Career Advice Tuesday – “Fork In The Road”
August 30, 2011
Due to the hurricane, we are publishing the Career Advice Tuesday that we wrote for Tech Target and our monthly advice column. Below you will find the unedited version of our column.
Dear InfoSec Leaders:
I am writing to you with the hope of getting some career advice. I am a consultant for one of the leading security vendors’ GRC products. I help customers set up their compliance programs with the product as the backbone. It’s been about 4 years of doing this and I now feel it’s time for a change. My career goal is to become a CISO someday, and I want to work towards that. I have two very different job opportunities and would like your thoughts as to which one aligns well with my goals.
One is that of a Product Manager with the same vendor for the same product. The position will give me immense exposure to senior security management folks across customers. It will also help me gain an understanding of their GRC efforts and pain points. The other position is that of a Security Architect with a large retailer. This team has been recently formed in the organization and is doing some exciting stuff. This position could possibly give me exposure across different security areas beyond GRC. Both these positions have pros and cons; for example, I’m not sure if staying with a vendor is a good career move or if the other side of the table is a better option.
As you can tell, I have a lot of questions and very few convincing answers. I’m not sure if I should specialize in the GRC space (via the vendor) or gain exposure to have a holistic view of security.
I’d appreciate any words of wisdom you can send my way.
Signed,
“Fork in the Road”
Dear Fork:
Please understand that before we start, the advice that we are giving is based exclusively on the information that you have provided to us in your note, and that we do not have any additional background.
Based on your career goal to become a CISO, we believe that it would be best for you to leave the product arena and accept the job as an Information Security Architect on the recently formed team at the large retailer. Our answer is based on the following reasons, which coincide with your long term career goal.
1) The group is newly formed
When someone tells us this, the first thing that comes to my mind is opportunity. Newly formed information security functions generally provide information security professionals with opportunities to leverage their current areas of expertise (in your case GRC) to develop broader skills in other areas. The biggest mistake that many infosec pros make when entering an organization in this state is to limit their contributions to their “job description”. An opportunity like the one that you described should provide you with the framework to push yourself to develop new areas of expertise, as opposed to limiting yourself to the world of GRC.
2) Retail experience should be valuable in the future
Due to the importance of PCI, many retailers and e-tailers are placing increased emphasis and dedicating additional resources toward information security programs. Currently, many retailers are not making past “retail” experience a job requirement; however, this will most likely change in the next few years. Having this industry knowledge as part of your skill matrix could become a differentiating factor when looking at the next step in your career.
3) Product Management is not a requirement to become a CISO
There is no doubt that working as a Product Manager will help you develop skills that could be advantageous as a CISO – including customer skills, presentation skills, sales skills, market knowledge, and subject matter expertise. However, when making a transition toward a CISO career path, you will encounter people in the hiring process who will have built-in prejudices against hiring candidates who come from the “Product/Vendor” side at a high entry point. For you to make this direct transition, you are going to have to find yourself a forward thinking CISO who will value this experience, and believe that the skills as a Product Manager will directly translate to their environment. Our belief is that if you remain as a Product Manager, you will eventually have to make the transition toward an internal infosec role (in your case – architect) at some point in time, so why delay? You have the opportunity in front of you; now is the time to determine if transitioning to a corporate information security function is right for you.
Again, our advice is based exclusively on the information that you have provided in your note, and on generalities.
If you would like to contact us directly via phone to discuss your particular circumstances we welcome you to do so.
Good luck in making your decision.
Lee and Mike
Posted by lee | Filed Under Advice, Career Advice Tuesday, Planning, Position Selection, Security Industry, Skills, Uncategorized
Career Advice Tuesday – “Advice For Starting An Infosec Consultancy”
August 16, 2011
Dear Infosecleaders:
I hate to bring up what seems to be the elephant in the room within information security and penetration testing in particular, but how exactly are people getting the gigs doing this? Personally, I have tons of training, 15+ years experience in the realm, business experience to match, and every time I ask this question, nobody seems to want to answer/discuss it.
It is a known fact that the big companies (IBM, the Big X, large telcos, etc.) sell it as a service to existing companies, but there are A LOT of two-three man pen testing teams that seem to stay busy constantly. I understand that people don’t want to give out their client attraction methods and strategy, but I have yet to see this topic covered. There have to be a lot of others with the necessary experience asking the same thing.
