January 24, 2012
My question comes from a different angle than most of the questions that you address on your blog – I am an information security leader, and I have been trying to hire some key technical information security engineers for my team, and I have not had much luck.
I have been looking for these positions for close to six months, and the only thing that I have to show for it is three rejected offers of employment and a good deal of wasted time. The candidates have rejected our offers for a variety of reasons: compensation, expectations associated with the position, and one of the candidates never even responded to the offer.
I think that my internal recruitment team has written the positions off, and we do not have any budget to hire external search firms to help locate this talent. I have posted these roles on internet websites, and I cannot tell you how many resumes we have received which do not nearly resemble the skill combinations and experience which I outlined in the job description.
I guess I would like to know if you have any advice for me. We are committed to hiring the right people for the roles, but I am at the point that I will settle for someone with a pulse and some passion.
Is there any advice that you can share with me to help me solve this issue and hire some future information security leaders?
Looking for Mr. (or Ms.) Goodbar?
Dear Info Sec Leader:
There is no simple solution to hiring the correct talent for your information security team. It appears from your note that you are resource constrained on many levels – compensation, internal support, and external budget. Although these are substantial obstacles to overcome, they are not insurmountable.
The first thing I would do is look at your job description and determine which skills are absolutely necessary to perform the position that you are looking to fill. Job descriptions are often filled with a good number of “nice to have” bullets, and they overshadow the “need to have” requirements. It is logical that the candidates you have been interested in have a good amount of the experience that you request, but your budget simply cannot afford that level of resource.
What you should do is winnow the required experience down to the skills and experience that reflect a level you can actually afford. Understand that attracting candidates is one thing; hiring them is completely different. If you lessen some of your requirements and require that candidates who lack certain experience make up for it by displaying “passion” and “drive” during your interviews, you should be able to locate a candidate that you can afford.
When you design a position to inspire professional growth and career acceleration, you will generally attract candidates who have a high level of motivation and professional pride. So, what they lack in experience, they will make up in aptitude and “passion”. It will be important that you screen for these intangibles in the interview process. Constructing your position in this manner will truly turn it into an “opportunity”, as opposed to what your past candidate pool has viewed it as: “a job.”
As far as building your relationships with human resources and your internal recruitment team, my suggestion would be for you to schedule some time to reengage them and start anew. During this time, you may be able to educate them on your new requirements, provide them with some good screening questions, and adjust some of the elements of the job description to reflect less experience and more passion. Give them concrete signals to screen for that reflect this, like conference attendance, industry involvement, and logical career investments. I would then educate them on potential sources in your market for these skills, so that they may be able to do better in pre-screening resumes. Try to schedule a weekly meeting with them, both to get status on their efforts and to give them a regular opportunity to ask questions. The more that you engage them in the process, the more they will want to help you.
Although you cannot use external agencies, you can still post the position on internal and external websites. In posting the position, try to do so in a way that reflects the type of career opportunity that is available and the candidate profile you are attempting to attract. I would use words that could encourage more affordable and slightly more junior candidates to respond. A good exercise would be to think back on your career, and think about the things that would have attracted you to a role like the one that you are offering. When the candidate eventually comes to the interview, use these examples as selling points as to why this role will benefit their professional development and their career as an aspiring information security leader.
Feel comfort that your experience is not unique. Do the best you can with what you have, and keep your expectations realistic.
Hopefully this helps, and you will fill your roles in the next 30 days.
January 17, 2012
I have recently applied for a position that I believe will advance my information security career. In submitting my resume via the company’s internet posting, I tailored many of my accomplishments directly to the criteria of the position description. I have to admit that I am a very skilled wordsmith, and may have taken some liberties in the description and the scope of the work that I have performed.
For example, I often serve as a team lead and project manager for technical engagements, but I have never managed people directly. The role that I am applying for has direct reports. Also, the position description calls for an understanding of some specific information security tools that the company uses – like data loss prevention and GRC compliance software. While I have experience with these concepts and similar tools, in depth knowledge and experience with these particular tools has eluded me. Finally, the position calls for the ability to travel 50% of the time. I am really not interested in this amount of travel, but I have a friend that works there and she told me that she does not travel any more than 25%.
I am now scheduled to have my first conversation for the interview, a phone conversation with the human resources/internal recruiter – given the things that I have shared with you, do you have any advice on how I should handle her questions? I know that she is going to read the JD verbatim, and ask me questions where my answers may exclude me from consideration.
