October 23, 2012
I write to you seeking career advice. I graduated from college in 2005 with a B.S. in Computer Science (programming). I was unable to find a job in my field of study in a timely manner, so I accepted an offer to become an IT Auditor. I have been an IT Auditor ever since, in two different business environments (banking and government).
Because of my background in programming, I absolutely enjoy undertaking tasks that are related to business analytics, data mining, re-performance, etc. However, my current line of work does not require or provide for that. In addition, I have become greatly interested in security, but while I feel that I am very capable of learning effectively and efficiently, I do not have a strong foundation in networking.
In order to push myself to strive for more, I have looked at the option of becoming CISSP certified. However, I am not sure if the SSCP would be a better choice for me based on my knowledge level.
I am currently CISA certified and know that having another, more technical certification will better position me in my job or others.
What would you suggest? Thanks in advance for your help.
Programming My Future
The best suggestion that I have for you is not to pursue any certifications for the sake of positioning yourself in your current role or others. The certification alone will not help you; finding an environment where your skills are valued for their unique combination is the best way to further your career.
To begin with, you have a degree in Computer Science and a background in programming. Next, you have 5-7 years of real world experience in IT Audit and you are a CISA. On top of that, you have an interest in security, and you have a history of gravitating to more technical projects.
The combination of these skills and your interests is unique. Your skills have a great deal of value to an organization that realizes how to utilize them and leverage them for its benefit.
Recently we have been engaged in a number of searches that are looking to find technical information security professionals to work in IT Audit environments. The primary reason for this is that corporations are recognizing that it is critical for these two business functions to understand each other, and the key to this is to either have audit minded security professionals or technically and security astute IT Auditors.
This being said, it is good that you recognize that your lack of networking experience is a shortcoming and a potential skill gap. My feeling would be for you to find a way to work on developing this skill and knowledge. This could begin by reading some books on the topic, taking some vendor based training, and maybe eventually getting a certification that demonstrates and reinforces this knowledge.
If successful, this may be a 2-3 year undertaking. If you begin down this road and it “does not take”, then I would suggest you refocus your energies on the enhancement of your strengths, and maybe learn some new programming languages, application security, code review, or other related skills.
If you are interested in learning about some of these blended opportunities, do not hesitate to contact us at LJ Kushner (firstname.lastname@example.org). If you do so, in your e-mail please mention – Career Advice Tuesday!
Hope this helps,
August 7, 2012
I am currently working as a penetration tester for a pretty large company. Prior to this, I worked for another large company, doing similar work. My current job is going well, I have a very good mentor, my company has been supportive of my professional development, and I like my hiring manager – as I feel that we have established an open line of communication.
I do have two complaints. First of all, I believe I can do more. Secondly, I believe that I travel way more than necessary to perform my duties.
I recently completed an interview process with a much smaller company that is in the middle of a growth spurt. Although they are much less structured, the people are very smart, and they have some focus in an area that interests me a great deal, Mobile Security. I believe that it is set up to enable me to take some leadership in this area. The position does not require a great deal of travel, and it will allow me more time to get involved in my local professional community.
The money for the position is very similar to my current role; however, the position offers some stock, which is exciting to me.
I have listened to your advice in the past about avoiding jobs that just provide the opportunity to “Change Golf Shirts”. I would like to know if you think I am doing this if I join the new company and accept the offer?
Any advice would be appreciated.
Based on your description above, I do not think you are “Changing Golf Shirts” at all, in fact, I think that these two opportunities are unique and very different.
Here are my thoughts:
1) First of all, the company you are joining appears to be a “Start-Up”, and it does not appear that you have any of that experience. Having the experience working at a “Start-Up” is unique, and I think that if you enter into that environment you will learn things about yourself that you would not have in the larger companies that you have worked for.
2) The new company appears to have some good alignment with your interests, which is great. I am not saying that your current employer doesn’t, but it appears that you will be able to take more of a leadership role in this area in the new company. Smaller companies are great for this experience. Whereas in a larger company there are more resources to compete with, a smaller company provides more opportunities to create more of a “Professional Brand.”
