Career Advice Tuesday – “Getting Past the Gate-Keeper”

January 17, 2012

Dear Infosecleaders:

I have recently applied for a position that I believe will advance my information security career.  In submitting my resume via the company’s internet posting, I tailored many of my accomplishments directly to the criteria of the position description.   I have to admit that I am a very skilled wordsmith, and may have taken some liberties in the description and the scope of the work that I have performed.

For example, I often serve as a team lead and project manager for technical engagements, but I have never managed people directly.  The role that I am applying for has direct reports.   Also, the position description calls for an understanding of some specific information security tools that the company uses – like data loss prevention and GRC compliance software.  While I have experience with these concepts and similar tools, in depth knowledge and experience with these particular tools has eluded me.    Finally, the position calls for the ability to travel 50% of the time.    I am really not interested in this amount of travel, but I have a friend that works there and she told me that she does not travel any more than 25%.

I am now scheduled to have my first conversation for the interview, a phone conversation with the human resources/internal recruiter – given the things that I have shared with you, do you have any advice on how I should handle her questions?  I know that she is going to read the JD verbatim, and ask me questions where my answers may exclude me from consideration.

I really want a chance to speak to the hiring manager and fellow info sec professionals in the group, to articulate my experiences and demonstrate that I have what it takes to be a viable candidate for the role.

Any words of advice.

Sincerely,

Michaele Salahi

 

Dear Michaele:

I would like to provide you with some advice that is two-fold for your exact situation. First, some of the deficiencies that you have pointed out in your skill set may be deal breakers with the resident information security leader, so please tread carefully in your presentation of the skills that you have to offer. There are many items in a job description that are truly requirements of a position, and no matter how great your ambition or creative your presentation, you may have to accept that your skills are going to fall short of expectations.

For example, the role may really need someone who has strong people management skills, which are not found in a “team lead” or “project manager”. The utilization and knowledge of specific tools may be a success factor in the role, and although your friend only travels 25% in their role, this position may require double that amount of travel.

All that being said, I agree with you 100% that the decision should be placed in the hands of the hiring manager and not the internal recruiter/human resources professional. Ideally, the Infosecleader and hiring manager are the ones that best understand their needs, and no matter how adept their level of communication, something gets lost in translation – specifically granular job requirements.

You should understand that this misunderstanding is not the fault or responsibility of the internal human resources/recruiter, as it is nearly impossible for someone who works in a general capacity, to understand the nuances of what it takes to understand the specific nature of the role that you are pursuing.  However, there are certain elements of the role that HR will understand – the company’s definition of a “Manager”, the importance of specific tool knowledge (although they may not be able to make the jump from tool (i.e. Checkpoint) to concept (Firewalls)), or the amount of travel.

Independently, after doing my job for 15 years, I am of the firm belief that it should be every information security professional’s goal to get to the decision maker during an interview process. This is where your “sales skills” should come into play. My advice for you would be to engage the internal recruiter, and leave them with enough confidence from your discussion to move you forward in the interview process.

This will enable you to get the real answers to your questions and demonstrate your level of competence to a knowledgeable party who has the ability to make an evaluation of your skills.   When you do get to that level of the interview, you have a responsibility to make it clear to the hiring manager, what your true capabilities are as it relates to the job requirements that they articulate during your discussion.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Recruiting, Resume, Skills

Career Advice Tuesday – “Three Experiences – One Resume”

January 10, 2012

Dear Infosecleaders:

I am embarking on a job search and I am looking for some help. My first ten years of my information security career have placed me in some interesting environments – serving as a technical information security engineer, working as an information security professional services practice in the area of risk and compliance, and working as a pre-sales engineer for a large information security product vendor.

The truth is, I have enjoyed all of these three roles, and I am interested in a wide variety of opportunities.  I feel that my experience and versatility is a good thing, and it allows me to investigate many different career paths.

The question that I have, relates to my resume.  Do you have any advice for me on how to craft my resume – to both illustrate my versatility and breadth of experience, and to accurately align my skills and qualifications simultaneously with different opportunities?

