If I were Looking for a Job Where Would I Look?

Here is a post for those that found this blog via the RSA Conference website.

Friends and ex-employees often ask me questions on a very similar theme: “if you were looking for a job, where would you look?”. I am of course fully engaged launching an early stage startup, but I have been asked the question enough times to warrant a blog post. The information security industry has become so big and diverse that I cannot hope to cover all potential options and need to generalize or stereotype my descriptions and thoughts. I have organized this list into two categories and provide some simple bullet points with the pros and cons of each type of opportunity to consider. They are of course just my opinions.

The two broad categories are “Services” and “Corporate”, as these are the only two I have any real experience with.

Services

Pros

Well Paid - in general, services across the world pay well. This is of course true if you are doing services that are highly skilled and in demand and where the financial return on the services you deliver justifies the good salary. Many services are becoming commodities today and, like it or not, salaries will always follow the value of the services. If you deliver services that only a few people can deliver, expect to get paid like only a few people get paid! You can do the simple economics to determine potential salaries. Here are some “back of a cigarette packet” maths to consider. 225-ish possible billable days in a year. 80% billable utilization (more than that and you will get burnt out). Services companies will want to make a 30 - 40% profit margin. So if you bill at $200 an hour then you could bring in, say, 290K. Work out the salary, add on 30% to make it fully loaded (taxes, health, rent, etc.) and you can soon see the range of salary that a services company can justify and still make the profit margin. I used to have spreadsheets modeling out the justifiable salaries. It’s just a numbers game!

It’s Nice to be Wanted - In general, when someone pays you to do some services, it’s because they want you to do something. They want you to be there and they want you to be successful. Many corporate folks complain that they are not really wanted and have to spend much of their lives and effort selling security internally. In general that selling has already been done by the time you start in services.

Variety - Consultants usually get to experience a great deal of variety. Even those that do testing for big banks and complain day in, day out about repetitive testing get to see a variety of applications! When I look back at the sheer diversity of things I have done I am amazed.

Cons

Travel - There is no doubt a consulting lifestyle can be tough, especially if you have a young family. I did 200K airmiles last year and more the year before. If you are young and single then travel is great; when you have a family it’s hard. Flying around the world is glamorous for a few months, but if you have to fly economy for 16 hours sandwiched between a bloke with bad breath and a woman with dandruff who snores, that glamour soon disappears. Check out the company’s travel policy. When you travel a lot, little things make a big difference. Can you choose the airline? Can you choose the car rental company? Can you take the gas option or do you have to waste valuable time finding a gas station?

Outsider Syndrome - No matter what companies tell you about services “partners”, in my experience you are almost always on the outside. This means the really interesting projects are rarely staffed by consulting teams. You don’t get to build meaningful relationships and often feel like you have to parachute in and parachute out.

Surface Swimming - You rarely get the time dedicated to really get your feet under the table and understand everything about a topic, system or problem. The very nature of consulting is that you are a billable resource and you have to move on. You often scratch the surface of lots of things but don’t get to the bottom of many.

For the record, I spent my consulting career with Insight, ISS and Foundstone and on various occasions came close to various final fours.

Corporate

Pros

Deep Diving - You often get a chance to be involved with very interesting projects from beginning to end. By the nature of your employment you get to lift the lid off of problems and get to roll your sleeves up. I was involved in building an online bank and designing single sign-on for 30 credential stores with 40 million user accounts; some of the most rewarding projects I have worked on.

Lifestyle - Travel is part of work these days and any well paid job is likely to have an element of it, but in a corporate role it’s certainly less than consulting. The same I think is true in general of work hours. There seems to be a better work-life balance in corporate security roles.

World of Practitioners - I always felt I was privileged while working in corporate security departments. I was able to attend special interest groups that were only made up of peers and we never had to fight the thinly disguised vendor sales pitches. I had better access to standards bodies and regulatory authorities as well as the ability to interface with people doing leading edge work like (at the time for me) SAML authors, WS spec authors and Sun’s leading security architects. I saw a very different side of information security whenever I had a corporate role. A very different side with a very different view.

Cons

Lack of Variety - many corporate roles are for specific things, such as responsibility for software security or for policies and standards. Even a CSO role will be for a specific environment or industry. There is a perception of a lack of variety in corporate information security. I never experienced this and suspect it may be just perception.

Selling Security - if you are a consultant, chances are someone has already done the sales job and everyone’s already bought in to why information security is a benefit. I actually like selling the benefits of security but many people don’t.

For the record, I have worked for ING-Barings, Dresdner Bank and Charles Schwab. I have of course seen many corporate departments in the course of consulting.

