As tough as this has been, there is a great deal that I've learned from each path traveled. And while some of these paths were voluntarily taken, the majority weren't. Considering the average stay at a company in our field is approximately 18 months, there are a lot of us that have been forced in another career direction within the past few years [see also: ]. If I had a dollar for every time a recruiter or human resource person asked about my "sketchy" job history, I'd be a very rich man [see also: ]. By the same token, I know of very few people who have been fortunate enough to have lasted five or more years in a strictly information security-related function at one company. There are many times I've thought about getting out of security altogether, but opening a dollar store and raising alpacas seemed like more trouble than it's worth.
Having said this, each . These are experiences that you won't find in any book nor learn at any business school. Sometimes the school of hard knocks can be the best teacher.
Lesson 1: Look before you leapThe grass isn't always greener on the other side. This is a common phrase that we hear from time to time and one that definitely had more than a ring of truth to it in the late 1990s. I had left the relatively safe pastures of Microsoft to pursue an opportunity as CISO at a startup company for twice the salary, stock options and other associated dotcom perks of the era. While I managed to ask all the typical geek questions in interviews, such as about the technology, personnel and relevant strategies, it didn't occur to me at the time to ask the tougher questions such as capital run and burn rate, attrition, company finances, etc. Had I known the incredible burn rate on capital before and predicted the dry-up in venture capital funds that year, I never would have left Microsoft. And, as I found out much later in an interview, once you leave Microsoft you can never go back. Learn to ask the hard questions and know what you don't know. Lesson: Do the math. Consult a mentor, financial consultant or career coach if you are unsure of how to ask about a company's long-term viability.
Lesson 2: You are not always as smart as you thinkSecurity is something that many businesses don't realize they need until it's gone. And when your e-commerce platform gets hacked and placed in the media spotlight, you'll often realize it sooner rather than later. When you view security in the same light as having a fire extinguisher on hand, you're begging for trouble. As the newly minted manager of platform security at a large online bookseller, Web security was naturally an integral part of the job. Finding flaws in the platform and online systems was incredibly challenging and rewarding, and probably the most fun that anyone should be allowed to have while still calling what they do work.
What was not as fun was making recommendations that would not be acted upon until a customer (and consequently the media) found out for themselves, like how you could change anyone else's profile or even change an order without ever logging into the system? In a "shoot the messenger" approach, nearly everyone was "right-sized." Another gentleman and I survived the purge only to be told by the new CTO that we would no longer be doing security, but networking instead. The CTO's voice is vividly etched into my memory: "We don't need that much security. We're not a bank, we just sell books."