Whether we change jobs out of boredom and are looking for new challenges, or the decision to depart is made for us, too often we don't take the time to evaluate what worked for us and what didn't in our previous job, and what we'd like to gain from our new job position. But, even if we can't predict what will be a good fit, I have found some principles that are essential to look at when considering a new job.
Understanding a company's standing is always important. Is the company losing revenue? Have executives and/or board members left? Is the company prime for a takeover? Are competitors dominating the industry? All of these questions help determine a company's health: a factor that will be critical to know if you're going to make the right move. While risks can pay off, you want to know what you are getting into. A company in turmoil will be more resistant to funding projects, hiring new staff, or making security a priority.
Review the 10k and 10Qs and do some analysis and check out the headlines – you'd be surprised what a simple Google search can yield. It's OK to enter a higher risk environment only if you are aware and prepared.
When possible, find out what the company spends on IT and security. The financial health of the IT and security group is important before taking over the role. The general rule is that five percent of IT spending goes to security. Of course, this will vary, but it can be used as a marker. If you are performing a security turnaround, there will be more capital expenditures in the first few years than normal. Does this seem possible given the company's financial outlook? Is the financial budgeting cycle ad-hoc or formal based on the annual fiscal cycle? Is there an IT budget governance committee managing it? How much was spent on security projects last year? It may not always be easy to get these answers, but they'll tell you a lot about what your job will look like once you take the reins.
One of the worst aspects of security groups, let alone IT, is staff management. It is common to have to restructure a team based on skills gaps. So always try to determine how large the team is in relation to the overall company and IT staffing. Typical security groups for companies of 10,000 to 15,000 full-time employees will have 25 to 30 staff. This does not include IT operational teams that I usually leave in a separate group. Is last year's attrition rate at the typical 10 to 15 percent? Is the staff located in key areas for the company? Are there cascading goals from corporate objectives? Are reviews done quarterly and historically attached to goals? What are the results of the latest employee survey? Has there been a layoff or hiring freeze in the past 18 months? As with financial assets, not having the right human capital will only make your job tougher, so ask the questions.
As with any security group, it is really the relationships with other groups that makes it a success or not. Understanding their structure and maturity goes a long way toward understanding what these relationships are. Get an overview of the organizational chart from the CEO to the third level down. Understanding attrition rate and longevity with the company will help you understand effectiveness and focus.
While these questions and thoughts will not bring everything to light, they will help. More importantly, the answers to these questions will help you to map your strengths and objectives a bit better to the situation that is before you. Before jumping into that next leadership role, it's important to know if the company is healthy and supports the function. Words are great, but actions speak much louder, and having some indicators where the company is can make the difference between success and failure.
