June 12, 2012
A few weeks back, I was informed by my manager that my company was looking for an information security engineer to help us round out our team. In a team meeting, my peers and I were asked if we would be willing to recommend someone for the role. During the meeting, we were asked if we could publicize this opening to our professional networks, specifically LinkedIN.
As a good employee and team player I have done this, and posted the position to both my networks and the LinkedIN groups where this type of role would be suitable. My initial thought was that this would be quite easy, as my positing would net a couple of qualified folks, and the hiring process would be smooth.
This has not been the case. In fact it has been a nightmare.
Since positing the role, I have received over 70 inquiries about the position. This has included many people who are either not qualified for the role, do not live anywhere near the position’s location, have greatly surpassed this type of position, and some whom I know well enough to know that I would not want to work with them. The responses have included resumes being sent to my personal address, phone calls off hours, and other intrusions that really lay outside the context of my role. I simply do not have time to respond to all of these people, am unsure of the proper etiquette and I feel that in doing so, I may damage some of my relationships
I wanted to raise this point out to the Infosecleaders community and wanted to see if you had any advice for me – to help relieve me from the burden of my current situation.
You are witnessing first hand that it is not that there are a lot of personal obligations that go along with engaging your network, especially in the context of recruiting.
Let me give you two pieces of advice that may help you alleviate your current pain:
1) The first is to change the LinkedIN posting or take it down. If you decide to take it down, make sure you speak with your manager, and let them know why you are doing so, and the problem this has caused you. If you do decide to keep it up, what I want you to do is to attach a line to the bottom of the positing that states:
“PLEASE DO NOT CONTACT ME DIRECTLY. AS PER CORPORATE POLICY I AM NOT AT LIBERTY TO PROVIDE ANY ADDITIONAL INFORMATION ABOUT THIS OPPORTUNITY BEYOND THE POSTING. PLEASE ADDRESS ALL INQUIRIES TO- (ENTER YOUR HR BUSINESS PARTNER’S EMAIL ADDRESS)”
Something like this should help you draw some clear guidelines and remove you from the communication loop.
2) What I would do would be to collect the e-mail addresses of all 70 folks that have responded to this posting and write an e-mail with a confidential distribution list that states the following – (please make sure that the distribution list is confidential)
Thank you all for your response to my posting. I have sent all of your responses to our human resources representative who is responsible for the recruitment process for this position. Your credentials will be reviewed by the hiring manager (which is not me!) and if there is interest, you will be contacted to engage in our interview process. I wish you all well in your pursuit of this opportunity. As you progress deeper in the interview process, I would be happy to share with you my personal experiences as an employee of _______________________ and as a member of the Information Security team.
Hopefully this advice will alleviate this burden and help you return your focus to your role as an information security professional and your recruitment career will be a brief one!
Hope this helps,
May 8, 2012
I have a question that should be right up your alley and I believe you can provide me with the best advice.
About a week ago, I was contacted by an executive recruiter about a position that interested me. Although I have never worked with the recruiter before, (or new of their firm) they told a good story about their client and the role, how they found me (via LinkedIn) and they seemed professional. During our conversation, they claimed that they were retained and exclusive on the opportunity.
Even though I had not worked with them in the past, I consented to my interest and sent them my resume. I did not do so without hesitation, but I figured since they were “retained” and “exclusive” this would be my only avenue for introduction.
Two weeks went by nothing has happened. I never received an interview. My phone calls were not returned, and I have had nothing but “dead air” and I thought the opportunity was dead.
Last week, I received a call from an information security recruiter whom I have worked with in the past (Taking your advice, I do work with folks outside of LJ Kushner) and whose opinion I have grown to respect. He called me to introduce the same opportunity that I had been previously introduced to.
He shared with me that the client did not retain him that the role had been open for more than 90 days and they had not seen any candidates that were interesting to them
I shared with them my experience and that I had been exposed to the opportunity by another firm. Since I trust this recruiter,and I believe that they have some solid access into the client/opportunity, I asked if they could represent me.
They told me that they would be able to.
Is this accurate? Can I have two recruiters working for me for the same opportunity? Can I be hurting myself in anyway? What should I say to the first recruitment firm?
I will say that I believe you find yourself in a bad situation and I am not sure if you are getting real good advice or guidance from either of your recruitment firms.
First of all, if the initial client were exclusive to the opportunity there would not be any way that another firm would have access to the position. When a company grants an executive search firm exclusivity they are doing because of expertise and simplicity. Having a single point of contact on a senior position is a benefit so that messages can be kept consistent, timelines can be managed, and for simple efficiency.
Based on this, I think you were tricked into sending and consenting to send your resume to the unfamiliar firm who found you on LinkedIn.
