Career Advice Tuesday – ” Noone Will Come Work For Me”

January 24, 2012

Dear Infosecleaders:

My question comes from a different angle than most of the questions that you address on your blog – I am an information security leader, and I have been trying to hire some key technical information security engineers for my team, and I have not had much luck.

I have been looking for these positions for close to six months, and the only thing that I have to show for it is three rejected offers of employment and a good deal of wasted time.  The candidates have rejected our offers for a variety of reasons:  compensation, expectations associated with the position, and one of the candidates never every responded to the offer. 

I think that my internal recruitment team has written the positions off and we do not have any budget to hire external search firms to help locate this talent.  I have posted these roles on internet websites, and I can not tell you how many resumes we have received which do not nearly resemble the skill combinations and experience which I outlined in the job description.

I guess I would like to know if you have any advice for me.  We are committed to hiring the right people for the roles, but I am at the point that I will settle for someone with a pulse and some passion.

Is there any advice that you can share with me to help me solve this issue and hire some future information security leaders.

Signed,

Looking for Mr. (or Ms.) Goodbar?

 

Dear Info Sec Leader:

There is no simple solution to hiring the correct talent for your information security team.  It appears from your note that you are resource constrained on many levels – compensation, internal support, and external budget.  Although these are substantial obstacles to overcome, they are not insurmountable.

The first thing that I would do would be to look at your job description, and determine which skills are absolutely necessary to perform the position that you are looking to fill.  Sometimes job descriptions are filled with a good number of “nice to have” bullets, and they overshadow the “need to have” requirements.   It is logical that the candidates that you have been interested in have a good amount of the experiences that you request,  but your budget simply cannot afford that level of resource.

What you should do is to winnow the amount of experience down to the skills and experience to reflect a level that you can actually afford.  You should understand that it is one thing to attract candidates, hiring them is completely different.    If you lessen some of your requirements, and require that candidates who lack certain experiences make up for it by displaying “passion” and “drive”, during your interviews, you should be able to locate a candidate that you can afford.

When you design a position to inspire professional growth and career acceleration, you will generally attract candidates who have a high level of motivation and professional pride.  So, what they lack in experience, they will make up in aptitude and “passion”.  It will be important that you screen for these intangibles in the interview process.   Constructing your position in the matter will truly turn it into an “opportunity” as opposed to what your past candidate pool has viewed it as; “a job.”

As far as building your relationships with human resources and your internal recruitment team, my suggestion would be for you to schedule some time to reengage them and start anew.  During this time, you may be able to educate them on your new requirements, provide them some good screening questions, and adjust some of the elements of the job description to reflect less experience and more passion.  You can accomplish this by screening the candidates for things that reflect this, like conference attendance, industry involvement, and logical career investments.   I would then educate them on potential sources in your market for these skills, so that they may be able to do better in pre-screening resumes.   Try to schedule a weekly meeting with them to both provide status on their efforts, and to give them a regular opportunity to ask questions.    The more that you engage them in the process, the more they will want to help you.

Although you cannot use external agencies, you can still post the position on internal and external websites.   In posting the position, try to do so in a way that reflects the type of career opportunity that is available and the candidate profile you are attempting to attract.   I would use words that could possibly encourage more affordable and slightly more junior candidates to respond.  A good exercise would be to think back of your career, and think about the things that would attract you to a role like the one that you are offering.   When the candidate eventually comes to the interview, utilize these examples as selling points as to why this role will benefit their professional development and their career as an aspiring information security leader.

Feel comfort that your experience is not unique.  Do the best you can with what you have, and keep your expectations realistic.

Hopefully this helps, and you will fill your roles in the next 30 days.

Sincerely,

Lee Kushner

Posted by lee | Filed Under Advice, Career Advice Tuesday, Interviewing, Leadership, Recruiting, Security Industry, Skills | 2 Comments 

CAT – Clearing Some Things Up – Advice and Predictions for 2012

January 3, 2012

Recently, I was cited in an article for Search Security , where I was asked about my opinions for the information security industry employment market for 2012 .   I will say that the author did not misquote me at all, however, upon reading the article I felt that it was necessary to clear up some things that I found inaccurate – and I wanted to make sure that the Infosecleaders.com audience knows exactly where I stand on the topics covered.