3) You are going to work with “Smart People”. Not that you do not already, but the only thing better than “Smart People” you know, is “Smart People” you do not know – because if you take this job, your “network of Smart People” just got much larger.
4) You have some earning potential with the stock options. No, you probably will not retire, but stock options provide some upside earning potential that you are not getting in your current role. As a “Pen Tester” there is a standard comp range that you are restricted to, based on the market, so compensation for a new job is never going to be that significant of an increase. In that case, Stock Options provide you with a possible accelerator of your earnings. Even if they are worth nothing, there is no risk for you, as your compensation is going to be equivalent.
5) You can always go back to the big company. Even if your current company will not have you back, there will be another big company that will take you back, and they will probably be willing to pay you a little more money to go work there. Again, you do not have any risk.
My feeling to you is to take a shot on the new company, and see where it goes. Use the opportunity of not traveling to become more involved in your local community, become known to more people, and really sink your teeth into your interest in “Mobile Security” – and become more visible.
If you maximize this opportunity, it will be much better than trading for a “New Golf Shirt.”
Hope this helps,
July 23, 2012
As always, I am very excited to be heading out to Las Vegas for the Black Hat Briefings and Security B-Sides. Having been to every Black Hat Briefings (as either an attendee, a presenter, or just hanging out) does make me feel older; however, catching up with people whom I have worked with throughout their careers, on their way to achieving their professional goals, is truly a great personal pleasure.
Black Hat and B-Sides also provide a great opportunity to meet new people, which is one of the best things about my profession. While there aren’t any presentations on my agenda, I am going to be at Caesar’s from Monday – Friday, and will most likely be at B-Sides on Wednesday morning.
If anyone in the Infosecleaders community would like to say “Hello”, talk about their career or ask a question, either send me an e-mail (email@example.com or firstname.lastname@example.org) or send me a DM on Twitter (@ljkush) and I will try my best to get together and spend some time.
If you have my mobile, feel free to call – just remember not that early!
PS. Career Advice Tuesday will return this week. I will post three new CATs this week, to make up for the ones I recently skipped while enjoying some time away with my family.
July 10, 2012
I am about to transition from the Military to the Civilian work force. I am an IT Support and Security Professional. I am currently working to gain the CISSP through the SANS Security S+ course. My question is, will this class help with gaining the knowledge I “really need” to pass the CISSP, and will this help with progressing in the civilian work force? This course is expensive, but it comes highly recommended from some of the professionals that I work with. I need some guidance.
First of all, let me say a big THANK YOU for your service to our country.
As a disclaimer – I am not familiar with the particular topics covered in the SANS Security S+ course – so my answer to your question will be a more general one.
The first thing that I want to say is that I question the concept that you actually “really need” to pass the CISSP to work as an information security professional in the civilian work force. Most of the customers that we support are more interested in the candidate’s talent, as opposed to their certifications.
I believe that the question that you should be asking yourself is, “Which training class will enable me to develop my skills and make a smoother transition to work in a commercial environment?”
One of the best ways to determine this will be to first understand the foundation of your current skills and the strengths that you can leverage. Generally speaking, these skills will be more “technical” in nature, centering on either networking, operating systems, software development, etc. Once you are comfortable with this assessment, you may want to look at a training class that can help supplement these skills, possibly something in the area of incident response, security event management, penetration testing, etc.
In developing these skills and skill combinations, you should be able to place yourself in a professional information security environment that will provide you with some exposure to the “domains of knowledge” encompassed by the “CISSP Certification”. In the context of the job, with engaged peers, the purchase of some relatively cheap study guides, and some initiative, you should be able to pass the CISSP (at a substantially lower price point), if you decide that this is a worthwhile career investment as you aspire toward your ultimate career destination.
Hope this helps,
June 12, 2012
A few weeks back, I was informed by my manager that my company was looking for an information security engineer to help us round out our team. In a team meeting, my peers and I were asked if we would be willing to recommend someone for the role. During the meeting, we were asked if we could publicize this opening to our professional networks, specifically LinkedIn.
As a good employee and team player I have done this, and posted the position to both my networks and the LinkedIn groups where this type of role would be suitable. My initial thought was that this would be quite easy, as my posting would net a couple of qualified folks, and the hiring process would be smooth.
