Career Advice Tuesday – “Forget the Love, Show Me the Money”

February 14, 2012

Dear Infosecleaders:

I am looking for some help in my current situation and hoping that you can provide me some guidance. 

Currently I am working as a senior information security engineer for a Fortune 1000 company.  I work for a company that has recently awoken to the importance of information security, due to a security incident a year or so back. 

At the time of the incident, I was the only information security engineer at the company; since then we have begun to hire some other information security talent to augment my efforts. Although the additional resources have been helpful, I am still viewed as the go-to person by both my CISO and some of the other business and technology leaders. Because of this, many of the key projects fall on my plate.

I am pulled in many different directions, work about 60 hours a week, and have been consistently told by many that I am doing a good job. There is no shortage of love to go around, and I definitely feel appreciated. During the year, I told my CISO that the workload was getting to me, and he asked me to “hang in there” and assured me that I “would be taken care of.”

I had no reason not to believe him, as he has always been honest with me.

The other day I was called into his office, where we had a scheduled meeting regarding my review and my compensation for the upcoming year.   During the meeting he explained to me that the company had a down year, so my bonus would not be great.  In almost the same breath, he revealed to me that my salary increase would be about 4% – slightly above cost of living.

I left the meeting disappointed and feeling both betrayed and misled. I was expecting my boss and the other managers who sang my praises to fight for additional compensation for me, considering the value I provided to them.

Quite frankly, I am not looking for love any more; what I am looking for is money.

Do you have any advice for me?  How can I get them to show their love in dollars?

Your help is appreciated,

Signed,

Infosec Romeo

 

Dear Romeo:

I can understand why you feel the way that you do. It is clear that you take a great deal of pride in your work as an information security leader, and that you feel that you have gone the extra mile in demonstrating both your passion and commitment to both your CISO and the other managers that you have supported.

I also understand that you had some personal expectations of financial reward in return for the personal sacrifice that you gave your employer by working additional hours and delivering results to the people who counted on you.

Feeling betrayed because they did not return the favor is only logical.

One thing that I can tell you is that you are fortunate that your employers let you know that you are important and appreciated; however, talk is cheap. If your account of your extra effort and results is indeed factual, then you are justified in feeling that your managers should have fought harder for you when it came time to reward your performance monetarily – in terms of both your bonus and your raise.

That being said, here is some advice that you may find useful:

First of all, you mentioned that your information security organization is not that mature and that information security has not figured prominently until a little more than a year ago. When organizations are in this transition phase, one of the things that usually lags is compensation for its staff members. This is probably one of the reasons that the new members of your information security team have not significantly reduced the workload placed on you. While your fellow workers are probably competent – they probably represent the best that your company could afford, not the best available talent. This is an organizational and human resources issue – that cannot be fought by one person, but you have the ability to help influence this by how you address your situation.

I would tell you that you should set up a meeting with your manager, and let him know in advance that the subject of your meeting is your disappointment about compensation. Prior to the meeting, I would spend some time and write down all of the accomplishments that you have had in your role over the past year. In addition to this, I would pull all e-mails from either your boss or the other managers that have sung your praises over the past year. What I would also do is put together your interpretations of the business impact made by your contributions.

During the meeting, I would let your manager know that the praise was appreciated, but that your skills have a great deal of market value outside of the company.  You can share with your employer that you have turned down countless overtures from recruiters and other companies in the area, promising bigger roles and more money, based on the promises that you would be “taken care of” for your efforts over the past year.    You can also share with your boss that you were counting on the bonus and the increase, and were personally let down and hurt by this decision.

I would let your boss know that you do not regret your decision to stay, because you accomplished a great deal, that you enjoy working at the company, and that you have been building marketable skills. However, you should let them know that you would hope that they may reevaluate their decision about your compensation and assess your skills versus the market. (Before you do so, make sure that you know the answer, and that you are paid either “at” or “below” your market value.) You may ask them to do a market study of what it would take for them to refill your position and contributions if they had to replace you.

