Career Advice Tuesday – “Biting Off More Than I Can Chew”

August 14, 2012

Dear Infosecleaders:

I have been working in the IT industry for many years and have been dabbling in the Information Security realm for about 5 years now, but am having a hard time getting the experience I would like.

I was recently asked by a friend to help with a side job which required a Security Assessment to be performed. I have never had to perform a Security Assessment, so I am a little hesitant about making the jump, because if I accept the assignment, I want to do it correctly.

I’m not one of those guys who will take the job if I do not believe I can perform it correctly. I do not want to be put in a position where I do a crappy job due to the fact that I do not know what I am doing.

How do I get the experience I would like, so I can take “jobs” like this one with confidence? I have a good reputation and I want to keep it that way.

I would be grateful for any advice you could give.


“Biting Off More Than I Can Chew”


Dear “Big Mouth”:

I agree with your sentiments. You only have one reputation, and anything that you do that detracts from your reputation will stay with you through the course of your career. In the end, your work is a reflection of you, and it eventually will define you and become your “brand”.

I give you a good deal of credit for having the integrity to know that this position may be beyond your scope of knowledge and “more than you can chew” at this point in your career.

I can offer you a couple of different options –

1) I would ask your friend if they would be open to you “sub-contracting” the assignment to someone that you trust. If they say that is OK, you could ask around your network or on Twitter whether anyone is interested in a consulting assignment, with the caveat that if they take the job, they will let you shadow them on the assignment and teach you. This could be the best way to get practical experience: in essence you learn, and someone else gets the revenue from the assignment. This would be viewed as quite an even trade!

2) Another option would be to get formalized hands-on training. Now, I do realize that if you did take training, you would not be ready for this current assignment; however, with some foresight this could give you the confidence to know that you would do a good job the next time that you get the opportunity to perform this type of work.

The key to this is to get “hands-on” training, not just some certification, that will give you the confidence that you will do the job correctly. Understand that you are doing this for yourself, not for someone else who is evaluating the value of the certification and using it to judge your competency. In this case, you need to overcome your fear of failure: practical experience, even in a training or lab environment, should enable you to simulate a real-world “assessment”. It may not be live, but it is the next best thing.

With the right training, you should be able to do a “good job” on future assessments, and when you do, you can be sure that you will get additional opportunities to practice your craft.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Career Investments, Networking, Planning, Skills, Uncategorized | Comments Off 

Career Advice Tuesday – “A Little Nudge”

May 22, 2012

Dear Infosecleaders:

I have been searching on my own for employment as an information security architect for the past couple of months, and I am hoping that you can help me with the mechanics of my job search.

First of all, in a former life I ran security architecture for a notable financial services institution and most recently served as a technical security architect for a professional services and information security product company. My skills are current, my compensation requests are reasonable, and I have very good references.

The main reason that I am looking for work is that the travel associated with my current role is just no longer conducive to my family situation and the life that my wife and I would like to lead with our young children.

Through a colleague, I was introduced to the hiring manager at a pretty well known company with some interesting technologies that align with my skills. Upon introduction, I both spoke and met with the hiring manager within a week, was told that I was a good fit, and that I would be engaged by HR to complete the interview process. A week later, I had a brief 15 minute phone call with HR, which went well (not much was discussed), and was told that a final interview would be scheduled for the following week.

Well, that was about 30 days ago.   I have not heard back from them.  But, I have heard from another company (a distant second choice) and I have been told that they are going to be making an offer within the next week.

Do you have any advice as to how to (re)-engage the initial firm and help get me to the finish line – and to understand if they are going to want to hire me or not?