This has not been the case. In fact it has been a nightmare.
Since posting the role, I have received over 70 inquiries about the position. This has included many people who are either not qualified for the role, do not live anywhere near the position’s location, have greatly surpassed this type of position, and some whom I know well enough to know that I would not want to work with them. The responses have included resumes being sent to my personal address, phone calls off hours, and other intrusions that really lie outside the context of my role. I simply do not have time to respond to all of these people, am unsure of the proper etiquette, and I feel that in doing so, I may damage some of my relationships.
I wanted to raise this point with the Infosecleaders community and wanted to see if you had any advice for me, to help relieve me from the burden of my current situation.
You are witnessing first hand that there are a lot of personal obligations that go along with engaging your network, especially in the context of recruiting.
Let me give you two pieces of advice that may help you alleviate your current pain:
1) The first is to change the LinkedIn posting or take it down. If you decide to take it down, make sure you speak with your manager, and let them know why you are doing so, and the problem this has caused you. If you do decide to keep it up, what I want you to do is to attach a line to the bottom of the posting that states:
“PLEASE DO NOT CONTACT ME DIRECTLY. AS PER CORPORATE POLICY I AM NOT AT LIBERTY TO PROVIDE ANY ADDITIONAL INFORMATION ABOUT THIS OPPORTUNITY BEYOND THE POSTING. PLEASE ADDRESS ALL INQUIRIES TO- (ENTER YOUR HR BUSINESS PARTNER’S EMAIL ADDRESS)”
Something like this should help you draw some clear guidelines and remove you from the communication loop.
2) What I would do would be to collect the e-mail addresses of all 70 folks that have responded to this posting and write an e-mail with a confidential distribution list that states the following – (please make sure that the distribution list is confidential)
Thank you all for your response to my posting. I have sent all of your responses to our human resources representative who is responsible for the recruitment process for this position. Your credentials will be reviewed by the hiring manager (which is not me!) and if there is interest, you will be contacted to engage in our interview process. I wish you all well in your pursuit of this opportunity. As you progress deeper in the interview process, I would be happy to share with you my personal experiences as an employee of _______________________ and as a member of the Information Security team.
Hopefully this advice will alleviate this burden and help you return your focus to your role as an information security professional and your recruitment career will be a brief one!
Hope this helps,
May 15, 2012
Dear Infosecleaders Readers-
Below you will find the unedited version of my latest article for Tech Target/Search Security – Information Security Magazine. The article is designed to shed some light as to why companies have such a difficult time in filling information security roles.
Let me know what you think.
Why Information Security Positions Go Unfilled
While the national unemployment rate has been holding steady between 8-9%, information security professionals have been enjoying newfound prosperity. Until recently, the information security function primarily held importance to industries whose success and market perception were tied directly to their customers’ trust, like financial services, and to the federal government. Due to a unique combination of technological innovation, increased regulatory scrutiny, external threat, and social activism, corporations in industries that have traditionally ignored information security have begun to realize that the development of a competent information security function is a worthwhile and necessary investment.
When companies recognize that they are going to make this type of organizational commitment, their first order of business is to find competent information security talent to bridge their talent gap and address these issues. However, finding and attracting competent information security professionals to a new position is a lot more difficult than it appears. Companies quickly learn that the same strategies and processes that they apply to filling more generic business and technology roles do not necessarily translate to the recruitment of information security professionals. It is important for organizations and information security leaders to comprehend why information security positions go unfilled, so that they can make the proper adjustments to attract and hire this talent in a reasonable time frame.
The most common impediment to filling information security positions is geography. In many cases, the talent and skills alone would be difficult to find; however, the need for an employee to be based in a certain location significantly reduces the depth of the candidate pool. For example, although the NY Metro area is filled with companies, positions based in locations like Long Island, Central New Jersey, and Southern Connecticut will greatly reduce the candidate pool due to commuting time. Conversely, there are many information security professionals who would not want to incur the additional cost of commuting into Manhattan. In the past, companies were much more amenable to relocating candidates to fill positions; however, the economic events and the housing bubble have greatly reduced both the ability of people to relocate and the willingness of companies to subsidize these costs. In general, companies’ relocation packages have become less encompassing, saddling the candidate with additional expenditures if they decide to accept an opportunity and relocate. In these instances, the candidate simply cannot afford to accept the position, even though it aligns with their career plan and professional development.
