<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Security Leaders &#187; Security Industry</title>
	<atom:link href="http://www.infosecleaders.com/category/security-industry/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infosecleaders.com</link>
	<description></description>
	<lastBuildDate>Wed, 01 Feb 2012 10:45:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>&#8220;Why The Show Must Go On&#8221;</title>
		<link>http://www.infosecleaders.com/2012/02/why-the-show-must-go-on/</link>
		<comments>http://www.infosecleaders.com/2012/02/why-the-show-must-go-on/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 10:45:57 +0000</pubDate>
		<dc:creator>lee</dc:creator>
				<category><![CDATA[Personal]]></category>
		<category><![CDATA[Security Industry]]></category>

		<guid isPermaLink="false">http://www.infosecleaders.com/?p=1769</guid>
		<description><![CDATA[Instead of the traditional Career Advice Tuesday, I wanted to use the blog today to let the information security community and the Infosecleaders.com audience know why events like B-Sides are important to me, and why I made the decision to provide the event the necessary financial support to ensure that it would take place as planned. [...]]]></description>
			<content:encoded><![CDATA[<p>Instead of the traditional Career Advice Tuesday, I wanted to use the blog today to let the information security community and the Infosecleaders.com audience know why events like B-Sides are important to me, and why I made the decision to provide the event the necessary financial support to <a title="B-Sides Lives" href="http://www.infosecisland.com/blogview/19824-Security-BSides-San-Francisco-2012-Will-Live-On.html">ensure that it would take place as planned.</a></p>
<p><strong>1) Attending Information Security Conferences Made A Huge Impact on My Own Career. </strong></p>
<p>While attending my first information security conferences, DefCon 5 (at the old Aladdin) and RSA 1997 (where it rained all week), I learned very quickly that information security professionals were an accepting bunch.  Although I was a recruiter (or “job whore”/“talent pimp”, as some called me), I found that as long as I had something meaningful to say or a unique perspective to share, most of the attendees would include me in their conversations.  Being included in these discussions, and being “allowed” to ask questions and listen to the responses (without ridicule), provided me with the foundation for my professional education.  To this very day, I often reference these experiences when training new employees for my team, or speaking with information security professionals about the value of opening themselves up to new professional relationships.</p>
<p><strong>2) Some of the most important personal relationships I have made in my life happened because of information security conferences. </strong></p>
<p>At that first DefCon, I was briefly introduced to a sharp guy, who was very smart and quite blunt.  In traditional “hacker” style, he was skeptical of my motivations, and may have actually introduced me to the term “talent pimp.”  During the following years, we ran into each other at other DefCons.  The conversations were never long, but we always acknowledged each other.  He then became an employee at one of my clients, and we got to know each other better personally.  After the company he worked at was sold, I was able to help him locate a good position at a company.  Through that process, we became friends.  It is now fifteen years later, and I consider him family.  In no other universe would our worlds have collided, but thanks to this industry, in Ralph Logan, I have a “brother” whom I can count on for anything.</p>
<p>In addition to this, I met Mike Murray, the co-founder of Infosecleaders, in an elevator at the Mirage and as we walked over to Black Hat.  Through our friendship (and Infosecleaders), Mike has taught me many things and has opened up my mind and challenged me on my thought processes.  (Mike, I hope that I have done the same.)  Although Mike and I could not have more opposite work styles and competencies, information security events have brought together our passions of helping people, and for this I could not be more thankful.</p>
<p><a title="RSA -BarMitzvah" href="http://www.infosecleaders.com/2009/04/celebrating-my-rsa-bar-mitvah/">Finally, and most important, if it was not for Information Security conferences,</a> I might not have met my wife Michele.  In 1997 on my way back from RSA, I met a woman named Nicole Schmidt, who was the CIBC information security analyst, on my flight home.  We struck up a conversation and exchanged numbers, and became friends.  Seven years later, Nicole made a suggestion that I go on a date with her best friend Michele.  Michele and I have been married for five years.  We have a son, Brodie, who will turn 4 tomorrow.  I am also known as “Uncle Lee” to Nicole’s little boy, Lucca.</p>
<p><strong>3) In the end, the only thing that matters is “people”.</strong></p>
<p>In the wake of the messages I saw on Sunday while checking my Twitter stream, the only thought racing through my mind was “what about the people.”  The first “people” that I thought of were the organizers of B-Sides.  I have known Mike Dahn since he trusted me with his career about 8 years ago, and we have been friendly ever since.  I know that B-Sides is run by members of the community, so I could only think of how all of the effort and energy of the volunteers could possibly go to waste, and that they may be facing a huge bill due to previously made financial commitments (as a business owner, I know some things about event contracts).</p>
<p>My mind then jumped to all of the information security professionals that I know who are big fans of B-Sides and have made plans to come to the event.  My assumption is that most of the B-Sides attendees are coming to try to better their careers – either through learning or networking.    I also assume that the reason they choose B-Sides is the price – and due to the fact that their employers do not have ample training budgets.    I assume that many have already taken vacation days and personally incurred the cost of travel.   The thought of all of their plans being ruined, and their money lost, was not acceptable to me, and did not sit right.</p>
<p>When I got home, I called and texted Mike, and asked him how much money he needed to ensure that the event would take place.  The amount that he provided me was manageable.  Knowing that Infosecleaders.com does not and has never had any involvement with the RSA Conference, I knew that I was in a position to help without any impediments or restrictions.</p>
<p>Over the last 24 hours, I have been blown away by the reaction, the e-mails, and the tweets.  My only response to this is that I do not feel that I deserve any additional accolades.  I believe that I only did what any other member of our community would have done, if they had the financial resources at their disposal.  Having the opportunity to give back to our community and provide for others, is a “mitzvah” and a blessing.</p>
<p>It is with great pride that I consider myself a member of the information security community, and to have had the privilege of being associated with such a great collection of talent, personality, and passion.</p>
<p>Looking forward to seeing everyone at B-Sides.</p>
<p>Lee Kushner</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecleaders.com/2012/02/why-the-show-must-go-on/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Career Advice Tuesday &#8211; &#8220;No One Will Come Work For Me&#8221;</title>
		<link>http://www.infosecleaders.com/2012/01/career-advice-tuesday-noone-will-come-work-for-me/</link>
		<comments>http://www.infosecleaders.com/2012/01/career-advice-tuesday-noone-will-come-work-for-me/#comments</comments>
		<pubDate>Tue, 24 Jan 2012 14:15:19 +0000</pubDate>
		<dc:creator>lee</dc:creator>