The Waiting Place


Dear Mordecai van Allen O’Shea:

The answer to your question is simple: you need to write an e-mail to the hiring manager explaining the situation and ask for their help and guidance. In the letter you should state the following:

1)   Your last discussion with HR was 30 days ago

2)   It was left that you would be contacted about setting up a final interview

3)   You have a real interest in the role

4)   You have another suitor, who albeit worthy, is not your first choice

5)   You will need to make a decision in the next 10 business days.  (This gives them time to react)

First, the reason that you send the e-mail (initially) is so that the note may be forwarded to others in the company. (You should follow up with a phone call, for a personal touch.) Second, there is nothing wrong with giving your potential employer the courtesy of a reminder of your candidacy, and providing them with an understanding that you will not be waiting around forever for them to execute. Finally, the goal of this letter is to inspire an action: either a message that they will be scheduling the final interview, or some notification that you are no longer in consideration. By gaining an understanding of this, you can figure out how to deal with the other suitor, and manage the remainder of your job search.

I guess the best thing to share with you is that sometimes people get sidetracked, interview processes get mismanaged, and recruiting takes a back seat to other pressing issues.

You should not be offended by this, and do not take this personally.

Sending a friendly and polite reminder, to inspire an action, is perfectly acceptable, especially if it is handled with tact and respect and gets you to the Places That You Want to Go!

Hopefully this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Position Selection, Recruiting, Uncategorized | Comments Off 

Career Advice Tuesday – Why Info Sec Positions Go Unfilled

May 15, 2012

Dear Infosecleaders Readers-

Below you will find the unedited version of my latest article for Tech Target/Search Security – Information Security Magazine.  The article is designed to shed some light as to why companies have such a difficult time in filling information security roles.

Let me know what you think.

Lee Kushner


Why Information Security Positions Go Unfilled


While the national unemployment rate has been holding steady between 8-9%, information security professionals have been enjoying newfound prosperity. Until recently, the information security function primarily held importance to industries whose success and market perception were tied directly to their customers’ trust, like financial services and the federal government. Due to a unique combination of technological innovation, increased regulatory scrutiny, external threats, and social activism, corporations in industries that have traditionally ignored information security have begun to realize that the development of a competent information security function is a worthwhile and necessary investment.


When companies recognize that they are going to make this type of organizational commitment, their first order of business is to find competent information security talent to bridge the talent gap and address these issues. However, finding and attracting competent information security professionals to a new position is a lot more difficult than it appears. Companies quickly learn that the same strategies and processes that they apply to filling more generic business and technology roles do not necessarily translate to the recruitment of information security professionals. It is important for organizations and information security leaders to comprehend why information security positions go unfilled, so that they can make the proper adjustments to attract and hire this talent in a reasonable time frame.


The primary impediment to filling information security positions is geography. In many cases, the talent and skills alone would be difficult to find; however, the need for an employee to be based in a certain location significantly impacts the depth of the candidate pool. For example, although the NY Metro area is filled with companies, positions based in locations like Long Island, Central New Jersey, and Southern Connecticut will greatly reduce the candidate pool due to commuting time. Conversely, there are many information security professionals who would not want to incur the additional cost of commuting into Manhattan. In the past, companies were much more amenable to relocating candidates to fill positions; however, the economic events and the housing bubble have greatly reduced both people’s ability to relocate and companies’ willingness to subsidize these costs. In general, companies’ relocation packages have become less encompassing, saddling the candidate with additional expenditures if they decide to accept an opportunity and relocate. In these instances, the candidate simply cannot afford to accept the position, even though it aligns with their career plan and professional development.


The next major component in the breakdown of a recruitment process is in the area of compensation. When corporations are determining the compensation value of their job openings, they traditionally consult specialized market research firms that provide them with this information. This compensation information generally equates to what the candidate, with the skills, already in the position should be paid. While this should serve as a good baseline, it does not take into consideration the recruitment premium that an information security professional, currently performing a similar role at a similar organization, would need to leave the comfort of their existing environment. For example, if a Senior Information Security Architect is earning “X” in their current role, the market data may be correct and instruct you to price the position at “X”. However, in order to be successful in attracting the Senior Security Architect to your team, you will need to price that position at “X + 10-20%”. In addition, many times compensation packages neglect to address existing financial and non-financial benefits associated with tenure at a current employer. Because money is fungible, financial benefits are more easily replaceable; however, non-financial benefits are often more difficult to address. Information security professionals can place greater value on vacation time, flexible work hours, and telecommuting, and may be unwilling to relinquish these benefits. Corporate human resource policies may not allow you the flexibility to provide alternatives for these privileges.