Anyway, just can’t seem to tackle the elephant in the room. Nobody wants to cover it.
Thanks, guys, and thanks for a unique blog for the infosec community.
Signed,
The ZooKeeper
Dear Zookeeper:
To be candid, I had to look at your question a number of times before I was able to formulate a response. It is my interpretation that the crux of your question is, how do you begin your own information security consulting business – particularly in the field of penetration testing. In addition, you would like to know why others are successful, and why some (you) can’t seem to get off the ground.
First of all, I should start by telling you that all businesses are similar – and beginning a penetration testing consulting business is no different than starting any other services business, such as lawn care, pool service, or home painting. When people decide to buy any service, they look for certain elements – experience, competency, price, and reliability. Anyone who has been successful in beginning a small information security business has been able to personally demonstrate these qualities in their previous life, prior to forming their own company. It is from this reputation and personal brand that they are able to attract some of their initial customers, which provide them with experience and references, which they should be able to leverage into new business opportunities.
Another essential component of any business (and career) is the ability to sell and market one’s services and oneself. It is this skill that often separates the successful from the remainder of the pack. Selling one’s talents and branding one’s skills in the information security marketplace is often overlooked as the key factor in determining success. Many information security professionals have focused their professional development on their technical skills, but at the same time they have neglected to develop their business/sales/presentation skills.
Long and short, there are many technical “rock stars” that have failed on their own as business people, but once partnered with competent business people, have achieved great things.
I have learned over the years that business is about surrounding yourself with great people who complement your strengths. Maybe it would be best for you to find someone who can help “open some doors” and help sell your talents. Or, maybe you need to reevaluate your assessment of your business skills, and try to honestly assess some of the obstacles that are standing in your way in getting your business off the ground.
Understand that it is easy to prove technical competency, but in the world of business, the proof of competency solely lies in the color of the ink – “red” or “black”.
In closing, our note does not mean to come across as harsh, but it is meant to be direct.
Hopefully some of this advice and insight helps, and your infosec consulting business will get off the ground soon.
Hope this helps,
Lee and Mike
Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Security Industry, Skills, Uncategorized
Career Advice Tuesday- “Observations From Black Hat”
August 9, 2011
Having just returned from Black Hat, we thought it would be good to utilize Career Advice Tuesday to provide our readers with some observations and what it means to you and your career as an information security professional.
1) Our industry has a short memory
Not too long ago, Mike and I were sitting together putting together the “Career Incident Response” Podcast series, because there were so many information security professionals who were getting outsourced, downsized, or laid off. How quickly things have changed. Prior to the conference, an article by Information Security Media Group claimed 0% unemployment, and during the event the NSA announced it was going to use DefCon as a job fair in an attempt to hire 1500 information security professionals. On the trade show floor, Amazon.com dedicated their booth to recruiting members for their team, and many of the booths had signs that said “we are hiring”.
While we do not believe that there is 0% Infosec unemployment or that the audience at DefCon will have an easy time passing the NSA Background Check requirements, we do believe that the employment market is increasingly healthy. During the conference itself, I (Lee) personally had meetings with over 15 new entities (corporations, service providers, product companies) who would like to attempt to engage LJ Kushner & Associates’ services to help them recruit information security talent.
It is my belief that all of the recent events have awakened many to the fact that information security needs to be an element of their business and that hiring the right talent is a great challenge.
2) We Don’t Have A Quantity Problem, We Have A Quality Problem
Without question, employers need to hire information security professionals. It is also clear from the attendance at both Black Hat and DefCon that there are plenty of folks who are either information security professionals or who have an interest in becoming information security professionals. So, if that is the case, what is the issue – the hiring needs should be solved – but they are not.
What many do not understand is that there is a big difference between “people” and “talented people”, and there is a bigger difference between a “job” and a “quality job”.
Information security professionals are operating under the misconception that just because they are in the field of infosec, they are qualified for many of the positions that companies are looking to fill. The fact is that although many information security pros are more than qualified to perform their same job at a different company, they are not viewed as qualified for information security opportunities that can be viewed as a “step-up” and will advance their careers. The main reason behind this is the lack of investment in their professional development beyond standard industry certifications.