Here are my thoughts:

While I agree that Mobile Security is going to be an information security skill in demand, I do not believe it is the only skill that companies will look for in 2012.   Have no fear – companies will still have a high level of demand for knowledge in the areas of Cloud, GRC, SIEM, DLP, PCI, Software Security, Identity Management, and overall IT Risk Management.  In addition, while I do believe that it is a good idea to have a blend of technology and business skills, there is still a very strong market for information security professionals that have hard core technical skills – and that should never be forgotten or overlooked.  The technical information security professionals with developed knowledge and enterprise experience in securing networks, operating systems, applications and databases will do just fine as well.  Also, all of the penetration testers out there can sleep easy your skills will still be needed and remain in demand.
Below you will find my biggest objection – and probably the information that I find to be the most inaccurate.

Here are my disclaimers -

I would like to state that I do not personally know Mr. Snyder, nor have I had any dealings with him.  

I have read his securityrecruiter.com blog on a number of occasions, and I find his perspectives to be both unique and entertaining.

To my knowledge, Mr. Snyder and my firm do not compete within any of my recruitment customers, and although we are in the same profession and industry, our paths do not seem to cross, except when quoted in articles about information security careers.

As per the author of the Tech Target article – please find a quote from Mr. Snyder -

“When companies are using a search firm to fill a position, then they’re going to usually expect that a candidate’s going to have industry experience,” he said. “In other words, if it’s a bank, they want someone who’s coming out of a bank; if it’s a retailer, they want someone coming out of retail; and if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.”  – Jeff Snyder

The Accuracy

The main point of the quote is accurate.  When companies are looking to find information security leaders, independent of the source, they ideally would like to locate people who possess applicable industry knowledge.  This is generally one of the core criteria of an information security leadership or CISO level search.

Like Mr. Snyder points out – a retail organization would ideally like to hire an information security professional who understands the information security challenges that a retail business faces and who has experience solving those problems.   You can apply the same logic to industries that include health care, high technology, manufacturing, financial services, media and entertainment, and any other business.

The Inaccuracy -

Mr. Snyder’s quote infers that a company has more stringent requirements when they engage an executive search firm.   His statement that  ” …..if somebody’s going after that job on their own, then the bar isn’t usually sent quite as high.”  - can be interpreted in a way that leads information security professionals to believe that they can afford to be less qualified, if they decide to apply for positions on their own – and not through an executive search firm.

THIS IS DEAD WRONG

First of all, the decision to engage an executive search firm is generally based on a company’s desire to insure that they get access to a qualified candidate pool in a time efficient manner.  The business decision to engage a search firm is the same type of decision making methodology that can be applied to engaging a professional services firm to provide a service that the company does not believe that they can perform effectively with internal resources.  The budgets for engaging executive search firms either come from a general corporate budget or from a specific business unit who can justify the value and the return on investment for the cost associated with the search firm’s fee.    In addition, the amount of the search fee does not have any impact on the compensation offered to the candidate.

Mr. Snyder is correct in his inference, that when companies engage an executive search firm, they are expecting to get value for their dollars.  This will take the form of, industry intelligence, compensation data, a professionally managed recruitment process, and eventually the placement of a successful candidate to fill the duties of the information security leadership role.   In exchange for money, the companies are going to expect an executive recruitment firm to deliver a candidate who is going to match the key criteria that they have outlined for the position.

Just like anyone who pays for a service, companies who engage executive search firms have the right to have realistic expectations of competence and results when retaining them to help fill a position.  However, in my 15 years of experience, I have never witnessed a situation where a company that is committed to recruiting the correct information security leader, will agree to hire a less competent candidate, solely because they were introduced to them directly, and not through an executive search process.

In 2012, and in the future, completion for Information Security leadership roles is going to intensify,  Companies are going to continue set the bar high for finding the correct  talent match, no matter what method they select to recruit for these positions.  In addition, the more influence and importance that an information security role has to an organization, the more detailed the requirements will be and the more demanding the interview process.

To all current and aspiring information security leaders, for 2012, I am urging you to take a proactive approach to developing a career plan, honing your skills, investing in yourself, and make wise choices about selecting the right positions to help accomplish your career and life goals.

Happy and Healthy New Year,

Lee Kushner

 

 

 

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Leadership, Recruiting, Security Industry, Skills, Uncategorized | 1 Comment 

Career Advice Tuesday- ” Help! New CISO Has A Bad Reputation”

December 13, 2011

Dear Infosecleaders:

About three weeks ago, I accepted a new position with a company, where I am going to be reporting to a new CISO.  During the interview process I was told by the CISO that my position was going to be the “first key hire” as the company begins to revamp their information security program.   However, since the interview process concluded and I accepted my position I have found out differently.

