Security pros: Knowing when it's time to move on (and how to do it)

Dominic Vogel draws on his recent experience to offer advice on job-changing strategies to security pros and others in IT when you realize it's time to recharge your career.

Spring is a time for growth and re-birth. It is an ideal time to reflect on your career. There was a time when most people worked for the same company their entire working lives. Given the current supply-demand mismatch in the information security job market (more open positions than qualified candidates), you may be hindering your long-term career growth by staying at the same company, hoping to be rewarded for your loyalty. You need to take active ownership and responsibility for your career, and need to be re-assessing your skills and career goals on a regular basis. A good rule of thumb is to think about shifting roles every three to five years (any more frequent and you may get labelled as a job hopper). I am not advocating switching companies but rather changing roles (you may need to leave your current employer in order to achieve that, however.) I recently went through this experience for the first time (having worked three years for the only company I've worked for since graduating from university). To help other infosec pros who find themselves in a similar situation, I would like to share some of my thoughts on the events that transpired leading up to my final day:

Realize when it is time to move on

If you feel that you have stopped learning to the point that your skills are regressing, it is likely time to move on. Having the self-awareness to realize that your career has stalled is imperative to long-term success. Unfortunately, once you get all cozy and comfortable, you've likely reached that glass ceiling and need to seek new opportunities and challenges.

Revitalizing the resume

The goal of the resume and cover letter is to land an interview. Making it past the gauntlet that is human resources is a daunting but not impossible task. In order to make your resume standout, list five key strengths near the top of the page, or include a personal branding message. When listing your work accomplishments try and include some quantifiable numbers. These seemingly insignificant changes can be effective in getting your resume noticed. See TechRepublic's Career Management blog for some great resume tips like these recent ones:

Beyond online job sites: Get involved with local security community

By only checking online job sites, you limit yourself to a smaller pool of opportunities. Being an active member of the security community (regularly attending conferences or membership in security associations such as ISACA or ISSA) allows you to leverage your network more effectively. The best job is often the one that is not widely advertised.

Seek out a recruiter -- a trusted adviser

I must confess that I once lumped recruiters in the same category as used car-salesmen, real-estate agents, politicians, and tax collectors. I could not have been more wrong. A great recruiter can serve not only as an adviser but can offer organizational insight into the companies to which you are applying. I was very fortunate to meet a terrific recruiter who provided invaluable guidance, and who I will consult on my future career moves. A trusted recruiter is like a trusted mechanic, they are hard to find, but when you find one, they will serve you in good stead throughout your career. There are countless recruiting firms to choose from, so some research may be needed beforehand (See "How to find a good recruiter in your area.")

Apply, rinse, and repeat

Do not shy away from applying to positions because there is something in that job description that doesn't appeal to you, or that you do not possess all the qualifications that are listed. Most job descriptions are written by someone in HR that has little understanding or knowledge of the intricacies and nuances that are required to work in information security. Nearly all the job postings online are formed from generic templates that do not necessarily reflect the skill nor the duties that the role requires. Do not be afraid to apply; after all nothing ventured is nothing gained.

Giving two-week notice

This was one of the hardest things I have ever had to do. I have the utmost respect and admiration for my former manger and mentor (he was the only one who was willing to give a fresh graduate the chance to work in the security field). Be sincere and heartfelt when delivering the news. Explain that you will do everything required to make the transition as smooth as possible. Most managers will be happy for you and realize that constant change is part of the modern business landscape.

Transition planning

It would be unprofessional to leave your co-workers and manager dangling without properly transitioning your duties. Fully documenting your "organizational knowledge" and processes/procedures that you follow for your day-to-day duties will make it much easier for your successors to continue your work with minimal trouble.

Saying goodbye

Hopefully, you will be leaving on good terms. The IT community (especially the IT security community) in some areas is very small, so it would be prudent to garner reference letters and LinkedIn recommendations. Be sure to exchange personal contact information as well. Former co-workers and mentors can serve as sounding boards when you come across new problems and challenges. In today's inter-connected world with applications such as Facebook, LinkedIn, and Twitter, keeping in professional contact has never been easier.

Hit the ground running

Ask as many questions as you can and meet as many of your new coworkers as possible. Don't just restrict yourself to people in your department. The best way to learn about the ins-and-outs of the business is by talking to with those out in the "trenches." As a security professional, this is a great way to learn about critical business processes and to get a chance to view security in a business context.

Leaving your coworkers and friends can be a very difficult experience. What is important are the relationships forged, and the experience and the skills gained over the course of your employment. Take the time to reflect on what you did well as well as areas for improvement. In IT (and especially security) we need to embrace and manage change as it is part of our daily working lives. I am eager for the changes and new experiences  that await me in my new role. That being said, I wish to extend a sincere thank you to my former colleagues for their mentoring over the years, and for giving this kid a chance to work in information security when no one else would.