				<category><![CDATA[Advice]]></category>
		<category><![CDATA[Career Advice Tuesday]]></category>
		<category><![CDATA[Interviewing]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Recruiting]]></category>
		<category><![CDATA[Security Industry]]></category>
		<category><![CDATA[Skills]]></category>

		<guid isPermaLink="false">http://www.infosecleaders.com/?p=1765</guid>
		<description><![CDATA[Dear Infosecleaders: My question comes from a different angle than most of the questions that you address on your blog – I am an information security leader, and I have been trying to hire some key technical information security engineers for my team, and I have not had much luck. I have been looking for [...]]]></description>
			<content:encoded><![CDATA[<p><em>Dear Infosecleaders:</em></p>
<p><em>My question comes from a different angle than most of the questions that you address on your blog – I am an information security leader, and I have been trying to hire some key technical information security engineers for my team, and I have not had much luck.</em></p>
<p><em>I have been looking for these positions for close to six months, and the only thing that I have to show for it is three rejected offers of employment and a good deal of wasted time.  The candidates have rejected our offers for a variety of reasons:  compensation, expectations associated with the position, and one of the candidates never ever responded to the offer. </em></p>
<p><em>I think that my internal recruitment team has written the positions off and we do not have any budget to hire external search firms to help locate this talent.  I have posted these roles on internet websites, and I cannot tell you how many resumes we have received which do not nearly resemble the skill combinations and experience which I outlined in the job description.</em></p>
<p><em>I guess I would like to know if you have any advice for me.  We are committed to hiring the right people for the roles, but I am at the point that I will settle for someone with a pulse and some passion.</em></p>
<p><em>Is there any advice that you can share with me to help me solve this issue and hire some future information security leaders?</em></p>
<p><em>Signed,</em></p>
<p><em>Looking for Mr. (or Ms.) Goodbar?</em></p>
<p>&nbsp;</p>
<p><strong>Dear Info Sec Leader:</strong></p>
<p>There is no simple solution to hiring the correct talent for your information security team.  It appears from your note that you are resource constrained on many levels – compensation, internal support, and external budget.  Although these are substantial obstacles to overcome, they are not insurmountable.</p>
<p>The first thing that I would do would be to look at your job description, and determine which skills are absolutely necessary to perform the position that you are looking to fill.  Sometimes job descriptions are filled with a good number of “nice to have” bullets, and they overshadow the “need to have” requirements.   It is logical that the candidates that you have been interested in have a good amount of the experiences that you request,  but your budget simply cannot afford that level of resource.</p>
<p>What you should do is winnow the skills and experience you require down to a level that you can actually afford.  You should understand that attracting candidates is one thing; hiring them is completely different.  If you lessen some of your requirements, and require that candidates who lack certain experiences make up for it by displaying “passion” and “drive” during your interviews, you should be able to locate a candidate that you can afford.</p>
<p>When you design a position to inspire professional growth and career acceleration, you will generally attract candidates who have a high level of motivation and professional pride.  So, what they lack in experience, they will make up in aptitude and “passion”.  It will be important that you screen for these intangibles in the interview process.  Constructing your position in this manner will truly turn it into an “opportunity” as opposed to what your past candidate pool has viewed it as: “a job.”</p>
<p>As far as building your relationships with human resources and your internal recruitment team, my suggestion would be for you to schedule some time to reengage them and start anew.  During this time, you may be able to educate them on your new requirements, provide them some good screening questions, and adjust some of the elements of the job description to reflect less experience and more passion.  You can accomplish this by screening the candidates for things that reflect this, like conference attendance, industry involvement, and logical career investments.   I would then educate them on potential sources in your market for these skills, so that they may be able to do better in pre-screening resumes.   Try to schedule a weekly meeting with them to both provide status on their efforts, and to give them a regular opportunity to ask questions.    The more that you engage them in the process, the more they will want to help you.</p>
<p>Although you cannot use external agencies, you can still post the position on internal and external websites.  In posting the position, try to do so in a way that reflects the type of career opportunity that is available and the candidate profile you are attempting to attract.  I would use words that could possibly encourage more affordable and slightly more junior candidates to respond.  A good exercise would be to think back on your career, and think about the things that would attract you to a role like the one that you are offering.  When the candidate eventually comes to the interview, utilize these examples as selling points as to why this role will benefit their professional development and their career as an aspiring information security leader.</p>
<p>Take comfort that your experience is not unique.  Do the best you can with what you have, and keep your expectations realistic.</p>
<p>Hopefully this helps, and you will fill your roles in the next 30 days.</p>
<p>Sincerely,</p>
<p>Lee Kushner</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecleaders.com/2012/01/career-advice-tuesday-noone-will-come-work-for-me/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>CAT &#8211; Clearing Some Things Up &#8211;  Advice and Predictions for 2012</title>
		<link>http://www.infosecleaders.com/2012/01/cat-clearing-some-things-up-advice-and-predictions-for-2012/</link>
		<comments>http://www.infosecleaders.com/2012/01/cat-clearing-some-things-up-advice-and-predictions-for-2012/#comments</comments>
		<pubDate>Wed, 04 Jan 2012 03:04:00 +0000</pubDate>
		<dc:creator>lee</dc:creator>
				<category><![CDATA[Advice]]></category>
		<category><![CDATA[Behavior]]></category>
		<category><![CDATA[Career Advice Tuesday]]></category>
		<category><![CDATA[Interviewing]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Recruiting]]></category>
		<category><![CDATA[Security Industry]]></category>
		<category><![CDATA[Skills]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.infosecleaders.com/?p=1745</guid>
		<description><![CDATA[Recently, I was cited in an article for Search Security, where I was asked about my opinions for the information security industry employment market for 2012.  I will say that the author did not misquote me at all; however, upon reading the article I felt that it was necessary to clear up [...]]]></description>
			<content:encoded><![CDATA[<p>Recently, I was cited in an <a href="http://tinyurl.com/c3yxqak">article for Search Security</a>, where I was asked about my opinions for the information security industry employment market for 2012.  I will say that the author did not misquote me at all; however, upon reading the article I felt that it was necessary to clear up some things that I found inaccurate &#8211; and I wanted to make sure that the Infosecleaders.com audience knows exactly where I stand on the topics covered.</p>