An additional compensation based reason that information security positions go unfilled is due to internal equity.   Internal equity is the belief that any new employee’s compensation cannot be significantly more than their functional or organizational peers.   It is the information security leader’s responsibility to both address this within their teams and to educate their human resources staff  about the uniqueness of the skill combinations that they are attempting to recruit.


Before any major recruitment initiative, the information security leader must partner with human resources and perform a market based assessment of the skills and functions already performed by current information security team members. The question that should be asked is, “If I had to replace that person, what would I have to pay them?” In addition, information security leaders should be aware of the value of their employees’ skills in the marketplace, and be proactive in their approach to aligning their compensation with both their internal contributions and external value.


In addition, it is commonplace for human resources teams to align information security compensation with other technical functions like network engineers, systems administrators, or software developers. It is essential for information security leadership to sit down with human resources and articulate to them why the skill combinations associated with the roles that they are attempting to fill are more complex and scarce than these technical resources. The information security leader should have a great deal of incentive to win this argument, because if the compensation packages are insufficient, positions will remain open for long periods of time or will be filled with substandard talent.


While these factors contribute to unsuccessful recruitment processes, the primary reason that positions go unfilled is the failure of the information security leader (hiring authority) to think like the candidate that they are attempting to attract. All information security leaders at one time had to interview for a job. It can be assumed that when they contemplated their last job change, they created a list of criteria that became key factors in their decision making process. Some of these factors will include the commitment of the organization, the level of responsibility associated with the role, the career path for the position, professional development opportunities, title, and compensation. In summary, most likely they changed positions because the new opportunity represented increased opportunity and personal satisfaction. Often, information security leaders forget their own motivations, and ignore the fact that their applicant pool is driven by similar forces.


One of the biggest mistakes is that hiring managers only focus on their organizational “need” as opposed to taking into consideration what the applicant “wants”. When information security leaders begin designing their job descriptions, it is essential that they understand the appeal of the opportunity and what types of candidates it will attract. When they conduct their interview process, they should be taking into consideration the candidate’s point of view, and determine if the position and the environment can serve as the framework for their candidate to accomplish their professional goals and develop their information security career. By viewing the position from the candidate’s perspective, information security leaders will find themselves prepared to communicate the merits of the position during a recruitment process, which should make a positive impact on the candidate’s interpretation of the career opportunity.


One of the best ways to evaluate leadership is by the caliber of the people with whom they surround themselves. Attracting top information security talent to your team can be both time consuming and frustrating. Building an effective recruitment strategy, addressing potential obstacles, building organizational partnerships and understanding the motivations of your future employees are key ingredients to efficiently filling your information security openings.

Posted by lee | Filed Under Advice, Career Advice Tuesday, Interviewing, Leadership, Recruiting, Security Industry, Skills, Uncategorized | 5 Comments 

Career Advice Tuesday – “Better Job, Less $$$”

April 24, 2012

Dear Infosecleaders:

I wanted to ask a question about compensation as it relates to an opportunity that I am currently pursuing.  First I would like to describe my current situation –

Right now I have a position that I do not enjoy very much.  I work as an identity and access management consultant where I implement enterprise technologies at large companies.  I have been working in this capacity for the past five years.  I travel a great deal (about 80%) – basically every Monday through Thursday.

Due to a combination of my technical skills, my willingness to travel, and my ability to communicate to senior management at my clients I have been paid quite well.  My current compensation is about 200K.  In addition, since I have been traveling so much, I have been able to reduce my living expenses considerably allowing me to save about 300K.

Recently my life has changed a bit.  I have met someone and I want to settle down and find a position that allows me to stay in one place and at the same time challenges me.   Through my network of friends and colleagues, I have located a position that accomplishes these objectives.

There is one catch.  The compensation.

