Career Advice Tuesday – Special Edition – Live At Black Hat – Your Questions Are Welcomed

July 26, 2010

On Thursday, July 29th, at The Black Hat Briefings, we are presenting a live version of “Career Advice Tuesday” at the conference.  The session, “Things You Wanted To Know, But Were Afraid to Ask, About Managing Your Information Security Career”, will enable any attendee to have their career questions answered directly.  It is a part of the Special Events Track, in Forum 25, from 1:45 – 3:00PM.

During the session, we will address any career related topic.  It will be completely up to the audience – there are not any boundaries.

Topics covered will include the following:

Career Planning
Career Investment Strategies
Position Selection
Networking and Personal Branding
Interview Tips and Techniques
Compensation Negotiation
Employee/Employer Relations

We realize that many of our readers are attending the conference, but may elect to attend a different session or may want to ask their question anonymously.  If this is the case, we welcome you to submit your question to the website, and include in your question that you will be in attendance at Black Hat.  We will do our best to have your questions answered during the session.  All questions that are asked, during the presentation or via the website, will be transcribed and featured in future Career Advice Tuesdays.

We will return next week with an enhanced version of our regular Career Advice Tuesday segment.


Career Advice Tuesday – “Ideal Graduate Course”

July 20, 2010

Dear Infosecleaders:

If you could only have one information security course as part of a graduate program for IT managers, what, in your opinion, should it contain?

Sincerely,

Professor Plum

Dear Professor Plum:

We are not sure if you can select only one class, but if we had to choose one information security course for IT managers, it would be titled “Enabling Business with Information Security.”

The lesson plans for the course would contain the following:

1) Reasons for Business to Reject Security – this would include examples of how information security hinders productivity in a corporate environment

2) Business Security Requirements – these lectures would demonstrate the necessity of security: regulatory aspects, secure business transactions, breach prevention

3) How Information Security Can Make You Money – these lectures will demonstrate, using real-life cases, how contracts have been won, brands have been built, and trust is developed by building security into business processes – these lectures will show both the winning and losing perspective, and the effects on stock prices

4) Building a Win-Win Relationship with Your Security Leader – these lectures will focus on communication and developing mutually beneficial relationships between yourself, security, and the business – these lectures will explore all parties’ perspectives and demonstrate how everyone can accomplish their goals through cooperation as opposed to conflict

5) Spreading the Word – these last sessions will demonstrate how you can utilize both internal and external marketing messages to create internal awareness, build external trust, and brand your company as a “secure business environment” – guest speakers will come in to talk about dealing with the media, investor relations, and the creation of internal security awareness campaigns.

We figure that each of these topics can go for 2-3 weeks – and this should leave plenty of time for midterms – and finals!

Hope this helps!

Lee and Mike


Career Advice Tuesday – “What If I Am Late”

May 18, 2010

Dear Infosecleaders:

I have a simple question – what can I do if I am late to an interview?  Is there any way to save myself?  I am not going to make excuses (traffic on the beltway was horrible, but that is not an excuse; I have lived in the Washington DC area for some time now and I should have anticipated it).

Fact is, I really think that the information security role that I interviewed for is the right job for me and I am the right person for them.  It has been a week since my interview, I have not had any feedback and I am kicking myself.

Any words of encouragement?

Signed,

Big Ben

Dear Ben:

Unfortunately, when you arrive late for an interview, you are basically at the mercy of the company that is making the decision about your future.  Some employers will unilaterally disqualify you from consideration based on this criterion alone, and against that you will have no defense.

You should be hopeful that your new employer has enough insight, sees the big picture, and understands the ultimate goal of their interview (to hire the best person).  Most important, you should hope that the skills that you bring to the position are different from those of all of your competitors.

For example, if you were hiring for a position and two people were equally impressive – but one of them arrived on time, and the other was 15 minutes late – whom would you hire?  See my point?

I give you credit for not making excuses (sort of) and taking responsibility for your actions, which is definitely a good thing and can be viewed positively.  You should hope that some of the decision makers that you met with have experienced the same problem and that they are understanding.  If you are really lucky, maybe one of them was late to an interview, and can truly relate.

If you do receive a call from the employer – please make sure that you arrive 10 minutes early for your next interview, and be prompt with every action item that goes along with the interview process (completing applications, background consent forms, etc.).  You will have to start rebuilding your internal brand right away!