<p><strong>Here are my thoughts:</strong></p>
<p>While I agree that Mobile Security is going to be an information security skill in demand, I do not believe it is the only skill that companies will look for in 2012.  Have no fear &#8211; companies will still have a high level of demand for knowledge in the areas of Cloud, GRC, SIEM, DLP, PCI, Software Security, Identity Management, and overall IT Risk Management.  In addition, while I do believe that it is a good idea to have a blend of technology and business skills, there is still a very strong market for information security professionals that have hard-core technical skills &#8211; and that should never be forgotten or overlooked.  The technical information security professionals with developed knowledge and enterprise experience in securing networks, operating systems, applications and databases will do just fine as well.  Also, all of the penetration testers out there can sleep easy: your skills will still be needed and remain in demand.<br />
Below you will find my biggest objection &#8211; and probably the information that I find to be the most inaccurate.</p>
<p><strong>Here are my disclaimers -</strong></p>
<p><em>I would like to state that I do not personally know Mr. Snyder, nor have I had any dealings with him.  </em></p>
<p><em>I have read his <a href="http://blog.securityrecruiter.com/">securityrecruiter.com blog</a> on a number of occasions, and I find his perspectives to be both unique and entertaining. </em></p>
<p><em>To my knowledge, Mr. Snyder and my firm do not compete within any of my recruitment customers, and although we are in the same profession and industry, our paths do not seem to cross, except when quoted in articles about information security careers.</em></p>
<p><strong>As per the author of the Tech Target article &#8211; please find a quote from Mr. Snyder -</strong></p>
<p><em>“When companies are using a search firm to fill a position, then they’re going to usually expect that a candidate’s going to have industry experience,” he said. “In other words, if it’s a bank, they want someone who’s coming out of a bank; if it’s a retailer, they want someone coming out of retail; and if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.”  &#8211; Jeff Snyder</em></p>
<p><strong>The Accuracy</strong></p>
<p>The main point of the quote is accurate.  When companies are looking to find information security leaders, independent of the source, they ideally would like to locate people who possess applicable industry knowledge.  This is generally one of the core criteria of an information security leadership or CISO level search.</p>
<p>Like Mr. Snyder points out &#8211; a retail organization would ideally like to hire an information security professional who understands the information security challenges that a retail business faces and who has experience solving those problems.   You can apply the same logic to industries that include health care, high technology, manufacturing, financial services, media and entertainment, and any other business.</p>
<p><strong>The Inaccuracy -</strong></p>
<p>Mr. Snyder&#8217;s quote implies that a company has more stringent requirements when it engages an executive search firm.  His statement that &#8220;<em>&#8230;if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.”</em> can be interpreted in a way that leads information security professionals to believe that they can afford to be less qualified if they decide to apply for positions on their own – and not through an executive search firm.</p>
<p><em><strong>THIS IS DEAD WRONG</strong></em></p>
<p>First of all, the decision to engage an executive search firm is generally based on a company’s desire to ensure that they get access to a qualified candidate pool in a time-efficient manner.  The business decision to engage a search firm is the same type of decision making methodology that can be applied to engaging a professional services firm to provide a service that the company does not believe that they can perform effectively with internal resources.  The budgets for engaging executive search firms either come from a general corporate budget or from a specific business unit who can justify the value and the return on investment for the cost associated with the search firm’s fee.  <em>In addition, the amount of the search fee does not have any impact on the compensation offered to the candidate.</em></p>
<p>Mr. Snyder is correct in his implication that when companies engage an executive search firm, they are expecting to get value for their dollars.  This will take the form of industry intelligence, compensation data, a professionally managed recruitment process, and eventually the placement of a successful candidate to fill the duties of the information security leadership role.  In exchange for money, the companies are going to expect an executive recruitment firm to deliver a candidate who is going to match the key criteria that they have outlined for the position.</p>
<p>Just like anyone who pays for a service, companies who engage executive search firms have the right to have realistic expectations of competence and results when retaining them to help fill a position.  However, in my 15 years of experience, I have never witnessed a situation where a company that is committed to recruiting the correct information security leader, will agree to hire a less competent candidate, solely because they were introduced to them directly, and not through an executive search process.</p>
<p><em>In 2012, and in the future, competition for Information Security leadership roles is going to intensify.  Companies are going to continue to set the bar high for finding the correct talent match, no matter what method they select to recruit for these positions.  In addition, the more influence and importance that an information security role has to an organization, the more detailed the requirements will be and the more demanding the interview process.</em></p>
<p><em>To all current and aspiring information security leaders, for 2012, I am urging you to take a proactive approach to developing a career plan, honing your skills, investing in yourself, and making wise choices about selecting the right positions to help accomplish your career and life goals.</em></p>
<p><em>Happy and Healthy New Year,</em></p>
<p><em>Lee Kushner</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecleaders.com/2012/01/cat-clearing-some-things-up-advice-and-predictions-for-2012/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Career Advice Tuesday &#8211; &#8220;Surprise Bonus&#8221;</title>
		<link>http://www.infosecleaders.com/2011/12/career-advice-tuesday-surprise-bonus/</link>
		<comments>http://www.infosecleaders.com/2011/12/career-advice-tuesday-surprise-bonus/#comments</comments>
		<pubDate>Tue, 20 Dec 2011 14:26:43 +0000</pubDate>
		<dc:creator>lee</dc:creator>
				<category><![CDATA[Advice]]></category>
		<category><![CDATA[Behavior]]></category>
		<category><![CDATA[Career Advice Tuesday]]></category>
		<category><![CDATA[Compensation]]></category>
		<category><![CDATA[Interviewing]]></category>
		<category><![CDATA[Position Selection]]></category>
		<category><![CDATA[Security Industry]]></category>

		<guid isPermaLink="false">http://www.infosecleaders.com/?p=1736</guid>
		<description><![CDATA[Dear Infosecleaders: Last week I was pleasantly surprised when my employer presented me with a year end bonus of $10,000, which is more than 15% of my current salary.  I know that this should be a reason to smile, but let me tell you about my predicament. I am currently toward the end of an [...]]]></description>
			<content:encoded><![CDATA[<p><em>Dear Infosecleaders:</em></p>
<p><em>Last week I was pleasantly surprised when my employer presented me with a year end bonus of $10,000, which is more than 15% of my current salary.  I know that this should be a reason to smile, but let me tell you about my predicament.</em></p>
