Here are my thoughts:

While I agree that Mobile Security is going to be an information security skill in demand, I do not believe it is the only skill that companies will look for in 2012.   Have no fear – companies will still have a high level of demand for knowledge in the areas of Cloud, GRC, SIEM, DLP, PCI, Software Security, Identity Management, and overall IT Risk Management.  In addition, while I do believe that it is a good idea to have a blend of technology and business skills, there is still a very strong market for information security professionals that have hard core technical skills – and that should never be forgotten or overlooked.  The technical information security professionals with developed knowledge and enterprise experience in securing networks, operating systems, applications and databases will do just fine as well.  Also, all of the penetration testers out there can sleep easy your skills will still be needed and remain in demand.
Below you will find my biggest objection – and probably the information that I find to be the most inaccurate.

Here are my disclaimers -

I would like to state that I do not personally know Mr. Snyder, nor have I had any dealings with him.  

I have read his securityrecruiter.com blog on a number of occasions, and I find his perspectives to be both unique and entertaining.

To my knowledge, Mr. Snyder and my firm do not compete within any of my recruitment customers, and although we are in the same profession and industry, our paths do not seem to cross, except when quoted in articles about information security careers.

As per the author of the Tech Target article – please find a quote from Mr. Snyder -

“When companies are using a search firm to fill a position, then they’re going to usually expect that a candidate’s going to have industry experience,” he said. “In other words, if it’s a bank, they want someone who’s coming out of a bank; if it’s a retailer, they want someone coming out of retail; and if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.”  – Jeff Snyder

The Accuracy

The main point of the quote is accurate.  When companies are looking to find information security leaders, independent of the source, they ideally would like to locate people who possess applicable industry knowledge.  This is generally one of the core criteria of an information security leadership or CISO level search.

Like Mr. Snyder points out – a retail organization would ideally like to hire an information security professional who understands the information security challenges that a retail business faces and who has experience solving those problems.   You can apply the same logic to industries that include health care, high technology, manufacturing, financial services, media and entertainment, and any other business.

The Inaccuracy -

Mr. Snyder’s quote infers that a company has more stringent requirements when they engage an executive search firm.   His statement that  ” …..if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.”  - can be interpreted in a way that leads information security professionals to believe that they can afford to be less qualified, if they decide to apply for positions on their own – and not through an executive search firm.

THIS IS DEAD WRONG

First of all, the decision to engage an executive search firm is generally based on a company’s desire to insure that they get access to a qualified candidate pool in a time efficient manner.  The business decision to engage a search firm is the same type of decision making methodology that can be applied to engaging a professional services firm to provide a service that the company does not believe that they can perform effectively with internal resources.  The budgets for engaging executive search firms either come from a general corporate budget or from a specific business unit who can justify the value and the return on investment for the cost associated with the search firm’s fee.    In addition, the amount of the search fee does not have any impact on the compensation offered to the candidate.

Mr. Snyder is correct in his inference, that when companies engage an executive search firm, they are expecting to get value for their dollars.  This will take the form of, industry intelligence, compensation data, a professionally managed recruitment process, and eventually the placement of a successful candidate to fill the duties of the information security leadership role.   In exchange for money, the companies are going to expect an executive recruitment firm to deliver a candidate who is going to match the key criteria that they have outlined for the position.

Just like anyone who pays for a service, companies who engage executive search firms have the right to have realistic expectations of competence and results when retaining them to help fill a position.  However, in my 15 years of experience, I have never witnessed a situation where a company that is committed to recruiting the correct information security leader, will agree to hire a less competent candidate, solely because they were introduced to them directly, and not through an executive search process.

In 2012, and in the future, completion for Information Security leadership roles is going to intensify,  Companies are going to continue set the bar high for finding the correct  talent match, no matter what method they select to recruit for these positions.  In addition, the more influence and importance that an information security role has to an organization, the more detailed the requirements will be and the more demanding the interview process.

To all current and aspiring information security leaders, for 2012, I am urging you to take a proactive approach to developing a career plan, honing your skills, investing in yourself, and make wise choices about selecting the right positions to help accomplish your career and life goals.

