Friday, January 30, 2015

So you want to hire an InfoSecurity professional? [Part 1]

The following posting is an opinion piece.  It's based on personal experiences and anecdotal information.  deal with it.

So your organization is looking to hire one or more Information Security Professionals.  Maybe you are growing your InfoSec organization, adding to your IT organization, or realizing that, yes, you need to create an InfoSec group.  (all those big breaches in the news have you running scared)

Do you have a good idea of what you need in terms of skills, knowledge, and experience?  Do you have a good idea what kind of role you are trying to fill?  Do you have an idea of salary candidates with the skills you need are expecting?  You best figure this out soon. (hopefully you've consulted with professionals to help you out, and I don't mean recruiters.)  Here are some things to consider.

Now, a word of warning.  It may seem that I am stating the obvious at several points, and in a condescending manner.  But the sad thing is that in speaking with recruiters and HR people is that they don't seem to understand these points.  As an infosec professional, this p*sses me off, and so I feel I need to state the obvious for those who don't get it.

* Experience Level

So what level of experience are you looking for?  Entry level (2-3 years), mid-level (3-7) years, senior level (7+)?  Are you looking for someone at the executive level (10+) for a position as director of security or CISO?  This is important as the higher the level of experience the more skills and knowledge the person has.  Certain certifications can only be obtained at higher levels of experience.  And higher levels of experience expect a higher level of pay.

Also some things to understand.  Most IT people are more hands on in their early career, becoming less hands on as they move up their career ladder and supervise newer people.  We start off as specialists in a few areas, become generalists in more areas, again, as we move up the career ladder.  In other words, don't dink a senior level candidate for not being hands-on.  A senior level person won't be.

Also, as we moved up the career ladder, we often times aren't too keen with going back to doing the stuff we did 3-5 years ago.  That seems to be a step backwards for us.  For instance, I used to build servers earlier in my career.  I've moved beyond that where I set down the standards those servers are built to, or ensure that servers are in compliance with standards.  Don't ask me to go back to building servers, thank you very much.

* Skill Set

So what skills are you looking for?  And you need to be reasonable here.  Don't list the skill set of an entire InfoSec department for one person.  It rarely works that way.  In a department, tasks are divided among a group ranging from 2-6 to a dozen or more.  People focus on their tasks and too often won't get experience outside of their area, at least not deep experience.  People who focus on certain areas often won't get experience in others.  Understand that some skill areas are reserved for more experienced people.  An entry level person is not going to get experience in governance, risk, and compliance.  Someone doing end point protection is not going to get experience in programming security and so forth.  Entry level people are going to be given easy, repeatable things to do, not handed the "keys to the kingdom", like managing firewalls.

Some possible skills for security people include- Pentesting, vulnerability scanning, governance, risk, and compliance (GRC), email security, forensics, eDiscovery, full disk encryption, PCI, data loss prevention, advanced persistent threats (APT), distributed denial of service attacks (DDOS), access control, secure software development, application security, web security, database security and encryption, metrics, business continuity/disaster recovery, incident response, system hardening, data encryption, intrusion detection/prevention, auditing (ISO/IEC 27001/2, FISMA, GLBA, SOX, PCI-DSS, HIPAA, NIST CSF, COSO, etc), and others.

So make a reasonable list of skills you want.  Be sure to be clear on "must have" skills vs "nice to have" skills.

Also keep in mind that not every organization uses the same set of tools yours uses.  You use X for your antivirus, another org uses Y.  You use A for your vulnerability scanner, another org uses B.  Yet another might use the same AV app as you, but a different firewall.

And just as important, your focus should be on "can the person do the job", and less on "has the person done this task or that task."  IT/IS people can learn new stuff and most want/like to.  They see this as a challenge they look forward to.

And yet another thing to keep in mind is that InfoSecurity people are NOT system/server admins or network admins.  System admins are responsible for setting up and managing systems (servers, desktops, laptops), including configuration and patching them.  Network admins manage the networking equipment, meaning routers, switches, and bridges.  These are separate groups within IT from IS.  Many IS people used to work in those areas, but not always, and now that they are in IS they no longer do those roles, nor should they.  (look up the concept of "segregation of duties")  So please don't expect your IS people to do double/triple duty as your system and network admins.  They shouldn't (it violates segregation of duties) nor would many want to.

* Role

What kind of role are you looking to fill.  Is it a security analyst?  Security auditor?  Security administrator?  Security engineer?  Security architect?  Security manager?  Director of security?  Information Security Officer (ISO) or CISO?  These are all different roles with different skills, responsibilities, and experiences.  Some are at higher levels then others.  Security architects, managers, directors, officers are higher levels then analysts and admins.  Security admins and engineers are often more hands-on then, say architects or others.