<p><em>I am currently toward the end of an interview process with another company, for a position that mirrors my current one.  I will say that the main reason that I was looking was that I felt that I was underpaid in my current role, and in my exploration of the market, I found my assumptions to be correct.   However, if it was not for the money, I would stay at my current employer – they treat me well, I have flexibility, and I am able to pursue some of my interests in information security research.</em></p>
<p><em>In addition to the bonus, the President of the company called me into his office, and told me that they are in the process of reviewing their compensation programs, and that he hoped that I would view the “Surprise Bonus” as a demonstration that they were taking a proactive approach to compensation of their key employees. </em></p>
<p><em>My question to you, is how should I handle my current interview process?  Should I let my employer know that I was looking?   Do you think it is possible to maximize my employer’s current generosity to get additional compensation benefits? </em></p>
<p><em>Look forward to hearing back from you,</em></p>
<p><em>Sincerely,</em></p>
<p><em>Jack Pot</em></p>
<p>&nbsp;</p>
<p><strong>Dear Jack –</strong></p>
<p>First of all, congratulations!  No matter what the reason, it is always good to receive money that you were not expecting based upon recognition of your performance and your contributions.</p>
<p><strong><em>To address your questions, in order:</em></strong></p>
<p><strong>Question 1)</strong>   I think at this point it is wise for you to continue on in your interview process, for the simple reason that you have already invested your time, and you have the right to attempt to reach a conclusion and truly understand your external market value.  That being said, if you are offered a position, I believe that I would think long and hard about accepting it, based upon your employer’s recent actions.</p>
<p>The simple reason for this, is that I really do not think that it is a great career move to move jobs just for the simple reason of money – unless you are being taken advantage of, or your life situation dictates the immediate need <em>(like having a child or financial obligations).</em>   The way that you described your job search, it appears that your move would be lateral in nature – and your job responsibilities would not change much at your new employer.</p>
<p><strong>Questions 2&amp;3 :</strong> I do think that you should utilize this situation to your best advantage, and by that I mean that you should take this as the opportunity to open up the lines of communication with your employer.  Their actions have demonstrated that your contributions are valued, so that should translate as they care about your opinions.</p>
<p>I would tell your employer that the compensation situation was a great source of concern to you, and their gesture could not have come at a better time.  You can let them know that you are regularly contacted by recruitment firms and members of your professional community about other job opportunities, and that recently you have been giving them more consideration.</p>
<p>You can even let them know that at the time you received the “surprise bonus”, you were in the process of interviewing for another position, purely based on finances.  You can even let them know that the other employer was offering to pay you an additional (X%) salary.  At the same time, you should be clear to your employer how much you enjoy working there – due to the nature of the work, how you are treated, and your ability to explore your independent research and participate in the information security community.</p>
<p>Having this conversation will serve two purposes.  First, it will demonstrate your loyalty.  I know that this sounds strange, but by letting your employer know that you were looking based solely on compensation – you will provide them with validation that they made a wise business decision (by proactively giving you the surprise bonus) and will show them that you will be honest with them and that they can trust you.</p>
<p>Revealing to your employer that you have been looking can be risky, but under these conditions, it may be a risk worth taking.  Considering that, by giving you this money, they have shown that they want to retain your services, your risk of being fired is almost zero – <em>(in the worst scenario – your ongoing interview process is your contingency plan, and your $10,000 can serve as a short term severance)</em>.  The additional upside to sharing this with your employer is that it should enable you to get other “requests” on the table beyond compensation – maybe for additional training, professional development, or the pursuit of your career goals.</p>
<p>I would tell you that you are in a good position and you have all of your bases covered – both internally and externally.  I would tell you that outside of unique circumstances, I would give your current employer the benefit of the doubt and remain with your current firm.</p>
<p>It appears that you have a bright future, and they recognize it!</p>
<p>Hope this helps,</p>
<p>Lee Kushner</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecleaders.com/2011/12/career-advice-tuesday-surprise-bonus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Career Advice Tuesday &#8211; &#8220;Yom Kippur Addition&#8221;</title>
		<link>http://www.infosecleaders.com/2011/10/career-advice-tuesday-yom-kippur-addition/</link>
		<comments>http://www.infosecleaders.com/2011/10/career-advice-tuesday-yom-kippur-addition/#comments</comments>
		<pubDate>Tue, 11 Oct 2011 13:59:42 +0000</pubDate>
		<dc:creator>lee</dc:creator>
				<category><![CDATA[Advice]]></category>
		<category><![CDATA[Behavior]]></category>
		<category><![CDATA[Career Advice Tuesday]]></category>
		<category><![CDATA[Planning]]></category>
		<category><![CDATA[Position Selection]]></category>
		<category><![CDATA[Recruiting]]></category>
		<category><![CDATA[Security Industry]]></category>

		<guid isPermaLink="false">http://www.infosecleaders.com/?p=1674</guid>
		<description><![CDATA[Dear Infosecleaders: My question deals with a touchy topic. I am an IT and Infosec veteran with a 16 year old felony for crimes related to moral turpitude (theft). The state I was convicted in does not have any mechanisms for expungement, short of a pardon. I won&#8217;t make excuses, and never have but suffice [...]]]></description>
			<content:encoded><![CDATA[<p><em>Dear Infosecleaders:</em></p>
<p><em>My question deals with a touchy topic. I am an IT and Infosec veteran with a 16 year old felony for crimes related to moral turpitude (theft). The state I was convicted in does not have any mechanisms for expungement, short of a pardon.</em></p>
<p><em>I won&#8217;t make excuses, and never have but suffice to say that I made some stupid mistakes as a kid in the military and have learned my lesson. I&#8217;ve been fortunate enough to work for a few employers in state and local government who saw fit to give me a chance and I have really excelled. I&#8217;m active in the infosec community, have earned a college degree and a ridiculous number of certifications and have started to develop a name for myself in the community. My personal branding strategies seem to be really taking off.</em></p>
<p><em>The issue I&#8217;m running into is that I&#8217;m looking for greater challenges and my background has created some roadblocks for me. I&#8217;ve been turned down for a few opportunities but my fear is that if I apply and get turned down at too many more I will start to develop a &#8220;rep&#8221; as that felon who thinks he can work in IT security. The information security community is relatively small and this would create significant challenges for me. I interview extremely well and I have recruiters beating down my door, at least 12 unique hits every week but my past becomes a real stumbling block.</em></p>