Good luck.  Let us know how this turns out.

Regards,

Lee and Mike


4 Information Security Career Planning Steps To Follow

May 10, 2010

As part of our ongoing relationship with TechTarget, please see our recent article in the May issue of the magazine.  In this article, we outline 4 key steps to follow as you develop your personal information security career plan.

We would like to hear your thoughts, comments and questions.


Career Advice Tuesday – “Interpreting Compensation Data Found on WebSites”

May 4, 2010

Dear Infosecleaders:

I recently was offered a position that is truly exciting to me and represents a good logical step in my career progression as an Information Security professional.  The opportunity will enable me to leverage my current skills,  develop new ones, and attain certifications and receive training that should benefit me as I progress toward my ultimate career goal.

During the interview process, when asked about compensation, I provided the new company some information regarding my desired compensation.  To my new employer’s credit, they prepared an offer for me that was equivalent to my request.  The offer was about 20% greater in total compensation (base and bonus) than what I am currently earning.

I wanted to reflect for a day or so before formally accepting the offer to join the new firm (although my decision was basically made).  During that evening I went on some websites that offered position descriptions of what I believe corresponded to my new role.  What I discovered in my research was that the salary listed for these positions was more than the offer that was made.  Learning this provided me with some second thoughts.

I decided to accept the offer, but I kind of feel that I may have left some money on the table.  Quite frankly, since I accepted the offer, I have not slept that well.   Did I interpret this data correctly?

Sincerely,

“Rip Van Winkle”

Dear “Mr. Van Winkle”:

The first thing that I can say to you is that the web is full of information; some of it is valid and some of it is not.  Many websites that quote compensation under broad titles are poor sources of information, because they make broad generalizations about compensation without proper context.  The data associated with these position descriptions may not take into consideration the specific information about the position that you are applying for and the value that you, yourself, bring to the new role.

Some of the variables that are not factored in include the amount of experience that is necessary for the position, the type of experience that is of value to the employer, the nature of the work that would be performed, the training and education experience, and, most important, your career development.  Also, many of these sites do not take into consideration the industry that you would be working in.  For example, the same role in financial services will more than likely pay more than it would in health care.  In addition, the job titles linked to these roles may mean different things to different organizations (a Vice President position in one organization may not equate to a Vice President role in another organization).  In conclusion, there are just too many variables that are not known to the provider of this data to properly relate it to your personal situation.

What I think should be most important to you is that your new employer listened to your initial request, extended an offer that met your demands, and provided you a meaningful increase (20% is a huge number in the current economy).  In addition, the new role that you have accepted is going to help you develop the skills that you have recognized as important to your career development.

The positions that you researched on the website may pay more, but they may offer you less.  Sometimes more money does not equate to greater growth and long-term development.

Good for you for doing your research.  But, please feel good about accepting your new role and this new opportunity.  It appears that you have made a very good decision and that your new employer has demonstrated their desire to have you be a part of their team.

Hopefully, after you have developed your new skills, you will make yourself significantly more marketable in the future.  If this is the case, the money will come.

Good luck in your new role.

Pleasant Dreams!

Mike and Lee


Career Advice Tuesday – “Converting CERTS Into $$”

April 13, 2010

Dear Infosecleaders:

I am a CISSP with experience in programming, static code analysis, and web penetration testing.  I am thinking about taking the CSSLP or GIAC certification – I was thinking that having these certs will enable me to attain more work and increase my hourly rates. I’d like to know what you guys think.

Sincerely,

“CERTainly Want To Improve”

Dear “CERTainly”:

It is quite possible that acquiring either certification (the CSSLP or the GIAC Secure Software) could enhance both your rate and your credibility as a specialized software security consultant. Many companies that are looking for these skills view the certification as an indication of proficiency, and in these cases the certification will provide them the required “signal” to authorize your engagement or your rate.

However, companies that are hiring full-time staff traditionally apply a greater level of scrutiny during their interview process, and place less emphasis on these certifications, either when selecting the candidate or when determining compensation.  I do agree that either of these certifications will help “get your foot in the door” with prospective clients/customers and should significantly enhance your chance to be seriously considered for contracting work or full-time employment.

As you go through your selection process (on which certification to pursue), you have to keep the big picture of your career in mind.  I think that you should place a good deal of emphasis on the certification that helps you acquire skills that you believe would be useful in furthering your career, and in developing your personal brand as both a software security consultant and an information security professional.