I learned that one of my friends and industry colleagues was contacted by a similar position at the same company – he was told almost exactly the same thing that I was – that this position was the “first key hire”.   When he learned of this, he played dumb.   My friend (who is a little better connected than I am) called a couple of his Linked IN connections who were directly connected to the new CISO (my new boss) and he told me that what he learned was less than complimentary.

He told me that the CISO left his last employer in a mess, there was a mutiny from the staff, and that the guy has a reputation of being self-serving and has questionable ethics. 

What makes matters worse for me is that I have already resigned my job.  I am relocating to accept this position, and I fee that I am walking into a bad situation. 

What should I do?

Sincerely,

JJ Blackheart

 

Dear JJ:

There is no question that you should value the opinions of others whom you trust, however it is often a mistake to accept their opinions without first hand experience and extensive validation from multiple sources.

The first thing that I would do, would be to try to locate someone from the CISO’s former employer, who was a direct report to the CISO.  I would pick up the phone and introduce myself, explain my situation, and ask them if they have any helpful hints on how to succeed under your new boss’ management style.     It is possible that this person can provide you with some new perspective, it is also possible that this person will decline your request to share any details – and in that case  – a red flag should go up.

I would tell you that if you do not feel comfortable with your decision you can do the following – contact your old employer back, and ask them if they would let you take back your resignation (this is why it is always good to leave on positive terms) and have your old position back, or contact others in your geography to see if you could locate a position similar to your old one (quickly).  If neither of these works, begin work at your new employer.

If you decide to begin your new job, you need to suspend all of your relocation activities, immediately.  The reason for this is that you do not want to compound your mistakes.  In addition, if you received a relocation package, you do not want to be in a situation where you have to return your relocation monies, if you decide that you do not want to remain at your new job.

Once in your new job, I would begin to look for things that would either validate or refute your earlier suspicions.  I would look for ways that your new CISO manages, how he communicates with subordinates, and for the consistency of his/her messages.   You should use the first 90 days of your employment to see if you could work with this person long term and evaluate the prospects of a satisfying work relationship.

Simultaneously, you should continue to look for suitable opportunities in your former location, as a contingency plan.  If one of those opportunities comes to fruition, you can compare it with your current position at your new employer, and then make a decision.

My advice would be to either put an end to this before it starts, or within 90-120 days after you begin work.

Hope this helps,

Lee Kushner

Posted by lee | Filed Under Advice, Behavior, Career Advice Tuesday, Interviewing, Leadership, Position Selection, Recruiting | 1 Comment 

Career Advice Tuesday – “Change In Command”

October 4, 2011

Dear Infosecleaders:

I recently have found myself in a precarious situation and I am hoping that you can help me get through this.

Recently, about four months ago, I accepted a Director of Information Security position, reporting into the CISO of a 10,000 person company.    The position that I left to accept the role, Manager of Policy and Compliance, I held for 18 months.  While I was not looking for a new job at the time, the Director role was too good to pass up, both from a career and a financial perspective. 

Six weeks ago, I received an e-mail from the General Counsel letting me know that the CISO, who just hired me, was “relieved” of his duties and would no longer be working at the company.  The CISO was one of the main reasons that I accepted the position, and in a short time I had established a good working relationship and I respected his management style. 

The search for the new CISO is currently underway, and they are interviewing potential successors. – both internal and external.  I have met the final two candidates, and quite frankly I am not pleased with either of the options.  Their backgrounds and views on information security are much different than mine and I just do not get a good vibe.

Additionally, I am well aware that if they get hired, they will most likely be able to select their teams and their direct reports, so my time here is probably limited. 

Any advice on how I can deal with this situation?  If I am forced to leave, how can I explain the fact that my last two jobs lasted for such a short period of time?

Sincerely,

Gomer Pyle

 

Dear Gomer:

The best thing that I can tell you is that you need to accept that change is coming, and you need to figure out a way to deal with it and make the best of things.  The way that I would look at this is as an opportunity to hone your interpersonal communication and relationship skills.

The truth is that at your level of seniority, you cannot really afford another short stint of employment, especially after an implied promotion.  If you can not show some accomplishments in this current role, future employers will most likely look at this as a failure, no matter how you spin it.  (Personally, I think this is unfair, but those are the rules of the game that we play by – and perception is often viewed as reality)

Whomever they decide to hire, I think that you should embrace and support with your fullest ability.  I think that a good way to demonstrate this is to attempt to relate to your new manager (CISO) on a personal level, letting them know that you are both in the same boat (as new employees), and by demonstrating as much willingness and flexibility as possible to help them out.   The best way to do this is to go outside your job description, and take on additional responsibilities that may be in your current sphere of knowledge, or from previous professional experience.