Ask your manager if you could meet again in about a week or two (not longer) and ask them to reconsider their stance on both compensation components.

Taking this tack will allow you to speak your mind in a non-threatening situation. At no point do you threaten to quit or leave – but you imply that you have had other opportunities, have developed marketable skills, and that it may cost significantly more to replace you. You have allowed your employer and your manager to make a business decision based on fact and value, not based on threat and emotion.

Hopefully this will help you and your employers will realize that they have made a mistake in judgment.

When they do, make sure that you “Show them the love,” when they “Show you the Money”.

Hope this helps,
Lee Kushner


Career Advice Tuesday – “Timely Disclosure”

February 7, 2012

Dear Infosecleaders:

I have a specific question regarding my personal situation. I am an information security professional and I am currently working in the US on an H1-B Visa. I have recently grown dissatisfied with my current company and I am looking for new challenges.

From listening to my colleagues (also working on H1-B Visas) discuss their personal information security job search experiences, I have learned that many companies are unwilling to sponsor or transfer the sponsorship of candidates working on H1-B Visas due to corporate human resources policy.

What I wanted to ask you was: when should I reveal my work status to prospective employers? My feeling is that I should wait until I am deep in the interview process, so that they can judge me for my skills and not work status. Am I wrong to think that with the right skills, I can convince a company to change their policies?

Signed,

“Temporary Resident”

 

Dear “Temp Res”

I will be the first person to tell you that I am not an expert on H-1B and Visa issues. However, over the course of my career I have worked with many candidates who have had to face this issue at some point during their recruitment process and their careers.

Basically, when we work with clients looking for talent, they fall into two distinct categories: those who are willing and equipped to sponsor candidates, and those who are unwilling to do so. In my years of doing this, while I have seen many instances where clients who were willing to sponsor candidates decide that they no longer would, there has only been one instance where I have witnessed a client augment their policy to enable a candidate to be sponsored. In this situation, the candidate was a noted authority on a specific subject matter, had written books on the topic, and the CISO was fully empowered to make this exception. When they did apply for the exception, the CISO had to make a business case and the exception had to be approved by the corporation’s global head of human resources.

With this in mind, my best guidance for you would be to reveal your work status at the onset of the interview process, and that you will require sponsorship.  I believe this for two key reasons – the value of time and integrity.    Plain and simple, timing is a key element of any interview process.  If you find yourself focusing on opportunities that cannot come to fruition (based on a known factor), then you may be distracting yourself from opportunities that could be both interesting and possible.   I also think that for candidates in your situation it is important to join companies that have hiring processes that embrace employees who are not US Citizens.  Companies that have cultures that encourage this type of hiring, often are more knowledgeable of these issues, are more supportive in the Green Card process, and have employees in leadership positions that have been through this very same process.

In addition, as an information security professional you are often judged on integrity, honesty, and openness. Failing to inform a prospective employer of your work status may be considered a form of misrepresentation. I use the word “may”, because, like in all processes, you are at the whim of the opinions of the decision maker or makers. Letting everyone know at the onset that this is a potential issue enables the prospective employer to plan accordingly, budget the necessary costs, and engage the proper internal parties. By doing this, you set the foundation for a future work relationship, by letting your future employer know that sponsorship is an important issue for you, and a critical component to your future career.

Again, there are many more experienced in these matters, so please treat my response that way. Independent of that, I do know that no one ever lost an opportunity for being too honest and forthcoming!

Hope this helps,

Lee Kushner

Career Advice Tuesday – “No One Will Come Work For Me”

January 24, 2012

Dear Infosecleaders:

My question comes from a different angle than most of the questions that you address on your blog – I am an information security leader, and I have been trying to hire some key technical information security engineers for my team, and I have not had much luck.

