New job, thinking of going already...

triplea Member Posts: 190 ■■■■□□□□□□
Hi,

Ok a little background..

I've had 4 IT related jobs since 1989 and have just started a 5th as an Information Security Officer. For the last 6 years I've got involved in the infosec side of things whilst also being a systems admin and at the beginning of the year decided to make the jump. After 3 different interviews I got hired as an IS Officer. As you can see I can't be considered a 'job hopper'.

So I started my new job 5 weeks ago. Really pleased, really keen.

Since then I've realised that there's no one to really show me the ropes (they knew my background and I was a career changer in the majority). Documentation from the last guy who left 6 months ago is all over the place (I'm to be managing the ISO27001 Information Security Management System). My boss has given me a very high level overview but hasn't really run me through anything (I literally had to make a sheet of what I think I should be doing in the role and other job areas and get him to run through it during a meeting I had to arrange?)

I have now basically told him that I signed myself up to a Udemy course to teach myself how the ISMS should be run and how it works. I did the course and this has been way more useful than the very limited info I have been given. I'm matching that up to documentation/spreadsheets that relate to the ISMS and trying to bring them up to something I can use (not been updated for 6 months in many cases). I have no idea if what I am doing is correct as I have no one to check against and it's very hard to get my boss to reply to any emails (I sometimes get something, sometimes 'I'll look at it when I get the chance', sometimes nothing..)

So I am literally going on best assumption of what I know from the last job (I only got involved with parts of it there) and asking for some guidance from my old infosec buddies. I could of course be making a real hash of this or be 100% spot on but I'm not getting any feedback and there's always the 'I don't know X because I haven't worked here so wouldn't know X does this or causes that'.

He's out a couple of days a week working from home and already I've got to the point of looking forward to these for the wrong reasons. Glad as I've got no one looking across at me and having to think 'does he think I know what I'm doing if he's not telling me? What does he think I'm doing? Answer some emails and you'll know.' I'm really trying to get this up and running again with no help or guidance!

It's now to the point I'm already thinking about making an exit plan and putting this down as all my eggs in one basket as I'm looking at 1 person to assist me here and no team around me. This was my original reservation and when I got offered this job still interviewed for a job where there would be 6 similar people in the team. Basically I have viewed the last 5 weeks as a training course that I think I've learnt loads from but no way of clarifying. At worst I now do know what things mean and some of the things that are required and what to look out for.

I know I should give it a chance and it's a good company and a very good position but I'm sure I shouldn't be looking at job sites again already. If I go the change of job title should help even if just to get me past HR filters.

What are your thoughts or what would you do please? I would try and have a conversation but already it seems a very uphill struggle.

Thanks.

AAA

Comments

  • techfiend Member Posts: 1,481 ■■■■□□□□□□
    I had a similar experience, no real documentation, replacing someone that left, no one else having the same responsibilities. During the first 3 months I encountered some of the most stressful times of my life and it was ruining my personal life. Once I realized that I have a great opportunity to learn and succeed I started getting it. 3 months later I was confident taking on everything thrown my way and my personal life was starting to prosper. After 2 years I left because the challenges ran out. It turned out being my most enjoyable position in my career and it took me places quicker than I ever expected.
    2018 AWS Solutions Architect - Associate (Apr) 2017 VCAP6-DCV Deploy (Oct) 2016 Storage+ (Jan)
    2015 Start WGU (Feb) Net+ (Feb) Sec+ (Mar) Project+ (Apr) Other WGU (Jun) CCENT (Jul) CCNA (Aug) CCNA Security (Aug) MCP 2012 (Sep) MCSA 2012 (Oct) Linux+ (Nov) Capstone/BS (Nov) VCP6-DCV (Dec) ITILF (Dec)
  • Neil86 Member Posts: 182 ■■■■□□□□□□
    If you haven't seen it, there is a good thread about situations like these:

    http://www.techexams.net/forums/jobs-degrees/133777-you-only-grow-when-you-uncomfortable-challenge-yourself.html

    Like techfiend said, it may be stressful now, but you may hit a stride and figure things out. Or, maybe not. But at least you're trying.

    Sounds like there is just a lot of questions but no answers. Time to find those answers. You're doing the right thing by studying up, so keep doing it. No one knows everything about a new job when they get into it, there will always be things to figure out.
  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    Who do you actually report to? And are you one of several ISOs or are you the ISO?

    What you describe for an ISO doesn't seem particularly unusual. An ISO runs or develops the security program. It's you that's supposed to provide guidance to your management - not the other way around. Usually management would provide guidance on risk tolerance but that's all that I would expect.

    Sounds like you have a pretty clean slate to start from - which could be good or bad :D depending on the company.
  • MeanDrunkR2D2 Member Posts: 899 ■■■■■□□□□□
    Looks like the boss trusts you from your background to know that you won't make a taboo mistake. You are methodical and you take your time to learn things as you encounter them. Maybe it could be beneficial to you to join a local tech group that specializes in this line of work and there would be opportunities to bounce thoughts off of others, especially if you find someone kind of like a mentor to you.
  • triplea Member Posts: 190 ■■■■□□□□□□
    Thanks for the replies so far.