There is no question that either of these certifications can help you accomplish the goal of being branded as a software security professional, but this may only serve as a component of your long-term career goals.  For example, you may want to select the certification that you may be able to more effectively leverage in attaining broader credibility (for example, if you want to become a GIAC Expert, you may want to select the GIAC cert; if you want to become a CISSP, you may want to select the CSSLP).

Like any information security career investment, you should try to determine your desired result and the sacrifice (money and time) that you need to make to complete it.  In your case, you should make sure that you keep your initial goals in sight – more consistent work and higher rates – as this may provide you with the quick return on investment that you are searching for.

In the end, I do not think that either selection is a bad choice, but depending on your personal circumstances and career goals, one may have more benefits than the other.

Hope this helps,

Lee and Mike


Career Advice Tuesday – “Is This A Good Career Plan?”

March 23, 2010

Dear Infosecleaders:

I just finished reading your article on career planning and I have decided to begin to formulate my career plan.  I would really like to become a CISO one day.  I currently have 10 years of information security experience working in government environments.  I also just recently passed my CISSP exam and am in the final stages of completing my bachelor’s degree in Information Security.

I have taken the time to map out my short, mid, and long term career goals:

Short term – obtain CISM, finish bachelors, gain more IA knowledge
Mid term – obtain Masters in InfoSec, get management role
Long term – obtain Doctorate in InfoSec, get CISO role – somewhere

Does that sound like a reasonable career path?  In your experience, where should I tweak that plan to give myself a better chance of success?

Signed,

“Is this a good plan, Stan”

Dear Stan:

First of all, let me congratulate you first on passing the CISSP, and next on beginning to think about your overall career plan and career goals.  Let me point out a couple of items that may be of some guidance to you as you continue through your career planning exercise:

You seem to be placing a great deal of emphasis on formal education and certification as the main ingredients to achieving career success.

I applaud you for completing your bachelor’s in information security, and I believe that in today’s world a bachelor’s degree is a critical component of your career foundation, but the Master’s and Doctorate in Information Security may not be the best way to spend your career investment dollars to provide you with the best chance of fulfilling your long-term career goal.  Advanced degrees can be important, if you utilize them to build skills outside of your core competency.  For example, instead of a Master’s in Information Security, you may want to think about pursuing a Master’s degree in a more general business discipline – like Management, Finance, Marketing, or something else that will enhance your current career and help you develop skills beyond information security.

What I would do would be to find a CISO that you respect, and ask them what educational knowledge is important in their current role.  You could also ask them if there is certain knowledge that they wish they possessed that would make their job easier.  Either of these answers should point you in the right direction in determining your best choices for the focus of your advanced education.

Also, regarding your intended pursuit of a Doctorate, I am not quite sure how critical that would be in attaining a CISO role.  A Ph.D. garners a great deal of respect in research, educational, and technical environments, but it also comes with different prejudices in business settings.  I am not saying that this is a bad idea, but you also have to think about the effect that a Ph.D. would have on your personal brand and whether you would like to be associated with the message that it conveys to others.

The other item that I need to point out to you is that what you have created is not a career plan; it is a high-level outline.

The outline that you have provided is a good start to a plan, but it is quite vague.  Yes, your outline has goals, and has some investment milestones, but that is where it ends.  To build a proper information security career plan, you really need to invest the time to dig into the details on the skills, commitment, and sacrifices necessary to attain your ultimate career goal.  It is clear that you recognize that certification and education are important components of your career, but so do your competitors for the CISO role.  Information security career planning is about figuring out the specific skills necessary to attain your long-term career goal, and figuring out how to acquire them through experience, career investments, networking, and personal development.

My advice to you would be to block off an entire day to develop your career plan.  I would tell you to utilize a personal day or a vacation day to do so – considering the importance of this exercise.  Find a place where you can think clearly, without interruptions, and spend some time focusing on yourself, your skills, your interests, and your goals.  If you can come away with a detailed framework for your career, you can spend the next couple of weeks figuring out the best way for you to achieve your desired success.

It is very easy to say “I want to be a CISO”; however, it is much more difficult to put in the work to become one.

Hope this helps,

Lee and Mike

Career Advice Tuesday – Following Up

March 16, 2010

Dear Lee & Mike,

I just came back from RSA with a pile of business cards an inch thick. I know that all of the networking books say that I’m supposed to follow up with everyone I meet. But really? Does anybody really sit down and email all of these people?

