Problem solve Get help with specific problems with your technologies, process and projects.

When to leave a job: Deciding to look for a new job in IT security

Knowing when to leave a job can be difficult, as transitions and building clout in the new position take time. In this expert tip, learn how to know when it's worthwhile to scope new security jobs.

We generally advise people that the best job they can get is the one they currently have, because they know the lay of the land, the players, the processes and procedures.
Most people have had jobs that they fantasized about quitting. Almost everyone has, at one point or another, wanted to storm into their boss's office and tell him all the things they hate about him, the company and the ridiculous business practices that he enforces.

However, most of us have bills to pay and financial obligations to meet. so we bite our tongues and continue to go about our routines, hoping the day will come when we will find greener pastures and an opportunity that aligns better with our short- and long-term career goals. In our career surveys, we have found that at least half of information security professionals are less than satisfied with their current jobs. The people whom we speak with about their careers often tell us they can't wait for the day when they find an opportunity that will enable them to maximize their abilities. But the unfortunate truth is no one is guaranteed that any other job will be better than his or her current one.

Simply finding a new position does not mean that current work-related issues will disappear. What many information security professionals do not realize is there are many advantages to trying to make their current role a success as opposed to finding a new position. When we speak at conferences, we generally advise people that the best job they can get is the one they currently have, because they know the lay of the land, the players, the processes and procedures and have built up a base of political capital that they'll have to reacquire if they join a new company or jump to a new role.

In many ways, deciding when to leave a job is like getting a divorce. You have a relationship with the current job and company that has, built into it, some degree of history, shared knowledge and practice, and established interpersonal relationships. By leaving the company, you're giving up all of those things. When you leave the role, you will have to consider how to explain your decisions to others, in both your personal and professional life. You will feel obligated to provide justification for your actions, and logic behind your decision. Before you decide to separate from your current company, you need to take stock of the relationship and its value. That value will be somewhat commensurate with time: If you've been at the company for six months, the amount of political capital and familiarity that you have built will be significantly less than if you've been at the company for 20 years. Also, the longer you work within an information security environment, the more familiar you are with the technology that you have been securing and the security policies which impact your company.

But how do you know when it's time to leave?

Impending corporate failure
First and foremost, it's always a good idea to leave if the ship is sinking. The most relevant example in today's world may be the Gulf of Mexico oil spill and BP's role in it: the financial implications of such an event will impact all employees throughout the organization. The business may become a target of an acquisition or be forced to file for bankruptcy protection. It's necessary to be aware that these events could result in layoffs firings and significant corporate tumult.

A similarly career-altering business circumstance for a security professional might be a publicized data breach. An event like this can bring increased scrutiny on the corporate information security program, and executive management could be motivated to make changes at all levels of the information security team. We talked about this a great deal in our incident response podcast series. If you think the company might be coming up on layoffs or worse, it's worth taking stock of the situation and considering whether being the first one off the sinking ship is a good idea.

Of course, that's the easy case.

About the authors

The columnists, Lee Kushner and Mike Murray, bring with them different perspectives on career related topics. Together Lee and Mike have advised many information security professionals in various stages of their career development and are regular speakers at industry conferences on information security career-related topics.

Their blog can be found at

Lee Kushner is the President of LJ Kushner and Associates, an executive search firm that has been dedicated to the information security profession since 1999.

Mike Murray is an information security professional and career coach. Mike has held leadership positions in environments that include professional services, security product vendors, and corporate environments.
What's your open-market value?
Additionally, you need to consider the difference between the value of your position within your company and your value on the open market. You may have specific information security skills and relevant knowledge that make you significantly more valuable to the current company than you are to other companies. For example, if you work in a retail environment, having in-depth knowledge of PCI DSS would have a great deal of value. However, this value may be diminished if you decided to pursue work in health care or manufacturing. Before deciding to leave your current environment, honestly assess the skills that you possess, and their market value to other possible employers.

Is the current job unbearable?
The final thing to consider is why you're leaving. Only you can determine how difficult your situation is: Are you really miserable, or just mildly frustrated? How much worse is your frustration in this role than in previous roles? How long has it been going on -- a month or a year?

One thing to consider is the amount of time that you're spending in terms of staying in the role. One of the worst career mistakes an information security professional can make is to remain stagnate and neglect skill development. If you find yourself spending a good deal of time trying to overcome political or interpersonal issues associated with your job, which are diverting your time and energy from either developing new technical skills, addressing security- related business issues, or hindering pursuing your development as a leader, you may want to consider looking for other jobs in information security. It is important to consider your time as a finite resource, and the slowing of your professional development may cause you to lag behind others who are better able to focus their efforts and energies. If you are thinking about leaving your position, you may want to ask yourself a few important questions that may help provide you with additional clarity:

  • Do you have a different philosophy on information security than your organization and your manager?
  • Do you believe your career development interests are not being considered by your company?
  • Have your career goals changed? Does your current position keep you on your desired information security career path, or does it divert you from your ultimate career goal?
  • Do your ethics remain aligned with your manager? With your company?
  • Have you lost respect for your management? Has he or she lost confidence in you?

While there are many other contributing factors when considering whether to leave a job -- coworkers, bosses, commutes, benefits, etc. -- remember, leaving the circumstances you know is merely a roll of the dice, because you never know how many of these factors will negatively affect your success at a new job until you start doing it on a daily basis. That's why a decision to leave should come only after you've done everything reasonable to make your situation work, as switching jobs is costly and stressful.

This was last published in July 2010

Dig Deeper on Information security certifications, training and jobs

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.