Sincerely,

Ralph Furley

 

Dear Mr. Furley:

Good for you for having three unique and successful career experiences at this point in your career.  I can only imagine that you have developed and maintained a set of skills that include technical expertise, customer skills, and persuasive communication and presentation skills.

If my assumption is accurate, you are correct that these skills are in high demand and will appeal to many diverse environments.    Since you will be applying to roles in these different types of environments – I will make two suggestions regarding your resume –

The first being that you can write three separate resumes – one tailored to internal information security engineering roles, one tailored to professional services/consulting opportunities, and one tailored to pre-sales opportunities.    If you decide to go this route, what I would do, would be to keep the qualifications of the position you are applying for in mind, as you create each resume and highlight the skills that you have acquired in your three different roles.    Ideally, each resume will have a “theme” to it, which will align with the specific role that you are attempting to pursue.

For example, if you apply for an internal technical information security position, I would make sure that your bullets from your sales engineering role are technical in nature. I would try to find a way to point out the depth of your technical skills in the context of that role.

The second option would be to utilize the same resume, but to write three unique objective statements that can align with the types of roles that you are applying for. What I would do in each of these statements would be to allude to the fact that your diverse experiences have provided you with unique perspectives on how information security problems are solved – from an internal perspective, from an external perspective, and with the aid of information security products. Demonstrating these three different perspectives in the body of your resume, and associating your skills with each of your three roles, should create a consistent overall theme.

In closing, having three diverse experiences and perspectives as an information security professional is a very good thing, and provides you with a great foundation.

The combination of a well-written resume, and an astute employer who can connect the dots, should provide you with access to many roles that could serve as a springboard to the next stage of your information security career.

Good luck in your job search,

Lee Kushner

Posted by lee | Filed Under Advice, Career Advice Tuesday, Planning, Position Selection, Resume, Skills

Career Advice Tuesday – “Resume Hurdle”

September 27, 2011

Dear Infosecleaders:

I am writing to see if you can help me with a situation that seems to be haunting me as I look for a new job.

I have been working as an information security engineer for the past 10 years, mostly on long term contracts. Each of my contract assignments for the past five years is through the same contracting firm. During these past five years, I have supported over 8 different Fortune 500 customers, in the implementation of various security technologies ranging from IDS, Firewalls, SIEM, DLP, etc. Each of the assignments has spanned from 4 months (shortest) to 16 months (longest). On my resume, I outline each of these projects, listing the customer, the scope of the project, the duration, and the impact of my efforts.

Now that I am looking for a full time job, in my opinion my resume makes my employment look inconsistent, although I have been working for the same employer (contracting agency) for the past five years. 

Do you have any tips on what I can do to overcome this hurdle?

Signed,

Edwin Moses

 

Dear Edwin:

This may turn out to be our shortest response, but your answer is a simple one.

What you need to do is to create a resume entry, before the projects, demonstrating that you worked with the same company for the past five years (2-3 lines). Underneath the employer and the date, you should write a short description about the company and the nature of your work as a security consultant servicing Fortune clients.

Your resume should read no different than that of a person who has worked as an information security consultant for a large consultancy – like a Big X or a large systems integrator – with the exception of being able to demonstrate career progression or titles.

If you are able to place this experience under the larger umbrella, it will let employers know that you are both loyal and have a good deal of diverse information security experience.

That should lift some of your hurdles and help you in your transition.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Interviewing, Resume, Skills

“Value of InfoSec Certification Survey” – Results Preview Featured in Dark Reading

July 28, 2011

Last year at RSA, we launched the “Value of Info Sec Certification” Survey.

A preview of the results is featured in today’s issue of Dark Reading, in an article by Kelly Jackson Higgins.

On Thursday, August 4th, at 1:45 PM PST,  as the first part of our Professional Development Workshop at Black Hat, we are going to announce the full results.

