Sitting on the plane coming back home to the U.S. from our head office in Europe, I had a good deal of time to reflect upon my current employment situation and, consequently, what will most likely be my sixth employer change in the past 10 years.
As tough as this has been, there is a great deal that I’ve learned from each path traveled. And while some of these paths were voluntarily taken, the majority weren’t. Considering the average stay at a company in our field is approximately 18 months, there are a lot of us that have been forced in another career direction within the past few years.
If I had a dollar for every time a recruiter or human resource person asked about my “sketchy” job history, I’d be a very rich man. By the same token, I know of very few people who have been fortunate enough to have lasted five or more years in a strictly information security-related function at one company. There are many times I’ve thought about getting out of security altogether, but opening a dollar store and raising alpacas seemed like more trouble than it’s worth.
Having said this, each career change has brought about a unique learning opportunity. These are experiences that you won’t find in any book nor learn at any business school. Sometimes the school of hard knocks can be the best teacher.
Lesson 1: Look before you leap
The grass isn’t always greener on the other side. This is a common phrase that we hear from time to time and one that definitely had more than a ring of truth to it in the late 1990s. I had left the relatively safe pastures of Microsoft to pursue an opportunity as CISO at a startup company for twice the salary, stock options and other associated dotcom perks of the era. While I managed to ask all the typical geek questions in interviews, such as about the technology, personnel and relevant strategies, it didn’t occur to me at the time to ask the tougher questions such as capital run and burn rate, attrition, company finances, etc. Had I known the incredible burn rate on capital before and predicted the dry-up in venture capital funds that year, I never would have left Microsoft. And, as I found out much later in an interview, once you leave Microsoft you can never go back. Learn to ask the hard questions and know what you don’t know.
Lesson: Do the math. Consult a mentor, financial consultant or career coach if you are unsure of how to ask about a company’s long-term viability.
Lesson 2: You are not always as smart as you think
Security is something that many businesses don’t realize they need until it’s gone. And when your e-commerce platform gets hacked and placed in the media spotlight, you’ll often realize it sooner rather than later. When you view security in the same light as having a fire extinguisher on hand, you’re begging for trouble. As the newly minted manager of platform security at a large online bookseller, Web security was naturally an integral part of the job. Finding flaws in the platform and online systems was incredibly challenging and rewarding, and probably the most fun that anyone should be allowed to have while still calling what they do work.
What was not as fun was making recommendations that would not be acted upon until a customer (and consequently the media) found out for themselves, like how you could change anyone else’s profile or even change an order without ever logging into the system. In a “shoot the messenger” approach, nearly everyone was “right-sized.” Another gentleman and I survived the purge only to be told by the new CTO that we would no longer be doing security, but networking instead. The CTO’s voice is vividly etched into my memory: “We don’t need that much security. We’re not a bank, we just sell books.”
The company was subsequently fined by the Attorney General and forced to reinstate a security program that was even more comprehensive in nature than before the incident. I won’t even comment on the massive Klez virus outbreak they suffered.
Lesson: Security is not something you can put off, sweep under the rug or buy in a box. Take what we do very seriously.
Lesson 3: You are just as expendable as anyone else
After learning from lesson one, I was appointed CSO of a moderately sized startup company. I was the first (and only) CSO the company had ever had. There were press releases and interviews touting my appointment, and the company and I managed to turn what we were doing with security into a significant competitive advantage. I was assured by the founders that the company was not looking to be bought or otherwise change course in any way. There is another lesson here: Believe none of what you hear and half of what you see.
After about a year on the job, I was taken aside into a conference room by one of the founders. “Today we are going to announce that we are being acquired,” I was told. “You don’t need to worry about anything. Nothing will change, and we still need you as CSO,” he said. “Fine,” I thought to myself. “We’ll just switch gears from operational to integration mode. They’ll need due diligence and documented assurances in order to complete the acquisition and leverage a better purchase price.”
After almost a year and many hours working to integrate our company into our newfound parent, I was called yet again into a conference room. “There’s no easy way to tell you this, so I’m just going to come right out and say it. We’re letting you go. We’ve decided we don’t need a thought leader anymore.”
Lesson: No matter who tells you or how loudly they say you’ve got nothing to worry about, worry anyway. Don’t ever fall into the mind-set of, “They can’t get rid of us. They need security.” Don’t lose hair or sleep over it, but be proactive instead of reactive.
Lesson 4: Smaller fish can sometimes swallow larger fish
Working for a biometric authentication company seemed like the wave of the future. This was post 9-11, and security theater was just winding the corner. This just had to be a long-term job. I was wearing many different hats and really enjoying my work there. The company was a public company, financially viable and a leader in the market. But I had assumed after a merger with another biometric company was announced that because we were the majority and the larger partner, we would be holding all of the right cards. Evidently the board didn’t think of it in this same light. Shortly after the merger was announced, I was speaking at a conference in Florida. I spoke with our CEO and he told me, “Just between you and me: If you have another job lined up, take it. There are going to be some major changes very soon.” The smaller partner of this merger had a large presence in the area where I lived. And since the new president and CEO of the resulting merged company was from the other company, I was out of luck. Relocation was never even offered as an option.
Lesson: Similar to lesson three. Politics will often override sensibility and financial factors. Always consider the political side of things when evaluating a potentially career-changing event.
My current employment situation is very tricky. While I enjoy working here immensely, I can clearly see the writing on the wall. The winds are changing. We are being forced by the E.U. to make drastic changes, and much of this has been well-publicized. We’ve eliminated many jobs in the past year, with more cuts on the way. We’ve gotten very lean, very quickly. We’ve gone from burning fat to burning muscle. In my humble opinion, there are very few ways this will end. 1) Merger with another institution, or 2) Breakup and sale of our institution.
While we position ourselves for option one, I’m not content to sit back and wait for the political winds to shift a given way. Having learned and applied lessons one through four, I’ve come to the conclusion that the right thing to do at this point is to position information security as a vital service, and not merely an offshoot or task of IT. By providing core services for security that are vital to the operation of any resulting merged organization, we can accommodate nearly any governance framework or management structure. And if we do perform services better than anyone else at a lower operating cost, we’ll be successful.
I’d like to leave you with some additional job-seeker advice. To the recently unemployed, don’t fret. Things will turn around; they always do. The job market really does stink at the moment, but there are things that even a caveman can do to make himself more marketable. Take the opportunity to consult, speak at industry events and write about your experiences. I know one recruiter who relies mainly on the nomination list of one of the best security awards that money can buy where you pay your $150 fee, nominate yourself and make their list of security luminaries.
One final piece of advice: Build a short list of recruiters and friends in the industry that know their way around the block. A useless recruiter will hamper your search more than help it. If they can’t articulate exactly what qualities they are looking for in a candidate or can’t tell you exactly what the role entails, you should cut your losses and remove them from the Rolodex. Good luck.
The author is currently employed as the security chief at a global financial services firm.