The next major component in the breakdown of a recruitment process is in the area of compensation. When corporations are determining the compensation value of their job openings, they traditionally consult specialized market research firms that provide them with this information. This compensation information generally equates to what a candidate with the skills, already in the position, should be paid. While this should serve as a good baseline, it does not take into consideration the recruitment premium that an information security professional, currently performing a similar role at a similar organization, would need to leave the comfort of their existing environment. For example, if a Senior Information Security Architect is earning “X” in their current role, the market data may be correct and instruct you to price the position at “X”. However, in order to be successful in attracting the Senior Security Architect to your team, you will need to price that position at “X + 10-20%”.
In addition, compensation packages many times neglect to address existing financial and non-financial benefits associated with tenure at a current employer. Because money is fungible, financial benefits are more easily replaceable; however, non-financial benefits are often more difficult to address. Information security professionals can place greater value on vacation time, flexible work hours, and telecommuting, and may be unwilling to relinquish these benefits. Corporate human resource policies may not allow you the flexibility to provide alternatives for these privileges.
An additional compensation based reason that information security positions go unfilled is due to internal equity. Internal equity is the belief that any new employee’s compensation cannot be significantly more than their functional or organizational peers. It is the information security leader’s responsibility to both address this within their teams and to educate their human resources staff about the uniqueness of the skill combinations that they are attempting to recruit.
Before any major recruitment initiative, the information security leader must partner with human resources and perform a market based assessment of the skills and functions already performed by current information security team members. The question that should be asked is, “If I had to replace that person, what would I have to pay them?” In addition, the information security leader should be aware of the value of their employees’ skills in the market place, and be proactive in their approach to aligning their compensation with both their internal contributions and external value.
In addition, it is commonplace for human resources teams to align information security compensation with other technical functions like network engineers, systems administrators, or software developers. It is essential for information security leadership to sit down with human resources and articulate to them why the skill combinations associated with the roles that they are attempting to fill are more complex and scarce than these technical resources. The information security leader should have a great deal of incentive to win this argument, because if the compensation packages are insufficient, positions will remain open for long periods of time or will be filled with substandard talent.
While these factors contribute to unsuccessful recruitment processes, the primary reason that positions go unfilled is the failure of the information security leader (hiring authority) to think like the candidate that they are attempting to attract. All information security leaders at one time had to interview for a job. It can be assumed that when they contemplated their last job change, they created a list of criteria that became key factors in their decision making process. Some of these factors will include the commitment of the organization, the level of responsibility associated with the role, the career path for the position, professional development opportunities, title, and compensation. In summary, most likely they changed positions because the new opportunity represented increased opportunity and personal satisfaction. Often, information security leaders forget their own motivations, and ignore the fact that their applicant pool is driven by similar forces.
One of the biggest mistakes is that hiring managers only focus on their organizational “need” as opposed to taking into consideration what the applicant “wants”. When information security leaders begin designing their job descriptions, it is essential that they understand the appeal of the opportunity and what types of candidates it will attract. When they conduct their interview process, they should be taking into consideration the candidate’s point of view, and determine if the position and the environment can serve as the framework for their candidate to accomplish their professional goals and develop their information security career. By viewing the position from the candidate’s perspective, information security leaders will find themselves prepared to communicate the merits of the position during a recruitment process, which should make a positive impact on the candidate’s interpretation of the career opportunity.
One of the best ways to evaluate leadership is by the caliber of the people with whom they surround themselves. Attracting top information security talent to your team can be both time consuming and frustrating. Building an effective recruitment strategy, addressing potential obstacles, building organizational partnerships and understanding the motivations of your future employees are key ingredients to efficiently filling your information security openings.
March 27, 2012
Do you feel that the accuracy of these sites takes into consideration outside factors such as clearances? What would the baseline salary be for someone with a CISSP, TS Clearance, and Masters Degree?