I really want a chance to speak to the hiring manager and fellow info sec professionals in the group, to articulate my experiences and demonstrate that I have what it takes to be a viable candidate for the role.
Any words of advice?
I would like to provide you with some advice that is two-fold for your exact situation. First, some of the deficiencies that you have pointed out in your skill set may be deal breakers with the resident information security leader, so please tread carefully in your presentation of the skills that you have to offer. There are many items in a job description that are truly requirements of a position, and no matter how great your ambition or creative your presentation, you may have to accept that your skills are going to fall short of expectations.
For example, the role may really need someone who has strong people management skills, which is not the same thing as being a “team lead” or “project manager”. The use and knowledge of specific tools may be a success factor in the role, and although your friend only travels 25% in her role, this position may require double that amount of travel.
All that being said, I agree with you 100% that the decision should be placed in the hands of the hiring manager and not the internal recruiter/human resources professional. Ideally, the infosec leader and hiring manager are the ones who best understand their needs, and no matter how well they communicate them, something gets lost in translation, specifically the granular job requirements.
You should understand that this misunderstanding is not the fault or responsibility of the internal human resources/recruiter, as it is nearly impossible for someone who works in a general capacity to understand the nuances of the specific role that you are pursuing. However, there are certain elements of the role that HR will understand: the company’s definition of a “Manager”, the importance of specific tool knowledge (although they may not be able to make the jump from tool (e.g. Check Point) to concept (firewalls)), or the amount of travel.
Independent of this, after doing my job for 15 years, I firmly believe that it should be every information security professional’s goal to get to the decision maker during an interview process. This is where your “sales skills” should come into play. My advice for you would be to engage the internal recruiter, and leave her with enough confidence from your discussion to move you forward in the interview process.
This will enable you to get the real answers to your questions and demonstrate your level of competence to a knowledgeable party who has the ability to evaluate your skills. When you do get to that level of the interview, you have a responsibility to make clear to the hiring manager what your true capabilities are, as they relate to the job requirements articulated during your discussion.
Hope this helps,
January 10, 2012
I am embarking on a job search and I am looking for some help. The first ten years of my information security career have placed me in some interesting environments – serving as a technical information security engineer, working in an information security professional services practice in the area of risk and compliance, and working as a pre-sales engineer for a large information security product vendor.
The truth is, I have enjoyed all three of these roles, and I am interested in a wide variety of opportunities. I feel that my experience and versatility are a good thing, and they allow me to investigate many different career paths.
The question that I have, relates to my resume. Do you have any advice for me on how to craft my resume – to both illustrate my versatility and breadth of experience, and to accurately align my skills and qualifications simultaneously with different opportunities?
Dear Mr. Furley:
Good for you for having three unique and successful career experiences at this point in your career. I can only imagine that you have developed and maintained a set of skills that include technical expertise, customer skills, and persuasive communication and presentation skills.
If my assumption is accurate, you are correct that these skills are in high demand and will appeal to many diverse environments. Since you will be applying to roles in these different types of environments – I will make two suggestions regarding your resume –
The first is that you can write three separate resumes – one tailored to internal information security engineering roles, one tailored to professional services/consulting opportunities, and one tailored to pre-sales opportunities. If you decide to go this route, keep the qualifications of the position you are applying for in mind as you create each resume, and highlight the skills that you have acquired in your three different roles. Ideally, each resume will have a “theme” to it, which will align with the specific role that you are attempting to pursue.
For example, if you apply for an internal technical information security position, I would make sure that the bullets from your sales engineering role are technical in nature. I would try to find a way to point out the depth of your technical skills in the context of that role.
The second option is to use the same resume, but to write three unique objective statements that align with the types of roles that you are applying for. In each of these statements, point out that your diverse experiences have provided you with unique perspectives on how information security problems are solved – from an internal perspective, from an external perspective, and with the aid of information security products. Demonstrating these three different perspectives in the body of your resume, and associating your skills with each of your three roles, should create a consistent overall theme.
In closing, having three diverse experiences and perspectives as an information security professional is a very good thing, and provides you with a great foundation.
The combination of a well-written resume and an astute employer who can connect the dots should provide you with access to many roles that could serve as a springboard to the next stage of your information security career.