<p><em>Should I count myself fortunate to have a job at all even if I&#8217;m not happy there or run the risk of further exposure with employers and the development of a &#8220;rep&#8221;? At this point I&#8217;m starting to get discouraged. Yes I made a mistake 16 years ago but I could really use some advice for moving forward with my career.</em></p>
<p><em>Sincerely, </em></p>
<p><em>A. Tony Ment</em></p>
<p>&nbsp;</p>
<p>Dear Tony:</p>
<p>I would tell you that the first thing that I would do, would be to think of myself as an Information Security professional, who made a mistake early in their lives, as opposed to a felon, who has taken up information security as a profession.</p>
<p>From a self esteem perspective, I do not think it is healthy to view yourself this way, especially with how far that you have come in the past 16 years.</p>
<p>From what you have shared, you have a great deal to be proud of – including your education, your certification, the development of your personal brand, and industry standing.   My feeling is that you should be more focused on your accomplishments as opposed to your transgressions, and you should use this as an opportunity to demonstrate personal and professional development to others whom you encounter.</p>
<p>That being said, I understand how a previous mistake that you made as a younger person, can come back to haunt you in the development of your professional career, and can become an obstacle in your pursuit of loftier information security career goals.</p>
<p><em><strong>Here are some things that you may want to consider along your way to minimize this:</strong></em></p>
<p><strong>1)    Do Not Worry About Group Think - </strong> Plain and simple, I do not believe that many people in the information security community will ostracize you for a mistake you made in the past.  First of all, most of the information security pros that I know are not that judgmental and are a pretty accepting bunch.  Secondly, many of them are going to be understanding, as they were young once, and may have done some things that could have been construed as “grey” hat in their earlier days.  The only thing that may differentiate you from them is the fact that you got caught – and fortunately their actions went unnoticed.</p>
<p><strong>2)    Control Your External Exposure</strong> -  When someone tells me that they have their resume posted and that they have been contacted by over a dozen recruiters, my first reaction is that they are not effective in managing their careers.   Placing yourself in the public eye forces you to create a more public persona, and to reveal both favorable and unfavorable attributes to larger audiences.  In your case, this is not a good thing, because many recruiters whose primary sources of candidates are “job boards” and “social networks” are not adept enough to handle your specific situation or to address it with people empowered to make a decision about your future as an information security professional.  You need to manage your job search process, and that means utilizing someone who understands how to manage and communicate your profile to others, including your felony.</p>
<p><strong>3)    Be Up Front – But Not Too Upfront</strong> -  Personally, I think that there is a time and place to reveal an unflattering past, whatever it may be.  Usually, I believe this to be sometime shortly after a relationship has been developed – after one or two phone conversations.  This will enable the other party to formulate an opinion based on facts and talent, as opposed to jumping to conclusions that are associated with a term like “convicted felon.”   After that has been established, and before anything gets too far (i.e. a recruiter making an introduction, a first level interviewer introducing you to a supervisor, or the incurring of any expense (money or time) for an interview), you should reveal your “Scarlet Letter”.   When you reveal it, I would begin by letting the other party know that it took place over 15 years ago, but nonetheless it happened, and you have paid your debt and have taken responsibility for your actions.</p>
<p><strong>4)    Demonstrate “Community” Service</strong> -  This is my personal belief, but I think it is the most important thing that you can do.  It is one thing to attempt to improve your own life, but helping others improve theirs, through the lessons learned from your own mistakes, takes it to another level.  What I would do would be to figure out a way to do this on a regular basis – this can be in the form of speaking to youth groups (Hackid), donating your time to information security causes (I Hack Charities, the EFF), or non Infosec causes that benefit some of the people that you may have previously hurt.   Doing this will show others that you are indeed remorseful for your actions, and it offers a form of restitution that can be measured and referenced.</p>
<p>In closing, these are some general ideas that may help you overcome this obstacle.  In the end, you will definitely encounter both individuals and companies whose policies will prohibit them from considering your candidacy.  Unfortunately, you will need to accept this.</p>
<p>That being said, over my years of working in the industry, using these methods, I have been able to secure employment for information security leaders who found themselves in similar situations.  The process is never easy, but it is definitely possible.</p>
<p>Hope this helps,</p>
<p>Lee and Mike</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecleaders.com/2011/10/career-advice-tuesday-yom-kippur-addition/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Career Advice Tuesday &#8211; &#8220;Fork In The Road&#8221;</title>
		<link>http://www.infosecleaders.com/2011/08/career-advice-tuesday-fork-in-the-road/</link>
		<comments>http://www.infosecleaders.com/2011/08/career-advice-tuesday-fork-in-the-road/#comments</comments>
		<pubDate>Tue, 30 Aug 2011 13:42:59 +0000</pubDate>
		<dc:creator>lee</dc:creator>
				<category><![CDATA[Advice]]></category>
		<category><![CDATA[Career Advice Tuesday]]></category>
		<category><![CDATA[Planning]]></category>
		<category><![CDATA[Position Selection]]></category>
		<category><![CDATA[Security Industry]]></category>
		<category><![CDATA[Skills]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.infosecleaders.com/?p=1640</guid>
		<description><![CDATA[Due to the Hurricane, we are publishing a Career Advice Tuesday that we wrote for Tech Target &#8211; and our monthly advice column.  Below you will find the unedited version of our column. Dear InfoSec Leaders: I am writing to you with the hope of getting some career advice. I am consultant for one of [...]]]></description>
			<content:encoded><![CDATA[<p>Due to the Hurricane, we are publishing a Career Advice Tuesday that we wrote for Tech Target &#8211; and our monthly advice column.  Below you will find the unedited version of our column.</p>
<p><em>Dear InfoSec Leaders:</em><br />
<em> </em></p>
<p><em>I am writing to you with the hope of getting some career advice. I am a consultant for one of the leading security vendors’ GRC products. I help customers set up their compliance programs with the product as the backbone. It’s been about 4 years of doing this and I now feel it’s time for a change. My career goal is to become a CISO someday and want to work towards that. I have two very different job opportunities and would like your thoughts as to which one aligns well with my goals.</em></p>
<p><em>One is that of a Product Manager with the same vendor for the same product. The position will give me immense exposure to senior security management folks across customers. It will also help me gain understanding of their GRC efforts and pain points. The other position is that of a Security Architect with a large retailer. This team has been recently formed in the organization and is doing some exciting stuff. This position could possibly give me exposure across different security areas beyond GRC. Both these positions have pros and cons, for e.g. I’m not sure if staying with a vendor is a good career move or is the other side of the table a better option.</em></p>