Better yet, how should the information gathered utilizing these tools be applied to your current compensation and desired compensation if searching for a new position.
C’mon Billy, I would think that you, of all people, would know a thing or two about negotiating price on the internet!
As an information security professional, you cannot negotiate your salary or determine your market value based on the information that you glean on these types of websites. It is simply impossible. The data is baseless, as these sites are more focused on generalities as opposed to the many nuances which may determine compensation in an information security professional’s role.
I have my own opinions on some of the market intelligence and salary scales that corporations utilize when it comes down to assigning compensation for information security professionals. Considering that the information security industry is comprised of both generalists and specialists, it is very difficult to apply this type of salary information broadly.
For example, if you are an identity management specialist with a CISSP, a Masters Degree, and a TS Clearance – with a highly technical skill set, you will earn considerably more than someone with similar experience who has the same credentials that focuses on Certification and Accreditation work, or policy development.
The best way to determine your market worth is to ask your peers who hold similar positions, have similar experiences, and who work for similar types of organizations within your geography. If you can get a sample of the compensation of people who share your background, you will find that your compensation should fit within the range of these numbers. It is very rare that information security professionals have compensation packages that are outliers and anomalies; we just are not that type of industry.
I would tell you and the infosecleaders audience that the factors that determine compensation usually combine skill, responsibility, location, company size, quality of life and industry type. In addition, companies that have greater commitments to the protection of their information, generally have a slightly higher scale than others.
In the future, forget sites that claim to have this information. They do little more than build misconceptions and create false expectations that are not based in reality.
Hope this helps,
February 27, 2012
Good morning Infosecleaders community!
I am looking forward to an exciting two days at Security BSides, and meeting many of you whom I have communicated with about your Information Security careers over the past year(s).
If you are not in attendance, you can view my presentations and all of the content at #BSidesSF live stream:
Track 1 - http://www.ustream.tv/channel/bsidessf-track1
Track 2 – http://www.ustream.tv/channel/bsidessf-track2
My presentations are scheduled as follows:
Monday (Today) February 27 - Track 1 – 9:40 PST / 12:40 EST – 10:00 PST / 1:00 EST
B-Sides Welcome Address –
It is such an honor to have been asked by the folks at B-Sides to give the welcome address. I plan to share some of my thoughts about the importance of community in the development of a successful Information Security Career.
Lenny Zeltser and I take a look at the recruitment and hiring process from two unique angles – the hiring manager (Lenny) and the information security professional/ job candidate (Lee). The presentation is designed to provide the attendees some insight into the minds of the other party – in the simultaneous pursuit of talent and opportunity.
Tuesday – February 28th Tracks 1 and 2 Career Advice Tuesday – Live
12 noon PST / 3:00 PM EST – 1 PM PST / 4:00 PM EST
This is the opportunity to ask your information security career questions live. You can ask them either as yourself or anonymously – and I will answer them live. If you would like to ask your questions prior to the sessions - follow these instructions – or come see me at BSides today.
Enjoy the Conference. Make the Most of It!
February 26, 2012
Would like the Infosecleaders community to know that I will be hosting a session of Career Advice Tuesday – “Live” – from SF Security B-Sides. The session will take place at 12:00 noon (PST) on Tuesday, February 28th.
In addition to accepting questions from the B-Sides attendees, I would like to give any Infosecleaders community members the opportunity to ask their career related questions, so that they may be shared with the audience. From what I understand the session will be streamed live from B-Sides.
Questions can include any Information Security career related topics: career planning, position selection, professional development, career investments, brand building, compensation, relationship with management, or anything else that may be appropriate.
Questions can be asked by any of the following methods:
If you would like for your question to be asked anonymously, or if you would like to create your own pseudonym (as many of you have) please feel free to do so.
Thank you in advance for your participation. If you are in attendance at either B-Sides or RSA (Booth 650), please make sure that you come by and introduce yourself.
February 14, 2012
I am looking for some help in my current situation and hoping that you can provide me some guidance.
Currently I am working as a senior information security engineer for a Fortune 1000 company. I work for a company that has recently awoken to the importance of information security, due to a security incident a year or so back.
