Pragmatic CSO Weekly #34
October 31, 2007 - #34
Mike's Pep Talk:
"Patty Frost: Michael... Myers.
Zach 'Z-Man' Garrett: Trick or treat, baby!"
BOO! It's Halloween and that's always a lot of fun. The kids get all dressed up and the Boss and I prepare for the inevitable sugar crash and burn that results from kids that collect at least their weight in candy.
For this week, let's deal with a downright spooky topic and one that pretty much scares the crap out of everyone. That's the idea of walking into the office one day and finding that your boss is dressed as Michael Myers and proceeds to cleave your head clear off.
That's right, what happens if you've been canned? That's pretty spooky, no? Since I've got a fair bit of experience in this very topic, I'm going to give you some thoughts that have served me well in a very stressful situation.
- This too shall pass - I know it will feel like your world is ending and you aren't sure whether you'll ever work again. Since you are in a security role, I can pretty much guarantee that you'll find another job. Whether you want it is the more appropriate question.
- Take some time off - I know a lot of folks that get so freaked out about not having a job that they jump at the first thing that is offered. I suggest you take at least a week off. That's right, don't start your job search for a week or more. Why? Because you need to get over your anger at getting canned (or laid off, etc.). The last thing you want is to be seen as desperate, angry, or bitter. Let the road rash begin to heal before you jump back into the fray.
- Figure out what you want to be when you grow up - This is critical. You need to candidly and dispassionately assess your last job and pinpoint what you liked and what you didn't. Look to do more of the things that you like, and less of the things you didn't like. I know it sounds simple, but most people don't take the time to really figure that out. So they keep making the same mistakes over and over again.
- Leverage your network - Since you've all been good at meeting other security professionals in your area (RIGHT?), then you send out a little message that indicates you are looking for new opportunities and asking for referrals. For the folks that you know are super connected in your region, call them directly. See what's going on, what's happening in the area. There may not be anything immediately, but you won't know if you haven't cultivated your network.
- Believe - It's hard when you are going through a dark time to continue to have faith and confidence in your abilities. But you have to or you won't get that job. Make sure you can clearly communicate the circumstances that caused your exit and what you learned from it. As a manager, I looked for people with some battle scars - as long as they could tell me what they learned.
I truly believe that change is good and sometimes forced change needs to happen. Obviously it's better if you have something else lined up before you leave your current gig, but sometimes that just isn't an option. As opposed to fretting about it (which doesn't really accomplish much of anything), you need to stay focused, believe in yourself, and look for the best fit. Not just the first thing that comes along.
In this week's issue:
- This week's P-CSO Tip: Market Thyself
- Blog post: Online service shuts down to fix security breach
This week's P-CSO Tip
Market Thyself
As a follow-up to the spooky scenario described above, how do you go about "marketing yourself" so that when you need to look for a job, you hit the ground running and maximize your chances to be successful? First of all, get involved in your local security community. Whether it's ISSA, InfraGard, ISACA, IIA or any other security/audit networking group - make sure you know the power brokers and they also know you.
Second, you should be quantifying your successes and analyzing your failures and be able to present a great case relative to how you'll handle your next job. That's where the Pragmatic CSO methodology is so powerful. By definition, you are focused on BUSINESS RESULTS and telling a compelling management-level story about your security program, including defining success, managing to objectives and hitting milestones.
When it comes time to meet with prospective employers, you take a two-phase approach. In the first phase, you are describing your qualifications and learning about their environment. So you come armed with presentations you've given (without violating NDAs and other confidentiality agreements) and detail about how you've structured your "security business."
You need to also be aware of the challenges of the prospective employer and what BUSINESS problems they are trying to solve. Ask good questions and make sure you understand what they believe the challenges to be. DON'T ASSUME you know, even if they are exactly like your former employer. Just like when you go through Step 1 in the P-CSO, what you think doesn't matter. It's all about what THEY think.
When they invite you back for a second interview, make sure you have mapped out a 100-day plan. If you've listened well and know your business, you'll have a great idea about what needs to be done. Don't be arrogant (like you know all the answers), but offer up a few suggestions about what you will do when you get the job. Define milestones and make it very clear that you are willing and expect to be accountable for the results you map out.
Not only did I like to hire folks with battle scars and something to prove, but I also liked folks that took initiative and were willing to stick their necks out. It also makes your first 3 months easier because you already know what needs to get done.
Blog post: Measuring the "right" stuff
My last thought on the job search is to be able to substantiate the results you've gotten in your past gigs. Again, going through the P-CSO process will give you all the ammo that you need. If it's good enough for your former senior management, then it will most likely be good enough for the next one. At least to show that you know what you are doing and have walked the walk before.
This fairly dated post on the Intel blog makes a couple of good points about security measurement. Basically you want to measure just enough to achieve your objective. Just like you don't spend $10,000 to secure a $500 asset (though many of us probably do), you shouldn't spend tons of money gathering data and generating reports on things that your management doesn't care about.
So what are those metrics? I can't tell you; you need to figure that out for yourself. How? By talking to your senior management (Step 1) and going through the P-CSO process. As you are looking for your next gig, you need to be able to explain why the metrics you gathered were important to your former employer. They may not be important to your new employer, but again you are trying to convince them you have done the job before and can be successful in this new environment.
Buy It Now!
Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step; take that step today.



