I’m a senior executive, a subject matter expert, and an influential strategic leader in cyber security. Why would I always be looking for a job, why would I always be keeping my ear to the ground, and why would I job hop if needed? Why does this matter to industry?
To get to some of those answers I offer the following story. My great-grandfather, grandfather, and father all worked for the same companies they started their careers with for their entire careers. Other than tours in the military their career trajectories were straight. My grandfather was killed in an industrial accident, my father got cancer from working on nuclear power plants. Looking at them I may take away the wrong answer but my key takeaway is this.
Work is not your life, but your life is filled with your work. I like to travel, experience new things, bring success to the people I work with, and, more importantly, I like to do cool stuff. I asked in a job interview for a leading tech company about work-life balance and they said that question meant I wasn’t right for the job. I’ve always thought of my job as my hobby, not minding the constant connection of email, messaging, and video calls. Those are all features of the information security community’s 24/7 culture and built into the compensation package. I’ve always thought, “work hard, play harder”, but some companies think “work hard, burn out”. That has strategic implications for the information security community of practice.
Why always looking for a job? Where companies do business intelligence, I do career intelligence. I help companies stay secure. If asked, I lead companies’ information security programs. Why would I not apply this same thinking to my career? I align the business lines with the security requirements and adjust as required. Do you want somebody who was the best candidate or is currently the best candidate to lead such a critical function? My resume is a pale reflection of my capability, but hopefully my reputation precedes me. I am constantly aware of my place in the information security ecosphere. I build on the areas I am weak in comparison to other candidates and ensure I am a top performer. I want to always be constantly improving my understanding of the domain I am expected to be an expert about. Want me to leave? Deny my request for training.
Why keep situational awareness of the job market? I always hire my replacements as subordinates. I want people who can replace me at any time in the future. If I leave, if I get promoted, I follow the principles of information security and ensure a resilient human resource pipeline. I have the unique capability to reach into the world around me and pull together a substantial team rather quickly. I always invest in the people I work with (time, effort, education, money, and honesty) so they are always willing to work with me. I am hyper-aware of changes and transitions in the information security marketplace. I build an awareness of risk organizationally, personal risk, and an early indicator of shifts in thinking about the domain of information security.
Why job hop? When I worked in industry a millennium ago, I was told by a senior VP that they don’t give pay raises. If you want a pay raise, go somewhere else. Mentally I always inject a maniacal Dr. Evil laugh as a period to that statement. Unfortunately it is true and I see it happening more and more. I was at Purdue Calumet for 8 years, NDU for 17 months, and Purdue again for 18 months. I hopped back to government at USACE for 9 months, and to my current job for about 8 months.
NDU was hit by sequestration and the president of the University said “JUMP!” and they slid 45% of the workforce out the door. Returning to Purdue I hit the academic logjam of “Military ewwww” and went back to government. At USACE my mentors (seniors in government and industry) said I would only make it 6 months. I made it 9 months. I call that success as a first CISO at an organization fighting the trolls of government. I’ll take it. Now at DHS I work in the literally worst sub-agency according to the Federal Employee Viewpoint Survey.
My government organization is 320 out of 320 for job satisfaction. Helping to change that, reward the workforce, up their game in cyber threat intelligence, and give them some cyberspace thinking. All very rewarding. Challenge is a catalyst for innovation.
You job hop because opportunity doesn’t arrive on a schedule, adversity is really the shadow of opportunity, and if you do your job right from day one, you leave an organization better than you arrived. I really miss the long-term nature of an academic role, but offered them I’ve been intransigent in acceptance. I’m now a gray beard and see opportunities shrinking before me. Part of that is I’m way higher in the pyramid of leadership and there simply isn’t the opportunity to hop easily. Some of it is that technology is a youth culture. Part of it is that I’m unwilling to put up with ill-informed, weak, and meager corporate leadership. I cherish the opportunities to help leadership succeed.
This is important to industry. Job hopping allows somebody in information security to see the diverse models and structures of security implementation. In the information security world of CISO and CIO I see a lot of lawyers and business types taking these roles. The blogosphere and punditry machinery cranks out how business is so much more important than information security at these levels. A West Point faculty member once told me, “Doc, I can teach an engineer history, but it is really hard to teach a historian engineering.” So, I hold on to my doctorate in digital forensics and incident response and show up when all the systems are broken. Strategically, big corporations would be well served to challenge their own paradigms. I’m not really expecting it to happen.
So what is perceived as a weakness is actually a strength. It has allowed me the time to study problems holistically (academia) that I experienced in depth (industry) and have determined the policy and regulatory issues (government). So, I don’t have a law degree or a business degree. From the outside I may know more about any one corporation’s line of business than anybody else not currently in their C-suite. That kind of knowledge is how you do real information security.