Good evening, my fellow security professionals.
Since I find myself "in between jobs" (you have to love the euphemism), I wondered how many others of you are facing similar problems and decided to share a bit of my experience trying to land a new job.
One of the most frequent assessments one can have thrown back at them during the application / interview process is that they are "overqualified". Now, there could be several things at play here, as I'm sure you can agree: either the company looks at your resume and decides (based on previous jobs you've had) that you will not come to work for the salary they are offering, or, if you do join, you won't stay for long, or you would feel "underutilised", etc.
What I suspect is happening is that, in a buyer's market like the one we are now experiencing, organisations of all stripes can afford to be very choosy and the security generalist, however senior and accomplished and successful in their previous career, tends to lose out to the security specialist / niche expert.
I call this "we want an engineer, with a blue cap, a yellow screwdriver, fixing only green appliances, in this red procedural way" syndrome. So, companies want risk auditors / assessors with specific industry vertical experience (e.g. public sector vs. financial services vs. telco), or they require administrators / analysts fluent in certain security technologies and not others, rather than the well-rounded generalist.
Sure, the CISSP (and, I suspect, the CSSLP, in the medium term) qualifications do help, especially at the pre-selection stage before the interviews, but are not enough on their own to land a good security job.
The challenge for us moving jobs in this climate seems to be able to prove that we can both provide value for money for what the company needs now (the "yellow screwdriver..." etc.), and also hint that they would be getting so much more by hiring us, so that, in effect, they are looking at a bargain!
This is how my job hunting strategy is shaping these days (I haven't landed yet, mind you).
I would love to hear about your experiences! Best of luck, Ionut.

That is certainly true.
What I do find is that I get far more jobs via my network than I do via normal applications. The good thing about going through your network is that you also trust the people you'll be working with since you've worked with them professionally in the past.
My current contract ends in 3 weeks, so I've started looking again... some of the rates on offer are shocking.
Posted by: Yousef Syed | 28 May 2009 at 01:38 AM
Sorry to hear about your plight. . .
I switched companies in March and found in my interviews that it wasn't a question of being overqualified (I have CISSP - ISSAP / ISSEP / ISSMP • CISA / CISM • GCFW / GSEC / GISP). . . but rather it was a question of whether or not I knew what I was doing beyond the letters. They were looking for tangible experience beyond the certification baseline of knowledge.
Speaking with those on my team after I settled into the new job, they told me that during the interview process they found about half the candidates with CISSP or whatever cert, had the book knowledge -- but not the real world experience they were looking for. And that there was some disappointment by leadership about those who had the letters but not the skills to back them up.
That said, I was able to find this position through networking with recruiters via LinkedIn. My profile (linkedin.christoperj.com) was/remains a snapshot of my resume -- and a jumping off point in the conversations w/those who are looking for those with my skills.
Feel free to connect with me out there. I'm connected with several hundred recruiters. If you find some who might be able to help, I'd be happy to introduce you.
Posted by: Christopher J. Marcinko | 28 May 2009 at 01:08 PM
I have to agree about being a security generalist. I'm also 'in-between', but only after experiencing what can happen when a CISSP finds themselves working for new, non-technical managers who suddenly don't understand why and what you've been doing ('hacking tools? those are auditing tools!')
I did so many different jobs in my previous position, security was part of all of them (sysadmin, dbadmin, SDL, policies/procedures, awareness training, etc.) but it wasn't in my job title.
As a generalist, I do feel I have a 'broad brush' to offer, but time and again, have run up against the pure specialist position where yes, I have experience, but apparently not enough in that particular skillset.
So, I'm trying to find a new position and also do some consulting. Times are tight!
I attend the monthly ISSA meetings and the Seattle Agora meetings, got a scholarship to RSA this year, and work hard on my networking. Sooner or later, something's gotta happen!
Help and advice are ALWAYS APPRECIATED, and I'll do the same for you if at all possible.
My LinkedIn profile is at http://www.linkedin.com/in/billwildprett
Peace.
Posted by: Bill Wildprett | 28 May 2009 at 06:05 PM
Ionut:
I switched companies this year as well. My impressions from the job hunt were as follows:
- I got lots of calls and e-mails from recruiters who wanted me to move across country on my own dime for a 6-12 month contract. As a husband and father, that was a major turn off.
- I learned to make sure I got the details of what the prospective employer really wanted. Too often, the job descriptions were very vague or the requirements were piled on so high that no human being could fulfill them, even me.
- When I did interviews, I made sure I discussed trends in the field at length to prove that I knew more than the book. It also pays to know which parties are involved in the project. In the interview for my current job, I was able to drop names of people that I knew in the project that both my boss and I have worked with.
Good luck and happy hunting. My firm is looking for qualified IA folks. You can send me your resume at dittmer_john@bah.com.
Posted by: John Dittmer | 15 June 2009 at 02:51 PM