In their regular column for SearchSecurity.com, information security career experts Lee Kushner and Mike Murray from InfoSecLeaders.com answer a reader’s information security careers question. This month, Lee and Mike help an infosec pro decide on the right security career path.
For more information about InfoSecLeaders.com, or to ask a question, see below.
I am currently in the early stages of my information security career and I have a question about my career planning as I embark on my journey to become a Chief Information Security Officer (CISO).
About three years ago, I received a degree from a well-noted information security undergraduate program. During my course of study, I landed an information security internship with a large financial services company in New York. Upon completion of my degree, I received a job offer for a security analyst position at the company, and I have been employed there ever since.
Recently, I was approached about an external opportunity that I am considering. The job is at a smaller company, but the responsibilities are greater. The opportunity is intriguing, but I really have no reason to leave my current employer. My current employer has provided me with excellent internal and external training (I have a SANS certification, have been to Black Hat, and have been approved for additional certifications in the upcoming year). In addition, I believe I am paid fairly well, I am recognized for my work, and I have recently received a small promotion (I am now a senior analyst).
I have seen many posts from information security professionals about how changing jobs is a requirement for advancing an information security career; however, I am not sure this applies to me. I have also seen many posts that say if you remain with the same employer for a long period of time, future employers will question your motivation and desire to achieve.
I would like to ask your advice: Is it critical for me to change employers frequently in order to advance my career? Can I become a CISO if I spend 8-10 years with my current employer?
Look forward to your response.
Loyal To A Fault?
Dear Loyal –
Let me begin by saying that, “Beauty is always in the eye of the beholder.” What I mean by this is there are different schools of thought behind career progression. The main factor in determining whether you are making the right choice -- to change employers frequently, or to remain at one employer for a long time -- will be the eventual hiring manager at your next employer: does that person look favorably or negatively on hiring job-hoppers? That may play a large role in determining your likelihood of being selected – or even interviewed – for the position.
However, if you are looking for conventional wisdom, I would advise you that working for one employer and demonstrating consistency of employment will always trump job-hopping when it comes to fostering career development and advancement. (You may find this strange, since as you know, as an information security recruiter, I make my living from helping people change jobs.)
One of the main reasons many information security professionals believe they have to change jobs to advance their career is because their organizations have generally hired them to solve one particular technical information security issue, and once that issue is solved, their jobs become boring to them. Therefore, they feel that in order to grow their skills, they have to find a new organization, with a different or more pressing problem to solve.
If, alternatively, your career goal is to become a Chief Information Security Architect or Engineer, changing jobs regularly may be a good strategy, considering the diversity of challenges you will likely face as you attempt to solve intellectually challenging problems in diverse environments. However, by changing positions frequently, you do not receive the benefit of dealing with longstanding organizational issues that could provide the opportunity to develop your management and leadership skills.
Based on what you have stated and considering your long-term career goal is to become a Chief Information Security Officer, I think your best bet may be to remain at your current employer for the following reasons:
1) They initially recognized your talent out of school, and made you a job offer in what was a bad economy, especially for financial services firms.
2) They have provided you with the ability to grow your career through certifications, conference attendance and professional development.
3) You believe you are compensated fairly.
4) You have just received a promotion.
It appears to me your current employer has provided you with an environment for professional growth and development. What you may want to do is schedule some time with your manager, and have a discussion regarding your career progression and your future plans. You may even choose to mention you were recently approached by another employer about an opportunity, but you turned it down because of your loyalty to and appreciation of your current employer. By doing this, you subtly put pressure on your current employer, and force the organization to consider giving you more opportunity to develop your “CISO” skills, or risk losing you to another employer.
In the end, there are many different paths to accomplish your career goal. As the information security profession is still in its formative stages, standard career progression does not necessarily exist, so either course of action is acceptable. However, as our profession matures and becomes more mainstream, we are going to have to accept that we will have to play by the standard human resources rules that other professions are governed by, and that includes answering more questions about “consistency of employment.”
Hope this helps,
Lee and Mike
Lee Kushner is the president of LJ Kushner and Associates, an information security recruitment firm, and co-founder of InfoSecLeaders.com, an information security career content website.
Mike Murray has spent his entire career in information security and currently leads the delivery arm of MAD Security. He is co-founder of InfoSecLeaders.com where he writes and talks about the skills and strategies for building a long-term career in information security.
This was first published in July 2011