Security pros: Knowing when it's time to move on (and how to do it)

Dominic Vogel draws on his recent experience to offer advice on job-changing strategies to security pros and others in IT when you realize it's time to recharge your career.

Spring is a time for growth and rebirth. It is an ideal time to reflect on your career. There was a time when most people worked for the same company their entire working lives. Given the current supply-demand mismatch in the information security job market (more open positions than qualified candidates), you may be hindering your long-term career growth by staying at the same company, hoping to be rewarded for your loyalty. You need to take active ownership and responsibility for your career, and need to be re-assessing your skills and career goals on a regular basis. A good rule of thumb is to think about shifting roles every three to five years (any more frequent and you may get labelled as a job hopper). I am not advocating switching companies but rather changing roles (you may need to leave your current employer in order to achieve that, however). I recently went through this experience for the first time (having worked three years for the only company I've worked for since graduating from university). To help other infosec pros who find themselves in a similar situation, I would like to share some of my thoughts on the events that transpired leading up to my final day:

Realize when it is time to move on

If you feel that you have stopped learning to the point that your skills are regressing, it is likely time to move on. Having the self-awareness to realize that your career has stalled is imperative to long-term success. Unfortunately, once you get all cozy and comfortable, you've likely reached that glass ceiling and need to seek new opportunities and challenges.

Revitalizing the resume

The goal of the resume and cover letter is to land an interview. Making it past the gauntlet that is human resources is a daunting but not impossible task. In order to make your resume stand out, list five key strengths near the top of the page, or include a personal branding message. When listing your work accomplishments, try to include some quantifiable numbers. These seemingly insignificant changes can be effective in getting your resume noticed. See TechRepublic's Career Management blog for some great resume tips like these recent ones:

Beyond online job sites: Get involved with local security community

By only checking online job sites, you limit yourself to a smaller pool of opportunities. Being an active member of the security community (regularly attending conferences or membership in security associations such as ISACA or ISSA) allows you to leverage your network more effectively. The best job is often the one that is not widely advertised.

Seek out a recruiter -- a trusted adviser

I must confess that I once lumped recruiters in the same category as used-car salesmen, real-estate agents, politicians, and tax collectors. I could not have been more wrong. A great recruiter can serve not only as an adviser but can offer organizational insight into the companies to which you are applying. I was very fortunate to meet a terrific recruiter who provided invaluable guidance, and whom I will consult on my future career moves. A trusted recruiter is like a trusted mechanic: they are hard to find, but when you find one, they will serve you in good stead throughout your career. There are countless recruiting firms to choose from, so some research may be needed beforehand (see "How to find a good recruiter in your area").

Apply, rinse, and repeat

Do not shy away from applying to positions because there is something in the job description that doesn't appeal to you, or because you do not possess all the qualifications that are listed. Most job descriptions are written by someone in HR who has little understanding or knowledge of the intricacies and nuances that are required to work in information security. Nearly all the job postings online are formed from generic templates that do not necessarily reflect the skills or the duties that the role requires. Do not be afraid to apply; after all, nothing ventured, nothing gained.

Giving two-week notice

This was one of the hardest things I have ever had to do. I have the utmost respect and admiration for my former manager and mentor (he was the only one who was willing to give a fresh graduate the chance to work in the security field). Be sincere and heartfelt when delivering the news. Explain that you will do everything required to make the transition as smooth as possible. Most managers will be happy for you and realize that constant change is part of the modern business landscape.

Transition planning

It would be unprofessional to leave your co-workers and manager dangling without properly transitioning your duties. Fully documenting your "organizational knowledge" and processes/procedures that you follow for your day-to-day duties will make it much easier for your successors to continue your work with minimal trouble.

Saying goodbye

Hopefully, you will be leaving on good terms. The IT community (especially the IT security community) in some areas is very small, so it would be prudent to garner reference letters and LinkedIn recommendations. Be sure to exchange personal contact information as well. Former co-workers and mentors can serve as sounding boards when you come across new problems and challenges. In today's inter-connected world with applications such as Facebook, LinkedIn, and Twitter, keeping in professional contact has never been easier.

Hit the ground running

Ask as many questions as you can and meet as many of your new coworkers as possible. Don't just restrict yourself to people in your department. The best way to learn about the ins and outs of the business is by talking with those out in the "trenches." As a security professional, this is a great way to learn about critical business processes and to get a chance to view security in a business context.

Leaving your coworkers and friends can be a very difficult experience. What is important are the relationships forged, and the experience and the skills gained over the course of your employment. Take the time to reflect on what you did well as well as areas for improvement. In IT (and especially security) we need to embrace and manage change as it is part of our daily working lives. I am eager for the changes and new experiences that await me in my new role. That being said, I wish to extend a sincere thank you to my former colleagues for their mentoring over the years, and for giving this kid a chance to work in information security when no one else would.


Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.


Hello Dominic, First of all, thank you very much for the tips. I'm not sure if this is the right place, but what are the most important certifications in the security field? I'm graduating in Computer Engineering and want to prosper in IT security. I live in Brazil, but if I need to I'll travel to another country to study and get some of these important certifications. I'm not too young like you seem to be (I'm 35) but that's what I want. Thanks again. Best regards. Marcus.


Dominic, I can relate to this article SO MUCH. I've been working for my current company for over 14 years, the last 11 in IT. About 5 years ago I realized that I had stopped growing at my current position, Comp Sys Analyst (fancy title for Support Specialist although I do networking and InfoPath/SharePoint minor dev work). Although there are many things I could have done earlier to put myself in a better position, I decided to go back to college in 2007 and finish my BS. I finally graduated last year and am now in the process of obtaining certifications that I should have gotten many years ago (as I pointed out earlier I slacked off here). I tried talking to my boss about expanding my responsibilities in order to get better pay but it never materialized. I have enjoyed my time with my company and have made so many friends but the truth is that sometimes, you just KNOW when it's time to move on. It will be hard when the day comes but I have to grow professionally and in my case (small IT dept.) it will come via another job elsewhere. I do not blame my company; as I mentioned, I could have done more and perhaps made the move earlier but at least I am doing something about it now. I particularly liked the advice to apply for some jobs even if one does not know how to do everything in the job description. I was recently contacted by a company about a Jr. Developer job and because I do not develop InfoPath/SharePoint using code, I was hesitant to apply. I did anyway and they were clear that what they really wanted was InfoPath/SharePoint knowledge.


Hi mvcandido, I'd say that strictly security certs are CompTIA's Security+ and ISC2 CISSP; the latter is much more challenging as you need to already work in IT/Security for at least 4 years if you have a BS and have an endorsement from a CISSP certified individual before you can take the exam. ISC2 does have other security certifications but my understanding is that CISSP carries the most weight/respect in the industry. Cisco also offers some certs on security, but it is vendor specific, AFAIK. That being said, I think if you want a solid track to IT Security, I'd start with CompTIA's A+, Network+ then Security+ before getting into the other certs. You may also want to go for the CEH, Certified Ethical Hacker. Good luck to you!


Thank you very much, I'll take a look at those certs you mentioned. Best regards!