On the flip side, two things are happening. First, the positions that many companies are advertising for are viewed by many information security professionals as “dead end” jobs that on the surface do not provide the growth and career advancement opportunities that many are looking for. Secondly, when companies are looking for more talented and experienced professionals, they are creating job descriptions that require complex skill combinations and experience requirements, without offering compensation packages that are consistent with their requests and reflect a “risk/recruitment” premium for the applicants that they are searching for.
Therefore their junior level roles go unfilled because no one wants them, and their senior level roles go unfilled because their skill requests lie outside their budget.
Something has to eventually give in this process – or the information security talent myth will continue to grow.
3) Outside Market Conditions and Industry Events Will Have An Effect on our Future
While we were attending BlackHat, the United States extended its debt ceiling, and then on Thursday the stock market plummeted 500 points, which was followed on Monday with another 600 point decline.
Neither of us claims to know anything about the stock market, but there is no question that if the world slips back into a global recession, the information security industry is not going to be immune to its effects. Now is the time for information security professionals to take a pro-active approach to ensuring that they do not become collateral damage if the economy begins to deteriorate.
The only sure way to insure your career is to continue to build your skills, stay current with technology, and demonstrate your value to your current employers. Now that times are good and we are in demand, it is time to take advantage of the situation, and use your current role as a platform to exhibit your skills, your impact and your knowledge.
If any of our readers have their own information security career observations from Black Hat, it would be great to hear from you.
Lee and Mike
Posted by lee | Filed Under Behavior, Career Advice Tuesday, Planning, Recruiting, Security Industry
Infosecleaders Professional Development Workshop Today at Black Hat
August 4, 2011
From my three days in Las Vegas, I am clear about one thing – there is an increasing demand for quality information security professionals, and companies are having a very difficult time attracting information security professionals to their teams.
On the surface, that should be great news. However, with choices come decisions. With decisions come mistakes. It is our goal at Infosecleaders, to provide you with information and frameworks, to minimize your risks, and maximize your rewards!
Thanks to Jeff, Ping, and the folks at Black Hat, today we have a platform to do this.
This afternoon, at the Black Hat Briefings in the Florentine Room, Mike and I are going to share our collected data on InfoSec Certifications (The Value of Cert Survey), help you beat out your competition for the “Good Jobs” (Second Place Sucks), provide you with a road map for developing your “future skills” (Infosec Leader of the Future), shed insight into the real world of hiring, recruiting, and interviewing (The Other Side of The Desk), and provide an open forum for you to ask your Information Security Career Questions (Career Advice Tuesday – Live; in Vegas, it is always someone’s Tuesday).
Schedule- Florentine Room
1:45 – 3PM – Value of Certification Results & Second Place Sucks
3:15 – 4:45PM – InfoSec Leader of the Future & Other Side of the Desk
4:45 – 6PM – Career Advice Tuesday Live and Predictions for the Future
We hope that if you are attending Black Hat, you choose to spend some of your afternoon with us, and take something away from the conference that you can apply to your professional growth and career development.
Look forward to seeing you,
Lee and Mike
Posted by lee | Filed Under Compensation, Interviewing, Position Selection, Presentation, Recruiting, Security Industry, Survey
Career Advice Tuesday – “Should More Work Mean More Pay?”
August 2, 2011
Dear Infosecleaders:
The other day I learned that my information security program will be going through a reorganization.
The good news is that as a result, I am receiving increased responsibility, visibility and exposure. The bad news is that I am getting more work, more headaches, and I am not receiving any additional compensation.
Needless to say, I am angry.
I really like my employer, but I consistently fight battles with management and human resources about my compensation. Last year I received an “over market” increase (according to HR), which from my perspective was underwhelming, and did not reflect my contributions. When I brought them “data” about compensation, they dismissed it.
Here I am again. The pattern is repeating itself. I am planning on putting my thoughts down in writing, in a very direct letter to both my management and human resources, documenting and reflecting my feelings.
Do you approve of this approach?