The position pays  a salary of 135K and does not have a bonus. 

I would really like to accept the position but I am having a hard time getting over this hurdle. In addition, I am not sure how to answer the employer’s question about my willingness to accept 1/3 less compensation than my current role.

Any advice would be appreciated,

Settling Dan


Dear Dan:

Let me answer your second question first – the best way to answer your future employer about your willingness to accept considerably less compensation is honestly.    I would explain to them very simply that you understood that your past role was more of a 1099 assignment as opposed to a full time position – where you were receiving a 33% premium for your skill and willingness to live on an airplane.

You should explain to them that you had come to terms with yourself that you were going to sacrifice your personal life in exchange for the ability to save money and develop skills. In addition, you can explain to them that by being financially responsible you have put yourself in a situation where you could focus on your career, and not be as concerned about money. If you would like, you could also explain to them that you have met a significant other, and your desire to spend more time with your partner outweighs your desire to earn an additional 65K.

This being said, you need to make sure that you are careful to let your future employer know that your drive and your desire to produce excellent results remains with you, and that your work ethic will not change, although you have more of a financial cushion.  The best way to do this would be to demonstrate some examples from your past that can illustrate this characteristic in both personal and professional environments.

To answer your question about money, my feeling is that this is a very personal choice and one that you, yourself, will need to deal with and come to terms with. 65K is a large sum of money; however, the only positions that will enable you to maintain your compensation will be ones that place you in the same environment as your current role.

If you are offered the role, (before you accept it) – I would like for you to make a list of the things in your life that you will be able to take advantage of with the new role, and to make a list of the things that you will be giving up without the 65K.  In addition, you should also look five and ten years into the future, to see if by accepting this new role, you can place yourself on a trajectory to recapture these earnings in the future.

In the end, if you want to, you can always get back on the airplane, and do the consulting.  My advice is to make the most of your relationship, and to see if you can excel in a new environment better suited for your new life.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Career Advice Tuesday, Compensation, Position Selection, Skills, Uncategorized | Comments Off 

Infosecleaders at #BSidesSF

February 27, 2012

Good morning Infosecleaders community!

I am looking forward to an exciting two days at Security BSides, and meeting many of you whom I have communicated with about your Information Security careers over the past year(s).

If you are not in attendance, you can view my presentations and all of the content at #BSidesSF live stream:
Track 1 -
Track 2 –

My presentations are scheduled as follows:

Monday (Today) February 27 – Track 1 – 9:40 PST/12:40 EDT – 10:00 PST/1:00 EDT

B-Sides Welcome Address –

It is such an honor to have been asked by the folks at B-Sides to give the welcome address.  I plan to share some of my thoughts about the importance of community in the development of a successful Information Security Career.

Tuesday – February 28th    Track 2    – 11:00AM PST/ 2:00PM EDT – 12 noon PST/3:00PM EDT

The Other Side of The Desk: Different Perspectives on The Interviewing/Recruitment Process  -

Lenny Zeltser and I take a look at the recruitment and hiring process from two unique angles – the hiring manager (Lenny) and the information security professional/ job candidate (Lee).  The presentation is designed to provide the attendees some insight into the minds of the other party – in the simultaneous pursuit of talent and opportunity.

Tuesday – February 28th   Tracks 1 and 2    Career Advice Tuesday  – Live

12 noon PST/3:00PM EDT – 1PM PST/4:00PM EDT

This is the opportunity to ask your information security career questions live.  You can ask them either as yourself or anonymously – and I will answer them live.  If you would like to ask your questions prior to the sessions -  follow these instructions – or come see me at BSides today.

Enjoy the Conference.  Make the Most of It!

Lee Kushner

Posted by lee | Filed Under "The Other Side of The Desk", Advice, Behavior, Personal, Position Selection, Presentation, Recruiting, Security Industry, Skills | Comments Off 

Career Advice Tuesday “RFQ” – Request For Questions – Streaming Live From #BSidesSF

February 26, 2012

I would like the Infosecleaders community to know that I will be hosting a session of Career Advice Tuesday – “Live” – from SF Security B-Sides. The session will take place at 12:00 noon (PST) on Tuesday, February 28th.