    I report to the head of security. I'm sure as I'm not coming directly from this background he should be keeping an eye on what I'm doing more (I would).

    How do I know how I'm doing with no feedback?
  • Azt7 Member Posts: 121 ■■■■□□□□□□
    You're doing just fine. Because you were smart enough to realize that you lack knowledge so you went to seek it. I'm sure with your experience, you realize that people are not that smart.

    In my small experience, I have realized that most of those high level bosses are not that knowledgeable or are not interested in these type of tasks. My advice to you would be to learn everything from scratch just as you are doing and figure everything out.

    It doesn't seem like your boss will be on your back so I will assume your job is safe. You've now realized that he doesn't provide feedback, I will just show how you've taken ownership of everything. Some people just want things to be done without caring how.
    Certifications : ITIL, MCSA Office 365, MCSE Productivity, AWS CSAA, Azure Architect, CCSK, TOGAF
    Studying for :  TBD
  • triplea Member Posts: 190 ■■■■□□□□□□
    So thank you for all the replies, from what’s suggested it seems like I am going about it the best way even without any feedback.

    What I decided to do today was create a to go and to stay list. I had 10 good reasons to stay and 13 to go. Against each one of the to go list I was able to put a reasonable argument mainly to do with finding help other ways or taking what I can away from it. For instance I don’t know X but how can I if I’ve not worked here before.

    Got on with building a security incident register from scratch almost and managed to make my way through most of this and also learned a few things on the way. Spoke to my Infosec guy from the old place and it’s almost the same as they do it and they retained iso27001 certification so must be right direction at least.

    I’ve decided to look at this as a training ground exercise. If in 18 months we don’t get a renewal (it’s a full check every 3 years) then it’s not down to me but I should be getting regular feedback. If it seems to work then I can take what I have learned to a new place and try it with the kinks worked out there. Bound to have picked a lot of info up on the way anyway. Either way I'm still getting paid much more for my time and the time in a new job can't hurt my CV/resume.

    I've decided to schedule a meeting, I could actually be way in front of where he expects me to be at this point as a new hire with a career change?
  • UnixGuy Mod Posts: 4,570 Mod
    Mate this is your chance to become an absolute expert at ISO 27001!! This is an opportunity to learn the ins and outs of ISO27001, apply everything you learn at work. Eat breathe live ISO 27001. Who cares what the boss thinks, in a short time you can become more knowledgeable in it. It's not that hard, so it shouldn't take you a lot of time either.

    It's a work in progress as well, so the program doesn't have to be perfect from the get go! You get audited, and then you plan to improve the gaps. There are TONS of resources online (such as the Udemy course that you used) to teach you everything you know and more! Learn, and do the best that you can! Become an expert in ISO 27001... Ask your boss for training as well!
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • MeanDrunkR2D2 Member Posts: 899 ■■■■■□□□□□
    It's probably worth a shot to try to set up a twice a month sync up meeting with your boss to go over what you've been working on as well as your goals for the next 2 weeks. It would be seen as proactive on your part and be a positive to make sure you are on the right path.
  • anthonx Member Posts: 109 ■■■□□□□□□□
    triplea wrote: »
    So thank you for all the replies, from what’s suggested it seems like I am going about it the best way even without any feedback.

    I’ve decided to look at this as a training ground exercise. If in 18 months we don’t get a renewal (it’s a full check every 3 years) then it’s not down to me but I should be getting regular feedback. If it seems to work then I can take what I have learned to a new place and try it with the kinks worked out there. Bound to have picked a lot of info up on the way anyway. Either way I'm still getting paid much more for my time and the time in a new job can't hurt my CV/resume.

    I've decided to schedule a meeting, I could actually be way in front of where he expects me to be at this point as a new hire with a career change?

    You will be the GO TO guy on anything to do with ISO27001. So if we have questions about ISO27001, we can go to you. LOL

    A mentor would be nice but where are you going to get a mentor outside of your current company? I've been thinking about getting a mentor myself but on another area. Good luck and I will be looking forward to see any new developments in your career change.
    AnthonX
  • DatabaseHead Member Posts: 2,760 ■■■■■■■■■■
    Mentors are unrealistic at those levels. In fact some executives actually pay former executives to be their mentor, this is true.

    With that said, trust your abilities you can power through and what comes out of this will be exciting. It comes with a cost, but one that IMO will be worth it.

    I've not held a position of this magnitude, however I have gone from help desk to managing a brand new infrastructure project. I was completely overwhelmed, but man at the end of that meat grinder I learned a TON! In fact I even surprised myself on how well I did. I was studying PM and Service Management methodologies and even had to re learn cost accounting for some of the billing gaps I had.

    I find the higher I go up the more ambiguous the positions are. They want you to solve for them, not provide questions. What you did with Udemy was a good idea, obviously. Isn't there an ISO 27001 certification you can take?

