Career Advice for Security Geeks, Part 1
by Bill Pennington
Many of my contacts in the security sphere have recently gone through the dreaded layoff. Many of them have come to me for advice on finding a new position, and many of them ask me why they were in the position to be laid off in the first place. I have had to lay off people in the past; sometimes it is easy and sometimes it is hard. Usually the first round of layoffs is the easiest for the person picking the victims. A few reasons why people are chosen in the first round of layoffs:
1. Attitude – Are you the one always complaining about stuff like no free drinks, not enough vacation days, or having to work a few hours late every once in a while? Guess what? You are inching yourself closer to the top of the list for layoffs. If the manager has to cut, they are going to make it easier on themselves by cutting the people who make their job harder. If you need constant care and feeding, your boss is not going to have time to do that after he cuts 20% of his staff. However, if you are always the person who stays late, asks for extra work, and has a can-do attitude, then you are going to be much further down the list of casualties.
2. Aptitude – Then we get to the basic question: are you good at what you do? I am far more likely to keep the person who can do the work of three people vs. the person who is barely handling his current workload. Remember, I have to not only cut budget by 20% but also have to figure out how I am going to keep up with the current workload after I make those cuts. Which leads to…
3. Specialist vs. Generalist – This one gets a bit tricky, but for the most part I am going to keep a generalist around as opposed to a specialist, since my generalist can cover for the specialist. The generalist might take a bit longer to get something done, but it will get done. If I keep the specialist I am going to have a hard time getting them to do something outside their specialty. Again, it is important to understand the dynamics. I have no choice but to let some people go, and, being human, I don’t want to be let go the next time around. I don’t want to give my boss a reason to put me on the layoff list. This is totally selfish but a very realistic reaction. The team I have left is going to have to do just as much, if not more, after I let people go. If you find yourself becoming a one-trick pony, work harder to diversify and learn new skills. Don’t be the Check Point Firewall guru and only the Check Point Firewall guru; the more you know and can do, the more likely it is that you will survive the first-round layoffs.
4. Say “Yes”, always – This is a tough one for security people, since we are generally used to dealing with absolutes. It is pretty clear to us that deploying an unpatched Windows XP system on the internet is a bad idea. Deploying ATMs based on an unpatched Windows XP system and then hooking that to the internet makes me want to scream, “Nooooooooo!” but from a business standpoint that might be an acceptable risk. I always say “This is what we need to do in order for that to be secure.” Since you are not the “always-say-no” security guy, the more people who like you, the safer you are.
5. Sometimes you’re just unlucky – If I have to make cuts and everyone is great, it is going to come down to a “gut” call. All the above points are going to come into play, but in the end the differences are going to be so small that you really could not have done anything more to stay off the list.
If you find yourself in this unfortunate position, I will discuss ways to get out of it in Career Advice for Security Geeks, Part 2.