Career Advice Tuesday – “No One Will Come Work For Me”

January 24, 2012

Dear Infosecleaders:

My question comes from a different angle than most of the questions that you address on your blog – I am an information security leader, and I have been trying to hire some key technical information security engineers for my team, and I have not had much luck.

I have been looking for these positions for close to six months, and the only thing that I have to show for it is three rejected offers of employment and a good deal of wasted time. The candidates have rejected our offers for a variety of reasons: compensation, expectations associated with the position, and one of the candidates never even responded to the offer.

I think that my internal recruitment team has written the positions off, and we do not have any budget to hire external search firms to help locate this talent. I have posted these roles on internet websites, and I cannot tell you how many resumes we have received which do not come close to matching the skill combinations and experience which I outlined in the job description.

I guess I would like to know if you have any advice for me.  We are committed to hiring the right people for the roles, but I am at the point that I will settle for someone with a pulse and some passion.

Is there any advice that you can share with me to help me solve this issue and hire some future information security leaders?

Signed,

Looking for Mr. (or Ms.) Goodbar?


Dear Info Sec Leader:

There is no simple solution to hiring the correct talent for your information security team. It appears from your note that you are resource-constrained on many levels – compensation, internal support, and external budget. Although these are substantial obstacles to overcome, they are not insurmountable.

The first thing I would do is look at your job description and determine which skills are absolutely necessary to perform the position that you are looking to fill. Sometimes job descriptions are filled with a good number of “nice to have” bullets, and they overshadow the “need to have” requirements. It is logical that the candidates you have been interested in have a good amount of the experience that you request, but your budget simply cannot afford that level of resource.

What you should do is winnow the requirements down to the skills and experience that reflect a level you can actually afford. You should understand that attracting candidates is one thing; hiring them is completely different. If you lessen some of your requirements, and require that candidates who lack certain experience make up for it by displaying “passion” and “drive” during your interviews, you should be able to locate a candidate that you can afford.

When you design a position to inspire professional growth and career acceleration, you will generally attract candidates who have a high level of motivation and professional pride. So, what they lack in experience, they will make up in aptitude and “passion”. It will be important that you screen for these intangibles in the interview process. Constructing your position in this manner will truly turn it into an “opportunity”, as opposed to what your past candidate pool has viewed it as: “a job.”

As far as building your relationships with human resources and your internal recruitment team, my suggestion would be for you to schedule some time to re-engage them and start anew. During this time, you may be able to educate them on your new requirements, provide them with some good screening questions, and adjust some of the elements of the job description to reflect less experience and more passion. You can accomplish this by screening the candidates for things that reflect this, like conference attendance, industry involvement, and logical career investments. I would then educate them on potential sources in your market for these skills, so that they may be able to do better in pre-screening resumes. Try to schedule a weekly meeting with them, both to get status on their efforts and to give them a regular opportunity to ask questions. The more that you engage them in the process, the more they will want to help you.

Although you cannot use external agencies, you can still post the position on internal and external websites. In posting the position, try to do so in a way that reflects the type of career opportunity that is available and the candidate profile you are attempting to attract. I would use words that could encourage more affordable and slightly more junior candidates to respond. A good exercise would be to think back over your career, and think about the things that would have attracted you to a role like the one that you are offering. When the candidate eventually comes to the interview, use these examples as selling points as to why this role will benefit their professional development and their career as an aspiring information security leader.

Take comfort that your experience is not unique. Do the best you can with what you have, and keep your expectations realistic.

Hopefully this helps, and you will fill your roles in the next 30 days.

Sincerely,

Lee Kushner


Career Advice Tuesday – “Getting Past the Gate-Keeper”

January 17, 2012

Dear Infosecleaders:

I have recently applied for a position that I believe will advance my information security career.  In submitting my resume via the company’s internet posting, I tailored many of my accomplishments directly to the criteria of the position description.   I have to admit that I am a very skilled wordsmith, and may have taken some liberties in the description and the scope of the work that I have performed.