I have been looking for these positions for close to six months, and the only thing that I have to show for it is three rejected offers of employment and a good deal of wasted time. The candidates have rejected our offers for a variety of reasons: compensation, expectations associated with the position, and one of the candidates never ever responded to the offer.

I think that my internal recruitment team has written the positions off and we do not have any budget to hire external search firms to help locate this talent. I have posted these roles on internet websites, and I cannot tell you how many resumes we have received which do not nearly resemble the skill combinations and experience which I outlined in the job description.

I guess I would like to know if you have any advice for me. We are committed to hiring the right people for the roles, but I am at the point that I will settle for someone with a pulse and some passion.

Is there any advice that you can share with me to help me solve this issue and hire some future information security leaders?

Signed,

Looking for Mr. (or Ms.) Goodbar?

 

Dear Info Sec Leader:

There is no simple solution to hiring the correct talent for your information security team.  It appears from your note that you are resource constrained on many levels – compensation, internal support, and external budget.  Although these are substantial obstacles to overcome, they are not insurmountable.

The first thing that I would do would be to look at your job description, and determine which skills are absolutely necessary to perform the position that you are looking to fill.  Sometimes job descriptions are filled with a good number of “nice to have” bullets, and they overshadow the “need to have” requirements.   It is logical that the candidates that you have been interested in have a good amount of the experiences that you request,  but your budget simply cannot afford that level of resource.

What you should do is winnow the requirements down to the skills and experience that reflect a level you can actually afford. You should understand that it is one thing to attract candidates; hiring them is completely different. If you lessen some of your requirements, and require that candidates who lack certain experiences make up for it by displaying “passion” and “drive” during your interviews, you should be able to locate a candidate that you can afford.

When you design a position to inspire professional growth and career acceleration, you will generally attract candidates who have a high level of motivation and professional pride. So, what they lack in experience, they will make up in aptitude and “passion”. It will be important that you screen for these intangibles in the interview process. Constructing your position in this manner will truly turn it into an “opportunity” as opposed to what your past candidate pool has viewed it as: “a job.”

As far as building your relationships with human resources and your internal recruitment team, my suggestion would be for you to schedule some time to reengage them and start anew.  During this time, you may be able to educate them on your new requirements, provide them some good screening questions, and adjust some of the elements of the job description to reflect less experience and more passion.  You can accomplish this by screening the candidates for things that reflect this, like conference attendance, industry involvement, and logical career investments.   I would then educate them on potential sources in your market for these skills, so that they may be able to do better in pre-screening resumes.   Try to schedule a weekly meeting with them to both provide status on their efforts, and to give them a regular opportunity to ask questions.    The more that you engage them in the process, the more they will want to help you.

Although you cannot use external agencies, you can still post the position on internal and external websites. In posting the position, try to do so in a way that reflects the type of career opportunity that is available and the candidate profile you are attempting to attract. I would use words that could possibly encourage more affordable and slightly more junior candidates to respond. A good exercise would be to think back on your career, and think about the things that would attract you to a role like the one that you are offering. When the candidate eventually comes to the interview, utilize these examples as selling points as to why this role will benefit their professional development and their career as an aspiring information security leader.

Take comfort that your experience is not unique. Do the best you can with what you have, and keep your expectations realistic.

Hopefully this helps, and you will fill your roles in the next 30 days.

Sincerely,

Lee Kushner


Career Advice Tuesday – “Getting Past the Gate-Keeper”

January 17, 2012

Dear Infosecleaders:

I have recently applied for a position that I believe will advance my information security career.  In submitting my resume via the company’s internet posting, I tailored many of my accomplishments directly to the criteria of the position description.   I have to admit that I am a very skilled wordsmith, and may have taken some liberties in the description and the scope of the work that I have performed.

For example, I often serve as a team lead and project manager for technical engagements, but I have never managed people directly. The role that I am applying for has direct reports. Also, the position description calls for an understanding of some specific information security tools that the company uses – like data loss prevention and GRC compliance software. While I have experience with these concepts and similar tools, in-depth knowledge and experience with these particular tools has eluded me. Finally, the position calls for the ability to travel 50% of the time. I am really not interested in this amount of travel, but I have a friend that works there and she told me that she does not travel any more than 25%.