In addition to accepting questions from the B-Sides attendees, I would like to give any Infosecleaders community members the opportunity to ask their career related questions, so that they may be shared with the audience. From what I understand the session will be streamed live from B-Sides.

Questions can include any Information Security career related topics – career planning, position selection, professional development, career investments, brand building, compensation, relationship with management – or anything else that may be appropriate.

Questions can be asked via any of the following methods:

Go to the Infosecleaders Website and go to “Ask Lee and Mike”
Tweet or DM to @ljkush or @SecurityBSides
E-mail :

If you would like for your question to be asked anonymously, or if you would like to create your own pseudonym (as many of you have) please feel free to do so.

Thank you in advance for your participation. If you are in attendance at either B-Sides or RSA (Booth 650), please make sure that you come by and introduce yourself.

Posted by lee | Filed Under Advice, Career Advice Tuesday, Presentation, Security Industry, Social Media | 1 Comment 

CAT – Clearing Some Things Up – Advice and Predictions for 2012

January 3, 2012

Recently, I was cited in an article for Search Security, where I was asked about my opinions on the information security industry employment market for 2012. I will say that the author did not misquote me at all; however, upon reading the article I felt that it was necessary to clear up some things that I found inaccurate, and I wanted to make sure that the audience knows exactly where I stand on the topics covered.

Here are my thoughts:

While I agree that Mobile Security is going to be an information security skill in demand, I do not believe it is the only skill that companies will look for in 2012. Have no fear – companies will still have a high level of demand for knowledge in the areas of Cloud, GRC, SIEM, DLP, PCI, Software Security, Identity Management, and overall IT Risk Management. In addition, while I do believe that it is a good idea to have a blend of technology and business skills, there is still a very strong market for information security professionals that have hard core technical skills, and that should never be forgotten or overlooked. The technical information security professionals with developed knowledge and enterprise experience in securing networks, operating systems, applications and databases will do just fine as well. Also, all of the penetration testers out there can sleep easy: your skills will still be needed and remain in demand.

Below you will find my biggest objection – and probably the information that I find to be the most inaccurate.

Here are my disclaimers -

I would like to state that I do not personally know Mr. Snyder, nor have I had any dealings with him.  

I have read his blog on a number of occasions, and I find his perspectives to be both unique and entertaining.

To my knowledge, Mr. Snyder and my firm do not compete within any of my recruitment customers, and although we are in the same profession and industry, our paths do not seem to cross, except when quoted in articles about information security careers.

As per the author of the Tech Target article – please find a quote from Mr. Snyder -

“When companies are using a search firm to fill a position, then they’re going to usually expect that a candidate’s going to have industry experience,” he said. “In other words, if it’s a bank, they want someone who’s coming out of a bank; if it’s a retailer, they want someone coming out of retail; and if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.”  – Jeff Snyder

The Accuracy

The main point of the quote is accurate.  When companies are looking to find information security leaders, independent of the source, they ideally would like to locate people who possess applicable industry knowledge.  This is generally one of the core criteria of an information security leadership or CISO level search.

Like Mr. Snyder points out – a retail organization would ideally like to hire an information security professional who understands the information security challenges that a retail business faces and who has experience solving those problems.   You can apply the same logic to industries that include health care, high technology, manufacturing, financial services, media and entertainment, and any other business.

The Inaccuracy -

Mr. Snyder’s quote implies that a company has more stringent requirements when they engage an executive search firm. His statement that “…..if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.” can be interpreted in a way that leads information security professionals to believe that they can afford to be less qualified if they decide to apply for positions on their own, and not through an executive search firm.