For example, I often serve as a team lead and project manager for technical engagements, but I have never managed people directly. The role that I am applying for has direct reports. Also, the position description calls for an understanding of some specific information security tools that the company uses – like data loss prevention and GRC compliance software. While I have experience with these concepts and similar tools, in-depth knowledge and experience with these particular tools has eluded me. Finally, the position calls for the ability to travel 50% of the time. I am really not interested in this amount of travel, but I have a friend that works there and she told me that she does not travel any more than 25%.

I am now scheduled to have my first interview conversation, a phone call with the human resources/internal recruiter – given the things that I have shared with you, do you have any advice on how I should handle her questions? I know that she is going to read the JD verbatim, and ask me questions where my answers may exclude me from consideration.

I really want a chance to speak to the hiring manager and fellow info sec professionals in the group, to articulate my experiences and demonstrate that I have what it takes to be a viable candidate for the role.

Any words of advice?

Sincerely,

Michaele Salahi


Dear Michaele:

I would like to provide you with some two-fold advice for your exact situation. First, some of the deficiencies that you have pointed out in your skill set may be deal breakers with the resident information security leader, so please tread carefully in your presentation of the skills that you have to offer. There are many items in a job description that are truly requirements of a position, and no matter how great your ambition or how creative your presentation, you may have to accept that your skills are going to fall short of expectations.

For example, the role may really need someone who has strong people management skills, which are not the same thing as being a “team lead” or “project manager”. The use and knowledge of specific tools may be a success factor in the role, and although your friend only travels 25% in her role, this position may require double that amount of travel.

All that being said, I agree with you 100% that the decision should be placed in the hands of the hiring manager and not the internal recruiter/human resources professional. Ideally, the Infosecleader and hiring manager are the ones that best understand their needs, and no matter how adept their level of communication, something gets lost in translation – specifically granular job requirements.

You should understand that this misunderstanding is not the fault or responsibility of the internal human resources/recruiter, as it is nearly impossible for someone who works in a general capacity to understand the nuances of the specific role that you are pursuing. However, there are certain elements of the role that HR will understand – the company’s definition of a “Manager”, the importance of specific tool knowledge (although they may not be able to make the jump from tool (e.g. Check Point) to concept (firewalls)), or the amount of travel.

Independent of that, after doing my job for 15 years, I am of the firm belief that it should be every information security professional’s goal to get to the decision maker during an interview process. This is where your “sales skills” should come into play. My advice for you would be to engage the internal recruiter, and leave them with enough confidence from your discussion to move you forward in the interview process.

This will enable you to get the real answers to your questions and demonstrate your level of competence to a knowledgeable party who has the ability to evaluate your skills. When you do get to that level of the interview, you have a responsibility to make clear to the hiring manager what your true capabilities are as they relate to the job requirements articulated during your discussion.

Hope this helps,

Lee Kushner


Career Advice Tuesday – “Three Experiences – One Resume”

January 10, 2012

Dear Infosecleaders:

I am embarking on a job search and I am looking for some help. The first ten years of my information security career have placed me in some interesting environments – serving as a technical information security engineer, working in an information security professional services practice in the area of risk and compliance, and working as a pre-sales engineer for a large information security product vendor.

The truth is, I have enjoyed all three of these roles, and I am interested in a wide variety of opportunities. I feel that my experience and versatility are a good thing, and they allow me to investigate many different career paths.

The question that I have relates to my resume. Do you have any advice for me on how to craft my resume – to both illustrate my versatility and breadth of experience, and to accurately align my skills and qualifications with different opportunities at the same time?

Sincerely,

Ralph Furley


Dear Mr. Furley:

Good for you for having had three distinct and successful experiences at this point in your career. I can only imagine that you have developed and maintained a set of skills that includes technical expertise, customer skills, and persuasive communication and presentation skills.

