Security Career Thoughts

I get a bunch of calls throughout the year from recruiters and practitioners alike. After having dinner with an old friend last night talking about how various people have managed their careers, I thought I would give my top thoughts on how one manages a career in the security industry.

For Practitioners 

First, never wait for a role to find you; you must find it. To do that you need to get out in front of the recruiters. For the majority of security roles I strongly suggest getting in touch with Lee Kushner. He's been focused on the security industry for over 17 years and has deep roots all around the US. For CISO types of roles, one has to get in front of executive recruiters like Spencer Stuart or Korn Ferry. Since the CISO role is so small there are no real executive recruiters completely focused on it. As a result, being in their database is good. The worst thing anyone can do is to wait until there's a layoff, life event or something else to start this process. It takes time to get known by people, so starting when things are good can be very beneficial.

Managing your career is more successful than dumb luck. I've gotten pretty lucky at some points in my career, but a recruiter once told me that the most successful people he's seen actually map their placement. To do that, map what company, location and position you want and then start building the connections to get there. The vast majority of people don't do this. That's why they only see the very small portion of positions that recruiters bring to them or that they hear about. Being proactive in building relationships where you want to be can be significant.

If no one knows you, you'll never get a call. I love my industry, but one of the most beneficial things I have done in my career is public speaking and writing. It's through these things that others connect with you and your industry social network grows. In addition, recruiters, external and in-house, are more able to find you. A lot of people shy away from speaking their opinions publicly, but I've always found that to be incredibly rewarding. Doing articles for SC or CSO, submitting panels and topics at RSA or even just starting a blog and talking about your thoughts can open so many doors.

For Employers

Get professional help. As with security job hunters, getting a specialized recruiter in this area can save you a ton of money and time. We all know that finding security people is hard, but finding good ones is really hard. Placing a call to Lee Kushner can help a ton. I've even talked to CISOs who know about their attrition problems and keep an ongoing retainer and process to identify candidates all year round.

If you can't find them, grow them. I've always created in-house training programs for my teams. Usually, that's a two-year program where outside classes, books, job rotations, etc. are implemented to grow a team member's skills. Assuming you can find someone with all of the technical, interpersonal and business skills is like catching a unicorn. If you can grow them you'll not only get the skills you want but also higher retention.

Location, location, location. I've never been a huge fan of everyone needing to be in the same office. While managing remote / home employees is difficult, developing a team in another corporate office can help dramatically in recruiting and retention. This is especially important as places like Bangalore, San Francisco and others are highly competitive. Great locations like Austin, Boston, NYC, etc. have helped dramatically.