Happy and Healthy New Year,

Lee Kushner

I am writing to ask you a question about my current interview process and I hope that you can help.   To provide some context, I am interviewing for a senior information security management role, and the compensation package is targeted around 200K.

The crux of my issue is that my interview process has been going on for an extended and I am losing my patience.   Over the past two months I have utilized four vacation days, missed parts of five days off of work,  gone on a total of eight interviews (in person and via phone), met with over 15 people (from infosec engineers to executive management), and have subjected myself to a half day of psychological testing, and I still do not know where I stand.

It has been a week since my last meeting and I have not received any communication from my potential “future” employer.   It has really left me confused and frustrated, which leads to my questions:

First, how can I get an answer from the company?  Next, if they offer me the position, do I really want it?  How should I interpret this behavior?  Should I doubt their confidence in my ability to do perform in the role?

Any help I can get would be appreciated.

Signed,

Dick Van Patten

Dear Dick:

The first thing I would tell you is that a lengthy interview process for a CISO or an Information Security leadership position is commonplace.  It is often difficult to coordinate schedules for the necessary decision makers, especially during the summer time months when many are on vacation.

All this being said, eight separate interviews is excessive.  I think that it is important for all “candidates” to make themselves available for interviews, but to communicate to the hiring party, that it is their expectation that their time be maximized when scheduling.

I will also say this, that when a senior candidate is “too accommodating” and always adjusts their calendars to accommodate the interviewers, it is sometimes interpreted as a sign of weakness senior level decision makers.

As far as interpreting this behavior, I think that you were fine, until the last delay in your process. When you are receiving “dead air” from the hiring party after 8 interviews and a week since your last conversation, you are most likely either going to be rejected, or they are stalling you, waiting for a decision from another candidate, whom they like better.    It is the lack of information that should be very concerning, and should serve as an indication that they are not sure that you are the correct fit, or they believe that there are better options.   In the end, if they do hire you, and your do not live up to expectations or if there is a security issue, they are going to second guess themselves, and more than likely “reevaluate” your hiring.

As far as forcing a decision, I think it becomes a question of how assertive you would like to be, and if you would like to regain control over the interview process – independent of the outcome.  At this point, I do not believe you have anything to lose.

If you really want to know how they feel about you, call the internal HR person until you speak with them, and let them know that you need to have an answer, based on a new development in your current position.  Tell them that you will need to have an answer on their direction “by the end of the week”, or you will have to remove yourself from consideration.

I do believe that by doing this, you are going to receive closure, and they will either reveal the truth (that you are a second choice), or that they do not believe that you are the right person for their role.

Again, without knowing all the details or the hiring party, I cannot be 100% accurate, but based on my experience this is the best guidance that I am able to provide.

Good luck in your continued pursuits.   Let us know the outcome.

Lee and Mike

Dear InfoSec Leaders:

I am writing to you with the hope of getting some career advice. I am consultant for one of the leading security vendors’ GRC products. I help customers set up their compliance programs with the product as the backbone. It’s been about 4 years of doing this and I now feel it’s time for a change. My career goal is to become a CISO someday and want to work towards that. I have two very different job opportunities and would like your thoughts as to which one aligns well with my goals.

One is that of a Product Manager with the same vendor for the same product. The position will give me immense exposure to senior security management folks across customers. I will also help me gain understating of their GRC efforts and pain points. The other position is that of a Security Architect with a large retailer. This team has been recently formed in the organization and is doing some exciting stuff. This position could possibly give me exposure across different security areas beyond GRC. Both these positions have pros and cons, for e.g. I’m not sure if staying with a vendor is a good career move or is the other side of the table a better option.

As you can tell, I have a lot of questions and very few convincing answers. I’m not sure if I should specialize in the GRC space (via the vendor) or gain exposure to have a holistic view of security.

I’d appreciate any words of wisdom you can send my way.

Signed,

“Fork in the Road”

Dear Fork:

Please understand that before we start, the advice that we are giving is based exclusively on the information that you have provided to us in your note, and that we do not have any additional background.

Based on your career goal to become a CISO, we believe that it would best for you to leave the product arena and accept the job as an Information Security Architect with the large retailer that has been recently formed.   Our answer is based on the following reasons, that coincide with your long term career goal.