In addition, you should plan to demonstrate your work ethic, your integrity, and support at any opportunity.  This should include coming early, staying late, accepting unpopular assignments, whatever it takes.   By demonstrating this level of leadership and commitment, you are going to win this new person over – and they will have no other choice to view you as a valuable asset.

If you can win them over, and convince the new manager (CISO) that you make his job and his life easier, he will have no choice but to keep you.

If you are able to accomplish this, you will not have to explain your short duration of employment.  If it is all right with you, we will save that question/answer for another Tuesday.

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Advice, Branding, Career Advice Tuesday, Leadership, Planning, Position Selection | 1 Comment 

Leadership in Other Ways – Seeking Help and Support From The Infosecleader Communtiy for Charity

July 27, 2011

Dear Infosecleader Community:

For the past couple of years Mike and I have written about information security career topics and spoken about the importance of leadership, in all forms.  One of the things that we have suggested in many of our posts, has been to find opportunities to demonstrate leadership outside of the work environment.

Recently, I have decided to follow my advice, and take a leadership role in the origination of a charity event that blends a number of things that I am passionate about:  Children, Community, and Athletics.

For the past three years I have been playing in an over-35 fast pitch softball league, called MVP Softball, where I play on the Central Jersey Trees.  About a year ago, we began discussing the concept of joining together and putting together a softball charity event that could benefit needy, local families and children in  our community.

After agreeing on the idea, we began thinking about charities that we could support that could accomplish our mission.    In the end, we decided upon two charities – the Monmouth County Challenger Leagues  (Freehold and CYSP of Lincroft) and The Chariot Riders.

Here is a brief synopsis -  The Challenger Sports Programs are designed to provide sports programs and activities for children who are both physically and mentally challenged.  The local challenger programs participate in sports that include baseball, basketball, soccer, tennis, golf, and cheer leading.

The Chariot Riders program provides therapeutic horseback riding for physically and mentally challenged children and adults to improve the quality of their physical, emotional, mental and social well-being.

After selecting our charities, we partnered with a local volunteer organization named Play2Win Foundation, who has a mission statement that aligns with our event.  Play2Win is a 5013c entity, and takes absolutely no money in administrative fees.  They have been instrumental in providing us with the infrastructure and operational help to pull the event together.

The Event itself is titled the Extrainnings Classic.   The event has 4 key components -

1) A 100 inning marathon softball game -

2) A Youth Skills Competition Called “The Baseball/Softball Olympics” – where children of all abilities, including the Challenger Athletes, will compete side by side in a series of baseball/softball skills challenges – in hitting, running, and throwing events.  We received sponsorship from a local baseball facility to help with the operations and the coaching.

3) The Challenger Baseball Exhibition – both of the Challenger Leagues will participate in an hour long exhibition that showcases the abilities of these special athletes.  The game will be the showcase of the event.

4) The Home Run Derby – where some of the leagues big hitters will test their skills in a “All-Star” Game style Home Run Derby - as a point of note – I have been installed as the morning line favorite.

The main purpose behind this blog entry is to ask for your help in supporting these events.  Personally, I have made it a goal of mine to raise up to $5000 for the event – and the only way that I can accomplish this is with your support.

I would like to ask anyone who received some good, useful advice from the blog or from our research to help me support these great causes, and pledge a donation – per inning of the softball game.  (Very similar to sponsoring someone per mile for a marathon or bicycle race)

F0r example;

$1 per inning = $100

$.50 per inning = $50

$.25 per inning = $25

$.10 per inning $10

My goal is to raise $2500 in contributions, and then I will write a matching check to the charities for any amount that is donated.

All donations are tax deductible to the fullest extent allowed by law – (disclaimer – I am not an accountant).

Donations can be made by clicking on my donation page on the Extrainnings Classic website, through either a CC or PayPal account.   If you would prefer, you could always write a check to Play2Win Foundation, and mail it to my office at 36 West Main Street, Suite 302, Freehold NJ 07728.

I really appreciate any support that you can provide for these worthy charities, the families, and most importantly the children.

Thank you for listening,

 

Lee Kushner

Central Jersey Trees, 1st Base, #33

 

 

Posted by lee | Filed Under Behavior, Leadership, Personal | Comments Off