October 23, 2012
I write to you seeking career advice. I graduated from college in 2005 with a B.S. in Computer Science (programming). I was unable to timely find a job in my field of studies, so I accepted an offer to become an IT Auditor. I’ve been an IT Auditor ever since in two different business environments (banking and government).
Because of my background in programming, I absolutely enjoy undertaking tasks that are related to business analytics, data mining, re-performance, etc. However, my current line of work does not require or provide for that. In addition, I have become greatly interested in security, but while I feel that I am very capable of learning effectively and efficiently, I do not have a strong foundation on networks.
In order to push myself to strive for more, I have looked at the option of becoming CISSP certified. However, I am not sure if the SSCP would be a better choice for me based on my knowledge level.
I am currently CISA certified and know that having another, more technical certification, will better position me in my job or others.
What would you suggest? Thanks in advance for your help.
Programming My Future
The best suggestion that I have for you is not to pursue any certifications for the sake of positioning yourself in your current role or others. The certification alone will not help you; finding an environment where your skills are valued for their unique combination is the best way to further your career.
To begin with, you have a degree in Computer Science and a background in programming. Next, you have 5-7 years of real-world experience in IT Audit and you are a CISA. On top of that, you have an interest in security, and you have a history of gravitating to more technical projects.
The combination of these skills and your interests is unique. Your skills have a great deal of value to an organization that realizes how to utilize them and leverage them for its benefit.
Recently we have been engaged in a number of searches that are looking to find technical information security professionals to work in IT Audit environments. The primary reason for this is that corporations are recognizing that it is critical for these two business functions to understand each other, and the key to this is to either have audit minded security professionals or technically and security astute IT Auditors.
This being said, it is good that you recognize that your lack of networking experience is a shortcoming and a potential skill gap. My feeling would be for you to find a way to work on developing this skill and knowledge. This could begin by reading some books on the topic, taking some vendor based training, and maybe eventually getting a certification that demonstrates and reinforces this knowledge.
If successful, this may be a 2-3 year undertaking. If you begin down this road and it “does not take”, then I would suggest you refocus your energies on the enhancement of your strengths – and maybe learn some new programming languages, application security, code review, or other related skills.
If you are interested in learning about some of these blended opportunities, do not hesitate to contact us at LJ Kushner (firstname.lastname@example.org). If you do so, in your e-mail please mention – Career Advice Tuesday!
Hope this helps,
September 12, 2012
Currently I am at the end of a job search. The interviews have gone great, I really like the company, and I am on the verge of becoming a CISO for the first time in my career. For about 95% of the process, I have been on “Cloud Nine”.
Unfortunately, my process may have hit a snag, and I really need your advice to potentially avert a catastrophe.
On the company’s application they asked me to list my current professional certifications. I listed my CISSP and my CISA, which I know are current, but I also listed a couple of technical information security certifications that I received earlier in my career. My assumption was that these certifications were current.
I received a call the other day from the background check company asking me to provide some proof of these certifications. I did some checking, and I do have the actual certificates; however, during my discovery I learned that these certifications have definitely expired.
Here is my issue; technically, I have misrepresented myself on the background check form, which I know speaks to my credibility. At the same time, these certifications are not even applicable to my hiring or the qualifications that this information security leadership role requires.
Do you have any advice on how I should handle this situation, to preserve this opportunity? On one hand I want to come clean and let them know of my oversight, on the other hand, since these certs are secondary, they may not even be verifiable, which would mean I would draw attention to something that will be irrelevant.
If you could let me know, that would be great.
My advice is simple but it is two-fold. It will be short but sweet.
First of all, “tell the truth”. What you need to do is to be in front of the story and to let them know that you made a mistake, and you want to bring it to their attention. You can let them know that your assumption was that these certifications were granted for life, and to your knowledge you did not need to renew them. If they question your sincerity, you can point to both your CISSP and your CISA, which are both current and in good standing, to demonstrate that renewing your certifications is a standard operating procedure for you. In addition, the fact that you can produce the actual certificate as proof, will at least demonstrate to your new employer and their background check company that you did actually achieve the certification and your initial statement was indeed accurate.