If my assumption is accurate, you are correct that these skills are in high demand and will appeal to many diverse environments.    Since you will be applying to roles in these different types of environments – I will make two suggestions regarding your resume –

The first is to write three separate resumes – one tailored to internal information security engineering roles, one tailored to professional services/consulting opportunities, and one tailored to pre-sales opportunities. If you decide to go this route, keep the qualifications of the position you are applying for in mind as you create each resume, and highlight the skills that you have acquired in your three different roles. Ideally, each resume will have a “theme” to it, which will align with the specific role that you are attempting to pursue.

For example, if you apply for an internal technical information security position, I would make sure that the bullets from your sales engineering role are technical in nature. I would try to find a way to point out the depth of your technical skills in the context of that role.

The second option is to use the same resume, but to write three unique objective statements that align with the types of roles that you are applying for. In each of these statements, I would point out that your diverse experiences have provided you with unique perspectives on how information security problems are solved – from an internal perspective, from an external perspective, and with the aid of information security products. Demonstrating these three different perspectives in the body of your resume, and associating your skills with each of your three roles, should create a consistent overall theme.

In closing, having three diverse experiences and perspectives as an information security professional is a very good thing, and provides you with a great foundation.

The combination of a well-written resume, and an astute employer who can connect the dots, should provide you with access to many roles that could serve as a springboard to the next stage of your information security career.

Good luck in your job search,

Lee Kushner


CAT – Clearing Some Things Up – Advice and Predictions for 2012

January 3, 2012

Recently, I was cited in an article for SearchSecurity, where I was asked about my opinions on the information security industry employment market for 2012. I will say that the author did not misquote me at all; however, upon reading the article I felt that it was necessary to clear up some things that I found inaccurate – and I wanted to make sure that the Infosecleaders.com audience knows exactly where I stand on the topics covered.

Here are my thoughts:

While I agree that Mobile Security is going to be an information security skill in demand, I do not believe it is the only skill that companies will look for in 2012. Have no fear – companies will still have a high level of demand for knowledge in the areas of Cloud, GRC, SIEM, DLP, PCI, Software Security, Identity Management, and overall IT Risk Management. In addition, while I do believe that it is a good idea to have a blend of technology and business skills, there is still a very strong market for information security professionals who have hard-core technical skills – and that should never be forgotten or overlooked. The technical information security professionals with developed knowledge and enterprise experience in securing networks, operating systems, applications and databases will do just fine as well. Also, all of the penetration testers out there can sleep easy: your skills will still be needed and remain in demand.

Below you will find my biggest objection – and probably the information that I find to be the most inaccurate.

Here are my disclaimers -

I would like to state that I do not personally know Mr. Snyder, nor have I had any dealings with him.  

I have read his securityrecruiter.com blog on a number of occasions, and I find his perspectives to be both unique and entertaining.

To my knowledge, Mr. Snyder and my firm do not compete within any of my recruitment customers, and although we are in the same profession and industry, our paths do not seem to cross, except when quoted in articles about information security careers.

As per the author of the TechTarget article – please find a quote from Mr. Snyder -

“When companies are using a search firm to fill a position, then they’re going to usually expect that a candidate’s going to have industry experience,” he said. “In other words, if it’s a bank, they want someone who’s coming out of a bank; if it’s a retailer, they want someone coming out of retail; and if somebody’s going after that job on their own, then the bar isn’t usually set quite as high.” – Jeff Snyder

The Accuracy

The main point of the quote is accurate.  When companies are looking to find information security leaders, independent of the source, they ideally would like to locate people who possess applicable industry knowledge.  This is generally one of the core criteria of an information security leadership or CISO level search.

Like Mr. Snyder points out – a retail organization would ideally like to hire an information security professional who understands the information security challenges that a retail business faces and who has experience solving those problems.   You can apply the same logic to industries that include health care, high technology, manufacturing, financial services, media and entertainment, and any other business.

The Inaccuracy -

Mr. Snyder’s quote implies that a company has more stringent requirements when it engages an executive search firm. His statement that “…if somebody’s going after that job on their own, then the bar isn’t usually set quite as high” can be interpreted in a way that leads information security professionals to believe that they can afford to be less qualified if they decide to apply for positions on their own – and not through an executive search firm.