What are the ground-rules here?

Networking Newbie

Dear Newbie,

The short answer: “Yes, really”.

While it can be exhausting and overwhelming, following up on the meetings you have at a conference is one of the most important relationship building steps. And your decision to follow up will set you apart from all of those out there who just go to conferences and let all of the valuable contacts that they make fall on the floor.

This doesn’t mean that the process of following up needs to be arduous. While that pile of business cards may seem daunting, it’s entirely possible to follow up with every one of your new contacts over the course of a couple of hours. You don’t need to write a novel to each of the people you met – a simple “hi, great meeting you” is perfectly effective.

Mike works with one of the masters of follow-up, his partner Dean Pace at MAD Security. Dean’s follow ups are the picture of efficiency and effectiveness – when he finishes a conference (like RSA), he sits down on the return flight and writes a quick note to each of the people he met at the conference. A sample of one of his notes is below:

Subject: Nice meeting you
Hi ….,
It was nice meeting you at the RSA show. It is always good to put a face with a name. Let’s keep in touch to see how we may be able to do some business together. Maybe you, Aaron and I could jump on a call one day soon to discuss a plan. Safe Travels!
Cheers,
Dean

That’s about as long as Dean goes. He usually personalizes the note to be about whatever he talked with the person about at the show, but it’s never more than a paragraph or two.

And it’s what sets Dean apart as a great networker. Because people remember the small touches and they come to trust Dean over the years.

The answer to the question is simple: sit down with each of your cards and write a quick email. Don’t pass up the opportunity to make really powerful connections with the people you have just met.

Mike & Lee


Career Advice Tuesday – “First Time Job Changer Seeks Advice”

January 26, 2010

Dear Infosecleaders:

I am hoping for some guidance on how to approach my first professional information security job change.   First, here is some background – I was recruited out of college to go work for the security consulting practice of a Big X firm.   I have spent the past three years working on many different clients and some pretty interesting projects.   In addition to developing some of my technical skills – assessments, forensics, network design – I have also developed some good skills in the area of project management (rudimentary), client presentations, written communication (we write a lot of reports) and verbal communications.

I will say that the Big X experience has been good for me, but I have determined that my long-term career goal lies in working in an internal security program, actually doing security work, as opposed to selling it.

My concern about pursuing a corporate information security career is based on the fact that I fear that a corporate environment may limit my professional growth.  I want to make sure that if I move to a corporate info sec function that I do not get boxed in to performing one task, as opposed to the diversity of challenges that I have experienced in consulting.

Can you help me try to avoid making this mistake?

Signed,

“First Time Job Changer”

Dear “First Timer”:

I believe that for many people the first job change is the most difficult and the one that causes information security professionals the greatest apprehension.   The main reason is that you are choosing to give up the safety and “security” of a position that you enjoy, for the unknown.

I guess that the best thing that I can tell you is that you should not worry if your new job does not work out.  Here are a few reasons why: from what you described, you have developed a good skill foundation that will be valued by other companies (both consulting and corporate); you represent good value (the Big X develops great talent but they pay relatively poorly at junior levels); and you have three years of experience with one respected employer (even if the next job only lasts 6 months, you would not be labeled a job hopper – it will be viewed as simply a mistake).  Hopefully, this will make you breathe a bit easier.

The best way to avoid being “pigeonholed” by your next employer is to make sure that you identify aspects of the employer that will contribute to your professional development and skill diversification.  It will be your responsibility to figure this out in the interview process.

Do not expect the interviewers to willfully divulge this information; you are going to have to make sure that you ask probing questions to get the answers that help you arrive at your conclusion.

The first thing that I would find is an employer where information security is a key component of their business strategy.  Generally speaking, the more seriously an employer takes security, the better it is for the information security professional.  This can be demonstrated by asking questions during your interview about current security initiatives, training budgets, and tools.

The next thing that I would look for would be a company that is either looking to formally develop an information security function or a company that is looking to upgrade their information security posture.   If you can find a company that is building something new, or trying to fix something that is broken – there will be opportunity for you to use more of your skills and take on more responsibility.  Conversely, if you find a company that has a well developed program, they will most likely be relying on you for one specific skill that you possess.  Generally, this is not a bad thing, but for the sake of your question I would avoid these companies.