Secondly, whenever you speak about this, and to whomever you discuss it with, make sure that you do not make this a “big deal”. You should not send e-mails, or contact the senior members of the interview team – you should just deal with the background check company – and should do so via the phone, so that nothing can get forwarded to people with decision making authority for your hiring, who may have dogmatic views about this violation/oversight.
If you make it a big deal, it looks like you are attempting to cover it up and you got caught. If you make it like it is just an honest mistake, you may get them to overlook it altogether and it will most likely become a footnote, and not even become an issue.
What can be learned from this is that when filling out an application, less is more. Only include things that are essential and that you know you can verify. If you cannot be 100% accurate, omit it; you can always complete it at a later date.
Hope this helps and it works out for you.
August 14, 2012
I have been working in the IT industry for many years and have been dabbling in the Information Security realm for about 5 years now, but am having a hard time getting the experience I would like.
I was recently asked by a friend to help with a side job which required a Security Assessment to be performed. I have never had to perform a Security Assessment so I am a little hesitant making the jump because if I accept the assignment, I want to do it correctly.
I’m not one of those guys that will take the job, if I do not believe I can perform it correctly. I do not want to be put in a position where I do a crappy job due to the fact that I do not know what I am doing.
How do I get the experience I would like, so I can take “jobs” like this one with confidence? I have a good reputation and I want to keep it that way.
Any advice you could give, I would be grateful.
“Biting Off More Than I Can Chew”
Dear “Big Mouth”:
I agree with your sentiments. You only have one reputation and anything that you do that detracts from your reputation will only stay with you through the course of your career. In the end, your work is a reflection of you, and it eventually will define you and become your “brand”.
I give you a good deal of credit for having the integrity to know that this position may be beyond your scope of knowledge and “more than you can chew” at this point in your career.
I can offer you a couple of different options –
1) I would ask your friend if they would be open to you “subcontracting” the assignment to someone that you trust. If they say that is OK – what you could do is to ask around your network or on Twitter – if anyone is interested in a consulting assignment – with the caveat that if they take the job – that they will let you shadow them on the assignment and teach you. This could be the best way to get practical experience – in essence you can learn – and someone else would get the revenue from the assignment. This would be viewed as quite an even trade!
2) Another option would be to get formalized hands on training. Now, I do realize that if you did take training, you would not be ready for this current assignment – however, with some foresight this could possibly give you the confidence to know that you would do a good job the next time that you get the opportunity to perform this type of work.
The key to this is to get “hands-on” training – not just some certification – that will give you the confidence that you will do the job correctly. Understand that you are doing this for yourself, not for someone else evaluating the value of the certification and utilizing that to judge your competency. In this case, you need to overcome your fear of failure – practical experience, even in a training or lab environment, should enable you to simulate a real-world “assessment”. It may not be live – but it is the next best thing.
With the right training, you should be able to do a “good job” on future assessments, and when you do, you can be sure that you will get additional opportunities to practice your craft.
Hope this helps,
August 7, 2012
I am currently working as a penetration tester for a pretty large company. Prior to this, I worked for another large company, doing similar work. My current job is going well, I have a very good mentor, my company has been supportive of my professional development, and I like my hiring manager – as I feel that we have established an open line of communication.
I do have two complaints. First of all, I believe I can do more. Secondly, I believe that I travel way more than necessary to perform my duties.
I recently completed an interview process with a much smaller company that is in the middle of a growth spurt. Although they are much less structured, the people are very smart, and they have some focus in an area that interests me a great deal, Mobile Security. I believe that it is set up to enable me to take some leadership in this area. The position does not require a great deal of travel, and it will allow me more time to get involved in my local professional community.
