Tuesday, August 02, 2011

Secuity Careers: Questions from an Information Risk Manager

Security Risk Management Career Questions from an Information Risk Manager at a Fortune 100 Company

Thanks for the advice you have provided me in the past regarding the security industry and general career advice. I would like to pose another question to you regarding career progression. I hope that your blog readers may find the topic relevant - should you choose to post it.
To provide some background, I am currently a risk manager at a large financial services organization. In this role, I am responsible for advising the business and technology teams on all things security/risk related and running projects to enhance the overall security program. I feel that I am doing well in this role, and am recognized for my accomplishments.  However, looking ahead, I also realize that the prospects for career progression from a people management perspective are limited without either leaving my group or role.  I am one of dozens of risk managers and we are a relatively flat organization.

I have recently interviewed at a much smaller organization (< 250 employees), which is currently undergoing rapid growth. This organization is in a completely different industry, and operates very much with a start-up type mentality. The company's management has recognized the importance of security in the organization, especially as their profile increases and clients are demanding more information around their information protection practices.

This is the first such position in the company and would essentially be building the security practices from the ground up.  The type of interaction with the technology teams would be a very similar advisory capacity, but this role would also have responsibility in communication with current and prospective clients on security practices.
My questions are:
Would moving to such a small organization limit my ability to go back to a larger corporate environment in the future? I am unsure how the security roles in smaller organizations are viewed by the Fortune 500.   

While the salary compensation is relatively similar, will the growth prospects in this area likely be limited as well?
Thanks in advance for your time.

First, I’m glad that I was able to help you in the past and although I don’t have the “final” answer for you today, perhaps I can give you a few ideas to ponder.
Many times, when I have information security jobs or cyber security jobs with larger Fortune 500 sized companies, hiring officials instruct me to deliver only candidates who have experience working in similar sized organizations.  I’m not suggesting that this approach is either right or wrong.  I’m simply telling you that these are frequently the demands that are placed on me as a security recruiter.
The fact that you’ve worked in a Fortune 500 organization may be good enough in the future when a hiring manager is demanding that his / her recruiters deliver candidates who have Fortune 500 sized experience.  The longer you stick with the Fortune 500 path before venturing out to the smaller organization, the more likely the next Fortune 500 company will look beyond your small company experience to see where you invested significant time in a larger company.  I took a look at your LinkedIn profile and noticed that you have been with this large company for just over a year.  It would most likely be to your advantage to stay longer to show a future employer that you have the abilty to stick with what you start.
Small Company Advantages

One of the advantages you’re likely to see in a smaller company is that of wearing many hats.  As you’ve stated, there are dozens of people in your larger organization doing what you do.  Since I have to guess, I’ll guess that you and the dozens of people you have mentioned are somewhat pigeon holed when it comes to the breadth of your subject matter expertise.
Doing similar work in a smaller company where you are the only one doing it by default will stretch you horizontally.  Situations will no doubt arise in the smaller company that were not part of the job description you signed up for when you joined the organization.  Again, by default because you are the only security / risk management person on board, these unforeseen assignments will land on your desk.  This kind of being in the right place at the right time luck is less likely to come your way in a larger company because there are too many people to deal special assignments out to.

Building a Career
The building blocks of a career are just that, they’re carefully calculated steps along the way.  In general, if you’ve been at the large company long enough to make it count for your future, stepping into a smaller organization in order to broaden your skills may not be a bad idea. 
Will your growth prospects be limited in a smaller organization?  It might seem like they will be limited but allow me to share a brief story.

In 1992, I placed Sam in an HP/3000 Cobol System Analyst job.  I distinctly remember that Sam took this job for $38,000.  Fast forward nearly 20 years.  Sam remains a good friend of mine to this day.  He rose to become the CIO of the company where I placed him in 1992.  This work was done in my general IT recruiting days before 1995 when I began working in the security space.  Sam has risen above and beyond the CIO role and is now an Executive Vice President in this $100 Million Dollar company.  Sam’s office is next to the CEO / Founder’s office. 

The CEO in this case recognized that Sam’s potential extended far beyond IT.  Once the CEO leveraged everything he thought Sam could do to build up the company’s IT organization, he challenged Sam to grow in other ways that would ultimately grow the bottom line of the company.
Sam wasn’t worried about the $38,000 starting salary back in 1992.  He knew in his heart that if he was placed in the right company, he would find ways to grow.  Sam focused on producing, solving problems and identifying opportunities.  For that, he was promoted and I can tell you that Sam doesn’t have to worry about his paycheck today. 

Sure, this is an unusual story but I’m excited to share it with you because I placed Sam.  I’ve seen what happens when the right person joins the right company and they keep their eye on the ball. Had Sam not made the move to join this privately held company in 1992 and had he stayed with a Fortune 500 company, he very likely would have never seen the career growth opportunities he has been fortunate to experience.
I hope you find this information to be helpful.  If not, I’m a phone call away at 719 686 8810.

SecurityRecruiter.com's Security Recruiter Blog