We were very happy to receive 1349 respondents to the survey, and from reviewing the background of the respondents we find it to be a very good sampling of the Information Security industry:

2/3 of the respondents have worked in information security for more than 6 years

25% of the respondents have worked in the industry for more than 12 years

1000 of our respondents either hold or have held an information security certification  (Yes, exactly 1000)

699 of the respondents hold or have held the CISSP  (667 current/ 32 no longer)

50% of the respondents earn 100K or more

35% have a long term career goal of becoming a CISO or CSO, an additional 10% aspire to be a CTO or CIO – (Competition should remain fierce for these roles!)

25% of the respondents said that they had a Written Career Plan – (which means that we are making progress)

These results are just the tip of the iceberg – you will have to come to our session at Black Hat if you want the full release. Anyone who is not in attendance at the conference and would like a copy of the results can sign up at Infosecleaders – Research – shortly after the release.

A special thanks to all of those who participated.  Thanks for making this a great success.    Stay tuned for our next industry survey!

Regards,

Lee and Mike

 

Posted by lee | Filed Under Behavior, Planning, Resume, Security Industry, Skills, Survey

Career Advice Tuesday – “Black Hat Preview – Professional Development Workshop”

July 26, 2011

For today’s Career Advice Tuesday – we wanted to share a more detailed look at our Black Hat Professional Development workshop.  The workshop will take place on Thursday afternoon – from 1:45 – 6:00PM.    Anyone in attendance can come to either any individual session or stay for the whole program.

If you are at Black Hat, please come by and introduce yourselves.

 

InfoSec 2001 – A Career Odyssey

The Professional Development workshop is a half-day program that is designed to inspire the Black Hat attendee to think about their career as an information security professional and assist them in their journey towards the achievement of their long term career goals.

The Professional Development workshop will be divided into five (5) unique information security career topics that will be linked by a common theme – Skill Development and Differentiation.

The program will consist of the following:

1)    “The Value of Information Security Certifications Survey” – Research Revealed – 1350 information security professionals responded to an independent survey on the topic – the research will be revealed

2)   “Second Place Sucks” – A presentation geared toward differentiating yourself from your peers (and your competition)

3)   “The Information Security Leader of The Future” – a presentation that will outline the skills that employers are looking for when identifying and selecting their information security leaders.

4)   “The Other Side of The Desk” – a panel that will explore the different attitudes and beliefs by job applicant and employer during the interview process

5)   “Future Predictions” and “Career Advice Tuesday- Live” – Future trends will be discussed and explored – and attendees will have the opportunity to ask questions about infosec related career topics

The workshop is designed as an interactive forum that should inspire some shared thought and debate between audience members and the presenters.

Attendees should understand that they can elect to either participate in the entire workshop, or to pick and choose from select sessions that have a particular interest to them.


Session Previews:

Session 1  – 1:45 – 3:00

“The Value of Information Security Certifications Survey”

Presenters – Mike Murray and Lee Kushner – Infosecleaders.com  

In February of 2011, Infosecleaders.com launched an independent survey on the value of information security certifications. The value of InfoSec certifications is a highly debated topic in the industry, and this is the first independent survey that asks information security professionals (certified or not) for their opinions on topics that include the motivations for certifications, the impression of the certification bodies, the value of skills vs. certifications, and certifications’ effect on employment. With over 1350 respondents, the results should be revealing and eye-opening.

Second Place Sucks -

Presenter – Mike Murray

So, if certifications are no longer the magic bullet to get you to your career goals, then what is? The topic of strategic career investments and personal branding will be the focus of this presentation. The presentation will cover how you can plan and execute on career investment strategies that will enable you to differentiate yourself from your peers and successfully compete for promotions and external information security leadership opportunities.

(15 minute break)

Session 2 – 3:15 – 4:45PM

3:15 – 3:45PM

“The Information Security Leader of the Future” –

Presenter – Lee Kushner

The skills for information security leaders are changing quite rapidly. As many companies are aligning information security with their core business and branding, information security professionals will need to evolve as well. The presentation will break down the core skill components that information security professionals will need to acquire and demonstrate to be considered for leadership roles in the future.