First of all, the decision to engage an executive search firm is generally based on a company’s desire to ensure that they get access to a qualified candidate pool in a time efficient manner. The business decision to engage a search firm is the same type of decision making methodology that can be applied to engaging a professional services firm to provide a service that the company does not believe that they can perform effectively with internal resources. The budgets for engaging executive search firms either come from a general corporate budget or from a specific business unit who can justify the value and the return on investment for the cost associated with the search firm’s fee. In addition, the amount of the search fee does not have any impact on the compensation offered to the candidate.

Mr. Snyder is correct in his inference that when companies engage an executive search firm, they are expecting to get value for their dollars. This will take the form of industry intelligence, compensation data, a professionally managed recruitment process, and eventually the placement of a successful candidate to fill the duties of the information security leadership role. In exchange for money, the companies are going to expect an executive recruitment firm to deliver a candidate who is going to match the key criteria that they have outlined for the position.

Just like anyone who pays for a service, companies who engage executive search firms have the right to have realistic expectations of competence and results when retaining them to help fill a position.  However, in my 15 years of experience, I have never witnessed a situation where a company that is committed to recruiting the correct information security leader, will agree to hire a less competent candidate, solely because they were introduced to them directly, and not through an executive search process.

In 2012, and in the future, competition for Information Security leadership roles is going to intensify. Companies are going to continue to set the bar high for finding the correct talent match, no matter what method they select to recruit for these positions. In addition, the more influence and importance that an information security role has to an organization, the more detailed the requirements will be and the more demanding the interview process.

To all current and aspiring information security leaders, for 2012, I am urging you to take a proactive approach to developing a career plan, honing your skills, investing in yourself, and making wise choices about selecting the right positions to help accomplish your career and life goals.

Happy and Healthy New Year,

Lee Kushner




Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Leadership, Recruiting, Security Industry, Skills, Uncategorized | 1 Comment 

Career Advice Tuesday – “Eight Is Enough”

September 13, 2011

Dear Infosecleaders:

I am writing to ask you a question about my current interview process and I hope that you can help.   To provide some context, I am interviewing for a senior information security management role, and the compensation package is targeted around 200K.

The crux of my issue is that my interview process has been going on for an extended period and I am losing my patience. Over the past two months I have utilized four vacation days, missed parts of five days off of work, gone on a total of eight interviews (in person and via phone), met with over 15 people (from infosec engineers to executive management), and have subjected myself to a half day of psychological testing, and I still do not know where I stand.

It has been a week since my last meeting and I have not received any communication from my potential “future” employer.   It has really left me confused and frustrated, which leads to my questions:

First, how can I get an answer from the company? Next, if they offer me the position, do I really want it? How should I interpret this behavior? Should I doubt their confidence in my ability to perform in the role?

Any help I can get would be appreciated.


Dick Van Patten


Dear Dick:

The first thing I would tell you is that a lengthy interview process for a CISO or an Information Security leadership position is commonplace.  It is often difficult to coordinate schedules for the necessary decision makers, especially during the summer time months when many are on vacation.

All this being said, eight separate interviews is excessive.  I think that it is important for all “candidates” to make themselves available for interviews, but to communicate to the hiring party that it is their expectation that their time be maximized when scheduling.

I will also say this: when a senior candidate is “too accommodating” and always adjusts their calendar to accommodate the interviewers, it is sometimes interpreted as a sign of weakness by senior-level decision makers.

As far as interpreting this behavior, I think that you were fine, until the last delay in your process. When you are receiving “dead air” from the hiring party after 8 interviews and a week since your last conversation, you are most likely either going to be rejected, or they are stalling you, waiting for a decision from another candidate whom they like better.    It is the lack of information that should be very concerning, and should serve as an indication that they are not sure that you are the correct fit, or they believe that there are better options.   In the end, if they do hire you, and you do not live up to expectations or if there is a security issue, they are going to second-guess themselves, and more than likely “reevaluate” your hiring.

As far as forcing a decision, I think it becomes a question of how assertive you would like to be, and if you would like to regain control over the interview process – independent of the outcome.  At this point, I do not believe you have anything to lose.

If you really want to know how they feel about you, call the internal HR person until you speak with them, and let them know that you need to have an answer, based on a new development in your current position.  Tell them that you will need to have an answer on their direction “by the end of the week”, or you will have to remove yourself from consideration.