1)   The group is newly formed

When someone tells us this, the first thing that comes to my mind is opportunity.  Newly formed information security functions generally provide environments for information security professionals opportunities to leverage their current areas of expertise (in your case GRC) to develop broader skills in other areas.   The biggest mistake that many infosec pros make when entering into a organization in this state, is to limit their contributions to their “job description”, and opportunity like one the one that you described should provide you with  the framework  to push yourself to develop new areas of expertise, as opposed to limiting yourself to the world of GRC.

2)   Retail experience should be valuable in the future

Due to the importance of PCI, many retailers and e-tailers are placing increased emphasis and dedicating additional resources toward information security programs.   Currently, many retailers are not making past “retail” experience a job requirement, however this will most likely change in the next few years.  Having this industry knowledge as part of your skill matrix, could become a differentiating factor when looking at the next step in your career.

3)   Product Management is not a requirement to become a CISO
There is no doubt that working as a Product Manager will help you develop skills that could be advantageous as a CISO – included customer skills, presentation skills, sales skills, market knowledge, and subject matter expertise.   However, when making a transition toward a CISO career path, you will encounter people in the hiring process who will have built in prejudices against hiring candidates who come from the “Product/Vendor” side at a high entry point.   For you to make this direct transition, you are going to have to find yourself a forward thinking CISO who will value this experience, and believe that the skills as a Product Manager will directly translate to their environment.   Our belief is that if you remain as a Product Manager , you will eventually have to make the transition toward an internal infosec role, (in your case – architect) at some point in time, so why delay.   You have the opportunity in front of you, now is the time to determine if transitioning to corporate information security function is right for you.

Again, our advice is based exclusively on the information that you have provided from your note, and based on generalities.

If you would like to contact us directly via phone to discuss your particular circumstances we welcome you to do so.

Good luck in making your decision.

Lee and Mike

“Your Information Security Career and the Job Market” — Tech Target – July 2011 – Editor Michael Mimoso

Working as an information security recruiter and career advisor, many of my conversations begin with the question, “How is the market?”  While the question at face value appears to be simple, the answer is complex, and greatly dependent on variables uniquely associated with the individual.

Information security professionals possess many different skill combinations. Some refer to themselves as generalists, having broad knowledge that includes technical, organizational and management skills. Others categorize themselves as specialists or subject matter experts who have deep expertise in a discipline such as penetration testing, network security, application security or forensics. Just as there are a variety of skills profiles, there are a variety of markets for these individuals and their information security career. These markets are driven by two external factors: broader-based technology trends, and locally based corporate and industry trends. Broader market trends for information security professionals often involve the emergence of new technology trends that drive demand for specific talent.  Technical trends enhance the market for subject matter experts and have little effect on generalists.

The emergence and importance of Web-based applications is an example of a recent business trend driving the market for Web application penetration testers. The emergence of this broader market force drove up the value and demand for information security professionals with these specific Web application testing skills and technical foundations, and, conversely, drove down the demand and compensation for traditional network penetration testers. (Understand that a global trend will rarely affect industry-leading talent.) Traditional network penetration testers who recognized this and were capable of learning Web application testing skills were able to make the adjustment and create additional value because of their skill blend. In turn, they created a secondary market, based on their skill combination. On the other hand, traditional network penetration testers who decided not to adapt or were not capable, have seen the market for their skills shrink dramatically.

Currently, some of the emerging global information security technology trends include the implementation of security information and event management tools, data loss prevention tools, cloud computing, software security and protecting company’s against advanced persistent threats.  In all of these skill disciplines, there are more ongoing projects than there are competent security professionals to execute upon them. Information security professionals who have documented successful experience with these technologies currently have the luxury of a strong employment market.

Another prime market driver for information security professionals are industry trends.  Over the last few years, companies have become more exposed to the consequences of not protecting their data and their customer information. Through breach notification legislation, regulations (primarily PCI DSS), hacktivism and the media, information security concerns have moved to the forefront of many businesses that have never properly invested in the development of an information security program.