<p><em>As you can tell, I have a lot of questions and very few convincing answers. I’m not sure if I should specialize in the GRC space (via the vendor) or gain exposure to have a holistic view of security.</em></p>
<p><em>I’d appreciate any words of wisdom you can send my way.</em></p>
<p><em>Signed,</em></p>
<p><em>“Fork in the Road”</em></p>
<p>Dear Fork:</p>
<p>Please understand that before we start, the advice that we are giving is based exclusively on the information that you have provided to us in your note, and that we do not have any additional background.</p>
<p>Based on your career goal to become a CISO, we believe that it would be best for you to leave the product arena and accept the job as an Information Security Architect on the recently formed team at the large retailer.   Our answer is based on the following reasons, which coincide with your long term career goal.</p>
<p>1)   The group is newly formed</p>
<p>When someone tells us this, the first thing that comes to mind is opportunity.  Newly formed information security functions generally provide information security professionals with opportunities to leverage their current areas of expertise (in your case GRC) to develop broader skills in other areas.   The biggest mistake that many infosec pros make when entering an organization in this state is to limit their contributions to their “job description”. An opportunity like the one that you described should provide you with the framework to push yourself to develop new areas of expertise, as opposed to limiting yourself to the world of GRC.</p>
<p>2)   Retail experience should be valuable in the future</p>
<p>Due to the importance of PCI, many retailers and e-tailers are placing increased emphasis and dedicating additional resources toward information security programs.   Currently, many retailers are not making past “retail” experience a job requirement, however this will most likely change in the next few years.  Having this industry knowledge as part of your skill matrix, could become a differentiating factor when looking at the next step in your career.</p>
<p>3)   Product Management is not a requirement to become a CISO<br />
There is no doubt that working as a Product Manager will help you develop skills that could be advantageous as a CISO – including customer skills, presentation skills, sales skills, market knowledge, and subject matter expertise.   However, when making a transition toward a CISO career path, you will encounter people in the hiring process who will have built in prejudices against hiring candidates who come from the “Product/Vendor” side at a high entry point.   For you to make this direct transition, you are going to have to find yourself a forward thinking CISO who will value this experience, and believe that the skills of a Product Manager will directly translate to their environment.   Our belief is that if you remain as a Product Manager, you will eventually have to make the transition toward an internal infosec role (in your case – architect) at some point in time, so why delay.   You have the opportunity in front of you; now is the time to determine if transitioning to a corporate information security function is right for you.</p>
<p>Again, our advice is based exclusively on the information that you have provided from your note, and based on generalities.</p>
<p>If you would like to contact us directly via phone to discuss your particular circumstances we welcome you to do so.</p>
<p>Good luck in making your decision.</p>
<p>Lee and Mike</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecleaders.com/2011/08/career-advice-tuesday-fork-in-the-road/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Career Advice Tuesday &#8211; &#8220;Advice For Starting An Infosec Consultancy&#8221;</title>
		<link>http://www.infosecleaders.com/2011/08/career-advice-tuesday-advice-for-starting-an-infosec-consultancy/</link>
		<comments>http://www.infosecleaders.com/2011/08/career-advice-tuesday-advice-for-starting-an-infosec-consultancy/#comments</comments>
		<pubDate>Tue, 16 Aug 2011 13:47:37 +0000</pubDate>
		<dc:creator>lee</dc:creator>
				<category><![CDATA[Advice]]></category>
		<category><![CDATA[Branding]]></category>
		<category><![CDATA[Career Advice Tuesday]]></category>
		<category><![CDATA[Security Industry]]></category>
		<category><![CDATA[Skills]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.infosecleaders.com/?p=1624</guid>
		<description><![CDATA[Dear Infosecleaders: I hate to bring up what seems to be the elephant in the room within information security and penetration testing in particular, but how exactly are people getting the gigs doing this.  Personally, I have tons of training, 15+ years experience in the realm, business experience to match and every time I ask [...]]]></description>
			<content:encoded><![CDATA[<p><em>Dear Infosecleaders:</em></p>
<p><em>I hate to bring up what seems to be the elephant in the room within information security and penetration testing in particular, but how exactly are people getting the gigs doing this.  Personally, I have tons of training, 15+ years experience in the realm, business experience to match and every time I ask this question, nobody seems to want to answer/discuss it.</em></p>
<p><em> It is a known fact that the big companies (IBM, the Big X, large telcos, etc) sell it as a service to existing companies but there are A LOT of two-three man pen testing teams that seem to stay busy constantly. I understand that people don&#8217;t want to give out their client attraction methods and strategy but I have yet to see this topic covered. There has to be a lot of others with the necessary experience asking the same thing.</em></p>
<p><em> Anyway, just can&#8217;t seem to tackle the elephant in the room. Nobody wants to cover it.  </em></p>
<p><em>Thanks guys and unique blog for the infosec community.</em></p>
<p><em>Signed,</em></p>
<p><em>The ZooKeeper</em></p>
<p>&nbsp;</p>
<p>Dear Zookeeper-</p>
<p>To be candid, I had to look at your question a number of times before I was able to formulate a response.  It is my interpretation that the crux of your question is, how do you begin your own information security consulting business – particularly in the field of penetration testing.  In addition, you would like to know why others are successful,  and why some (you) can’t seem to get off the ground.</p>
<p>First of all, I should start by telling you that all businesses are similar – and beginning a penetration testing consulting business is no different than starting any other services business – such as lawn care, pool service, or home painting.   When people decide to buy any service, they look for certain elements – experience, competency, price, and reliability.    Anyone who has been successful in beginning a small information security business has been able to personally demonstrate these qualities in their previous life, prior to forming their own company.  It is from this reputation and personal brand, that they are able to attract some of their initial customers, which provide them with experience and references, which they should be able to leverage into new business opportunities.</p>
<p>Another essential component of any business (and career) is the ability to sell and market one&#8217;s services and one&#8217;s self.   It is this skill that often separates the successful from the remainder of the pack.  Selling one&#8217;s talents and branding one&#8217;s skills in the marketplace is often overlooked in information security as the key factor in determining success.   Many information security professionals have focused their professional development on their technical skills, but at the same time they have neglected to develop their business/sales/presentation skills.</p>