THIS IS DEAD WRONG

First of all, the decision to engage an executive search firm is generally based on a company’s desire to ensure that it gets access to a qualified candidate pool in a time-efficient manner. The business decision to engage a search firm is the same type of decision as engaging a professional services firm to provide a service that the company does not believe it can perform effectively with internal resources. The budgets for engaging executive search firms come either from a general corporate budget or from a specific business unit that can justify the value and the return on investment for the cost associated with the search firm’s fee. In addition, the amount of the search fee does not have any impact on the compensation offered to the candidate.

Mr. Snyder is correct in his inference that when companies engage an executive search firm, they are expecting to get value for their dollars. This will take the form of industry intelligence, compensation data, a professionally managed recruitment process, and eventually the placement of a successful candidate to fill the duties of the information security leadership role. In exchange for money, the companies are going to expect an executive recruitment firm to deliver a candidate who is going to match the key criteria that they have outlined for the position.

Just like anyone who pays for a service, companies who engage executive search firms have the right to have realistic expectations of competence and results when retaining them to help fill a position. However, in my 15 years of experience, I have never witnessed a situation where a company that is committed to recruiting the correct information security leader would agree to hire a less competent candidate solely because they were introduced to them directly, and not through an executive search process.

In 2012, and in the future, competition for Information Security leadership roles is going to intensify. Companies are going to continue to set the bar high for finding the correct talent match, no matter what method they select to recruit for these positions. In addition, the more influence and importance that an information security role has to an organization, the more detailed the requirements will be and the more demanding the interview process.

To all current and aspiring information security leaders, for 2012, I am urging you to take a proactive approach to developing a career plan, honing your skills, investing in yourself, and making wise choices about selecting the right positions to help accomplish your career and life goals.

Happy and Healthy New Year,

Lee Kushner



Career Advice Tuesday – “Resume Hurdle”

September 27, 2011

Dear Infosecleaders:

I am writing to see if you can help me with a situation that seems to be haunting me as I look for a new job.

I have been working as an information security engineer for the past 10 years, mostly on long-term contracts. Each of my contract assignments for the past five years has been through the same contracting firm. During these past five years, I have supported over 8 different Fortune 500 customers in the implementation of various security technologies ranging from IDS, firewalls, SIEM, DLP, etc. Each of the assignments has spanned from 4 months (shortest) to 16 months (longest). On my resume, I outline each of these projects, listing the customer, the scope of the project, the duration, and the impact of my efforts.

Now that I am looking for a full-time job, in my opinion my resume makes my employment look inconsistent, although I have been working for the same employer (contracting agency) for the past five years.

Do you have any tips on what I can do to overcome this hurdle?

Signed,

Edwin Moses


Dear Edwin:

This may turn out to be our shortest response, but your answer is a simple one.

What you need to do is create a resume entry, before the projects, demonstrating that you have worked with the same company for the past five years (2-3 lines). Underneath the employer and the dates, you should write a short description of the company and the nature of your work as a security consultant servicing Fortune 500 clients.

Your resume should then read no differently from that of a person who has worked as an information security consultant for a large consultancy – like a Big X firm or a large systems integrator – with the exception of being able to demonstrate career progression or titles.

If you are able to place this experience under the larger umbrella, it will let employers know that you are loyal and have a good deal of diverse information security experience.

That should lift some of your hurdles and help you in your transition.

Hope this helps,

Lee and Mike


Career Advice Tuesday – “Adoro la seguridad de información (I Love InfoSec)”

September 20, 2011

Dear Infosecleaders:

I graduated college with a B.A. in Spanish. However, I find myself intrigued by the Information Security field as I love a challenge and I am a problem-solver with an analytical mind. I am looking into Master’s programs for IS, but I am worried about finding a job with a Master’s and no relevant IS experience upon graduating.

Can you please offer me any advice? I really see myself enjoying a career in IS.

