that all of your great education should come in handy!

Best of luck,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Planning, Position Selection, Skills | 2 Comments 

Career Advice Tuesday – “Advice for Job Hoppers”

May 24, 2011

Dear Infosecleaders:

I have been working in a company for over two (2) years now, and for the last eighteen months I have been focused on Privacy Controls Implementation.

Plain and simple, I find this work to be boring. I have a difficult time focusing on my current job and I feel that my work is suffering due to my lack of enthusiasm and the loss of passion.

My initial goal would be to remain with my company, but my manager is not open to my request and simply told me to “keep my head down” and focus on my current project.

I would really like to begin a search for another employer, and to find an opportunity that lets me shift my focus and lets me utilize some of my other skills as an information security professional. However, I have a history of changing positions every two years, and I have run into the obstacle of being labeled as a “job hopper”.

For the record – I have worked for six companies in my 14 year information security career.

I am not sure how to overcome this obstacle, and progress toward my career goal.   Do you have any suggestions on how I can implement a strategy to change roles and overcome the perception of my lack of commitment?

Any ideas would be welcomed.

Sincerely,

“Frog Man”

 

Dear “Froggy”:

Unfortunately, we do not have much help for you.   The best that I can offer is to utilize your experience to help others, so that they can utilize this as a learning tool for their own careers.

The fact is that history is a very good predictor of future results, and to any new employer it is logical for them to assume that you will only remain at your current position for two years (or slightly more) at a time.   The fact that this is a repeatable pattern – not just once, twice or three times – but six times – is a good indication that you will not stay with your next employer much longer.

In this day and age, hiring managers are facing greater scrutiny when hiring external resources, and if they decide to provide you with an opportunity for employment it is likely that their judgment is going to come into question by their managers. Many hiring managers are unwilling to take this risk, as the competition for their jobs is greater.

Therefore your dilemma, Froggy.

If any of you beginning information security professionals are reading this, this should be a lesson and a situation that you need to avoid. You have to understand that your career and your career choices tell a story, and are a reflection of your decision making, your intangibles, and your personal make-up. It is often very easy to pick up and leave your employer; however, the decision that provides you with instant gratification often has longer term implications. This will limit your choices and create an obstacle that you may not be able to overcome.

Take a lesson from Froggy – and try to make sure that you exhaust all internal options prior to making a career decision. Before you decide to change jobs, try to determine if there is room for growth, and work with your manager to determine the best way to develop your skills and create opportunities for yourself that challenge you and help you grow.

Back to you Froggy – you are going to have to grit it out, and try your best to convince your manager to provide you with an opportunity that will renew your passion. You need to demonstrate this by finding it within yourself to become the best Privacy Controls Implementation professional possible, and seek out opportunities that allow you to leverage this expertise into new roles with your current employer.

Give yourself an additional year to do this, and see how it turns out. In the meantime, take the year to make some personal career investments that may align with your future goals. When the time is right to go for another interview, you can tell a better story – about how you “stuck it out”, “tried your best to make it work”, and rededicated yourself to your career. That is a powerful story that any progressive hiring manager will like to hear, and can sell to their management when asked about your employment history and “job hopping”.

Write us in a year, let us know how this turns out.

Wish we could be more immediate help,

Lee and Mike

 

Posted by lee | Filed Under Advice, Behavior, Branding, Career Advice Tuesday, Planning, Position Selection, Uncategorized | 2 Comments 

Career Advice Tuesday – “Sub-Prime” Employment

May 10, 2011

Dear InfoSec Leaders:

About a year ago, I accepted an information security position that included a relocation package. The relocation package was quite comprehensive, and the total amount is equal to about $60,000 (which is about 50% of my salary). In order to accept the relocation package, I had to agree to a two year recovery clause on the relocation money. At the time, I thought that this was fair – especially considering that the company helped me get out from under a bad mortgage in a declining real estate market.

However, now that I am about 10 months into my new job, I am regretting the decision.

The company and the position that I am in have changed dramatically over the last six months due to some new leadership. My role that was designed to do one thing – has now been shifted to perform tasks that I am generally bored with, and accomplished three years ago.

I have a dilemma. I can’t afford to pay back the relocation money – and I can’t stay here 14 months without going crazy. If I leave after 2 months (my year anniversary) – I will still have to pay back $30,000.

Do you have any advice for me? How can I get out of this bind?

Sincerely,

“Sub Prime” Employment

Dear “Sub-Prime”,

The only way to answer your question is to be blunt – you are in a bad situation. The best advice that we can give is to try to make the best out of it and arrive at a decision that you can live with.

The way we look at it, you have two choices – the first is that you can figure out a way to justify swallowing the $30,000 that you owe your current employer and find a new job. The next is that you come to peace with the fact you will be at your current role for 14 more months – and make the best of it.

There is a third option – which is to become so disruptive that they “ask you to leave” and one condition of you agreeing not to “pursue legal action” is for them to release you from your obligation. We do not recommend this – but it is definitely an option.

We think that you have to view this problem as twofold: first from a financial perspective, and next from a career perspective. $30,000 is not a small amount of money, but in the course of a career, it is really not all that much ($1,000 per year for 30 years of working). Since you would have owed this money on your home had the new company not rescued you from the housing crisis, you should look at this as “found money”.

What you need to think about is if your “happiness” and “job satisfaction” is worth $30,000? That is a question that only you can answer.

From a career perspective, you need to really understand if you can “afford” working in a role where your skills are regressing. The opportunity cost of working in a position where you stagnate your professional development could cost you considerably more than $30,000 over the course of your remaining career, in terms of promotions or competing for new opportunities. You should figure out in the context of your current role if there are skills that you can build as you bide your time over the next year. It is quite possible the framework of this opportunity could enable you to strengthen a weakness or to find extra time to attend additional education or make career investments that can augment your current skills. If the opportunity does not provide you with this – you have to sit down and think if you can financially afford to take the hit and write the check.

Remember, the cash that you owe your employer is post tax (disclosure – we are not accountants), so you will need to come up with roughly $40-45K in cash to pay for the 30K that you owe.

You have a difficult decision to make. Good luck as you attempt to find the best solution that works for you and your career.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Planning, Position Selection | Comments Off 