Sincerely,
“Caesar Chavez”
Dear Caesar:
Before you decide to put your thoughts down on paper or in an e-mail, you need to ask yourself, “How good of a writer am I?” By writing a note, your thoughts are going to be contained forever, and can always be referenced. If your note takes an angry tone, it can be viewed as a line in the sand to your current manager and employer, and it can force an action – which may or may not be worth the risk.
Personally, I believe that you should express your opinions verbally, in a meeting setting with both your manager and human resources present. I think that you should set the tone of the meeting, by first letting them know that you appreciate their recognition of your contributions, by providing you with additional responsibility.
Once this point is conveyed, you should let them know that your expectation would be that once you prove yourself in this new capacity, you be compensated commensurate with others across the organization who hold the same titles and responsibility. During this meeting, you should ask your manager to establish specific metrics on how your performance will be evaluated. In front of HR, you should ask for a follow up meeting so that these can be reviewed, and set up a timetable for an initial review (6 months may be ample time). In these 6 months, you should work your butt off, to overachieve, to show them that they made the correct choice in giving you this opportunity.
By handling it this way, you are demonstrating maturity in your approach. It is a common mistake for people to ask for money once given an “opportunity”, but the fact is that the extra money is earned once you prove that you can perform at this newly elevated level.
When the review cycle comes around, one of two things will happen – you will either be happy with your new position and increase, or you will be polishing off your resume, looking for an employer that appreciates your experience and newly learned skills.
Hope this helps,
Lee and Mike
Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Personal, Security Industry, Skills
“Value of InfoSec Certification Survey” – Results Preview Featured in Dark Reading
July 28, 2011
Last year at RSA, we launched the “Value of Info Sec Certification” Survey.
A preview of the results is featured in today’s issue of Dark Reading, in an article by Kelly Jackson Higgins.
On Thursday, August 4th, at 1:45 PM PST, as the first part of our Professional Development Workshop at Black Hat, we are going to announce the full results.
We were very happy to receive 1349 respondents to the survey, and from reviewing the background of the respondents we find it to be a very good sampling of the Information Security industry:
2/3 of the respondents have worked in information security for more than 6 years
25% of the respondents have worked in the industry for more than 12 years
1000 of our respondents either hold or have held an information security certification (Yes, exactly 1000)
699 of the respondents hold or have held the CISSP (667 current/ 32 no longer)
50% of the respondents earn 100K or more
35% have a long term career goal of becoming a CISO or CSO, an additional 10% aspire to be a CTO or CIO – (Competition should remain fierce for these roles!)
25% of the respondents said that they had a Written Career Plan – (which means that we are making progress)
These results are just the tip of the iceberg – you will have to come to our session at Black Hat if you want the full release. If you are not in attendance at the conference and would like a copy of the results after the conference, you can sign up at Infosecleaders – Research – shortly after the release.
A special thanks to all of those who participated. Thanks for making this a great success. Stay tuned for our next industry survey!
Regards,
Lee and Mike
Posted by lee | Filed Under Behavior, Planning, Resume, Security Industry, Skills, Survey
Career Advice Tuesday – “Black Hat Preview – Professional Development Workshop”
July 26, 2011
For today’s Career Advice Tuesday, we wanted to share a more detailed look at our Black Hat Professional Development workshop. The workshop will take place on Thursday afternoon, from 1:45 – 6:00PM. Anyone in attendance can come to any individual session or stay for the whole program.
If you are at Black Hat, please come by and introduce yourselves.
InfoSec 2001 – A Career Odyssey
The Professional Development workshop is a half-day program that is designed to inspire the Black Hat attendee to think about their career as an information security professional and assist them in their journey towards the achievement of their long term career goals.
The Professional Development workshop will be divided into five (5) unique information security career topics that will be linked by a common theme – Skill Development and Differentiation.
The program will consist of the following:
1) “The Value of Information Security Certifications Survey” – Research Revealed – 1350 information security professionals responded to an independent survey on the topic – the research will be revealed
2) “Second Place Sucks” – A presentation geared toward differentiating yourself from your peers (and your competition)
3) “The Information Security Leader of The Future” – a presentation that will outline the skills that employers are looking for when identifying and selecting their information security leaders.