Secondly, once you are submitted to an opportunity by a one recruitment firm, you should not consent to be submitted by another recruitment firm. The fact that your other recruiter advised you that this would not be a problem on a contingency assignment is incorrect. This is the case for the following reasons:
1) Almost all of the time companies will honor (and pay) the first firm that submits a candidate’s resume to them. No matter what the relationship, in the end they want to only pay one recruitment fee, and honoring a second submission would place them in a bind. This would be the kind of thing that would cause a corporate recruiter to potentially lose their job.
2) If your resume comes to a company from two sources it is a poor reflection on you and your ability to communicate. By allowing two firms to submit you to the same opportunity it makes it appear that you are disorganized, non selective, and that your interest in not necessarily sincere. These are not qualities that many companies look for in their information security leaders.
What you can do is the following; keep calling the first firm until they answer. When you get them on the phone, confirm that they are exclusive (and what their definition of this term is) and then explain to them that you are asking because another firm about the same role contacted you and that you wanted to make them aware. Their reaction should be telling.
To the second firm, simply state that you have already been presented the opportunity and that you do not wish to complicate matters. You can simply share with them that you appreciate them contacting you, and hope that they will do so again in the future about a similar or better role.
In closing, be leery of people reaching out to you who you do not know or do not have trusted relationships with. Before submitting your resume, you can always do two things – validate the track record of the firm that the person is contacting you from, or run the opportunity by a recruiter you have worked with in the past, and trust, and see if they are working on the role. If indeed they are, you may ask for them first why they did not contact you on the opportunity, and if you remain interested, ask them if they would be open to representing you.
Please make sure that you control distribution of your resume and manage your job search process. These are key first impressions and reflections on you.
Hope this helps,
February 26, 2012
Would like the Infosecleaders community to know that I will be hosting a session of Career Advice Tuesday – “Live” – from SF Security B-Sides. The session will take place at 12:00 noon (PST) on Tuesday, February 28th.
In addition to accepting questions from the B-Sides attendees, I would like to give any Infosecleaders community members the opportunity to ask their career related questions, so that they may be shared with the audience. From what I understand the session will be streamed live from B-Sides.
Questions can included any Information Security career related topics – career planning, position selection, professional development, career investments, brand building, compensation, relationship with management– or anything else that may be appropriate.
Questions can be asked any of the following methods:
If you would like for your question to be asked anonymously, or if you would like to create your own pseudonym (as many of you have) please feel free to do so.
Thank you in advance for your participation. If you are in attendance at either B-Sides or RSA (Booth 650), please make sure that you come by and introduce yourself.
December 15, 2010
Wanted everyone to know that I (Lee) am going to be a guest of the Securabit podcast this evening. I will be discussing and answering questions about career planning, the employment market, compensation, and general information security career advice. I will also be giving a preview of the Professional Development Track at the RSA Conference, which will be offered on Monday afternoon, prior to the standard conference sessions.
If you have any question that you would like to have answered anonymously (similar to Career Advice Tuesday format) -please send them today to firstname.lastname@example.org – I will be happy to try to incorporate them in the discussion.
Infosec Recruiting Social Media Experiment – “Unique Entry Level Opportunity for Future Infosecleaders”
August 13, 2010
Mike and I have often debated the power and practical applications of social networks. Mike regularly urges me to utilize social media in our recruitment process – and I regularly object. In addition, we have read and fielded many questions about entry level positions and “breaking into” the information security industry – and the fact that there are not many solid entry level roles (1st or 2nd jobs) for bright, talented “future” infosecleaders .
Recently, I have come across an opportunity through my recruiting business where we have the opportunity to combine the two – and I have decided to utilize Twitter and our blog to introduce this opportunity to the Infosecleaders community, and find the right candidate for our customer.
I am looking forward to seeing the outcome.
Here is the position description:
The client is a well respected, highly specialized security consulting firm that has Tier 1 clients – most of them based on the West Coast. The position that we are searching for would be based in Seattle (near their corporate HQ))- and there would be limited travel.
The client has been in business for close to a decade. They are comprised of some very well recognized information security professionals who built their careers at some of the leading edge security companies in the earlier part of this century.
The client offers a flexible work environment, predicated upon the maturity of the candidate and the ability to service their customers. The client is supportive of a constructive industry presence – whether it is related research, public speaking at local or national security events, or writing.
Our client is looking for an information security professional with both aptitude and passion, and an interest in software security and a desire to learn about security in the software development life cycle.
The candidate that we are searching for will ideally have some work experience – 1-4 years, or have recently graduated from a respected university (either bachelors or masters or Ph.D) with a degree in computer science, computer security, or other related disciplines. Ideally the recent graduate would have had some practical experience through the course of their studies.
Experience in environments that include information security consulting, software development, quality assurance, web app development or penetration testing – would be beneficial – but not a hard and fast requirement.
It would be great if the candidate came with a good foundation of technical skills – but if your skills are just good – but you have aspiration for them to be great – that could be acceptable as well. If this is the case, we will ask you to demonstrate examples of this desire during our pre screening process.