I am now scheduled to have my first conversation for the interview, a phone conversation with the human resources/internal recruiter – given the things that I have shared with you, do you have any advice on how I should handle her questions?  I know that she is going to read the JD verbatim, and ask me questions where my answers may exclude me from consideration.

I really want a chance to speak to the hiring manager and fellow info sec professionals in the group, to articulate my experiences and demonstrate that I have what it takes to be a viable candidate for the role.

Any words of advice?

Sincerely,

Michaele Salahi

 

Dear Michaele:

I would like to provide you with some advice that is two-fold for your exact situation. First, some of the deficiencies that you have pointed out in your skill set may be deal breakers with the resident information security leader, so please tread carefully in your presentation of the skills that you have to offer. There are many items in a job description that are truly requirements of a position, and no matter how great your ambition or creative your presentation, you may have to accept that your skills are going to fall short of expectations.

For example, the role may really need someone who has strong people management skills, which are not found in a “team lead” or “project manager”. The utilization and knowledge of specific tools may be a success factor in the role, and although your friend only travels 25% in their role, this position may require double that amount of travel.

All that being said, I agree with you 100% that the decision should be placed in the hands of the hiring manager and not the internal recruiter/human resources professional. Ideally, the Infosecleader and hiring manager are the ones that best understand their needs, and no matter how adept their level of communication, something gets lost in translation – specifically granular job requirements.

You should understand that this misunderstanding is not the fault or responsibility of the internal human resources/recruiter, as it is nearly impossible for someone who works in a general capacity, to understand the nuances of what it takes to understand the specific nature of the role that you are pursuing.  However, there are certain elements of the role that HR will understand – the company’s definition of a “Manager”, the importance of specific tool knowledge (although they may not be able to make the jump from tool (i.e. Checkpoint) to concept (Firewalls)), or the amount of travel.

Independent of that, after doing my job for 15 years, I am of the firm belief that it should be every information security professional’s goal to get to the decision maker during an interview process. This is where your “sales skills” should come into play. My advice for you would be to engage the internal recruiter, and leave them with enough confidence from your discussion to move you forward in the interview process.

This will enable you to get the real answers to your questions and demonstrate your level of competence to a knowledgeable party who has the ability to make an evaluation of your skills.   When you do get to that level of the interview, you have a responsibility to make it clear to the hiring manager, what your true capabilities are as it relates to the job requirements that they articulate during your discussion.

Hope this helps,

Lee Kushner


CAT – Clearing Some Things Up – Advice and Predictions for 2012

January 3, 2012

Recently, I was cited in an article for Search Security, where I was asked about my opinions for the information security industry employment market for 2012. I will say that the author did not misquote me at all; however, upon reading the article I felt that it was necessary to clear up some things that I found inaccurate – and I wanted to make sure that the Infosecleaders.com audience knows exactly where I stand on the topics covered.

Here are my thoughts:

While I agree that Mobile Security is going to be an information security skill in demand, I do not believe it is the only skill that companies will look for in 2012. Have no fear – companies will still have a high level of demand for knowledge in the areas of Cloud, GRC, SIEM, DLP, PCI, Software Security, Identity Management, and overall IT Risk Management. In addition, while I do believe that it is a good idea to have a blend of technology and business skills, there is still a very strong market for information security professionals that have hard core technical skills – and that should never be forgotten or overlooked. The technical information security professionals with developed knowledge and enterprise experience in securing networks, operating systems, applications and databases will do just fine as well. Also, all of the penetration testers out there can sleep easy: your skills will still be needed and remain in demand.

Below you will find my biggest objection – and probably the information that I find to be the most inaccurate.

Here are my disclaimers -

I would like to state that I do not personally know Mr. Snyder, nor have I had any dealings with him.  