4) “The Other Side of The Desk” – a panel that will explore the different attitudes and beliefs by job applicant and employer during the interview process
5) “Future Predictions” and “Career Advice Tuesday- Live” – Future trends will be discussed and explored – and attendees will have the opportunity to ask questions about infosec related career topics
The workshop is designed as an interactive forum that should inspire some shared thought and debate between audience members and the presenters.
Attendees should understand that they can elect to either participate in the entire workshop, or to pick and choose from select sessions that have a particular interest to them.
Session Previews:
Session 1 – 1:45 – 3:00
“The Value of Information Security Certifications Survey”
Presenters – Mike Murray and Lee Kushner – Infosecleaders.com
In February of 2011, Infosecleaders.com launched an independent survey on the value of information security certifications. The value of InfoSec certifications is a highly debated topic in the industry, and this is the first independent survey that asks information security professionals (certified or not) their opinions on topics that include the motivations for certifications, the impression of the certification bodies, the value of skills vs. certifications, and certifications’ effect on employment. With over 1350 respondents, the results should be revealing and eye-opening.
“Second Place Sucks”
Presenter – Mike Murray
So, if certifications are no longer the magic bullet to get you to your career goals, then what is? The topic of strategic career investments and personal branding will be the focus of this presentation. The presentation will focus on how you can plan and execute on career investment strategies that will enable you to differentiate yourself from your peers and successfully compete for promotions and external information security leadership opportunities.
(15 minute break)
Session 2 – 3:15 – 4:45PM
3:15 – 3:45PM
“The Information Security Leader of the Future” –
Presenter – Lee Kushner
The skills for information security leaders are changing quite rapidly. As many companies are aligning information security with their core business and branding, information security professionals will need to evolve as well. The presentation will break down the core skill components that information security professionals will need to acquire and demonstrate to be considered for leadership roles in the future.
3:45PM – 4:45PM
The Other Side of the Desk – Different Perspectives on the Interview Process
Moderator – Mike Murray
Candidate Perspective – Lee Kushner
Hiring Manager’s Perspective –
Bill Phelps, Executive Director, Accenture
Justin Somaini, CISO at Yahoo!
Abstract:
There are two parties involved in every interview process, the information security professional (the applicant) and the hiring manager (the decision maker). While in essence, both parties ultimately desire the same outcome, their motivations lie in different places. This portion of the presentation will present to the audience the perspective of the candidate and the perspective of the hiring manager, in a way that will educate both parties and enable them to social engineer the interview process, to work to their personal advantage.
Bill Phelps:
Bill Phelps is an Executive Director in Accenture’s security practice, and has spent the past 25 years in technology services. In the past decade, Bill has been a practice leader, company founder, board member and trusted advisor helping organizations with complex management and technology challenges in the areas of information security, data center transformation and technology strategy. Bill currently has overall responsibility for Accenture’s security business in North America. Bill is aggressively growing Accenture’s security team, and plans to hire over 200 security professionals in the coming year.
Justin Somaini:
Justin Somaini is the Chief Information Security Officer at Yahoo!, where he’s responsible for all aspects of Yahoo!’s Information Security strategy. With over 15 years of Information Security experience, he’s seen as a leader in the industry by promoting an evolution of the security and risk management models. Through his public speaking and industry involvement he’s given extensive talks and interviews on the threat landscape, public policy, security management and risk management. Prior to joining Yahoo!, Justin was the CISO at Symantec. Justin has also held security leadership roles at VeriSign, Charles Schwab and PricewaterhouseCoopers LLP.
4:45 – 6:00PM
Predictions for the Future and Career Advice Tuesday – “Live”
Presenters – Lee Kushner and Mike Murray
The employment market is dramatically changing – and the closing session will begin with information security employment predictions (based on experience and research) for the next ten years. Once completed, this will be followed by a version of “Career Advice Tuesday” – “Live”. All attendees can have their personal information security career questions answered in an open forum. Topics will include skill development, compensation negotiation, career investments, career planning, and anything else you want to ask about your Information Security Career.
Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Branding, Career Advice Tuesday, Compensation, Interviewing, Networking, Planning, Position Selection, Presentation, Recruiting, Resume, Security Industry, Skills, Survey, Uncategorized
Career Advice Tuesday – A Conference First Timer’s Guide (Part I)
July 12, 2011
Dear Infosecleaders,
I had a quick question. Blackhat and Defcon are coming up and I get to go for the first time. Do you have any advice on what I can do to get the most out of my conference experience?
Conference Rookie
Dear Rookie,
It’s definitely conference time for much of the information security industry. Recon was last weekend, the big Blackhat / Defcon / BSidesLV triumvirate is coming up, and there are a bunch more coming up in August and September that are worth going to as well. And we’re really glad you asked this one, as it’s definitely something that far too few people actually think about: most people just show up at the conference, follow along with the good time that they’re having, and come away with whatever stories they come away with.
That hasn’t ever been our approach to conferences. As two guys who run their own businesses, we can’t afford to just show up – conferences like Blackhat are where we do a lot of business, and making sure that we have a productive time is what allows us to succeed.
But that’s not just a business thing – we did that before we were running our own companies as well. To that end, we have three main tips to succeeding at conferences – and this post is going to be long enough that we’re going to spread it over two Tuesdays.
Tip #1 – Have a Plan
What far too few people do before they leave for a conference is to have a plan. They may know that they want to see a particular talk or go to a particular party, but far too few people that I’ve met go in to the conference with a legitimate plan.
You should approach every conference that you attend like a sales person – know what you want to get out of the conference. Sometimes, that’s information – you want to learn about a particular topic from a speaker or a trainer.
But most often, there’s something you want currently in your career: to move in a different direction, to get a new job, to move up the ladder at your current job, etc. And there is almost always something going on or someone there who can help you out with that. But it requires that you actually sit down and figure out who / what that thing is and how you can get involved with them.
Networking expert Keith Ferrazzi said it best: “[G]et focused. Take time weeks before the conference to think through and write down why you are attending. What do you want to achieve? Who do you want to meet? The more clearly you articulate what you want and need from the conference, the more likely you can plan and execute your mission.”
This week, you should be sitting down and figuring out what your goal for your first time at each of these conferences is. Who do you want to meet? What experiences do you want to have? What talks do you want to see?
I promise, the conferences will be much more fun when you know in advance what you want to do.
As an aside, there’s something that you definitely should be doing on Thursday afternoon at Blackhat: We (and some special guest friends) are doing a full afternoon workshop on getting the most out of your information security career. It’s going to be full of all of our latest research (and the results of our 2011 Value of Certifications Survey) and some really great advice. As well as an opportunity to ask us questions live. Make sure that’s on your plan.
Once you have a plan, stay tuned for part II next week.
Lee & Mike
Posted by mmurray | Filed Under Career Advice Tuesday, Planning, Security Industry
Career Advice Tuesday – “Potential Whistleblower”
July 5, 2011
Dear Infosecleaders:
My company has recently hired a Chief Information Security Officer, and I have some big concerns about their competence and their ethics.
I was a part of the interview committee that interviewed them, and I did not believe that they had the knowledge of current issues that are facing our company to be an effective information security leader. In addition, I am a member of some closed on-line communities, where there have been postings about the individual’s ethics, including items like falsifying information, taking kickbacks from vendors, and other claims that question his worthiness of being considered an information security professional, let alone a Chief Information Security Officer.
Any advice?
Sincerely,
“Jeffrey Wigand”
(The question, of course, is anonymous. Anyone get the reference?)
Dear Jeffrey:
The advice I am going to give you may be a bit unpopular, but my advice is to do nothing, wait it out, but have a contingency plan. In cases like this, if the allegations are correct, it will not be that long before your new CISO shows their true colors and incompetence. However, you may find it impossible to support their actions and follow their lead, and in that case you need to protect yourself and begin exploring your external options.
I also want to let you know that you currently do not have a shred of concrete evidence that your allegations of wrongdoing and poor ethics are accurate – just other people’s opinions. The only thing concrete you have is your appraisal and evaluation of their performance during your time together in their interview.
One thing that I will bring to light is the fact that your company ignored your feedback in the candidate interview process, which is something that you may want to think more deeply about.
Here is a series of questions that I would like for you to answer on your own:
First I will ask: “How many candidates did you have the opportunity to interview?”