The money for the position is very similar to my current role, however the position offers some stock, which is exciting to me.
I have listened to your advice in the past about avoiding jobs that just provide the opportunity to “Change Golf Shirts”. Would like to know if you think I am doing this if I join the new company and accept the offer?
Any advice would be appreciated.
Based on your description above, I do not think you are “Changing Golf Shirts” at all, in fact, I think that these two opportunities are unique and very different.
Here are my thoughts:
1) First of all, the company you are joining appears to be a “Start-Up”, and it does not appear that you have any of that experience. Having the experience working at a “Start-Up” is unique, and I think that if you enter into that environment you will learn things about yourself that you would not have in the larger companies that you have worked for.
2) The new company appears to have some good alignment with your interests, which is great. Not saying that your current employer doesn’t, but it appears that you will be able to take more of a leadership role in this area in the new company. Smaller companies are great for this experience. Whereas in a larger company there are more resources to compete with, a smaller company provides more opportunities to create more of a “Professional Brand.”
3) You are going to work with “Smart People”. Not that you do not already, but the only thing better than “Smart People” you know, is “Smart People” you do not know – because if you take this job, your “network of Smart People” just got much larger.
4) You have some earning potential with the stock options. No, you probably will not retire, but stock options provide some upside earning potential that you are not getting in your current role. As a “Pen Tester” there is a standard comp range that you are restricted to, based on the market – so compensation for a new job is never going to be that significant of an increase. In that case, Stock Options provide you with a possible accelerator of your earnings. Even if they are worth nothing, there is no risk for you – as your compensation is going to be equivalent.
5) You can always go back to the big company. Even if your current company will not have you back, there will be another big company that will take you back, and they will probably be willing to pay you a little more money to go work there. Again, you do not have any risk.
My feeling to you is to take a shot on the new company, and see where it goes. Use the opportunity of not traveling to become more involved in your local community, become known to more people, and really sink your teeth into your interest in “Mobile Security” – and become more visible.
If you maximize this opportunity, it will be much better than trading for a “New Golf Shirt.”
Hope this helps,
July 10, 2012
I am about to transition from Military to the Civilian work force. I am an IT Support and Security Professional. I am currently working to gain the CISSP through the SANS Security S+ course. My question is will this class help with gaining the knowledge I “really need” to pass the CISSP and will this help with progressing in the civilian work force? This course is expensive but it comes highly recommended from some of the professionals that I work with. Need some guidance.
First of all, let me say a big THANK YOU for your service to our country.
As a disclaimer – I am not familiar with the particular topics covered in the SANS Security S+ course – so my answer to your question will be a more general one.
The first thing that I want to say is that I question the concept that you actually “really need” to pass the CISSP to work as an information security professional in the civilian work force. Most of the customers that we support are more interested in the candidate’s talent – as opposed to their certifications.
I believe that the question that you should be asking yourself is, “Which training class will enable me to develop my skills and make a smoother transition to work in a commercial environment?”
One of the best ways to determine this will be to first understand the foundation of your current skills and the strengths that you can leverage. Generally speaking, these skills will be more “technical” in nature – centering on either networking, operating systems, software development, etc. Once you are comfortable with this assessment, you may want to look at a training class that can help supplement these skills – possibly something in the area of incident response, security event management, penetration testing, etc.
In developing these skills and skill combinations, you should be able to place yourself in a professional information security environment that will provide you with some exposure to the “domains of knowledge” encompassed by the “CISSP Certification”. With the context of the job, engagement with your peers, the purchase of some relatively cheap study guides, and some initiative, you should be able to pass the CISSP (at a substantially lower price point) – if you decide that this is a worthwhile career investment as you aspire toward your ultimate career destination.
Hope this helps,
June 19, 2012
I am an information security engineer, and about six months ago I decided to change employers. The main reason for accepting the role was based on the connection and confidence that I had developed with the CISO during the interview process.