I have read his securityrecruiter.com blog on a number of occasions, and I find his perspectives to be both unique and entertaining.

To my knowledge, Mr. Snyder and my firm do not compete within any of my recruitment customers, and although we are in the same profession and industry, our paths do not seem to cross, except when quoted in articles about information security careers.

As per the author of the Tech Target article – please find a quote from Mr. Snyder -

“When companies are using a search firm to fill a position, then they’re going to usually expect that a candidate’s going to have industry experience,” he said. “In other words, if it’s a bank, they want someone who’s coming out of a bank; if it’s a retailer, they want someone coming out of retail; and if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.”  – Jeff Snyder

The Accuracy

The main point of the quote is accurate.  When companies are looking to find information security leaders, independent of the source, they ideally would like to locate people who possess applicable industry knowledge.  This is generally one of the core criteria of an information security leadership or CISO level search.

Like Mr. Snyder points out – a retail organization would ideally like to hire an information security professional who understands the information security challenges that a retail business faces and who has experience solving those problems.   You can apply the same logic to industries that include health care, high technology, manufacturing, financial services, media and entertainment, and any other business.

The Inaccuracy -

Mr. Snyder’s quote implies that a company has more stringent requirements when they engage an executive search firm. His statement that “…if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.” can be interpreted in a way that leads information security professionals to believe that they can afford to be less qualified, if they decide to apply for positions on their own – and not through an executive search firm.

THIS IS DEAD WRONG

First of all, the decision to engage an executive search firm is generally based on a company’s desire to ensure that they get access to a qualified candidate pool in a time-efficient manner. The business decision to engage a search firm is the same type of decision making methodology that can be applied to engaging a professional services firm to provide a service that the company does not believe that they can perform effectively with internal resources. The budgets for engaging executive search firms either come from a general corporate budget or from a specific business unit who can justify the value and the return on investment for the cost associated with the search firm’s fee. In addition, the amount of the search fee does not have any impact on the compensation offered to the candidate.

Mr. Snyder is correct in his inference that when companies engage an executive search firm, they are expecting to get value for their dollars. This will take the form of industry intelligence, compensation data, a professionally managed recruitment process, and eventually the placement of a successful candidate to fill the duties of the information security leadership role. In exchange for money, the companies are going to expect an executive recruitment firm to deliver a candidate who is going to match the key criteria that they have outlined for the position.

Just like anyone who pays for a service, companies who engage executive search firms have the right to have realistic expectations of competence and results when retaining them to help fill a position.  However, in my 15 years of experience, I have never witnessed a situation where a company that is committed to recruiting the correct information security leader, will agree to hire a less competent candidate, solely because they were introduced to them directly, and not through an executive search process.

In 2012, and in the future, competition for Information Security leadership roles is going to intensify. Companies are going to continue to set the bar high for finding the correct talent match, no matter what method they select to recruit for these positions. In addition, the more influence and importance that an information security role has to an organization, the more detailed the requirements will be and the more demanding the interview process.

To all current and aspiring information security leaders, for 2012, I am urging you to take a proactive approach to developing a career plan, honing your skills, investing in yourself, and making wise choices about selecting the right positions to help accomplish your career and life goals.

Happy and Healthy New Year,

Lee Kushner

Career Advice Tuesday – “Infosec Leaders Need To Be Good Recruiters”

December 27, 2011

Today I am sharing an article that we wrote that appeared in Tech Target’s Information Security Magazine. The topic focuses on life on “The Other Side of the Desk” – becoming an effective recruiter in the building of your information security team. The article scratches the surface of some important attributes that all solid information security leaders should possess in acquiring the necessary talent in order to provide them with a better chance of success.

The original article was edited by our friend Michael Mimoso at Tech Target.