The last thing that I would look for would be a company that has smart people that you can learn from and emulate.  I would ask your interviewers about their backgrounds, why they enjoy working at the company, and their attitude toward sharing information security knowledge.  You can also see if they are willing to share any stories during the interview about current (or past) information security employees’ career development.  If you can find an environment where you can learn from talented, experienced information security professionals who are willing to share their knowledge with you, it should accelerate your professional development (just like it did in the Big X firm).

After your formal interview is complete, you should do some digging on your own.  You should reach out to your network to see if you can attain a credible, unfiltered, and unbiased account of what it is like to work at the new company.

In closing, the best advice that I can give you (and all first-time job changers) is: do not be afraid to take a chance.  Many first-time job changers look for guarantees (that do not exist) and often reject well-suited career opportunities because they want everything spelled out to them during the interview process.

Whenever you do arrive at your decision to switch positions, make the most of your new opportunity! 

Go with your gut.  Trust your instincts.  Don’t look back. 

Hope this helps and best of luck,

Mike and Lee


Career Advice Tuesday – “Aspiring CISO”

January 19, 2010

Dear Infosecleaders:

I have gone through your blog; it’s fascinating advice you have given to others’ queries.

I am seeking your opinion and help on getting where I really want to go…

My Aim: To be a CISO / CIO.
My Professional Background: Was into BCP / DRP kind of projects most of the time. Little exposure to Information Security.
Education: Commerce, MBA, CISA, now pursuing CISM.
Strengths: Creative, learning, fascinated towards security loopholes, judgemental, and a good devil’s advocate.
Weaknesses: Not a tech pro, but can grasp and understand. No exposure to the practical side of networks, applications, admin, etc.

With the given details, could you guide me and help me as to how I can achieve my goal?  Without practical exposure to the tech side, how feasible is it to get such a role? If not feasible, then what are the areas of improvement and other workarounds, if any… :)

Regards,

The Aspirant

Dear “Aspiring CISO”:

Before we get into the meat of your question, I want to start out by saying that you have the ability to  accomplish any goal that you can set your mind to, if you are willing to put in the hard work in order to achieve it.

It is great that you aspire to be a CISO; if you have goals, they should be big ones.  In addition, I think that it is very important that you have identified your strengths and your weaknesses.  The main weakness that you state is the “lack of exposure to the practical side of technology,” which can be a huge obstacle.  There are some CISO positions that will deemphasize your degree of technical skill, but I would say that having some technical competency will be required to successfully interact with the senior technical stakeholders and inspire confidence in your leadership from your technically focused direct reports.

The best thing about accurately defining your weakness is that you have the ability to do something about it.  This can be done either formally (through education/training) or informally (through reading, webinars, conferences, etc.).  I would begin this process by identifying a few key areas that both interest you and are considered important to the role of CISO.  Set a goal to learn as much as you can about these topics, first in a six-month period, then in a year.  As you learn more about these topics, begin to volunteer your insight to security-related projects in your current position, where you feel comfortable and confident that your opinion would have meaning and potential impact.  If you can do this, you will find that you will be developing some practical experience outside your regular responsibilities.  Due to the background that you have (MBA, CISA, expected CISM) and your “fascination towards security loopholes,” I believe that you will be convincing enough to create this opportunity for yourself.

If you are able to pull this off, you should be able to create some good momentum for yourself when you have the chance to interview for a CISO role.

When you do eventually begin to search for this type of opportunity, I would provide the following guidance.  The first would be to find an organization that will emphasize your non-technical strengths as a more important component of their CISO position.  The second would be to make sure that you can effectively compete with anyone else who possesses similar skills.  The reasoning for this is that if you find an organization that relies on technology for their CISO role, you will be quickly dismissed based upon your degree of technical experience.  In addition, when you are competing for your CISO role (and believe me, there will be a great deal of competition), you want to make sure that you come out on top in any candidate comparison, when it comes to your less technical security skills (policy, compliance, governance, risk, management, etc.) or the intangible skills that you would define as your strengths.  In closing, in addition to developing your weakness, make sure that you spend additional time enhancing your competencies.

Beauty is in the eye of the beholder, and there are many skills that comprise effective CISOs.  You just need to find someone who thinks that you are beautiful – and the right person for their CISO role.

Keep following your dreams and pursuing your goal!

Hope this helps,

Lee and Mike