<p>Long and short, there are many technical “rock stars” that have failed on their own as business people, but once partnered with competent business people, have achieved great things.</p>
<p>I have learned over the years that business is about surrounding yourself with great people who complement your strengths.  Maybe it would be best for you to find someone who can help “open some doors” and help sell your talents.  Or, maybe you need to reevaluate your assessment of your business skills, and try to honestly assess some of the obstacles that are standing in your way in getting your business off the ground.</p>
<p>Understand that it is easy to prove technical competency, but in the world of business, the proof of competency solely lies in the color of the ink &#8211; &#8220;red&#8221; or &#8220;black&#8221;.</p>
<p>In closing, our note does not mean to come across as harsh, but it is meant to be direct.</p>
<p>Hopefully some of this advice and insight helps, and your infosec consulting business will get off the ground soon.</p>
<p>Hope this helps,</p>
<p>Lee and Mike</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecleaders.com/2011/08/career-advice-tuesday-advice-for-starting-an-infosec-consultancy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Career Advice Tuesday- &#8220;Observations From Black Hat&#8221;</title>
		<link>http://www.infosecleaders.com/2011/08/career-advice-tuesday-observations-from-black-hat/</link>
		<comments>http://www.infosecleaders.com/2011/08/career-advice-tuesday-observations-from-black-hat/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 13:15:51 +0000</pubDate>
		<dc:creator>lee</dc:creator>
				<category><![CDATA[Behavior]]></category>
		<category><![CDATA[Career Advice Tuesday]]></category>
		<category><![CDATA[Planning]]></category>
		<category><![CDATA[Recruiting]]></category>
		<category><![CDATA[Security Industry]]></category>

		<guid isPermaLink="false">http://www.infosecleaders.com/?p=1619</guid>
		<description><![CDATA[Having just returned from Black Hat, we thought it would be good to utilize Career Advice Tuesday to provide our readers with some observations and what it means to you and your career as an information security professional. 1)   Our industry has a short memory Not too long ago, Mike and I were sitting together [...]]]></description>
			<content:encoded><![CDATA[<p>Having just returned from Black Hat, we thought it would be good to utilize Career Advice Tuesday to provide our readers with some observations and what it means to you and your career as an information security professional.</p>
<p><strong>1)   Our industry has a short memory</strong></p>
<p>Not too long ago, Mike and I were sitting together putting together the “Career Incident Response” Podcast series, because there were so many information security professionals who were getting outsourced, downsized, or laid off.   How quickly things have changed.   Prior to the conference, an <a title="0% Unemployment" href="http://www.govinfosecurity.com/articles.php?art_id=3833">article by Information Security Media Group</a> claimed 0% unemployment, and during the event the NSA announced it was going to use <a title="1500 hackers-NSA" href="http://www.businessinsider.com/us-government-looking-for-a-few-good-hackers-2011-8">DefCon as a job fair</a> in an attempt to hire 1500 information security professionals.    Walking the trade show floor, we saw that Amazon.com had dedicated their booth to recruiting members for their team, and many of the booths had signs that said “we are hiring”.</p>
<p>While we do not believe that there is 0% Infosec unemployment or that the audience at DefCon will have an easy time passing the NSA Background Check requirements, we do believe that the employment market is increasingly healthy.   During the conference itself, I (Lee) personally had meetings with over 15 new entities (corporations, service providers, product companies) who would like to attempt to engage LJ Kushner &amp; Associates&#8217; services to help them recruit information security talent.</p>
<p>It is my belief that all of the recent events have awakened many to the fact that information security needs to be an element of their business and that hiring the right talent is a great challenge.</p>
<p><strong>2)   We Don’t Have A Quantity Problem, We Have A Quality Problem</strong></p>
<p>Without question employers need to hire information security professionals.  It is also clear that by the attendance at both Black Hat and DefCon, there are plenty of folks who are either information security professionals or who have an interest in becoming information security professionals.  So, if that is the case, what is the issue – the hiring needs should be solved – but they are not.</p>
<p>What many do not understand is that there is a big difference between “people” and “talented people”, and there is bigger difference between a “job” and a “quality job”.</p>
<p>Information security professionals are operating under the misconception that just because they are in the field of infosec, that they are qualified for many of the positions that companies are looking to fill.  The fact is, that although many information security pros are more than qualified to perform their same job at a different company, they are not viewed as qualified for information security opportunities that can be viewed as a “step-up” and will advance their careers.   The main reason behind this is the lack of investment in their professional development beyond standard industry certifications.</p>
<p>On the flip side, two things are happening.   First, the positions that many companies are advertising for are viewed by many information security professionals as “dead end” jobs that on the surface do not provide the growth and career advancement opportunities that many are looking for.  Secondly, when companies are looking for more talented and experienced professionals, they are creating job descriptions that require complex skill combinations and experience requirements, without offering compensation packages that are consistent with their requests and reflect a “risk/recruitment” premium for the applicants that they are searching for.</p>
<p>Therefore their junior level roles go unfilled because no one wants them, and their senior level roles go unfilled because their skill requests lie outside their budget.</p>
<p>Something has to eventually give in this process – or the information security talent myth will continue to grow.</p>
<p><strong>3)   Outside Market Conditions and Industry Events Will Have An Effect on our Future</strong></p>
<p>While we were attending BlackHat, the United States extended our debt ceiling,  and then on Thursday, the stock market plummeted 500 points, which was followed on Monday with another 600 point decline.</p>
<p>Neither of us claims to know anything about the stock market, but there is no question that if the world slips back into a global recession, the information security industry is not going to be immune to its effects.  Now is the time for information security professionals to take a pro-active approach to ensuring that they do not become collateral damage if the economy begins to deteriorate.</p>
<p>The only sure way to insure your career is to continue to build your skills, stay current with technology, and demonstrate your value to your current employers.   Now that times are good, and we are in demand, it is time to take advantage of the situation, and use your current role as a platform to exhibit your skills, your impact and your knowledge.</p>
<p>If any of our readers have their own information security career observations from Black Hat, it would be great to hear from you.</p>
