Think you got it bad because you recently got laid off from your security job? Ken Pfeil has felt your pain several times. Here are his lessons learned.

Ken Pfeil considers himself lucky to be an employed CSO today. He’s been on the other side. More than once. You’ve no doubt seen many headlines over the years about companies merging and cutting duplicate positions. Pfeil has been the odd man out several times. He’s learned that you’re never too valuable to be cut, and it’s best to make peace with that ugly fact.

In one misadventure, he left the safe confines of Microsoft to be CISO of a startup company for twice the salary, plus stock options and other dotcom-era perks. “While I managed to ask all the typical geek questions in interviews, such as about the technology, personnel and relevant strategies, it didn’t occur to me at the time to ask the tougher questions, such as capital run and burn rate, attrition, company finances,” he says. “Had I known the incredible burn rate on capital before and predicted the dry-up in venture capital funds that year, I never would have left Microsoft--especially after learning that when you leave Microsoft, you can never go back.”

After leaving the startup, it seemed like a good idea to work for a biometric authentication company. It was after 9/11, and security theater was just ramping up. Surely, this would be a long-term job.

“I was wearing many different hats and really enjoying my work there,” he says. “The company was a public company, financially viable and a leader in the market. But I had assumed after a merger with another biometric company was announced that because we were the majority and the larger partner, we would be holding all the right cards. Evidently the new board didn’t see it in this light.” The CEO told him, “Just between you and me: If you have another job lined up, take it. There are going to be some major changes very soon.”

It turns out the smaller partner in this merger was a big presence where Pfeil lived. And since the president and CEO of the new company was from the smaller firm, Pfeil was going to be out of luck. He was never offered the chance to relocate.

Lesson: Politics will often override sensibility and financial factors. Always consider the political side of things when evaluating a potentially career-changing event.

Web security was an integral part of Pfeil’s next job as the newly minted manager of platform security at a large online bookseller. Finding flaws in the platform and online systems was challenging and rewarding, and “probably the most fun anyone should be allowed to have while still calling what they do work.” What wasn’t fun was making recommendations no one wanted to act on until a customer (and consequently the media) found out about the problems. Problems like being able to alter anyone else’s profile or even change an order without ever logging into the system.

“In a shoot-the-messenger approach, nearly everyone was ‘right-sized.’ Another gentleman and I survived the purge only to be told by the new CTO that we would no longer be doing security, but networking instead,” Pfeil says. “The CTO’s voice is vividly etched in my memory: ‘We don’t need that much security. We’re not a bank, we just sell books.’”

The company was eventually fined by the Attorney General and forced to create a security program that was even more comprehensive than it had been before the incident. But for Pfeil, the love affair was over.

Later, he was appointed CSO of a midmarket startup company. He was the first (and only) CSO the company ever had. He was assured the company was not looking to be bought or otherwise change course in any way. “Believe none of what you hear and half of what you see,” he says.

“After about a year on the job, I was taken aside into a conference room by one of the founders. ‘Today we are going to announce that we are being acquired,’ I was told. ‘You don’t need to worry about anything. Nothing will change, and we still need you as CSO,’ he said. ‘Fine,’ I thought to myself. ‘We’ll just switch gears from operational to integration mode. They’ll need due diligence and documented assurances in order to complete the acquisition and leverage a better purchase price.’”

After almost a year and many hours working to integrate the company into its new parent, he was again called into a conference room. He remembers the one-sided conversation this way: “There’s no easy way to tell you this, so I’m just going to come right out and say it. We’re letting you go. We’ve decided we don’t need a thought leader anymore.”

His advice: Build a short list of recruiters and friends in the industry who know their way around the block. A useless recruiter will hamper your search more than help it. If he can’t articulate exactly what qualities he is looking for in a candidate or can’t tell you exactly what the role entails, you should cut your losses and remove him from the Rolodex.