Tuesday, July 06, 2010
The Fourth Career Mistake...
Many practitioners believe I have a great resume and that anyone would/should hire me in a heartbeat. The challenge, however, is not with practitioners nor their executives but one of recruiters and their understanding of IT. Let's acknowledge that for the vast majority of IT positions that one may learn about, the very first stop on the journey is talking with a recruiter.
The first entry on my resume is for an investment advisory/brokerage firm I worked for in the late 80's where I was a systems administrator for HP3000's. I typically do not list the fact that I started in IT in high school where I worked at Cigna in their data center changing out IBM terminal controllers after hours or how I had to write an application to keep track of all of my work since it would appear strange to the recruiting crowd that I had over 25 years experience in IT but otherwise am on the low side of 40's.
The funny thing is that I used to work a 35 hour week while in high school. Back then the work day hadn't yet converted to even being a 40 hour work week. So, do I count this as fulltime experience? Anyway, back to the brokerage firm position. Did you know that I also did C/Windows SDK programming?
A theme started to emerge in my background where I was doing both infrastructure and software development at the same time. Since most people don't have this as a background, this tends to feel strange to the otherwise boolean questions asked by recruiters.
In 1993, I jumped into consulting and worked for a regional consulting firm named Command Systems where I was technology director. Did you know that I literally achieved my Certified PowerBuilder Developer (CPD) and Microsoft Certified Systems Engineer in the same day! How could one be proficient in both infrastructure and networking? As a recruiter, would you think this candidate was bullshitting? Interestingly enough I have externally visible proof that I was doing both at extremely high levels of competency.
In 1996, I wrote a sample application that shipped with PowerBuilder 4.0 in the box. It had the most kick-ass about box eyecandy logic of its time. Also, in 1996, I won the Microsoft Solutions in Action award for the most mature implementation of Microsoft Exchange Server in a corporate setting. Sadly, most recruiters will not spend time looking at the evidence and instead make a gut-feel call.
In 1998, I fell in love with the internet and was fascinated by how people could make so much money by giving away lots of stuff for free. I wanted my share. Did you know that I led a team of 25 people to develop an online bank in six months? Not only did I lead the development of software, I also took personal interest in building out the infrastructure.
As you can imagine, developing a bank from scratch requires one to think very deeply about security. I remember my first "review" by a respected individual whom I will refer to as Foster. After the review, he sent a humorous note to the CIO regarding my proposed architecture which read as follows:
- Excuse me, Mr. Bank Manager, we didn't have time to build the safes, but I got these nice sturdy paper bags for you to keep your money in...
I went on to lead a team to build out a mortgage platform for another Internet startup. In this scenario, I too not only did development but actually took my learnings one step further and started to rack servers and get involved in networking. My experiences led me to also achieve certifications in Cisco (I achieved CCNP status) as well as get hands-on with CheckPoint Firewall-1.
We all know what happened in 2001, where the dot-com bubble busted. At the time, there was another life event which was the birth of my first son and I knew I needed an old stodgy eight-hour a day job and landed at my current employer. Enterprise Architecture at the time was very infrastructure-centric but as someone with a development background, I wanted to influence in such a way that architecture conversations were more application-centric.
I remember an interesting debate I had with another enterprise architect back in 2003, where the notion of cross-site scripting was first discussed. He thought it was a useful feature where my security conscience knew better. The application at hand captured lots of personally identifiable information. This was the first battle I lost and learned a valuable lesson that enterprise architecture sometimes isn't about architecture but the human aspects of technology.
As compliance started to grow, I saw an opportunity to turn personal philosophies into something that could be leveraged. We all know that compliance is the largest unmanaged spend within the enterprise and yet the vast majority of enterprise architects are blissfully ignorant when it comes to understanding compliance.
The funny thing about compliance-oriented projects is the fact that the business wants them to be completed in a timely manner, but otherwise doesn't care to be a traditional business customer in terms of expressing requirements since they are already known. The side effect of this activity is that as an architect, one in essence can become their own customer. For example, who would be better to pose requirements for complying with PCI Section 6 than an OWASP chapter leader?
So, in my current role am I an Enterprise Architect who understands Information Security or an Information Security Professional that understands Enterprise Architecture? The vast majority of information security professionals either came from some sort of accounting/auditing background or are from an infrastructure-centric background. Wait a minute, I know infrastructure too but why wouldn't folks in this camp accept me as one of them? It's not about competency but more about being operational in one's thought process.
To make a long story short, recruiters love to categorize individuals by placing them into nice neat boxes, but what box do I fit into? Most job requisitions do not specify that they want someone who is highly adaptive and can learn quickly but more are about an enumeration of skills and duration.
Am I a better candidate because I truly have over 20 years of experience and not one of the typical candidates they often see that has had one year of experience twenty times?
One should enjoy what they do in a work context, after all you spend a lot of time doing it so you may as well enjoy it. Likewise, you have to be cognizant of what you do and how others will interpret it regardless of how much business value it brings...