When companies begin to formally commit to the construction of an information security program, or make the decision to upgrade their existing programs, professionals with broader information security skills generally stand to benefit. In these types of scenarios, companies are most concerned about securing their businesses and managing risk, and are prone to hire information security leaders who can help ingrain information security into the fabric of the business.  Information security professionals who have specific industry knowledge, and excellent communication skills, generally can benefit from these situations.

Broader forces influence the market at large for information security professionals, but the individual determines their career market.  Although skills are the most important component to the equation, it is the personal factors that ultimately play an equal role in determining the market for your skills. Many times, in order to advance your information security career and maximize your skills, you need to be willing to make some sacrifices that include travel, additional commuting and relocation.  Many information security professionals find there is a market for their skill, but the required personal sacrifices prohibit them from recognizing the market opportunity.

If I had to answer the initial question, I would say the overall market for information security professionals is quite healthy.  The combination of the pent up demand created by the economic slowdown and the continued emergence of information security as a business enabler and differentiator, has provided a rebirth of opportunity for highly skilled information security professionals. However, many of these newly created positions come with increased personal demands, including long work hours, extensive travel and a high level of scrutiny.

As in the past, you are the determining factor for the market for your skills. Competition, both in the present and the future, will continue to increase, and the proactive management of your information security career, through continued skill development and by making strategic career investment, is the only way to insure the market for your skills remains strong.

Love to hear your thoughts.

Lee and Mike

I hate to bring up what seems to be the elephant in the room within information security and penetration testing in particular, but how exactly are people getting the gigs doing this.  Personally, I have tons of training, 15+ years experience in the realm, business experience to match and every time I ask this question, nobody seems to want to answer/discuss it.

It is a known fact that the big companies (IBM, the Big X, large telcos,etc) sell it as a service to existing companies but there are A LOT of two-three man pen testing teams that seem to stay busy constantly. I understand that people don’t want to give out there client attraction methods and strategy but I have yet to see this topic covered. There has to be a lot of others with the necessary experience asking the same thing.

Anyway, just can’t seem to tackle the elephant in the room. Nobody wants to cover it. 

Thanks guys and unique blog for the infosec community.

Signed,

The ZooKeeper

Dear Zookeeper-

To be candid, I had to look at your question a number of times before I was able to formulate a response.  It is my interpretation that the crux of your question is, how do you begin your own information security consulting business – particularly in the field of penetration testing.  In addition, you would like to know why others are successful,  and why some (you) can’t seem to get off the ground.

First of all, I should start by telling you that all businesses are similar – and beginning a penetration testing consulting business is no different than starting any other services business – such as lawn care, pool service, or home painting.   When people decide to buy any service, they look for certain elements – experience, competency, price, and reliability.    Anyone who has been successful in beginning a small information security business has been able to personally demonstrate these qualities in their previous life, prior to forming their own company.  It is from this reputation and personal brand, that they are able to attract some of their initial customers, which provide them with experience and references, which they should be able to leverage into new business opportunities.

Another essential component of any business (and career) is the ability to sell and market ones services and one’s self.   It is this skill that often separates the successful from the remainder of the pack.  Selling ones talents and branding ones skills in the marketplace and information security is often overlooked as the key factor in determining success.   Many information security professionals have focused their professional development on their technical skills, but at the same time they have neglected to attempt to develop their business/sales/presentation skills.

Long and short, there are many technical “rock stars” that have failed on their own as business people, but once partnered with competent business people, have achieved great things.

I have learned over the years that business is about surrounding yourself with great people who compliment your strengths.  Maybe it would be best for you to find someone who can help “open some doors” and help sell your talents.  Or, maybe you need to reevaluate your assessment of your business skills, and try to honestly assess some of the obstacles that are standing in your way in getting your business off the ground.

Understand that it is easy to prove technical competency, but in the world of business, the proof of competency solely lies in the color of the ink – “red” or “black”.

In closing, our note does not mean to come across as harsh, but it is meant to be direct.

Hopefully some of this advice and insight helps, and your infosec consulting business will get off the ground soon.

Hope this helps,

Lee and Mike

On the surface, that should be great news.  However, with choices come decisions.    With decisions come mistakes.   It is our goal at Infosecleaders, to provide you with information and frameworks, to minimize your risks, and maximize your rewards!