When I initially interviewed for the role, I was on the fence about accepting the offer. However, I had a dinner with the CISO and we spent the time together speaking about professional development and he assured me of his commitment to expose me to more of the business side of information security. The trade off was that I had to give him 12-18 months in a security engineering capacity. During this meeting he even shared with me about his own progression and how he had a mentor who helped him along the way in his professional development and ultimate transition from techie to Info Sec leader.
Well I bought in.
About a month ago, I learned that corporate decided to make a decision and they have forced him to resign. In his place, they have brought in someone internally, who is not an information security professional (we will leave it at that) – and while he understands the company, he has demonstrated to me (and others) that he just does not understand the perspective of information security professionals or relate to them. I know that many of my peers are actively interviewing and others have “checked out” hoping that the new leader fails.
As part of the transition, I had a meeting with him, and I shared with him the commitment that the former leader made to me to help develop my career beyond information security engineering. Although he was polite, my feeling was that he was not going to honor the ex-CISO’s promise to me.
Do I need to begin looking for a new job? Any advice?
Vote Of No Confidence
One of my favorite sayings is that in the end you do not work for companies but you work for people. In essence the company provides the framework but your manager has the real impact on your success and happiness.
You seem to be experiencing this first hand!
I think that what is particularly hard for you is that your decision to leave a good position was based upon the promises that your ex CISO made to you, and your assumption that these promises are going to be ignored. It also appears that you do not have any confidence that the new CISO is going to make good decisions which are conducive to the development of the information security program and in essence your career.
Right now, the best advice that I can share with you is that you should give this person a chance. Considering that your new manager is going to be evaluating your contributions to the company, you should in turn be evaluating their performance as well, as it relates to the development of your career. Considering that the person is new to the role, and not an infosec professional, my advice is to be the best information security engineer possible – and really demonstrate your talents, your passion, and your willingness to make positive contributions. I would make it a point to really embrace the new leader, and demonstrate that you are there to support them.
Given the attitude of your peers, your positive attitude and work ethic should really stand out!
After doing this for ninety days or so, ask for a meeting. At that meeting, you should revisit your conversation and your career goals. At that point, you should see how receptive the new leader is.
If the new leader is receptive, you may have found a way to accelerate your career. Keep working hard and contributing and see if you can produce some measurable results.
If the new leader is giving you lip service, ignoring you, and dismissing your requests – it is time to look for another role. If the new leader does not recognize or appreciate you and your loyalty during this transition, it is likely that they are never going to connect with you or support your career development efforts.
At best you will be pleasantly surprised, at worst you can dust off the resume!
Hope this helps,
June 5, 2012
My question centers around my resume and my application for an information security position.
First some background. I used to work as an information security consultant at one of the largest PCI consulting firms. When I worked at the company, I was a QSA and held other related PCI Certs. When I left that firm, I went to work in a consulting firm that was not a QSA, so I had to allow my QSA to lapse.
Recently I have decided to leave consulting in order to locate a position at a corporation, where I can help them with their governance, risk, and compliance initiatives. I have located an opportunity with a retailer, who has posted for such a position, but the job description states that all applicants must be QSA Certified.
I know that I can do the job. My skills as a QSA have not lapsed. Quite frankly they were not that difficult to acquire. However, I cannot claim that I am currently a “QSA”.
I think that I have two options – either to list it on my resume, and explain it later – or to list on my resume that I am a former “QSA” – however, I feel that this could be received negatively by the internal screener.
Can you provide me some advice?
The Artist Formerly Known As “QSA”
This is a very interesting situation.
Your example points out the exact problem with key word screening criteria, and job descriptions written by the uninformed. What may also be funny is if the internal screener was also screening out candidates who currently work at consulting firms – which in essence would eliminate the entire candidate pool and leave the position unfilled.
First of all, you can never ever misrepresent the truth on a resume. This is a show-stopper, a red flag, and questions your integrity and ethics. Companies will check your certifications, and when it comes up that you do not hold the QSA, your interview process will come to an abrupt end.