Many IS people start off as analysts or admins, then move up to higher levels (in terms of duties, responsibilities, and yes pay).  As part of moving up in their career, they often times don't want to go back to doing what they used to do (remember, we covered this above).  Someone who moved from being a security admin to being a security manager probably doesn't want to go back to being a security admin.  And they certainly won't be happy if they apply for a job as a security manager and find they are being forced to be a security admin because higher ups don't understand what a security manager really does.  (yes, it happens.  I applied for an ISO position that appeared to be nothing more then a glorified security admin position.)

* Certifications

Do you expect the candidates to have certifications?  Do you know what relevant certifications there are and just as important what it takes to obtain them (in terms of experience, cost, etc)?  Security+, SSCP, CISSP, CISA, CISM, GIAC, CEH, and more are out there.  Some are specialized for certain areas, others more general.  The better ones require several years of experience (from 2-5), and can be very costly to obtain and maintain (several hundred or more for the test, and requiring several hours of continuing education each year plus annual fees).  Saying you want an entry level person (2-3 years) and then expecting them to have a senior level cert (5 years) just makes you look bad.  Or it makes people think the job is a senior level position (with appropriate pay) when it's really an entry level position (and pay).  And that just p*sses us off.

The main security certifications come from CompTIA, ISACA, ISC(2), SANS/GIAC, and EC-Council.

Also, some certifications (like certain skills) are "hot" and command a higher salary then others.  Be mindful of that as well.  If you're asking for certs that average over 100K, offering 60-80K is insulting.

* Pay

We've touched on this before, but I feel we need to focus specifically on this.

What do you expect to pay candidate?  And just as important, do you understand what InfoSec professionals are being paid?  You need to find out so you're not offering 10-20K LESS then what is expected.  Go out and do your research.  Don't base things on 10 years ago.  IT/IS salaries HAVE increased.  There is a reason several groups do annual salary surveys.

Starting salaries are about 75-80K.  Senior level people get into 100K and up.  CISOs run from 120/130 up to 500K.  Certain specialized skills have higher pay, such as pentesters.

Note that these are salaried amounts, with benefits.  If you're trying to get a contractor, they expect 20% or more to cover loss of benefits.

* Networking

While many may think of IT/IS focus as anti-social loners, many of us actually do network with our peers.  We attend InfoSec conferences and events.  We get involved with local InfoSec groups (local chapters of ISSA, ISACA, ISC(2), Infragard or independent local groups).  As part of this, we pass on info about job opening we hear of to our associates we know are looking for work, or whom we think would do well at those jobs.  Sometimes it's a new job where we work, or maybe something we heard from a recruiter or the like.

But the thing is, WE DO TALK.

And we also talk about our experiences, good or bad, with interviews.  So if your company does a really bad job of interviewing someone, guess what?  Others in the InfoSec community will likely hear about it.  And they'll think twice about sending you their resume.  Same thing regarding your corporate culture and environment.  If you're a cr*ppy place to work, we'll find out and not want to interview with you.

And your cr*ppy job posting?  Yeah, we're talking about that too and having a good laugh at your unreasonable expectations and poor pay offer (wanting a $100K person for $75K).   We probably aren't going to send you a resume either, or turn down that recruiter who brings it to us (and probably won't been too quick to get back to that recruiter if they bring us another position, good or bad).

And are you bringing back a job posting month after month without "finding" a candidate?  Yup, we're talking about that too.  We know exactly why you can't find someone, as we learn from others in the community that you turned down or ignored when you shouldn't have.  When we hear that good people are turned away, we know we have little chance and we aren't going to bother.  (good indication of a bad corporate culture.)

On the flip side, if you're trying to FIND that candidate, are YOU involved with the local IT/IS community?  A member of one of these groups (or have staff who are), attending local events to look for people?  If not, why not?

So keep all this in mind.

A note to recruiters.  If you are a recruiter reading this, great.  A lot of what is said here applies to you as well.  As someone who is helping your client (the company or organization fill a position), it's important you understand all of the above.  ESPECIALLY if you want to land that candidate at that position and get paid for it!  The point of this posting is that too many companies trying to fill information security positions don't understand these things.  People claim there is a cybersecurity skills gap, but when roles go unfilled and it's more due to unreasonable job descriptions (wanting "entry level" people with senior level skills and experience at entry level pay), those positions won't get filled.  A GOOD recruiter, especially those that focus on IT (including information security), should already understand the above and advise their clients on how they can fill their positions.  And that SHOULD include telling them that their salary offer is too low, the job description is poor, etc.  Otherwise YOU are the one who will look like an idiot when you reach out to IS pros looking for a job.  And if you bring us such cr*ppy positions, we aren't going to pass these along to our network and we are probably NOT going to return your calls.  This also includes bringing entry level positions to senior level professionals.  If I'm looking for a position as an IS Manager, ISO or the like at 100K+, I'm not going to look kindly on a recruiter that brings me an entry-level security admin position at 80K merely because it's a security job and they know I'm looking.  Same goes for when I'm in the market for a new position and you bring me one that I think is perfect for me, but you're more interested in using me to find someone else for it then presenting me for it.

So, what do others think?  Am I out of line here?  Please post your comments and experiences.

No comments:

Post a Comment