Thanks to Jeff, Ping, and the folks  at Black Hat, today we have a platform to do this.

This afternoon, at the Black Hat Briefings in the Florentine Room – Mike and I are going to share our collected data on InfoSec Certifications (The Value of Cert Survey), help you beat out your competition for the “Good Jobs”  (Second Place Sucks),  provide you with a road map for developing your “future skills” (Infosec Leader of the Future), shed insight into the real world of hiring, recruiting, and interviewing  (The Other Side of The Desk), and  provide an open forum for you to ask your Information Security Career Questions (Career Advice Tuesday – Live – (in Vegas, it is always someone’s Tuesday).

Schedule- Florentine Room

1:45 – 3PM – Value of Certification Results & Second Place Sucks

3:15 – 4:45PM – InfoSec Leader of the Future & Other Side of the Desk

4:45 – 6PM – Career Advice Tuesday Live  and Predictions for the Future

We hope that if you are attending Black Hat, you choose to spend some of your afternoon with us, and take something away from the conference that you can apply to your professional growth and career development.

Look forward to seeing you,

Lee and Mike

If you are at Black Hat, please come by and introduce yourselves.

InfoSec 2001 – A Career Odyssey

The Professional Development workshop is a half-day program that is designed to inspire the Black Hat attendee to think about their career as an information security professional and assist them in their journey towards the achievement of their long term career goals.

The Professional Development workshop will be divided into five (5) unique information security career topics that will be linked by a common theme – Skill Development and Differentiation.

The program will consist of the following:

1)    “The Value of Information Security Certifications Survey” – Research Revealed – 1350 information security professionals responded to an independent survey on the topic – the research will be revealed

2)   “Second Place Sucks” – A presentation geared toward differentiating yourself from your peers (and your competition)

3)   The Information Security Leader of The Future” -  a presentation that will outline the skills that employers are looking for when identifying and selecting their information security leaders.

4)   “The Other Side of The Desk” – a panel that will explore the different attitudes and beliefs by job applicant and employer during the interview process

5)   “Future Predictions” and “Career Advice Tuesday- Live” – Future trends will be discussed and explored – and attendees will have the opportunity to ask questions about infosec related career topics

The workshop is designed as an interactive forum that should inspire some shared thought and debate between audience members and the presenters.

Attendees should understand that they can elect to either participate in the entire workshop, or to pick and choose from select sessions that have a particular interest to them.

Session Previews:

Session 1  – 1:45 – 3:00

“The Value of Information Security Certifications Survey”

Presenters – Mike Murray and Lee Kushner – Infosecleaders.com  

In February of 2011, Infosecleaders.com launched an independent survey on the value of information security certifications.   The value of InfoSec certifications is a highly debated topic in the industry, and this is the first independent survey that asks questions to information security professionals (certified or not) – their opinions on topics that include – the motivations for certifications, the impression of the certification bodies, the value of skills vs. certifications, and certifications effect on employment.  With over 1350 respondents, the results should be revealing and eye-opening.

Second Place Sucks -

Presenter – Mike Murray

So, if certifications are no longer the magic bullet to get you to your career goals, then what is.  The topic of strategic career investments and personal branding will be the focus of this presentation.  The presentation will be spent on how you can plan and execute on career investment strategies that will enable you to differentiate from your peers and successfully compete for promotions and external information security leadership opportunities.

(15 minute break)

Session 2 – 3:15 – 4:45PM

3:15 – 3:45PM

“The Information Security Leader of the Future” –

Presenter – Lee Kushner

The skills for information security leaders are changing quite rapidly.  As many companies are aligning information security with their core business and branding, information security professionals will need to evolve as well.  The presentation will break down the core skill components of what information security professional will need to acquire and demonstrate to be considered for leadership roles in the future.

3:45PM – 4:45PM

The Other Side of the Desk – Different Perspectives on the Interview Process

Moderator – Mike Murray

Candidate Perspective – Lee Kushner

Hiring Managers Perspective –    

Bill Phelps, Executive Director Accenture  

Justin Somaini, CISO at Yahoo!