My conclusions: consulting can be a very rewarding and well paid career. You get variety, great experiences and meet some great people. On the flip side it’s a hard and often lonely life on the road. It was great in my 20s but became hard in my 30s. Corporate security offers opportunities to dive deep into subjects and a better work-life balance than consulting.

So for the record, if I wasn’t doing SourceClear, what would I be looking for? I would be looking for a corporate CSO type job, probably with a bank and probably in Europe.

6 Comments on “If I were Looking for a Job Where Would I Look?”

  1. dhs Says:

    Mark,

    How true all of this rings. I’ve done the corporate gig for Digital Insight and consulting for Foundstone. While consulting may have its lonely times (I even blogged about it…), it doesn’t feel like I’m on the hamster wheel spinning mindlessly away as I did in the corporate world. You forgot some of the other perks to consulting.

    When you travel a lot, you collect a LOT of airline and hotel miles. Combined with the miles you can collect on your credit cards for all of your expenses, this can add up to a significant savings! This means free vacations for my wife and I at least once a year.

    If you’re a food and beer snob like me, you get to travel to some pretty interesting places where you can eat and drink things you might not be able to find at home. Of course, you’re doing this alone usually, but I need to eat anyway so I may as well enjoy it. The beer usually comes home in a way overstuffed suitcase if I found anything interesting in my travels.

    Consulting also means meeting a lot of people and interacting with them in a professional setting that you don’t get when you do the corporate gig. Sometimes the relationships are good, other times they are challenging, but it’s always interesting. Spending 2 weeks in Sao Paolo was a great experience for me, especially with the great group of students I had who were able to introduce me to their city and culture in a way I could have never experienced on my own.

    Finally, the best part about consulting is working from home. When I’m not on the road I’m at home working with the dogs at my feet. I can set my own schedule, listen to my own music as loud as I wish and I have a 10 second commute! The downside, of course, is that one never feels like they can get away from work when the office is right there, in the house. It’s just waiting for me to go do one last thing… Of course, when I travel for pleasure or just take some time off I leave the laptop and RSA token behind so I can get away and leave the work behind for a few days.

    Consulting can be a bitch. If you’re in it for the money you will burn out. You have to make the choice to pursue consulting because you like the work, the people, the experiences and the travel. Eventually I’ll go back to a corporate job… but not anytime in the near future. I can’t imagine having to go to an office and sit at a desk for 8+ hours a day anymore.

  2. dre Says:

    it’s possible to work for the same company, fit into both of these roles, and go back and forth between them. it’s possible to own your own company, be your only employee, and fit into both these roles, as well

    when i saw the title of this blog, i thought you were going to say where to work… as in places “to” work at. this got me very excited as it’s difficult to decide what to do with all of these security companies all over the place. i just moved to chicago, don’t really want to move again or change jobs - but there is so much opportunity. yet somehow i think that starting my own company is the best decision i can make

    some of my favorite companies are matasano, ksr/neohapsis, korelogic, aspect security, accuvant, leviathan security, stach&liu, quietmove, fortifysoftware, cigital, coverity, ouncelabs, grammatech, spi dynamics, and whitehat security. they all seem to do the same type of “security consulting” or have a “security product” in the “application security” space. how does somebody sort through these companies and decide on just one? is application security even worthwhile? these are questions i ask myself every day and can’t solve

  3. dunsany Says:

    Nice post. I agree with this so much, I’m linking to it on my blog. The title of the post is a little misleading tho. I renamed it when I linked it.

  4. rybolov Says:

    You know what’s interesting? I’ve done both jobs at the same company and hopped between them. Now the corporate role that I’m currently in is an anomaly in some ways–we usually don’t have security staff except as an assignment from the security services organization.

  5. Jeff Snyder Says:

    Mark,

    Your post was an interesting read. Here is perspective from someone who has been in the technology recruiting space for 17+ years.

    I started recruiting in the IT Security space in the mid 1990s. Today, SecurityRecruiter.com handles a mix of corporate security roles (logical & physical), security vendor roles and security professional services roles.

    The longer I recruit, the more I’m convinced that the most intriguing people I meet every day are those who are doing what they are passionate about doing. In other words, I can tell very quickly when someone is working in a job they aren’t excited about doing. I can also tell in a very short period of time when I’m working with someone who is passionate about their chosen profession and the particular role they’re working in currently.

    Far too many people make career decisions based on money alone. Whether it is a corporate role or an outside consultant role, pursue the job you can become passionate about performing. Rewards will follow passionate performance.

    Jeff Snyder
    SecurityRecruiter.com

  6. Seven Deadly Pen Test Sins | Mike Andrews Says:

    [...] over, never really “digging in” to anything. Mark once again has a good post on it here. In some ways the security industry moves quite fast, but in any “focused” area (like [...]