InfoSec Career Panel Thoughts


The BSides Chicago career panel generated a fair amount of buzz. The Rats and Rogues podcast brought members of the panel back for a reunion tour. The call featured Nick Donarski (@kizz_my_anthia), Todd Haverkos, Elizabeth Martin (@elizmmartin), and was moderated by Michael (@SecurityMoey). They invited me to join and share a hiring manager’s perspective. You can listen to the career panel here, and I’ve listed some thoughts below.

First, starting your own business remains a strong way to launch a career path. I mentioned the startup I did in my late teens and early twenties, where we served non-profits for free to build technical know-how and social contacts. Nick Donarski shared a similar experience. He started his own information security business at 17. Nick invested in training and used certifications “to leverage to get business. At the client side, the client also used [certifications] as a metric.”

The panel did revisit the certification question. Chris J came out strongly in favor of “use it or lose it”, mentioning that many paper CCNA-certified techs could not even describe a subnet in a standard hiring review process. There was a sense that some certification bodies may not be policing their ranks as well as they should. I mentioned “vote Wim Remes” as a rallying call, because I believe that people who feel the certification process should get involved. Remes joined the ISC2 board to raise the value of the CISSP. Todd Haverkos, too, sets a good example by participating on the LPT board.

“Education, Education, Education,” that was Elizabeth Martin’s take-away. Elizabeth drew a fascinating comparison between compliance and certification. In both, it is easier to meet the letter of the rules than it is to meet the spirit. Certification is not about getting a couple of letters after your name. It is about lifetime education that coincides with and is in support of your career path.

But what happens if your career path does not align with your organization’s needs? It comes down to negotiating with your management. Michael: “We are talking about having difficult conversations with you and your manager. The approach I have taken as of late is to be completely honest and transparent. And I don’t think anyone could ever fault you for that.” With a nod to BSides Chicago’s slogan this year, have these conversations early, have these conversations often.

Elizabeth Martin added: “It is the employer’s responsibility to provide you with the opportunities, the tools, and the training. It is up to you to set the path.” She recommended setting 10 year plans with milestones at 1, 3, 5, and 7 year marks. You can always change plans, but only if you have a plan.

We wrapped up the conversation talking about ways to build the next generation of information security professionals. Mentorship works, and we discussed ways to foster that within the local community. It takes a full commitment from all parties. As Todd put it, “In addition to us doing a better job mentoring and creating people, don’t sit idly by. You get what you go for.”

Such mentorship programs, too, should address the entire lifecycle of employment, from hiring to career changes. Then, Elizabeth and Michael took the wraps off a new project: the Mock InfoSec Job Board. Here, hiring managers can host interviews and help candidates hone their skills.

It was a good 90-minute chat and my brief summary does not do it justice. You can listen to the panel here at Rats and Rogues.

Key take-aways:

  • Certification is only one metric of many; consider the candidate’s experience and aptitude to get a broader perspective.
  • Volunteer with certification organizations if you are unhappy with the certification process.
  • Maintain alignment with your reports and with your managers by having regular conversations about career paths and goals.
  • Find ways to build up the next generation of information technology and information security professionals by volunteering in your local area.
  • People looking to practice their interview skills should check out the Mock InfoSec Job Board, and hiring managers looking to build the next generation should consider volunteering.