Signed,

Quiero ser un pirata informático (I want to be a hacker)


Dear “Pirata”:

The best way to respond is that your professional career will most likely span 30-40 years, so you have a long time to make the transition that you desire. At this point in your career, your decision to study Spanish in college as opposed to information security or computer science should not be viewed as an impediment to your future career; in fact, you should figure out how to use this knowledge as a future enhancement.

The first piece of advice I would like to give you is not to go back to school to get a Master’s degree. Instead, I would suggest that you go back to school to take some technology-related classes, and look into an educational program that will provide you with some first-hand experience working in technology. You should be able to take some of these classes concurrently. Simultaneously, you should attempt to find an entry-level position – even part-time – doing some computer-related work, so that you can get some exposure and practical knowledge. This can include roles like working in a computer lab, working third shift in a network or security operations center, or something of that sort. Once you feel comfortable with a baseline of knowledge, maybe in about 18 months, you can attempt to attain an information security certification – something that reflects your technical knowledge. This will help provide you with some external branding as an information security professional.

Once this is completed, my advice to you is to combine your experiences – your newly created technical skills and your Spanish undergraduate degree. Due to the growing Spanish-speaking population and the global economy, being able to communicate in Spanish (or any foreign language) is a unique skill that will differentiate you from others. In fact, it is likely that you will be more attractive to companies doing business with Spanish-speaking customers than more qualified information security professionals without the ability to communicate. When you begin to look for jobs, it is on these companies and these geographies that you should focus your search.

I would not be surprised if you could find a company that would give you the opportunity to serve as a conduit between a technical information security function and any of its Spanish-speaking business units.

In the end, please let us know if it is easier to teach a Spanish major information security, or an information security professional Spanish.

Hope this helps,

Lee and Mike


Career Advice Tuesday – “Fork In The Road”

August 30, 2011

Due to the hurricane, we are publishing a Career Advice Tuesday that we wrote for TechTarget and our monthly advice column there. Below you will find the unedited version of our column.

Dear InfoSec Leaders:

I am writing to you with the hope of getting some career advice. I am a consultant for one of the leading security vendors’ GRC products. I help customers set up their compliance programs with the product as the backbone. It’s been about 4 years of doing this and I now feel it’s time for a change. My career goal is to become a CISO someday and I want to work towards that. I have two very different job opportunities and would like your thoughts as to which one aligns well with my goals.

One is that of a Product Manager with the same vendor for the same product. The position will give me immense exposure to senior security management folks across customers. It will also help me gain an understanding of their GRC efforts and pain points. The other position is that of a Security Architect with a large retailer. This team has been recently formed in the organization and is doing some exciting stuff. This position could possibly give me exposure across different security areas beyond GRC. Both these positions have pros and cons; e.g., I’m not sure if staying with a vendor is a good career move or whether the other side of the table is a better option.

As you can tell, I have a lot of questions and very few convincing answers. I’m not sure if I should specialize in the GRC space (via the vendor) or gain exposure to have a holistic view of security.

I’d appreciate any words of wisdom you can send my way.

Signed,

“Fork in the Road”

Dear Fork:

Please understand that before we start, the advice that we are giving is based exclusively on the information that you have provided to us in your note, and that we do not have any additional background.

Based on your career goal to become a CISO, we believe that it would be best for you to leave the product arena and accept the job as an Information Security Architect on the recently formed team at the large retailer. Our answer is based on the following reasons, which coincide with your long-term career goal.

1)   The group is newly formed

When someone tells us this, the first thing that comes to mind is opportunity. Newly formed information security functions generally give information security professionals the opportunity to leverage their current areas of expertise (in your case GRC) to develop broader skills in other areas. The biggest mistake that many infosec pros make when entering an organization in this state is to limit their contributions to their “job description”; an opportunity like the one that you described should provide you with the framework to push yourself to develop new areas of expertise, as opposed to limiting yourself to the world of GRC.