At the time of the incident, I was the only information security engineer at the company, since then we have begun to hire some other information security talent to augment my efforts. Although the additional resources have been helpful, I am still viewed as the go to person by both my CISO and some of the other business and technology leaders. Because of this, many of the key projects fall on my plate.
I am pulled in many different directions, work about 60 hours a week, and have been consistently told by many that I am doing a good job. There is no shortage of love to go around, and I definitely feel appreciated. During the year, I spoke with my CISO that the workload was getting to me, and he asked me to “hang in there” and assured me that I “would be taken care of.”
I had no reason not to believe him, as he has always been honest with me.
The other day I was called into his office, where we had a scheduled meeting regarding my review and my compensation for the upcoming year. During the meeting he explained to me that the company had a down year, so my bonus would not be great. In almost the same breath, he revealed to me that my salary increase would be about 4% – slightly above cost of living.
I left the meeting disappointed and feeling both betrayed and misled. I was expecting my boss and the other managers who sang my praises to fight for additional compensation for me, considering the value I provided to them.
Quite frankly, I am not looking for love any more, what I am looking for is money.
Do you have any advice for me? How can I get them to show their love in dollars?
Your help is appreciated,
I can understand why you feel the way that you do. It is clear that you take a great deal of pride in your work as an information security leader, and that you feel that you have gone the extra mile in demonstrating both your passion and commitment to both your CISO and the other managers that you have supported.
I also understand that you had some personal expectations in terms of financial reward for the personal sacrifice that you gave your employer by working additional hours and delivering results to the people who counted on you.
Feeling betrayed because they did not return the favor, is only logical.
One thing that I can tell you is that you are fortunate that your employers let you know that you are important and appreciated; however, talk is cheap. If your account of your extra effort and results is indeed factual, then you are justified in feeling that your managers should have fought harder for you when it came time to reward your performance monetarily, in terms of both your bonus and your raise.
That being said, here is some advice that you may find useful:
First of all, you mentioned that your information security organization is not that mature and that information security has not figured prominently until a little more than a year ago. When organizations are in this transition phase, one of the things that usually lags is compensation for its staff members. This is probably one of the reasons that the new members of your information security team have not significantly reduced the workload placed on you. While your fellow workers are probably competent, they probably represent the best that your company could afford, not the best available talent. This is an organizational and human resources issue that cannot be fought by one person, but you have the ability to help influence this by how you address your situation.
I would tell you that you should set up a meeting with your manager, and let him know in advance the subject of your meeting is your disappointment about compensation. Prior to the meeting, I would spend some time and write down all of the accomplishments that you have had in your role over the past year. In addition to this, I would pull all e-mails from either your boss or the other managers that have sung your praises over the past year. What I would also do, is put together your interpretations of the business impact made by your contributions.
During the meeting, I would let your manager know that the praise was appreciated, but that your skills have a great deal of market value outside of the company. You can share with your employer that you have turned down countless overtures from recruiters and other companies in the area, promising bigger roles and more money, based on the promises that you would be “taken care of” for your efforts over the past year. You can also share with your boss that you were counting on the bonus and the increase, and were personally let down and hurt by this decision.
I would let your boss know that you do not regret your decision to stay, because you accomplished a great deal, that you enjoy working at the company, and that you have been building marketable skills. However, you should let them know that you would hope that they may reevaluate their decision about your compensation and assess your skills versus the market. (Before you do so, make sure that you know the answer, and that you are paid either “at” or “below” your market value. ) You may ask them to do a market study of what it would take for them to refill your position and contributions if they had to replace you.
Ask your manager if you could meet again in about a week or two (not longer) and ask them to reconsider their stance on both compensation components.
Taking this tack will allow you to speak your mind in a non-threatening situation. At no point do you threaten to quit or leave, but you imply that you have had other opportunities, have developed marketable skills, and that it may cost significantly more to replace you. You have allowed your employer and your manager to make a business decision based on fact and value, not based on threat and emotion.
Hopefully this will help you and your employers will realize that they have made a mistake in judgment.
When they do, make sure that you “Show them the love,” when they “Show you the Money”.
Hope this helps,