Abstract:

There are two parties involved in every interview process, the information security professional (the applicant) and the hiring manager (the decision maker).   While in essence, both parties ultimately desire the same outcome, their motivations lie in different places.   This portion of the presentation will present to the audience the perspective of the candidate and the perspective of the hiring manager, in a way that will educate both parties and enable them to social engineer the interview process, to work to their personal advantage.

Bill Phelps:

Bill Phelps is an Executive Director in Accenture’s security practice, and has spent the past 25 years in technology services.  In the past decade, Bill has been a practice leader, company founder, board member and trusted advisor helping organizations with complex management and technology challenges in the areas of information security, data center transformation and technology strategy.     Bill currently has overall responsibility for Accenture’s security business in North America.  Bill is aggressively growing Accenture’s security team, and plans to hire over security 200 professionals in the coming year.

Justin Somaini:

Justin Somaini is the Chief Information Security Officer at Yahoo! where he’s responsible for all aspects of Yahoo!’s Information Security strategy.  With over 15 years of Information Security experience he’s seen as a leader in industry by promoting an evolution of the security and risk management models.  Through his public speaking and industry involvement he’s given extensive talks and interviews on the threat landscape, public policy, security management and risk management.  Prior to joining Yahoo!, Justin was the CISO at Symantec.  Justin has also held security leadership roles at VeriSign, Charles Schwab and PricewaterhouseCoopers LLP.

4:45 – 6:00PM

Predictions for the Future and Career Advice Tuesday – “Live”

Presenters – Lee Kushner and Mike Murray

The employment market is dramatically changing – and the closing session will begin with information security employment predictions (based on experience and research) for the next ten years.  Once completed, this will be followed by a version of “Career Advice Tuesday” – “Live”.   All attendees can have their personal information security career questions answered in an open forum.   Topics will include skill development, compensation negotiation, career investments, career planning, and anything else you want to ask about your Information Security Career.

I have been working in a company for over two (2) years now, and for the last eighteen months I have been focused on Privacy Controls Implementation.

Plain and simple, I find this work to be boring.  I have a difficult focusing on my current job and I feel that my work is suffering due to my lack of enthusiasm and the loss of passion.

My initial goal would be to remain with my company, but my manager is not open to my request and simply told me to “keep my head down” and focus on my current project.

I would really like to begin a search for another employer, and to find an opportunity that lets me shift my focus, and let me utilize some of my other skills as an information security professional.   However, I have a history of changing positions every two years, and I have run into the obstacle of being labeled as a “job hopper”.

For the record – I have worked for six companies in my 14 year information security career.

I am not sure how to overcome this obstacle, and progress toward my career goal.   Do you have any suggestions on how I can implement a strategy to change roles and overcome the perception of my lack of commitment?

Any ideas would be welcomed.

Sincerely,

“Frog Man”

Dear “Froggy”:

Unfortunately, we do not have much help for you.   The best that I can offer is to utilize your experience to help others, so that they can utilize this as a learning tool for their own careers.

The fact is that history is a very good predictor of future results, and to any new employer it is logical for them to assume that you will only remain at your current position for two years (or slightly more) at a time.   The fact that this is a repeatable pattern – not just once, twice or three times – but six times – is a good indication that you will not stay with your next employer much longer.

In this day and age, hiring managers are facing greater scrutiny when hiring external resources, and if they decide to provide you with an opportunity for employment it is likely that their judgment is going to come into question by their managers.   Many hiring mangers are unwilling to take this risk, as the competition for their jobs is greater.

Therefore your dilemma, Froggy.

If any of you beginning information security professionals are reading this, this should be a lesson and a situation that you need to avoid.   You have to understand that your career and your career choices tell a story, and are a reflection of your decision making, your intangibles, and your personal make-up.   It is often very easy to pick up and leave your employer, however the decision that provides you with instant gratification, often has longer term implications.  This will limit your choices and create an obstacle that you may not be able to overcome.

Take a lesson from Froggy – and try to make sure that you exhaust all internal options prior to making a career decision.   Understand that when you decide to change jobs, try to determine if there is room for growth, and work with your manager to determine the best way to develop your skills and create opportunities for yourself that challenge you and grow.