The article can be found here – http://tinyurl.com/6q8k8gk

Happy New Year,

Lee and Mike


Career Advice Tuesday – “Help! New CISO Has A Bad Reputation”

December 13, 2011

Dear Infosecleaders:

About three weeks ago, I accepted a new position with a company, where I am going to be reporting to a new CISO. During the interview process I was told by the CISO that my position was going to be the “first key hire” as the company begins to revamp their information security program. However, since the interview process concluded and I accepted my position I have found out differently.

I learned that one of my friends and industry colleagues was contacted about a similar position at the same company – he was told almost exactly the same thing that I was – that this position was the “first key hire”. When he learned of this, he played dumb. My friend (who is a little better connected than I am) called a couple of his LinkedIn connections who were directly connected to the new CISO (my new boss) and he told me that what he learned was less than complimentary.

He told me that the CISO left his last employer in a mess, there was a mutiny from the staff, and that the guy has a reputation of being self-serving and has questionable ethics.

What makes matters worse for me is that I have already resigned my job. I am relocating to accept this position, and I feel that I am walking into a bad situation.

What should I do?

Sincerely,

JJ Blackheart

 

Dear JJ:

There is no question that you should value the opinions of others whom you trust; however, it is often a mistake to accept their opinions without first-hand experience and extensive validation from multiple sources.

The first thing that I would do would be to try to locate someone from the CISO’s former employer, who was a direct report to the CISO. I would pick up the phone and introduce myself, explain my situation, and ask them if they have any helpful hints on how to succeed under your new boss’ management style. It is possible that this person can provide you with some new perspective; it is also possible that this person will decline your request to share any details – and in that case – a red flag should go up.

I would tell you that if you do not feel comfortable with your decision you can do the following – contact your old employer, and ask them if they would let you take back your resignation (this is why it is always good to leave on positive terms) and have your old position back, or contact others in your geography to see if you could locate a position similar to your old one (quickly). If neither of these works, begin work at your new employer.

If you decide to begin your new job, you need to suspend all of your relocation activities, immediately.  The reason for this is that you do not want to compound your mistakes.  In addition, if you received a relocation package, you do not want to be in a situation where you have to return your relocation monies, if you decide that you do not want to remain at your new job.

Once in your new job, I would begin to look for things that would either validate or refute your earlier suspicions.  I would look for ways that your new CISO manages, how he communicates with subordinates, and for the consistency of his/her messages.   You should use the first 90 days of your employment to see if you could work with this person long term and evaluate the prospects of a satisfying work relationship.

Simultaneously, you should continue to look for suitable opportunities in your former location, as a contingency plan.  If one of those opportunities comes to fruition, you can compare it with your current position at your new employer, and then make a decision.

My advice would be to either put an end to this before it starts, or within 90-120 days after you begin work.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Leadership, Position Selection, Recruiting | 1 Comment 

Career Advice Tuesday – “Should I Audition?”

November 29, 2011

Dear Infosecleaders:

I am a talented penetration tester and have been perfecting my craft for over a decade in both corporate and consulting work environments.  I have spoken at some of the major InfoSec conferences, have authored chapters of books, and have spent a good deal of time and energy in the development of my personal brand. 

Based on my industry reputation, I have been solicited directly by an internal recruiter of a technology firm that has well-documented information security issues.  They would like for me to interview to lead their internal penetration testing initiative.

After the initial interview with the hiring manager, they have asked me to come in and perform a practical application assessment, prior to learning more about the position and the company.  Generally speaking, I have some issue with this – as they sought me out for the role, based on my credentials.

I guess what I am asking is if I should be put off by being asked to “audition” for the role.  I kind of feel that I am at a point in my career where I should not need to “audition”, and I find this to be quite insulting.

Do you think that I am overreacting?  Would it be appropriate to tell the employer that I am not willing to be a part of their practical “experiment”?

Any help would be appreciated.

“Brad Pitt”

 

Dear Mr. Pitt:

The best thing that I can tell you is not to let your ego get in the way of a good career opportunity.

