CAT – Clearing Some Things Up – Advice and Predictions for 2012
January 3, 2012
Recently, I was cited in an article for Search Security , where I was asked about my opinions for the information security industry employment market for 2012 . I will say that the author did not misquote me at all, however, upon reading the article I felt that it was necessary to clear up some things that I found inaccurate – and I wanted to make sure that the Infosecleaders.com audience knows exactly where I stand on the topics covered.
Here are my thoughts:
While I agree that Mobile Security is going to be an information security skill in demand, I do not believe it is the only skill that companies will look for in 2012. Have no fear – companies will still have a high level of demand for knowledge in the areas of Cloud, GRC, SIEM, DLP, PCI, Software Security, Identity Management, and overall IT Risk Management. In addition, while I do believe that it is a good idea to have a blend of technology and business skills, there is still a very strong market for information security professionals that have hard core technical skills – and that should never be forgotten or overlooked. The technical information security professionals with developed knowledge and enterprise experience in securing networks, operating systems, applications and databases will do just fine as well. Also, all of the penetration testers out there can sleep easy your skills will still be needed and remain in demand.
Below you will find my biggest objection – and probably the information that I find to be the most inaccurate.
Here are my disclaimers -
I would like to state that I do not personally know Mr. Snyder, nor have I had any dealings with him.
I have read his securityrecruiter.com blog on a number of occasions, and I find his perspectives to be both unique and entertaining.
To my knowledge, Mr. Snyder and my firm do not compete within any of my recruitment customers, and although we are in the same profession and industry, our paths do not seem to cross, except when quoted in articles about information security careers.
As per the author of the Tech Target article – please find a quote from Mr. Snyder -
“When companies are using a search firm to fill a position, then they’re going to usually expect that a candidate’s going to have industry experience,” he said. “In other words, if it’s a bank, they want someone who’s coming out of a bank; if it’s a retailer, they want someone coming out of retail; and if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.” – Jeff Snyder
The main point of the quote is accurate. When companies are looking to find information security leaders, independent of the source, they ideally would like to locate people who possess applicable industry knowledge. This is generally one of the core criteria of an information security leadership or CISO level search.
Like Mr. Snyder points out – a retail organization would ideally like to hire an information security professional who understands the information security challenges that a retail business faces and who has experience solving those problems. You can apply the same logic to industries that include health care, high technology, manufacturing, financial services, media and entertainment, and any other business.
The Inaccuracy -
Mr. Snyder’s quote infers that a company has more stringent requirements when they engage an executive search firm. His statement that ” …..if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.” - can be interpreted in a way that leads information security professionals to believe that they can afford to be less qualified, if they decide to apply for positions on their own – and not through an executive search firm.
THIS IS DEAD WRONG
First of all, the decision to engage an executive search firm is generally based on a company’s desire to insure that they get access to a qualified candidate pool in a time efficient manner. The business decision to engage a search firm is the same type of decision making methodology that can be applied to engaging a professional services firm to provide a service that the company does not believe that they can perform effectively with internal resources. The budgets for engaging executive search firms either come from a general corporate budget or from a specific business unit who can justify the value and the return on investment for the cost associated with the search firm’s fee. In addition, the amount of the search fee does not have any impact on the compensation offered to the candidate.
Mr. Snyder is correct in his inference, that when companies engage an executive search firm, they are expecting to get value for their dollars. This will take the form of, industry intelligence, compensation data, a professionally managed recruitment process, and eventually the placement of a successful candidate to fill the duties of the information security leadership role. In exchange for money, the companies are going to expect an executive recruitment firm to deliver a candidate who is going to match the key criteria that they have outlined for the position.
Just like anyone who pays for a service, companies who engage executive search firms have the right to have realistic expectations of competence and results when retaining them to help fill a position. However, in my 15 years of experience, I have never witnessed a situation where a company that is committed to recruiting the correct information security leader, will agree to hire a less competent candidate, solely because they were introduced to them directly, and not through an executive search process.
In 2012, and in the future, completion for Information Security leadership roles is going to intensify, Companies are going to continue set the bar high for finding the correct talent match, no matter what method they select to recruit for these positions. In addition, the more influence and importance that an information security role has to an organization, the more detailed the requirements will be and the more demanding the interview process.
To all current and aspiring information security leaders, for 2012, I am urging you to take a proactive approach to developing a career plan, honing your skills, investing in yourself, and make wise choices about selecting the right positions to help accomplish your career and life goals.
Happy and Healthy New Year,