 

3:45PM – 4:45PM

The Other Side of the Desk – Different Perspectives on the Interview Process

Moderator – Mike Murray

Candidate Perspective – Lee Kushner

Hiring Managers’ Perspective –

Bill Phelps, Executive Director Accenture  

Justin Somaini, CISO at Yahoo!

Abstract:

There are two parties involved in every interview process, the information security professional (the applicant) and the hiring manager (the decision maker).   While in essence, both parties ultimately desire the same outcome, their motivations lie in different places.   This portion of the presentation will present to the audience the perspective of the candidate and the perspective of the hiring manager, in a way that will educate both parties and enable them to social engineer the interview process, to work to their personal advantage.

Bill Phelps:

Bill Phelps is an Executive Director in Accenture’s security practice, and has spent the past 25 years in technology services. In the past decade, Bill has been a practice leader, company founder, board member and trusted advisor helping organizations with complex management and technology challenges in the areas of information security, data center transformation and technology strategy. Bill currently has overall responsibility for Accenture’s security business in North America. Bill is aggressively growing Accenture’s security team, and plans to hire over 200 security professionals in the coming year.

Justin Somaini:

Justin Somaini is the Chief Information Security Officer at Yahoo! where he’s responsible for all aspects of Yahoo!’s Information Security strategy.  With over 15 years of Information Security experience he’s seen as a leader in industry by promoting an evolution of the security and risk management models.  Through his public speaking and industry involvement he’s given extensive talks and interviews on the threat landscape, public policy, security management and risk management.  Prior to joining Yahoo!, Justin was the CISO at Symantec.  Justin has also held security leadership roles at VeriSign, Charles Schwab and PricewaterhouseCoopers LLP.

4:45 – 6:00PM

Predictions for the Future and Career Advice Tuesday – “Live”

Presenters – Lee Kushner and Mike Murray

The employment market is dramatically changing – and the closing session will begin with information security employment predictions (based on experience and research) for the next ten years.  Once completed, this will be followed by a version of “Career Advice Tuesday” – “Live”.   All attendees can have their personal information security career questions answered in an open forum.   Topics will include skill development, compensation negotiation, career investments, career planning, and anything else you want to ask about your Information Security Career.

Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Branding, Career Advice Tuesday, Compensation, Interviewing, Networking, Planning, Position Selection, Presentation, Recruiting, Resume, Security Industry, Skills, Survey, Uncategorized

Career Advice Tuesday – “Listing Polarizing Interests on a Resume”

November 30, 2010

Dear Infosecleaders:

Wanted to ask a question about my resume and including my outside of work activities. Without getting into specifics – I take part in some outside activities that some may consider to be polarizing. Although I know that this site is anonymous, I would like to keep them to myself – however, for argument’s sake, let’s say that they fall into categories that would include one of the following:

1) My Political Beliefs

2) My Religious Beliefs

3) My Sexual Preference

4) My Ethnicity

I have followed your advice, and not only am I a member of this group, but I am also a leader. My group has raised a great deal of money, performed good work in the community, and I am very proud of the work that we have done. My participation in these groups has enabled me to develop and refine some additional skills that benefit me in my job as an information security professional.

I ultimately would like to list them on my resume, because I believe that they reflect well. However, I have learned from reading your site that when it comes to employment and selection of candidates – “beauty is in the eye of the beholder”.

My fear is that by listing these activities, I will do more harm than good, and  I will close more doors than I will open. 

Do you have any advice? 

Signed,

“Wanna B. Free”

Dear Wanna:

Your question is a good one and I think that the answer that you are searching for can fall into two categories – 1) Focusing on your Goal  (Getting a Better Job) and 2) Being Honest with Yourself.

If the goal of the resume is to get a better job, I think that you are taking a big risk in featuring your outside activities on your resume, if you believe that they are polarizing. By including these items on a resume, you begin to eliminate your audience and you enable people to make prejudgments about you as a person. Granted, if some of the employers share the same interests or beliefs, that may give you a leg up in the process; however, since many people will be viewing your resume, it becomes more likely that you will encounter someone who may disqualify you based exclusively on this activity.