<p>Lee and Mike</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecleaders.com/2011/08/career-advice-tuesday-observations-from-black-hat/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Infosecleaders Professional Development Workshop Today at Black Hat</title>
		<link>http://www.infosecleaders.com/2011/08/infosecleaders-professional-development-workshop-today-at-black-hat/</link>
		<comments>http://www.infosecleaders.com/2011/08/infosecleaders-professional-development-workshop-today-at-black-hat/#comments</comments>
		<pubDate>Thu, 04 Aug 2011 16:05:54 +0000</pubDate>
		<dc:creator>lee</dc:creator>
				<category><![CDATA[Compensation]]></category>
		<category><![CDATA[Interviewing]]></category>
		<category><![CDATA[Position Selection]]></category>
		<category><![CDATA[Presentation]]></category>
		<category><![CDATA[Recruiting]]></category>
		<category><![CDATA[Security Industry]]></category>
		<category><![CDATA[Survey]]></category>

		<guid isPermaLink="false">http://www.infosecleaders.com/?p=1611</guid>
		<description><![CDATA[From my three days in Las Vegas, I am clear about one thing – there is an increasing demand for quality information security professionals and companies are having a very difficult time attracting Information Security professional to their teams. On the surface, that should be great news.  However, with choices come decisions.    With decisions come [...]]]></description>
			<content:encoded><![CDATA[<p>From my three days in Las Vegas, I am clear about one thing – there is an increasing demand for quality information security professionals and companies are having a very difficult time attracting Information Security professional to their teams.</p>
<p>On the surface, that should be great news.  However, with choices come decisions.    With decisions come mistakes.   It is our goal at Infosecleaders, to provide you with information and frameworks, to minimize your risks, and maximize your rewards!</p>
<p>Thanks to Jeff, Ping, and the folks  at Black Hat, today we have a platform to do this.</p>
<p>This afternoon, at the Black Hat Briefings in the Florentine Room – Mike and I are going to share our collected data on InfoSec Certifications (The Value of Cert Survey), help you beat out your competition for the “Good Jobs” (Second Place Sucks), provide you with a road map for developing your “future skills” (Infosec Leader of the Future), shed insight into the real world of hiring, recruiting, and interviewing (The Other Side of The Desk), and provide an open forum for you to ask your Information Security Career Questions (Career Advice Tuesday – Live – in Vegas, it is always someone’s Tuesday).</p>
<p><strong>Schedule- Florentine Room<br />
</strong></p>
<p>1:45 – 3PM – Value of Certification Results &amp; Second Place Sucks</p>
<p>3:15 – 4:45PM – InfoSec Leader of the Future &amp; Other Side of the Desk</p>
<p>4:45 – 6PM – Career Advice Tuesday Live  and Predictions for the Future</p>
<p>We hope that if you are attending Black Hat, you choose to spend some of your afternoon with us, and take something away from the conference that you can apply to your professional growth and career development.</p>
<p>Look forward to seeing you,</p>
<p>Lee and Mike</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecleaders.com/2011/08/infosecleaders-professional-development-workshop-today-at-black-hat/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Career Advice Tuesday &#8211; &#8220;Should More Work Mean More Pay?&#8221;</title>
		<link>http://www.infosecleaders.com/2011/08/career-advice-tuesday-should-more-work-mean-more-pay/</link>
		<comments>http://www.infosecleaders.com/2011/08/career-advice-tuesday-should-more-work-mean-more-pay/#comments</comments>
		<pubDate>Tue, 02 Aug 2011 13:28:14 +0000</pubDate>
		<dc:creator>lee</dc:creator>
				<category><![CDATA[Advice]]></category>
		<category><![CDATA[Career Advice Tuesday]]></category>
		<category><![CDATA[Compensation]]></category>
		<category><![CDATA[Personal]]></category>
		<category><![CDATA[Security Industry]]></category>
		<category><![CDATA[Skills]]></category>

		<guid isPermaLink="false">http://www.infosecleaders.com/?p=1607</guid>
		<description><![CDATA[Dear Infosecleaders: The other day I learned that my information security program will be going through a reorganization.  The good news is that as a result, I am receiving increased responsibility, visibility and exposure.  The bad news is that I am getting more work, more headaches, and I am not receiving any additional compensation.    Needless [...]]]></description>
			<content:encoded><![CDATA[<p><em>Dear Infosecleaders:</em></p>
<p><em>The other day I learned that my information security program will be going through a reorganization. </em></p>
<p><em>The good news is that as a result, I am receiving increased responsibility, visibility and exposure.  The bad news is that I am getting more work, more headaches, and I am not receiving any additional compensation.   </em></p>
<p><em>Needless to say, I am angry.</em></p>
<p><em>I really like my employer, but I consistently fight battles with management and human resources about my compensation.   Last year I received an “over market” increase (according to HR), which from my perspective was underwhelming, and did not reflect my contributions.    When I brought them “data” about compensation, they dismissed it.</em></p>
<p><em>Here I am again.  The pattern is repeating itself.   I am planning on putting my thoughts down in writing, in a very direct letter to both my management and human resources, documenting and reflecting my feelings.</em></p>
<p><em>Do you approve of this approach?</em></p>
<p><em>Sincerely, </em></p>
<p><em>“Caesar Chavez”</em></p>
<p>&nbsp;</p>
<p>Dear Caesar:</p>
<p>Before you decide to put your thoughts down in paper or in an e-mail, you need to ask yourself, “How good of a writer am I?”  By writing a note, your thoughts are going to be contained forever, and can always be referenced.  If your note takes an angry tone,  it can be viewed as a line in the sand to your current manager and employer, and it can force an action – which may or may not be worth the risk.</p>
<p>Personally, I believe that you should express your opinions verbally, in a meeting setting with both your manager and human resources present.  I think that you should set the tone of the meeting, by first letting them know that you appreciate their recognition of your contributions, by providing you with additional responsibility.</p>
<p>Once this point is conveyed, you should let them know that your expectation would be that once you prove yourself in this new capacity, you will be compensated commensurate with others across the organization who hold the same titles and responsibility.   During this meeting, you should ask your manager to establish specific metrics on how your performance will be evaluated.  In front of HR, you should ask for a follow up meeting so that these can be reviewed, and set up a timetable for an initial review (6 months may be ample time).  In these 6 months, you should work your butt off, to overachieve, to show them that they made the correct choice in giving you this opportunity.</p>
<p>By handling it this way, you are demonstrating maturity in your approach.  It is a common mistake for people to ask for money once given an “opportunity”, but the fact is that the extra money is earned once you prove that you can perform at this newly elevated level.</p>
<p>When the review cycle comes around, one of two things will happen – you will either be happy with your new position and increase, or you will be polishing off your resume, looking for an employer that appreciates your experience and newly learned skills.</p>
<p>Hope this helps,</p>
<p>Lee and Mike</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecleaders.com/2011/08/career-advice-tuesday-should-more-work-mean-more-pay/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