    Either way you got this, believe in yourself.
  • triplea Member Posts: 190 ■■■■□□□□□□
    Well this is interesting!
    My boss let me know this morning that he is going to another job, not with any malice, just his choice.
    So he’s let me know that I’ve hit the ground running and I’m doing very well and I seem to have an aptitude for this. That’s good.
    So that’s 3 months away so end of Jan.
    Now because he’s the boss of several ‘risk’ roles I suspect my new boss will not have the extensive security/IT knowledge that my current boss has (maybe but not likely)
    So I’m now faced with another dilemma. If I stay (and I was intending to now) I will probably end up with more IT/Security knowledge than the new boss (may not be the case but likely).
    Which means I’m either going to grow very quickly in the new role but looks like I will get huge amounts of responsibility which I don’t necessarily feel comfortable with as I should have someone ‘over me’ in my mind. I’m quite happy to do the day to day stuff but believe I should have a security manager, not just me as the officer. I, at this point, will now have no mentor – AT ALL!
    I’ve escalated the need to get on an official course (firebrand training and the ISO27001 lead implementer) before he goes and he’s happy to put that up even though I’m on probation.
    So now my other choice is to grab the job for as long as I can then look for another role (as I now have an official security title and from past job quite a bit of experience security wise). Also I should have the EJPT and the iso27001 LI certs under my belt during that time.
    The other side of the coin is I could be looking to ask for a better pay rise (they only happen every April) as I am now the single role/point of failure. Of course that depends how I get on.
    Must admit if I would have known I would have been in this position I would probably have kept on looking when I took this job.
    Thoughts appreciated…..
  • Jon_Cisco Member Posts: 1,772 ■■■■■■■■□□
    If I am correct you didn't really like the old boss situation. This just seems to be a bonus.

    One thing I know for sure is that every company has issues and most employees think their boss should do things differently. You seem to be put in a position where you will be allowed and expected to learn. A lot of people would love that opportunity. If you are lucky the replacement and you will get along great.

    Good Luck!
  • triplea Member Posts: 190 ■■■■□□□□□□
    Decided to look at it this way.

    I'm learning and getting new info on how this all works every day. I should be having iso27001 training in the new year which should make me an iso27001 lead implementer (I raised the urgency on getting this).

    2019 is only a recertification audit rather than the full 2020 audit. By this point I will either feel comfortable or be looking to have left with a min of 12 months infosec/iso27001 experience.
    I may end up with no formal manager just an exec that I report direct to. I look at this that it's either sink or swim. If I fail then that’s a flaw of higher management. I should be guided, either way it can't be my fault if I was genuinely putting in the effort I thought was required (again formal training should be my check anyway hopefully).

    I will have at least 6 months of being in the job experience minimum by the time he gets here. Can’t be a bad thing.
    If I recall as part of my first systems admin job I was there about a month then the manager mentioned she would be on 9 months maternity leave. There was only the 2 of us! I survived that so using the same mental approach.

    See what happens.
  • DatabaseHead Member Posts: 2,760 ■■■■■■■■■■
    Sounds like a plan. Worst case it doesn't work out and you move on..... Best case you learn some new things and continue to grow.
  • triplea Member Posts: 190 ■■■■□□□□□□
    Not that I don't enjoy a challenge but now it looks like my equivalent on the Security OPS side is now going. He's been here 5 years so now I'm literally going to be the only one left after Christmas. Even when they get replaced I'll only have 5.5 months knowledge at that point.

    Beginning to lose my sense of humour :)
  • scaredoftests Mod Posts: 2,780 Mod
    So, are you staying or leaving?
    Never let your fear decide your fate....
  • triplea Member Posts: 190 ■■■■□□□□□□
    At this point......

    Really don't know...
  • ThePawofRizzo Member Posts: 389 ■■■■□□□□□□
    I don't work in our security roles at our organization, however it seems the IT security is hot. Hence I suspect your co-workers are taking their experience to other employers for better salaries. If they are leaving it only makes your job more secure, even if you make some mistakes in the process. May be worth trying to wade through the stress some, and see where you end up. The additional experience could be helpful for your next role. Our IT security has had to replace about three analysts in two years due mostly, it seems, to better opportunities once their current analysts got some more training and experience under their belts, and these analysts were actually rather green to IT in general. So, I have to imagine once you have some solid experience that you'll be in really good shape.
  • triplea Member Posts: 190 ■■■■□□□□□□
    My boss has done nearly 20 years and now wants a new challenge, CISO level or above; the other guy's just become CISSP so not blaming them but now feel like it's all been dropped in my lap and no real guidance from here onwards for the next 3 months, then a fresh manager but not just an IT security manager so might be no help to me at all in some respects as he won't know the company either. Same with the replacement security engineer.

    Literally teaching this to myself as a career changer. Luckily have my old infosec manager and officer verifying what I'm doing is correct (current manager doesn't really seem interested anymore). Haven't even had a 'how you getting on with it' meeting and I've been here 3 months now. Very tiny amounts of feedback (though I'm told by others that I've hit the ground running).

    Feeling VERY frustrated!

    There is an opportunity literally on my door step in local education doing the same role for more money. I would look at this but suspect 3 months as an information security officer on my CV would look very iffy even with a couple of security certs and 17 years technical behind me? Thoughts to this anyone please?
  • scaredoftests Mod Posts: 2,780 Mod
    Do what is right for you.
    Never let your fear decide your fate....