In addition, today the legal environment in the workplace is more risk averse than ever. Granted, companies preach the concept of diversity; however, at the same time they try to prevent the work place becoming the “soap box” for the expression of people’s personal beliefs, especially if they may offend others or pose a distraction. Sometimes no matter how talented the candidate, companies simply do not want to take this risk.

To compound this, many times hiring managers will ultimately choose an alternate candidate, simply due to the fact that they may be exposing themselves if they hire someone that may be more of an outlier, as opposed to someone who is viewed as a safer choice. Remember, they have a job too!

2) Being Honest With Yourself – I think that you have to determine whether you bring this outside interest into the work place. Many people cannot separate their avocations from their vocations, and their outside interests consume them in all environments. If you recognize that you fall into this category, my advice would be to list it.

The reason for this is that this outside interest speaks to exactly who you are. And if this is the case, the company should know it, and you should feel comfortable that they are accepting of you (in your totality). I think that by being honest with yourself – and your employer – you set a strong foundation for a long lasting relationship. However, if by being honest you repel the employer and are not hired, you may experience some initial remorse. In the long run, however, you will benefit from not having to work in an environment that does not embrace you or your extracurricular activities.

In the end, I think that resumes in general are not an ideal form of communication, so I do believe that it would be best to list your interest, but soften it a bit so that it is not viewed as polarizing, but still provides a potential platform for discussion. If you eventually get selected for an interview, you should figure out if you want to bring this up with members of the interview team during a discussion. In this form of communication, it may be easier for you to articulate your external interests and demonstrate how they have affected your personal and career development in a positive way.

Thanks for asking the question.  Many people struggle with this.  Hope that the answers are useful to you and to others.

Lee and Mike

Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Resume

First, Just Get the Basics Down

June 15, 2009

I recently wrote a post that referenced a post over at PR Squared entitled “First, Be Flawless”.

The author got it right on with this line:

First of all, those clever notes seem to contain more than their fair share of typos. If I see a typo on a resume or cover letter, I immediately discard it. I don’t care about your qualifications if you send me a letter with typos in it.

On this point, I’m in 100% agreement – it is not that hard to ensure that you proof-read your resume. It’s also not that hard to ensure that Word has grammar-checking turned on, and that any egregious grammatical errors are dealt with.

There’s a branch of economics known as Signal theory that deals with information flow. Signal theory is concerned with how information implies other information. As a (trite) example, the guy who drives an expensive car may be trying to convey information to the people around him about his social status, his job, etc.

In the case of the typo on a resume or a cover letter, it serves as a very effective signal to a potential employer. The information conveyed is: “this didn’t matter enough to me to put in the effort to run spell check”.

That is not the signal you ever want to send. So, get the basics down. Make sure that the structure of your resume is consistent. Everything is spelled correctly and in appropriate English sentences. Have at least one person proof-read your resume (and if you can’t find anyone, send it to me and I’ll proof-read it just to save the hiring manager the pain). And always, always, always make sure that you spell the hiring manager’s name right.

This stuff is simple, but if more people did it, I wouldn’t have to say it.

Posted by mmurray | Filed Under Resume

Listing Personal Interests on a Resume

June 5, 2009

 The experiences that I had as a student-athlete really helped shape my character and had a positive effect on my life as a professional.   To this day, I can think of many times in my business career, where I referenced past experiences on a baseball diamond to help me solve problems in the work place.   To this day, I remain a fan of college baseball, and more specifically my alma mater East Carolina University.   

This upcoming weekend is special to me.  East Carolina University is playing their arch rival,  University of North Carolina in the NCAA Super Regional Baseball tournament.  The winner will advance to the College World Series.   I will be glued to the TV set, and if ECU emerges victorious I will be off to Omaha, Nebraska next weekend for the College World Series.   ECU is a big underdog, but stranger things have happened in the history of sports.