The best advice that I can give you is to list on your resume: “Former QSA” – Your Certification Number – and the Years You Held The Certification. You can also list your other PCI related certifications as well with a similar format.
Underneath your certifications and in the body of your resume, you should explain in one sentence or bullet point why your QSA certification lapsed. You need to show the screener that it is impossible to maintain a QSA without working at a Certified Assessor. If necessary, you can link a website that could reference this, so that they can validate it.
Unfortunately, we live in a world where not all involved in the decision making process understand the nature of qualifications for information security roles. Considering that many in the HR field are trained to exclude on “key words” and not to investigate further, it is very possible to be overlooked for a role for which you are qualified and are an excellent candidate.
I would like to reiterate to all of the Infosecleaders in the audience, that it is in your best interest to assist your HR team members and educate them when you are enlisting their help in recruiting for an experienced information security professional.
Hope this helps,
May 15, 2012
Dear Infosecleaders Readers-
Below you will find the unedited version of my latest article for Tech Target/Search Security – Information Security Magazine. The article is designed to shed some light as to why companies have such a difficult time in filling information security roles.
Let me know what you think.
Why Information Security Positions Go Unfilled
While the national unemployment rate has been steadying between 8-9%, information security professionals have been enjoying newfound prosperity. Until recently, the information security function primarily held importance to industries whose success and market perception were tied directly to their customers’ trust, like financial services, and the federal government. Due to a unique combination of technological innovation, increased regulatory scrutiny, external threat, and social activism, corporations in industries that have traditionally ignored information security have begun to realize that the development of a competent information security function is a worthwhile and necessary investment.
When companies recognize that they are going to make this type of organizational commitment, their first order of business is to find competent information security talent to bridge their talent gap to address these issues. However, finding and attracting competent information security professionals to a new position is a lot more difficult than it appears. Companies quickly learn that the same strategies and processes that they apply to filling more generic business and technology roles do not necessarily translate to the recruitment of information security professionals. It is important for organizations and information security leaders to comprehend why information security positions go unfilled, so that they can make the proper adjustments to attract and hire this talent in a reasonable time frame.
The primary impediment to filling information security positions is geography. In many cases, the talent and skills alone would be difficult to find; however, the need for an employee to be based in a certain location significantly impacts the depth of the candidate pool. For example, although the NY Metro area is filled with companies, positions based in locations like Long Island, Central New Jersey, and Southern Connecticut will greatly reduce the candidate pool due to commuting time. Conversely, there are many information security professionals who would not want to incur the additional cost of commuting into Manhattan. In the past, companies were much more amenable to relocating candidates to fill positions; however, the economic events and the housing bubble have greatly reduced the ability of people to relocate and the willingness of companies to subsidize these costs. In general, companies’ relocation packages have become less encompassing, saddling the candidate with additional expenditures if they decide to accept an opportunity and relocate. In these instances, the candidate simply cannot afford to accept the position, even though it aligns with their career plan and professional development.
The next major component in the breakdown of a recruitment process is in the area of compensation. When corporations are determining the compensation value of their job openings they traditionally consult specialized market research firms that provide them with this information. This compensation information generally equates to what the candidate, with the skills, already in the position should be paid. While this should serve as a good baseline, it does not take into consideration the recruitment premium that an information security professional, currently performing a similar role at a similar organization, would need to leave the comfort of their existing environment. For example, if a Senior Information Security Architect is earning “X” in their current role, the market data may be correct and instruct you to price the position at “X”. However, in order to be successful in attracting the Senior Security Architect to your team, you will need to price that position at “X + 10-20%”. In addition, many times compensation packages neglect to address existing financial and non-financial benefits associated with tenure at a current employer. Because money is fungible, financial benefits are more easily replaceable; however, non-financial benefits are often more difficult to address. Information security professionals can place greater value on vacation time, flexible work hours, and telecommuting, and may be unwilling to relinquish these benefits. Corporate human resource policies may not allow you the flexibility to provide alternatives for these privileges.