If the answer is “More than one,” the next question that I would ask is: how many of the candidates did you like?
If the answer is “You liked others better,” then you should begin to think about the skills that your company values in their leaders and in their information security professionals. When you have thought that through, you should think about your skills, and how they align. If there is a disconnect, then I think you should begin to polish your resume and look for external opportunities. It does not seem that you will see eye to eye with your new manager/boss, so you may want to get out before you are placed in any awkward situations.
If the answer to the question is “You did not like any of the candidates,” I would have to ask you if you felt that you should have been considered for the CISO job. If this is the case, your employers may have fully dismissed all of your feedback as “sour grapes”. If you feel that you should have been considered, you may need to take an honest look at your skills, and try to assess where your deficiencies are in accomplishing this step in your career. In any case, by ignoring your feedback and not considering you for the job, your employer has sent a clear signal that you are not in their future leadership plans. Again, I would polish up the resume and take a proactive approach.
If word gets out that you did not endorse your new boss, and their character is as advertised, you do not have a long future at your employer.
If you do wish to stay, your real hope is that the new CISO gets fired before he can get rid of you.
I will close by saying that I am making a great deal of assumptions. This is a tricky situation, and unfortunately we rarely get a chance to pick our managers – this is one of the hazards of working as an information security professional in “Corporate America.”
Good luck,
Lee and Mike
Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Recruiting, Security Industry | Comments Off
Career Advice Tuesday – “InfoSec Pro Seeks Long Term Deal”
June 14, 2011
Dear Infosecleaders:
Currently I work as an Application Security Consultant where I have been engaged on a long term contract with a Fortune 1000 company. The current engagement that I am working on came about as a result of being laid off from a professional services firm during 2009. I have approached the current client about becoming a full time employee, and they just do not have the ability to bring on a full time employee due to mandates that extend beyond information security and are dictated by the business at large.
Recently I was approached through a friend about an opportunity to become a Senior Application Security Engineer for a “Web 2.0” company. There is no doubt that the work would be exciting and I would learn a great deal, and on the surface the company seems like it is on good footing. However, due to my past experiences I am not sure.
My current situation is a good one – I am paid well (more than the full time opportunity), I know that there is plenty of work for me, however there is not any real “career” opportunity because I am a consultant (and they will not make me an employee). I think that for this reason, I would like to take the job with the “Web 2.0” company, but there is a voice inside of my head telling me that I should try to protect myself.
I am thinking about asking for a “2 year contract” in order to accept the role. Is this possible? If so, how should I ask the employer for this addition to the offer?
Regards,
LeBron
Dear LeBron:
Unfortunately for you, the rules that apply to highly talented all-star basketball players do not translate to highly skilled information security professionals. The idea of a company extending a “2 year contract” to a senior engineer would be a new one for me.
To provide you with a point of reference, in 15 years of recruiting information security professionals, I have never been a party to a search assignment that contained an employment contract like the one that you are requesting. In fact, the longest severance package I have ever seen an employer offer was one year, and that was offered to a CISO who was relocating his family to an area that he was unsure of moving to.
I am not sure that this will make you feel better, but in essence we are all free agents, and employees “at will.” As members of today’s information security work force, the development, maintenance, and constant enhancement of our skills serve as the fabric of our personal employment “contracts”.
Getting back to your current situation, I do think that you should do some due diligence on your new employer and the role that you are considering. I think that you should make sure, for your own sanity, that you do two things prior to accepting the role:
1) Make sure that you are comfortable with the career path that they have outlined for the position. The reason I say this, is that if you do not think that the career path will help you grow your skills and prepare for the future, then stick with the contracting role – since the career path would be the main reason for leaving the world of contracting.
2) Make sure that you will excel at your new job. Plain and simple, you are going to want to come in and make an impact – not struggle. You want to make sure that you can exceed expectations and shine –not just be average. Just being average will make you “another employee”, and in that case your career acceleration chances decrease.
Again, career acceleration and progression should be key; you want to make sure that you feel confident that these elements of your new role exist, and that you can maximize them when they avail themselves to you.
Hope this helps,
Lee and Mike
Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Position Selection, Recruiting, Security Industry | 1 Comment