It led me to think, which of my personal interests would I list on my resume and what value would they have to me in the job search process.  I began to ask myself the following questions.   Would it make sense for me to state that I am a big fan of college baseball? What would be the best way to express my experiences as a student-athlete?  Could any of this help me get noticed by an employer?  Maybe it would be better for me to leave this off entirely?

As I read many resumes, I often see people list their personal interests somewhere down at the bottom. I am amazed by some of the things that I learn about people from this information. Some of it is fascinating. I have had ballroom dance champions, auctioneers, race car drivers, professional wrestlers and hypnotists. I have also seen the mundane. People have listed that they enjoy leisure travel (who does not like a vacation), reading (should that go without saying), and fine dining (watch out corporate Amex).

Remember, that anything that you put down on paper will be dissected and scrutinized by many different reviewers.  It is just as easy to inspire a negative reaction as it is to evoke a positive response. 

Regarding my example, it is quite possible that the interviewer could have a negative opinion of “jocks,” may not like baseball, or be a fan of a rival school.  These items could negatively impact their opinion of me.   On the other hand, the interviewer could have a strong respect for athletics and the commitment necessary to achieve and compete at a high level.  They may also draw the correlation that  involvement in team sports would translate well to their corporate environment.  At the simplest level, they may be a baseball fan or even better an ex-ballplayer themselves.   All of the above could lead to an inspired discussion, that could transcend the actual interview itself.

Unfortunately, you may never know the reaction until you have a chance to observe it in person; it is a calculated risk. I believe that you can use these guidelines to help you make a good decision:

1- Anything that you list should not be too polarizing. Whatever you list should not elicit an emotional response from the reviewer. In my example, baseball is relatively harmless; it is still considered the National Pastime. Listing my political beliefs would alienate approximately 50% of the population.

2- List items that enforce the qualities necessary for success.   Anything that you list, should be able to help you demonstrate a skill or skills that can translate well in the position.   For example, if one of your hobbies were chess, and you had a high ranking, I would list it.  I believe that would convey traits that include  dedication, strategic thinking, concentration and intelligence.    

3-Make sure your items do not carry a negative connotation.  For example, one could argue that a skilled poker player would have the same characteristics of a chess player.  However, when people think of poker, they immediately think of gambling.  It is possible that this could be an activity that would turn someone off.

4- List a skill or interest that is easy for others to relate to. A good example of this would be the ability to play a musical instrument. Everyone can relate to music. There is a natural correlation between musical proficiency and an aptitude for technology. Just make sure that if they ask you to play something at the holiday party, you are able to do so!

5-Show leadership.  Leaders traditionally can not help leading – even in their non work activities.  If you are listing a group or organization, show that you are not afraid to gravitate toward responsibility.  This could be something as simple as being a Troop Leader for Boy/Girl Scouts, or the Secretary of a Community Organization.

6-Avoid average interests.  An interest should make you appear to be more interesting and different. It should help  set you apart from the others.  Listing that you enjoy concerts, movies and sporting events -is great for a dating site – but lousy for the purpose of getting a job. 

7-You can almost never go wrong with charitable causes.   Avoid listing charitable causes that can also be construed as political.

8-Make sure that your interest is not too time consuming.  Your employer should not be able to even remotely  infer that your interest will interfere with your work responsibilities.  

In closing, listing a personal interest can break down barriers during an interview process and create a more relaxed environment for discussion. It can help create a common bond between interviewer and interviewee in an accelerated time period. In the extreme, it could also be the “tie-breaker” in comparing two similar candidates for a position.

Use your best judgement when deciding on what interests to list, and how to list them.  When in doubt, choosing not to list anything is also a suitable option.

For the record, I chose not to list my interest in college baseball, but have chosen to disclose my experience as a Student-Athlete. I have placed this under my education activities on my LinkedIn profile, as follows: Varsity Baseball, Scholarship Athlete, Academic All-America.

Posted by lee | Filed Under Advice, Personal, Resume