One of the primary knocks against information security professionals – especially penetration testers – is that their egos get in the way of their ability to conform to corporate cultures.  This may be your opportunity to dispel this perception.

I would tell you that your willingness to conform to the company’s interview process and “audition” for the role should be based on your level of interest in the opportunity and the knowledge of “what you are playing for”.  If you are genuinely interested in the company, the position represents a good career move, and the compensation is attractive to you – then I believe you should go through with the “audition”.

But before you do, I would tell you that you should adjust your attitude prior to participating in the exercise.  Instead of looking at the “audition” as a test of your talents, I would look at it as a puzzle or as a challenge like a miniature “capture the flag”.   What I would do is to use this scenario as a way to showcase not only your skills but also your thought process and problem solving abilities.  You should demonstrate your creativity in finding ways to discover vulnerabilities and maybe even point out solutions.

By raising the bar, you may create a greater desire to hire you for the role and this could even lead to some additional leverage in your compensation negotiations.

In closing, get over yourself, have fun with it, and understand that even the most proven talents have to audition – as the producers always have the final say!

Good luck,

Lee and Mike

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Compensation, Interviewing, Position Selection, Recruiting | 3 Comments 

Career Advice Tuesday – “Did I Thank Myself Out of a Job?”

November 22, 2011

Dear Infosecleaders:

I recently went on an interview for an information security engineer position.  During the interview, I met with five different people, from human resources to the Chief Information Security Officer.  After each interview I asked each interviewer for their business card and contact information, for the purpose of writing them thank you notes.

The day after the interview, I sent a thank you note to the group.  I sent one e-mail, and CC’ed everyone whom I met with expressing my gratitude for their time, my interest in the position, and some additional information.

It has been a week since I went on the interview.  I have not received any definitive feedback from the human resources person, just a “We’ll get back to you”, and not one of the additional interviewers has sent me a response to my thank you note.

Can you let me know how I should interpret this?  Do you think there was something wrong with my “Thank You” note?

Signed,

Will Mannered

 

Dear Will:

To answer your question, I am pretty confident that you did not get the role.  I can say this because no one has responded to you at all, or even provided you with positive reinforcement from your interview.  The fact that the HR person did not share anything substantial with you is a subtle way of saying – “I want to be careful what I say, so I do not get myself in trouble.  I do not want to provide you with feedback, especially in writing, because if I say the wrong thing, I may get fired.”  Technically you may still be “under consideration” – but that is only until you get a form letter in the mail or via e-mail.

The reason that you have not heard from many or any of the information security staff is likely for the same reason; the company likely has a policy that states all negative responses are to come from Human Resources, for the very reasons stated above – that a non “PC” response could expose the company legally.

It is definitely a shame that no one had the personal courtesy to respond to your note, even if it was a simple, “Thank you for interviewing us.  I enjoyed the time we spent together”, but unfortunately that is the world that we live in.    Although that would not provide you with any substance, it would at least provide you with some confirmation that your note was received.

All those things aside, I will tell you that writing a group “Thank You” is probably an error on your part.  Sending one thank you note, as opposed to five separate ones, can be interpreted in many ways.  The first is that you are lazy – that you could not even write five short notes.  The second is that you value all of your conversations the same, and could not address the specific levels of the conversations that you had.  Finally, addressing the group does not allow you to connect with any one interviewer in a one-on-one manner.  Since the group knows that you sent everyone the same thank you, they may feel that they cannot respond to you “anonymously”.

In the future, send individual notes.  Each note should have the same general message, but you should draw some specifics from each interview and potential working relationship, to reflect the context of the interview.  Doing this will demonstrate that you were listening to each interview, and it will personalize the discussions.  You may even create more of a bond with one of the interviewers – and the thank you note may strike a personal chord that may help them champion your cause during any deliberation.  In addition, you may choose to “connect” with them on LinkedIn – or in some other industry group or social network that you may share, which may provide another personal “link” and common point of interest.