I do believe that by doing this, you are going to receive closure, and they will either reveal the truth (that you are a second choice), or that they do not believe that you are the right person for their role.

Again, without knowing all the details or the hiring party, I cannot be 100% accurate, but based on my experience this is the best guidance that I am able to provide.

Good luck in your continued pursuits.   Let us know the outcome.

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday, Interviewing, Position Selection, Recruiting, Uncategorized | 1 Comment 

Career Advice Tuesday – “Fork In The Road”

August 30, 2011

Due to the Hurricane, we are publishing a Career Advice Tuesday that we wrote for Tech Target – and our monthly advice column.  Below you will find the unedited version of our column.

Dear InfoSec Leaders:

I am writing to you with the hope of getting some career advice. I am a consultant for one of the leading security vendors’ GRC products. I help customers set up their compliance programs with the product as the backbone. It’s been about 4 years of doing this and I now feel it’s time for a change. My career goal is to become a CISO someday and I want to work towards that. I have two very different job opportunities and would like your thoughts as to which one aligns well with my goals.

One is that of a Product Manager with the same vendor for the same product. The position will give me immense exposure to senior security management folks across customers. It will also help me gain an understanding of their GRC efforts and pain points. The other position is that of a Security Architect with a large retailer. This team has been recently formed in the organization and is doing some exciting stuff. This position could possibly give me exposure across different security areas beyond GRC. Both these positions have pros and cons; e.g., I’m not sure if staying with a vendor is a good career move or if the other side of the table is a better option.

As you can tell, I have a lot of questions and very few convincing answers. I’m not sure if I should specialize in the GRC space (via the vendor) or gain exposure to have a holistic view of security.

I’d appreciate any words of wisdom you can send my way.


“Fork in the Road”

Dear Fork:

Please understand that before we start, the advice that we are giving is based exclusively on the information that you have provided to us in your note, and that we do not have any additional background.

Based on your career goal to become a CISO, we believe that it would be best for you to leave the product arena and accept the job as an Information Security Architect with the large retailer’s recently formed team.   Our answer is based on the following reasons that coincide with your long-term career goal.

1)   The group is newly formed

When someone tells us this, the first thing that comes to mind is opportunity.  Newly formed information security functions generally provide information security professionals with opportunities to leverage their current areas of expertise (in your case GRC) to develop broader skills in other areas.   The biggest mistake that many infosec pros make when entering an organization in this state is to limit their contributions to their “job description”; an opportunity like the one that you described should provide you with the framework to push yourself to develop new areas of expertise, as opposed to limiting yourself to the world of GRC.

2)   Retail experience should be valuable in the future

Due to the importance of PCI, many retailers and e-tailers are placing increased emphasis on and dedicating additional resources toward information security programs.   Currently, many retailers are not making past “retail” experience a job requirement; however, this will most likely change in the next few years.  Having this industry knowledge as part of your skill matrix could become a differentiating factor when looking at the next step in your career.

3)   Product Management is not a requirement to become a CISO

There is no doubt that working as a Product Manager will help you develop skills that could be advantageous as a CISO – including customer skills, presentation skills, sales skills, market knowledge, and subject matter expertise.   However, when making a transition toward a CISO career path, you will encounter people in the hiring process who will have built-in prejudices against hiring candidates who come from the “Product/Vendor” side at a high entry point.   For you to make this direct transition, you are going to have to find yourself a forward-thinking CISO who will value this experience, and believe that the skills of a Product Manager will directly translate to their environment.   Our belief is that if you remain as a Product Manager, you will eventually have to make the transition toward an internal infosec role (in your case – architect) at some point in time, so why delay?   You have the opportunity in front of you; now is the time to determine if transitioning to a corporate information security function is right for you.

Again, our advice is based exclusively on the information that you have provided in your note, and on generalities.

If you would like to contact us directly via phone to discuss your particular circumstances we welcome you to do so.