Good luck in your job search,
January 3, 2012
Recently, I was cited in an article for Search Security, where I was asked about my opinions on the information security employment market for 2012. I will say that the author did not misquote me at all; however, upon reading the article I felt that it was necessary to clear up some things that I found inaccurate, and I wanted to make sure that the Infosecleaders.com audience knows exactly where I stand on the topics covered.
Here are my thoughts:
While I agree that Mobile Security is going to be an information security skill in demand, I do not believe it is the only skill that companies will look for in 2012. Have no fear – companies will still have a high level of demand for knowledge in the areas of Cloud, GRC, SIEM, DLP, PCI, Software Security, Identity Management, and overall IT Risk Management. In addition, while I do believe that it is a good idea to have a blend of technology and business skills, there is still a very strong market for information security professionals who have hard-core technical skills, and that should never be forgotten or overlooked. The technical information security professionals with developed knowledge and enterprise experience in securing networks, operating systems, applications and databases will do just fine as well. Also, all of the penetration testers out there can sleep easy: your skills will still be needed and will remain in demand.
Below you will find my biggest objection – and probably the information that I find to be the most inaccurate.
Here are my disclaimers -
I would like to state that I do not personally know Mr. Snyder, nor have I had any dealings with him.
I have read his securityrecruiter.com blog on a number of occasions, and I find his perspectives to be both unique and entertaining.
To my knowledge, Mr. Snyder and my firm do not compete within any of my recruitment customers, and although we are in the same profession and industry, our paths do not seem to cross, except when quoted in articles about information security careers.
As per the author of the Tech Target article – please find a quote from Mr. Snyder -
“When companies are using a search firm to fill a position, then they’re going to usually expect that a candidate’s going to have industry experience,” he said. “In other words, if it’s a bank, they want someone who’s coming out of a bank; if it’s a retailer, they want someone coming out of retail; and if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.” – Jeff Snyder
The main point of the quote is accurate. When companies are looking to find information security leaders, independent of the source, they ideally would like to locate people who possess applicable industry knowledge. This is generally one of the core criteria of an information security leadership or CISO level search.
Like Mr. Snyder points out – a retail organization would ideally like to hire an information security professional who understands the information security challenges that a retail business faces and who has experience solving those problems. You can apply the same logic to industries that include health care, high technology, manufacturing, financial services, media and entertainment, and any other business.
The Inaccuracy -
Mr. Snyder’s quote implies that a company has more stringent requirements when it engages an executive search firm. His statement that “…..if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.” can be interpreted in a way that leads information security professionals to believe that they can afford to be less qualified if they decide to apply for positions on their own, and not through an executive search firm.
THIS IS DEAD WRONG
First of all, the decision to engage an executive search firm is generally based on a company’s desire to ensure that it gets access to a qualified candidate pool in a time-efficient manner. It is the same type of business decision as engaging a professional services firm to provide a service that the company does not believe it can perform effectively with internal resources. The budget for engaging an executive search firm comes either from a general corporate budget or from a specific business unit that can justify the value and the return on investment for the cost of the search firm’s fee. In addition, the amount of the search fee does not have any impact on the compensation offered to the candidate.
Mr. Snyder is correct in his inference that when companies engage an executive search firm, they are expecting to get value for their dollars. This will take the form of industry intelligence, compensation data, a professionally managed recruitment process, and eventually the placement of a successful candidate to fill the duties of the information security leadership role. In exchange for money, companies are going to expect an executive recruitment firm to deliver a candidate who matches the key criteria they have outlined for the position.
Just like anyone who pays for a service, companies who engage executive search firms have the right to realistic expectations of competence and results when retaining them to help fill a position. However, in my 15 years of experience, I have never witnessed a situation where a company that is committed to recruiting the correct information security leader will agree to hire a less competent candidate solely because they were introduced directly, and not through an executive search process.
In 2012, and in the future, competition for information security leadership roles is going to intensify. Companies are going to continue to set the bar high for finding the correct talent match, no matter what method they select to recruit for these positions. In addition, the more influence and importance an information security role has to an organization, the more detailed the requirements will be and the more demanding the interview process.
To all current and aspiring information security leaders, for 2012, I am urging you to take a proactive approach to developing a career plan, honing your skills, investing in yourself, and making wise choices about selecting the right positions to help accomplish your career and life goals.
Happy and Healthy New Year,