In closing, do not take it personally that they did not respond.  Think carefully the next time you send a Thank You note – and never forget to check your spelling!

Chalk this up as a learning experience, and good luck on your interviews with your next potential employer.

Have a Happy Thanksgiving!

Lee and Mike

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Recruiting | Comments Off 

Career Advice Tuesday – “Selecting Proper Representation”

November 15, 2011

Dear Infosecleaders:

I have a question that is more for Lee, than for Mike, given that it has to do with a recruitment process that I am currently involved in.

About three weeks ago, I was contacted by an information security recruiter who was referred to me by a close colleague, about an opportunity in my geography that I found interesting.  I spent a good deal of time with the recruiter, asking questions about the company, the hiring manager, and the position.  The recruiter suggested that I revise my resume to help address some of the specifics of the opportunity, to align more closely with the needs of the position.

During the time that I was reformatting my resume, I got contacted on LinkedIn by a recruiter with whom I had never interacted.  The recruiter sent me a job description, similar to the one that I had learned about from the other recruitment professional.  This individual refused to share with me the name of the company that they were representing, and pressured me to send a generic resume.

My gut feeling is that it is the same position – do you have any advice on how I should handle my discussions with both parties?  Is there anything that could jeopardize my recruitment process? 

Any help would be appreciated.

Signed,

“Derek Fisher” 

 

Dear “Derek”:

Well, it is good to know that you are popular – so you have that going for you.  The first thing that I will say is that many recruitment firms (including LJ Kushner and Associates) utilize LinkedIn as a form of candidate profiling.  Although many people think that we know “everyone” in the industry, it is just not possible, and LinkedIn provides recruitment firms access to information security professionals (job candidates) that we do not have deep relationships with.

That being said, the first thing that I would tell you is that you should never trust a recruitment firm that is not willing to share the name of their client with you.  The two main reasons for this are as follows – first, it shows that they do not trust you.  If they share the name of their client with you, there is an outside chance that you will go to the client directly, and cut them out of the recruitment process – so they are going to wait until they have your resume to spring this on you.  Personally, I find this very shady – it is akin to saying – “Please trust me with your career and your livelihood” – but “I am not going to return that trust by sharing the company where the job is located”.

Secondly, when they do not share the name of their client, you give up control of the dissemination of your resume.  When they provide you with only a generic, broad-based job description, you are basically giving them carte blanche to send your resume anywhere.  This could mean that your resume could wind up in the hands of somewhere that you have already worked (it makes you look foolish), somewhere you are already interviewing (it makes you look unorganized and unprofessional), and even possibly your current employer (which can be a disaster for obvious reasons).

Don’t laugh, this does happen – and the aftermath is not pretty.

In regards to your current situation, you should work with the recruitment firm that you trust the most and the one that you believe has the best chance of helping you navigate the interview process for the specific job and company that you are interested in.    In your case, it appears to be the first one that you spoke with.

With the second recruiter, I would first call them and ask them whom the opportunity is with.  If they refuse to share this with you, I would tell them politely that you are not interested in working together with them.  If they do share the information, and it is the same company that the other firm introduced, then I would simply tell them that you are already engaged on the opportunity, are being represented by another recruitment firm, and that your resume has already been submitted for consideration.  You could end the conversation by saying that if they have other opportunities, and are willing to reveal the name of the employers, you would be happy to consider them.

I will say in closing that the “Rules of Engagement” for determining candidate representation are very tricky, and it is very important that you control your resume when you conduct any interview process.  Selecting the wrong recruitment firm, or “representation” – can greatly affect the perception of your candidacy for any opportunity.   

As a rule, your caliber of representation is a reflection of your brand, and your level of professionalism.

Hope this helps,

Lee Kushner

PS – “Derek Fisher” is a reference – not the name of the advice seeker

Posted by lee | Filed Under Advice, Behavior, Branding, Career Advice Tuesday, Interviewing, Planning, Recruiting | Comments Off 