Good luck in making your decision.

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday, Planning, Position Selection, Security Industry, Skills, Uncategorized | Comments Off 

Career Advice Tuesday – “How Is The Market”

August 23, 2011

This Career Advice Tuesday is an article that we wrote for Tech Target and Information Security Magazine’s July issue; the article tackles the subject of how to determine the market value of your skills.

“Your Information Security Career and the Job Market” — Tech Target – July 2011 – Editor Michael Mimoso

Working as an information security recruiter and career advisor, many of my conversations begin with the question, “How is the market?”  While the question at face value appears to be simple, the answer is complex, and greatly dependent on variables uniquely associated with the individual.

Information security professionals possess many different skill combinations. Some refer to themselves as generalists, having broad knowledge that includes technical, organizational and management skills. Others categorize themselves as specialists or subject matter experts who have deep expertise in a discipline such as penetration testing, network security, application security or forensics. Just as there are a variety of skill profiles, there are a variety of markets for these individuals and their information security careers. These markets are driven by two external factors: broader-based technology trends, and locally based corporate and industry trends. Broader market trends for information security professionals often involve the emergence of new technology trends that drive demand for specific talent.  Technical trends enhance the market for subject matter experts and have little effect on generalists.

The emergence and importance of Web-based applications is an example of a recent business trend driving the market for Web application penetration testers. The emergence of this broader market force drove up the value and demand for information security professionals with these specific Web application testing skills and technical foundations, and, conversely, drove down the demand and compensation for traditional network penetration testers. (Understand that a global trend will rarely affect industry-leading talent.) Traditional network penetration testers who recognized this and were capable of learning Web application testing skills were able to make the adjustment and create additional value because of their skill blend. In turn, they created a secondary market, based on their skill combination. On the other hand, traditional network penetration testers who decided not to adapt or were not capable, have seen the market for their skills shrink dramatically.

Currently, some of the emerging global information security technology trends include the implementation of security information and event management tools, data loss prevention tools, cloud computing, software security and protecting companies against advanced persistent threats.  In all of these skill disciplines, there are more ongoing projects than there are competent security professionals to execute upon them. Information security professionals who have documented successful experience with these technologies currently have the luxury of a strong employment market.

Another prime market driver for information security professionals is industry trends.  Over the last few years, companies have become more exposed to the consequences of not protecting their data and their customer information. Through breach notification legislation, regulations (primarily PCI DSS), hacktivism and the media, information security concerns have moved to the forefront of many businesses that have never properly invested in the development of an information security program.

When companies begin to formally commit to the construction of an information security program, or make the decision to upgrade their existing programs, professionals with broader information security skills generally stand to benefit. In these types of scenarios, companies are most concerned about securing their businesses and managing risk, and are prone to hire information security leaders who can help ingrain information security into the fabric of the business.  Information security professionals who have specific industry knowledge, and excellent communication skills, generally can benefit from these situations.

Broader forces influence the market at large for information security professionals, but the individual determines their career market.  Although skills are the most important component of the equation, personal factors ultimately play an equal role in determining the market for your skills. Many times, in order to advance your information security career and maximize your skills, you need to be willing to make some sacrifices that include travel, additional commuting and relocation.  Many information security professionals find there is a market for their skills, but the required personal sacrifices prohibit them from recognizing the market opportunity.

If I had to answer the initial question, I would say the overall market for information security professionals is quite healthy.  The combination of the pent-up demand created by the economic slowdown and the continued emergence of information security as a business enabler and differentiator has provided a rebirth of opportunity for highly skilled information security professionals. However, many of these newly created positions come with increased personal demands, including long work hours, extensive travel and a high level of scrutiny.

As in the past, you are the determining factor for the market for your skills. Competition, both in the present and the future, will continue to increase, and the proactive management of your information security career, through continued skill development and by making strategic career investments, is the only way to ensure the market for your skills remains strong.

Love to hear your thoughts.

Lee and Mike


Posted by lee | Filed Under Uncategorized | Comments Off 