2)   Retail experience should be valuable in the future

Due to the importance of PCI, many retailers and e-tailers are placing increased emphasis and dedicating additional resources toward information security programs.   Currently, many retailers are not making past “retail” experience a job requirement, however this will most likely change in the next few years.  Having this industry knowledge as part of your skill matrix, could become a differentiating factor when looking at the next step in your career.

3)   Product Management is not a requirement to become a CISO

There is no doubt that working as a Product Manager will help you develop skills that could be advantageous as a CISO – including customer skills, presentation skills, sales skills, market knowledge, and subject matter expertise. However, when making a transition toward a CISO career path, you will encounter people in the hiring process who have built-in prejudices against hiring candidates who come from the “Product/Vendor” side at a high entry point. For you to make this direct transition, you are going to have to find a forward-thinking CISO who will value this experience and believe that your skills as a Product Manager will directly translate to their environment. Our belief is that if you remain a Product Manager, you will eventually have to make the transition toward an internal infosec role (in your case, architect) at some point in time, so why delay? You have the opportunity in front of you; now is the time to determine if transitioning to a corporate information security function is right for you.

Again, our advice is based exclusively on the information that you have provided from your note, and based on generalities.

If you would like to contact us directly via phone to discuss your particular circumstances we welcome you to do so.

Good luck in making your decision.

Lee and Mike


Career Advice Tuesday – “Advice For Starting An Infosec Consultancy”

August 16, 2011

Dear Infosecleaders:

I hate to bring up what seems to be the elephant in the room within information security, and penetration testing in particular, but how exactly are people getting the gigs doing this? Personally, I have tons of training, 15+ years of experience in the realm, and business experience to match, and every time I ask this question, nobody seems to want to answer/discuss it.

It is a known fact that the big companies (IBM, the Big X, large telcos, etc.) sell it as a service to existing customers, but there are A LOT of two- or three-man pen testing teams that seem to stay busy constantly. I understand that people don’t want to give out their client attraction methods and strategy, but I have yet to see this topic covered. There have to be a lot of others with the necessary experience asking the same thing.

Anyway, I just can’t seem to tackle the elephant in the room. Nobody wants to cover it.

Thanks, guys, and a unique blog for the infosec community.

Signed,

The ZooKeeper


Dear Zookeeper-

To be candid, I had to look at your question a number of times before I was able to formulate a response.  It is my interpretation that the crux of your question is, how do you begin your own information security consulting business – particularly in the field of penetration testing.  In addition, you would like to know why others are successful,  and why some (you) can’t seem to get off the ground.

First of all, I should start by telling you that all businesses are similar – and beginning a penetration testing consulting business is no different than starting any other services business, such as lawn care, pool service, or home painting.   When people decide to buy any service, they look for certain elements – experience, competency, price, and reliability.    Anyone who has been successful in beginning a small information security business has been able to personally demonstrate these qualities in their previous life, prior to forming their own company.  It is from this reputation and personal brand that they are able to attract some of their initial customers, who provide them with experience and references, which they should be able to leverage into new business opportunities.

Another essential component of any business (and career) is the ability to sell and market one’s services and oneself.   It is this skill that often separates the successful from the remainder of the pack.  Selling one’s talents and branding one’s skills in the information security marketplace is often overlooked as the key factor in determining success.   Many information security professionals have focused their professional development on their technical skills, but at the same time they have neglected to develop their business/sales/presentation skills.

Long and short, there are many technical “rock stars” that have failed on their own as business people, but once partnered with competent business people, have achieved great things.

I have learned over the years that business is about surrounding yourself with great people who complement your strengths.  Maybe it would be best for you to find someone who can help “open some doors” and help sell your talents.  Or, maybe you need to reevaluate your assessment of your business skills, and try to honestly assess some of the obstacles that are standing in your way in getting your business off the ground.

Understand that it is easy to prove technical competency, but in the world of business, the proof of competency solely lies in the color of the ink – “red” or “black”.

In closing, our note is not meant to come across as harsh, but it is meant to be direct.

