Dear Infosecleaders:
About three weeks ago, I accepted a new position with a company, where I am going to be reporting to a new CISO. During the interview process I was told by the CISO that my position was going to be the “first key hire” as the company begins to revamp their information security program. However, since the interview process concluded and I accepted my position I have found out differently.
I learned that one of my friends and industry colleagues was contacted about a similar position at the same company – he was told almost exactly the same thing that I was – that this position was the “first key hire”. When he learned of this, he played dumb. My friend (who is a little better connected than I am) called a couple of his LinkedIn connections who were directly connected to the new CISO (my new boss) and he told me that what he learned was less than complimentary.
He told me that the CISO left his last employer in a mess, there was a mutiny from the staff, and that the guy has a reputation of being self-serving and has questionable ethics.
What makes matters worse for me is that I have already resigned my job. I am relocating to accept this position, and I feel that I am walking into a bad situation.
What should I do?
Sincerely,
JJ Blackheart
Dear JJ:
There is no question that you should value the opinions of others whom you trust; however, it is often a mistake to accept their opinions without firsthand experience and extensive validation from multiple sources.
The first thing that I would do would be to try to locate someone from the CISO’s former employer, who was a direct report to the CISO. I would pick up the phone and introduce myself, explain my situation, and ask them if they have any helpful hints on how to succeed under your new boss’ management style. It is possible that this person can provide you with some new perspective; it is also possible that this person will decline your request to share any details – and in that case – a red flag should go up.
I would tell you that if you do not feel comfortable with your decision you can do the following – contact your old employer back, and ask them if they would let you take back your resignation (this is why it is always good to leave on positive terms) and have your old position back, or contact others in your geography to see if you could locate a position similar to your old one (quickly). If neither of these works, begin work at your new employer.
If you decide to begin your new job, you need to suspend all of your relocation activities, immediately. The reason for this is that you do not want to compound your mistakes. In addition, if you received a relocation package, you do not want to be in a situation where you have to return your relocation monies, if you decide that you do not want to remain at your new job.
Once in your new job, I would begin to look for things that would either validate or refute your earlier suspicions. I would look for ways that your new CISO manages, how he communicates with subordinates, and for the consistency of his/her messages. You should use the first 90 days of your employment to see if you could work with this person long term and evaluate the prospects of a satisfying work relationship.
Simultaneously, you should continue to look for suitable opportunities in your former location, as a contingency plan. If one of those opportunities comes to fruition, you can compare it with your current position at your new employer, and then make a decision.
My advice would be to either put an end to this before it starts, or within 90-120 days after you begin work.
Hope this helps,
Lee Kushner