An additional compensation based reason that information security positions go unfilled is due to internal equity. Internal equity is the belief that any new employee’s compensation cannot be significantly more than their functional or organizational peers. It is the information security leader’s responsibility to both address this within their teams and to educate their human resources staff about the uniqueness of the skill combinations that they are attempting to recruit.
Before any major recruitment initiative, the information security leader must partner with human resources and perform a market based assessment of the skills and functions already performed by current information security team members. The question that should be asked is, “If I had to replace that person, what would I have to pay them?” In addition, the information security leaders should be aware of the value of their employee’s skills in the market place, and be proactive in their approach to aligning their compensation with both their internal contributions and external value.
In addition, it is commonplace for human resources teams to align information security compensation with other technical functions like network engineers, systems administrators, or software developers. It is essential for information security leadership to sit down with human resources and articulate to them why the skill combinations associated with the roles that they are attempting to fill are more complex and scarce than these technical resources. The information security leader should have a great deal of incentive to win this argument, because if the compensation packages are insufficient, positions will remain open for a long period of time or will be filled with substandard talent.
While these factors contribute to unsuccessful recruitment processes, the primary reason that positions go unfilled is the failure of the information security leader (hiring authority) to think like the candidate that they are attempting to attract. All information security leaders at one time had to interview for a job. It can be assumed that when they contemplated their last job change, they created a list of criteria that became key factors in their decision making process. Some of these factors will include the commitment of the organization, the level of responsibility associated with the role, the career path for the position, professional development opportunities, title, and compensation. In summary, most likely they changed positions because the new opportunity represented increased opportunity and personal satisfaction. Often, information security leaders forget their own motivations, and ignore the fact that their applicant pool is driven by similar forces.
One of the biggest mistakes is that hiring managers only focus on their organizational “need” as opposed to taking into consideration what the applicant “wants”. When information security leaders begin designing their job descriptions, it is essential that they understand the appeal of the opportunity and what types of candidates it will attract. When they conduct their interview process, they should be taking into consideration the candidate’s point of view, and determine if the position and the environment can serve as the framework for their candidate to accomplish their professional goals and develop their information security career. By viewing the position from the candidate’s perspective, information security leaders will find themselves prepared to communicate the merits of the position during a recruitment process, which should make a positive impact on the candidate’s interpretation of the career opportunity.
One of the best ways to evaluate leadership is by the caliber of the people with whom they surround themselves. Attracting top information security talent to your team can be both time consuming and frustrating. Building an effective recruitment strategy, addressing potential obstacles, building organizational partnerships and understanding the motivations of your future employees are key ingredients to efficiently filling your information security openings.
May 1, 2012
I am planning on moving back to the USA this fall, as I am currently living in Eastern Europe. As you may or may not know, the standard of life is poorer/lower than in the States. As I have heard in one of your presentations, one should ask for a salary maximum 20% of their current earnings. But the 20% would not even be close to what I would be satisfied with, or the standard for job class.
Do you have an opinion/recommendation on the approach I should take to get the salary I want and/or deserve, regardless of my current pay?
Is Twenty Plenty?
Before I address your question, I want to make this very clear to all of the Infosecleaders audience:
I HAVE NEVER STATED THAT WHEN CHANGING JOBS YOU SHOULD ASK FOR A MINIMUM OF A 20% COMPENSATION PREMIUM OVER YOUR CURRENT ROLE
THIS IS FALSE, INCORRECT, UNREALISTIC AND SIMPLY WRONG!!!
Now to your question:
The real question about compensation can only be answered by understanding the marketplace value for your skills and experiences in your employer’s industry and geographic location. The best way to understand your marketplace value is to survey either your peers (with similar skills) or people with industry knowledge (hiring managers and info sec recruiters) who can provide you with a benchmark of how you should be compensated.