Hopefully some of this advice and insight helps, and your infosec consulting business will get off the ground soon.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Security Industry, Skills, Uncategorized | Comments Off 

Career Advice Tuesday – “Should More Work Mean More Pay?”

August 2, 2011

Dear Infosecleaders:

The other day I learned that my information security program will be going through a reorganization.

The good news is that, as a result, I am receiving increased responsibility, visibility and exposure.  The bad news is that I am getting more work, more headaches, and I am not receiving any additional compensation.

Needless to say, I am angry.

I really like my employer, but I consistently fight battles with management and human resources about my compensation.   Last year I received an “over market” increase (according to HR), which from my perspective was underwhelming, and did not reflect my contributions.    When I brought them “data” about compensation, they dismissed it.

Here I am again.  The pattern is repeating itself.   I am planning on putting my thoughts down in writing, in a very direct letter to both my management and human resources, documenting and reflecting my feelings.

Do you approve of this approach?

Sincerely,

“Caesar Chavez”


Dear Caesar:

Before you decide to put your thoughts down on paper or in an e-mail, you need to ask yourself, “How good of a writer am I?”  By writing a note, your thoughts are going to be contained forever, and can always be referenced.  If your note takes an angry tone, it can be viewed as a line in the sand to your current manager and employer, and it can force an action – which may or may not be worth the risk.

Personally, I believe that you should express your opinions verbally, in a meeting setting with both your manager and human resources present.  I think that you should set the tone of the meeting, by first letting them know that you appreciate their recognition of your contributions, by providing you with additional responsibility.

Once this point is conveyed, you should let them know that your expectation would be that once you prove yourself in this new capacity, you will be compensated commensurate with others across the organization who hold the same titles and responsibility.   During this meeting, you should ask your manager to establish specific metrics on how your performance will be evaluated.  In front of HR, you should ask for a follow-up meeting so that these can be reviewed, and set up a timetable for an initial review (6 months may be ample time).  In these 6 months, you should work your butt off, to overachieve, to show them that they made the correct choice in giving you this opportunity.

By handling it this way, you are demonstrating maturity in your approach.  It is a common mistake for people to ask for money once given an “opportunity”, but the fact is that the extra money is earned once you prove that you can perform at this newly elevated level.

When the review cycle comes around, one of two things will happen – you will either be happy with your new position and increase, or you will be polishing off your resume, looking for an employer that appreciates your experience and newly learned skills.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Personal, Security Industry, Skills | 1 Comment 

“Value of InfoSec Certification Survey” – Results Preview Featured in Dark Reading

July 28, 2011

Last year at RSA, we launched the “Value of Info Sec Certification” Survey.

A preview of the results is featured in today’s issue of Dark Reading, in an article by Kelly Jackson Higgins.

On Thursday, August 4th, at 1:45 PM PST, as the first part of our Professional Development Workshop at Black Hat, we are going to announce the full results.

We were very happy to receive 1349 respondents to the survey, and from reviewing the backgrounds of the respondents we find it to be a very good sampling of the Information Security industry:

2/3 of the respondents have worked in information security for more than 6 years

25% of the respondents have worked in the industry for more than 12 years

1000 of our respondents either hold or have held an information security certification (Yes, exactly 1000)

699 of the respondents hold or have held the CISSP (667 current / 32 no longer)

50% of the respondents earn 100K or more

35% have a long term career goal of becoming a CISO or CSO, an additional 10% aspire to be a CTO or CIO – (Competition should remain fierce for these roles!)

25% of the respondents said that they had a Written Career Plan – (which means that we are making progress)

These results are just the tip of the iceberg – you will have to come to our session at Black Hat if you want the full release.   If you are not in attendance at the conference and would like a copy of the results afterward, you can sign up at Infosecleaders – Research – shortly after the release.

A special thanks to all of those who participated.  Thanks for making this a great success.    Stay tuned for our next industry survey!

Regards,

Lee and Mike


Posted by lee | Filed Under Behavior, Planning, Resume, Security Industry, Skills, Survey | 2 Comments 