Back to you Froggy – you are going to have to grit it out- and try your best to convince your manager to provide you with an opportunity that will renew your passion.  You need to demonstrate this by finding it within yourself to become the best Privacy Controls Implementation professional possible, and seek out opportunities that allow you to leverage this expertise into new roles with your current employer.

Give yourself an additional year to do this, and see how it turns out.    In the meantime, take the year to make some personal career investments that may align with your future goals.   When the time is right to go for another interview, you can tell a better story – about how you “stuck it out”,  “tried your best to make it work” – and rededicated yourself to your career -  that is a powerful story that any progressive hiring manager will like to hear – and can sell to their management when asked about your employment history and ”job hopping”.

Write us in a year, let us know how this turns out.

Wish we could be more immediate help,

Lee and Mike

Currently I am an unemployed information security professional and I have been actively interviewing for two opportunities.   Both of the opportunities are better than being unemployed but one is clearly better than the other.

The lesser of the two opportunities was brought to my attention by a fellow information security professional who endorsed me to their supervisor.  That interview process has been completed and they have told me that they want to offer me a position.

The better of the two opportunities has completed their interview process, have provided me with positive feedback, but has yet to make me an offer of employment.  This is the opportunity that I really want however it may be an additional week before I have a firm commitment.

My predicament is that I do not want to be unemployed, but I also do not want to accept the “lesser” opportunity and then go back on my word, leaving my friend who did me a favor in a bad spot.  However, although it looks promising there is no guarantee that the “greater” opportunity will come to fruition and I will be offered the job.

Is there any advice you can give me to manage this situation.

Signed,

“The Bird In The Bush”

Dear  “Tweety”:

I am a firm believer that the people that you answer too are first yourself and then the ones that love you and count on you.   So, the first thing that I can tell you is that you have to make your decision based on what you can live with.   The next thing I will tell you is that you have to have a handle on your financial and personal responsibilities, and factor that into your equation.

All of that being said, the best advice that I can give you is to speak to your friend who introduced the “lesser” opportunity to you, and let him know what you are thinking.  Honesty being the best policy, this should at least clear your conscious and at best, provide you with some advice on how to deal with this new potential manager through this process.

Simultaneously, I would contact either the hiring manager, the human resources person, or your recruiter – and make them aware of your situation and ask if it is possible to expedite their decision making process.    You should make it clear to them that the opportunity at their company is preferred and that if offered (and provided fair compensation) you would accept it.  You can also share with them that ethically you are torn, and you do not want to accept the other opportunity out of need, only to go back on your word.    This may provide them with an insight and more validation on what type of person that they are getting if they hire you.

I would appeal to their personal sense, and tell them if they are not interested, that is fine, but to please be candid with you so that you can move forward with the other opportunity.

Really, let’s hope that the “better” opportunity gets back to you soon – so that you can move forward and avoid this type of decision.

Let us know how this turns out.

Hope this helps,

Lee and Mike

The presentation is designed to help you, the information security professional manage your career as if it were your business, and you were the CEO.  

Here is the full abstract:

The information security profession is becoming increasingly competitive. In the employment market place of the future,certifications and education alone will not be enough to ensure achievement of your long term career goals. The increasing popularityof the profession and the competence of your competition will require that you take the reins of your career.

As companies focus more on profits and revenues, they are diverting resources away from the development of their employees. This attitude has greatly impacted the shared loyalty between employee and employer. In the future, the more effective you are in the management of your information security career, the greater the likelihood that you will achieve professional satisfaction. In essence, your career will be your business, and you will be the CEO.

The goal of this session will be to provide you with a framework for managing your information security career. By relating the different components of career management to traditional business functions, you will get a detailed understanding of how your career should be managed and how you can move past your peers by more than just luck. Subjects covered will include career planning, career investments, effective career marketing and branding, position selection and compensation negotiation.

You will leave the session with a solid foundation to enable you to better achieve your long term career goals and increase your satisfaction with both your current job and with the jobs you select in the future.

I will be happy to take questions during the meeting and after my presentations, provided that time allows.

Hope to see you all there.

Lee