Many information security professionals believe that the compensation for their individual specific skills should be treated differently than the market at large. This is a bad assumption and often leads to poor decision making about compensation expectations.
In general, compensation for similar skills in the same market will only fluctuate by about 10-20%. This fluctuation will be determined by seniority, alignment with the business need, urgency, the demands of the work environment and industry.
Given the above, your current salary is irrelevant to your future one, considering your change of location and the cost of living differences inherent to your move. However, before you embark on your job search you should get a better understanding of how your skills will be valued, and set some baselines and parameters with prospective employers as you begin your interview process.
Upon their assessment of your skills and your performance in the interview process, they should be able to determine a suitable salary in their attempt to acquire your services. If you would like to keep them honest, interview with two companies simultaneously to see if the compensation they offer is similar.
My guess is that the difference will not be much greater than 10%.
Hope this helps,
TO BE CLEAR
*** I HAVE NEVER STATED THAT WHEN CHANGING JOBS YOU SHOULD ASK FOR A MINIMUM OF A 20% COMPENSATION PREMIUM OVER YOUR CURRENT ROLE. THIS IS FALSE, INCORRECT, UNREALISTIC AND SIMPLY WRONG!!!***
April 24, 2012
I wanted to ask a question about compensation as it relates to an opportunity that I am currently pursuing. First I would like to describe my current situation –
Right now I have a position that I do not enjoy very much. I work as an identity and access management consultant where I implement enterprise technologies at large companies. I have been working in this capacity for the past five years. I travel a great deal (about 80%) – basically every Monday through Thursday.
Due to a combination of my technical skills, my willingness to travel, and my ability to communicate to senior management at my clients I have been paid quite well. My current compensation is about 200K. In addition, since I have been traveling so much, I have been able to reduce my living expenses considerably allowing me to save about 300K.
Recently my life has changed a bit. I have met someone and I want to settle down and find a position that allows me to stay in one place and at the same time challenges me. Through my network of friends and colleagues, I have located a position that accomplishes these objectives.
There is one catch. The compensation.
The position pays a salary of 135K and does not have a bonus.
I would really like to accept the position but I am having a hard time getting over this hurdle. In addition, I am not sure how to answer the employer’s question about my willingness to accept 1/3 less compensation than my current role.
Any advice would be appreciated,
Let me answer your second question first – the best way to answer your future employer about your willingness to accept considerably less compensation is honestly. I would explain to them very simply that you understood that your past role was more of a 1099 assignment as opposed to a full time position – where you were receiving a 33% premium for your skill and willingness to live on an airplane.
You should explain to them that you had come to terms with yourself that you were going to sacrifice your personal life in exchange for the ability to save money and develop skill. In addition, you can explain to them that by being financially responsible you have put yourself in a situation where you could focus on your career – and not be as concerned about money. If you would like, you could also explain to them that you have met a significant other, and your desire to spend more time with your partner outweighs your desire to earn an additional 65K.
This being said, you need to make sure that you are careful to let your future employer know that your drive and your desire to produce excellent results remains with you, and that your work ethic will not change, although you have more of a financial cushion. The best way to do this would be to demonstrate some examples from your past that can illustrate this characteristic in both personal and professional environments.
To answer your question about money, my feeling is that this is a very personal choice and one that you yourself will need to deal with and come to terms with. 65K is a large sum of money; however, the only positions that will enable you to maintain your compensation will be ones that place you in the same environment as your current role.
If you are offered the role, before you accept it, I would like for you to make a list of the things in your life that you will be able to take advantage of with the new role, and to make a list of the things that you will be giving up without the 65K. In addition, you should also look five and ten years into the future, to see if by accepting this new role, you can place yourself on a trajectory to recapture these earnings in the future.
In the end, if you want to, you can always get back on the airplane, and do the consulting. My advice is to make the most of your relationship, and to see if you can excel in a new environment better suited for your new life.
Hope this helps,