The opportunity is two-fold. The first component of the opportunity is a bit more process focused and requires that the candidate to have some good organizational skills – serving as a central point of contact for the management of the operational tasks of a technical information security engagement. The opportunity will enable the candidate to get a first hand look into enterprise software security and how secure software development is done correctly. (This would be the part where you “pay your dues.”)
The second part of the opportunity is the ability to learn and evolve. (here is where aptitude and passion come into play) The candidate will undergo guided training by the senior members of the team in areas that include software security,web application security, penetration testing, and reverse engineering. (This will be the part where you accelerate your career.)
The idea, is that after some time – the candidate will evolve into a security professional with developed expertise in these areas. They will develop customer skills, organizational skills, consulting skills, and have exposure to world class clients.
The salary for this role will range between 55-85K – depending on the amount of work experience and the quality of education. I would say that the sweet spot is probably between 65-75K.
The candidate would also be eligible for a bonus – based on their performance and company success. The company has a demonstrated history of paying bonuses to their employees.
The company pays fully for individual/family medical benefits (health care and dental) – this is fairly unique in these economic times.
The company is willing to assist in the relocation to Seattle – as a guide, if you rent an apartment and can place your stuff in a u-Haul – you will be fully covered. If you own a home – this will be quite difficult.
My first expectation for this experiment is that people will only apply to the role if they fit the parameters that I have outlined in the description above.
For example – If you do not want to live in Seattle – please do not apply. If your salary demands are over 85K – please do not apply. If you do not have an interest or aptitude toward software security -please do not apply.
If you do fit the requirements, please submit your resume (word or Adobe format) to email@example.com – in the subject line please write “Recruiting Social Media Experiment”. I would also like to know what about the opportunity is particularly appealing to you.
All qualified submissions will receive a call from either myself or one of my experienced information security recruitment professionals – within 3 business days – to conduct a more detailed interview and to answer particular questions about the client and opportunity.
If you do not receive a call in 3 business days, please call my office directly at 732-577-8100 – sometimes e-mail gets swept inot junkmail folders.
As always, resumes will not be submitted to our client without your consent, after learning more about the opportunity. Confidentiality is always observed.
I am going to provide some regular updates (via the blog) on this experiment to chart the progress and share some issues. If it is successful, I may begin to utilzie this method more – for some unique opportunities.
Lets see how it goes.
May 29, 2009
Many times over the past year, we have provided advice regarding developing a public brand and professional image by utilizing social media. Recently, I have been able to see this in action.
(Due to the level of confidentiality involved in the interview process, I can not reveal the identity of my candidate, his blog, or his twitter feed, but the following will serve as a summary of the events that took place.)
The candidate’s career had taken him on a journey where Information Security was not the original function of his employment, but through his own personal interests, accomplishments, and commitment, his position had evolved into the company’s only dedicated information security professional. In his current role, he is well respected by management and has been capable of affecting positive change in both the areas of technology and business process. However, information security had only become his full time job function for the past six years, and some recent changes in corporate direction had caused him to begin searching for a new opportunity.
My client is the Information Security leader for a company that has a sizable commitment to Information Security. Due to this level of commitment, he was searching to hire a Senior team member to assist in carrying out their Information Security initiatives. The key term here is Senior, and the definition as it applied to his team.
The client was pretty stern in the fact that Senior meant having a minimum of ten years dedicated to the Information Security profession. This was a derived from his experiences in leading his organization and what he found to be effective in both hiring and retaining talent in his organization.
Remember – what I believe is not important in this situation. He is the customer, he is the Information Security leader, it is his team, and my job as a recruiter is to carry out his wishes and find the candidate best suitable for him. I have to trust that he knows his organization a lot better than I do, and his experiences hold the key to his success in team building. I also know that if we locate a candidate that meets his criteria, my candidate has a better chance of career satisfaction and longer term success.
Here is the problem – my candidate only was able to demonstrate 6 years of dedicated experience on his resume, and my client wanted a minimum of 10. When I spoke with my client, I urged him to reconsider his stance, and give my candidate credit for the other years of experience when Information Security was only a portion of his job function. In addition to that, the candidate had made us aware of some industry activities that he had participated in, conferences he attended, and his personal blog, He also let us know that he was a guest on a few security related podcasts. As part of our candidate presentation, we referred the client to these resources.
The next morning, we received a note from the client expressing how impressed he was with the candidates written communication skills, his thought processes, and the content contained on his blog and twitter feed. He said that it was possible that his initial impression may have caused him to overlook a solid candidate, and asked us to coordinate an interview and initiate the interview process.
What I can tell you, is that this is purely a case where it was not the resume that opened the door, it was his blogging and his demonstration of his knowledge in the public forum that provided him with the opportunity for consideration.
At this time, we are only at the beginning of the process and a lot is yet to be determined. I will let you know the results in a later blog entry.