Recruiter

How to be a GREAT Cybersecurity Recruiter

To be clear, I am not, nor have I ever been a cybersecurity recruiter. I’m not even saying I have what it takes to be one. What I’m saying is that, like cybersecurity itself, being a recruiter is very simple. Bloody difficult, but simple nonetheless. What’s more, cybersecurity recruiting is also about People Process, and Technology. Always in that order, and luckily to only technology you need to be a great recruiter is a phone and a laptop.

So while I cannot talk directly about the challenges faced by recruiters, I have however been on the other side of the process as both a candidate and a hiring manager. I can say that in almost 20 years I have yet to meet a recruiter for whom I would go out my way to recommend. Not one. In 20  years.

Not. One.

So if you are a recruiter who has engaged with me in the past, yes, this applies to you, without exception. If you want to know why, read on, and then be honest with yourself. Did you really provide the kind of service I describe below? Do you now?

The most frequent piece of advice I give anyone new to cybersecurity is to take your ego out the equation. That may sound odd coming from me, but even though I know a lot more than my clients about cybersecurity, it’s not about me. Of course I know more than my clients, that’s why they hired me! It’s about using my knowledge for the client’s benefit, not for appreciation, and certainly not for money. Both of those things should take care of themselves if I did my job correctly.

Again, this is no different from what you should be doing as a recruiter.

As a recruiter you have not one client, but 2, regardless of whom you represent; the candidate, and the hiring company. While this makes your task twice as difficult as mine, what you do is no more complicated. Like it or not, you are in the service industry, and neither the candidate nor end customer care what you want. But if that’s all you care about, you will rightly fail. Harsh, yes, but you chose this career.

Anyway, here’s my advice for what it’s worth.

How to be a Great Recruiter.

  1. Know what the hell you’re talking about – No, you don’t have to be an expert in cybersecurity, but there’s a very good chance the hiring company isn’t either. They will ask the wrong questions, it’s your job to give them what they need, not what they asked for. If you’re representing a person, you need to know their skill-set enough to determine a good fit. This means you have know what cybersecurity actually is, and no, not just the buzz-words and acronyms.
    o
  2. Know what the candidate wants – Like it or not, you have a responsibility to your candidates to help grow their career. This is their livelihood, and they trust that the power you have over their success is not misplaced. If all you care about is getting them off your plate and on to the next candidate, you are betraying their trust. If you don’t see you candidates as lifelong relationships, why are you doing this? Go sell used cars instead.
    o
  3. Send CVs that have been PROPERLY vetted – It’s tempting to scattershot all of your ‘cybersecurity expert’ CVs at every cybersecurity related job opening in the hope one sticks. Don’t. Do you homework, and if you don’t have someone that fits, pass. As a hiring manager I dismissed recruiters that consistently wasted my time. Earn the right of first refusal by being totally candid, that’s the most you can ask for with the amount of competition out there.
    o
  4. Provide unvarnished feedback – No matter how bad the feedback, pass it on completely unvarnished. If you don’t have the courage to do that, at least provide SOME feedback. I’ve lost count of the number of times a recruiter was all over me while I was still a viable candidate, then completely disappeared when it fell through. Obviously I didn’t get the job, which was bad enough, but for me to have to work that out by myself over the course of the next few weeks is unconscionable. While you may not be able to help your candidate from screwing up the next time, you’ll at least have a candidate who’ll talk to you again.
    o
  5. STAY in touch – Careers in cybersecurity can change on a dime, if you don’t maintain a relationship with your candidates you will become worthless. I’m not saying call every day, but is once a month too much to ask for a 30 minute catch-up? If it is, again, why are you doing this, you’re supposed to actually like people. Besides, if I trust you, who do you think is going to get all of my referrals?
    o
  6. Be pro-active – As a recruiter, you have unparalleled access to the demands of the market. What possible reason could have for not feeding that back to your candidates? By steering them into fields of high demand you are helping both them, and yourselves.
    o
  7. Love what you do – No-one wants to work with someone who could not care less about what they do. Love it, or get out.

Recruiters in every field have a horrible time fighting against their negative image. An image they have earned as a profession from being so filled with dross. Unfortunately cybersecurity is getting that way thanks to ambulance chasing vendors. Now combine the two; cybersecurity recruiter. The odds are against you, but it strikes me that anyone encompassing the above would be a beacon in an otherwise dismal landscape.

For those who have the temerity to ask for exclusive deals up front, try earning it instead. Given the state of recruiting these days it should not be that difficult.

Finally, at the end of my blog; Cybersecurity Recruiters, The Gauntlet Is Thrown! I stated my ultimate purpose was to find the great recruiters I know are out there.

I’m still looking.

[If you liked this article, please share! Want more like it, subscribe!]

Change

Cybersecurity Professionals: Don’t Change by Not Changing at All

Yes, I stole this line from Pearl Jam’s 1993 song; ‘Elderly Woman Behind the Counter in a Small Town‘. But in my defence, I have always loved the line and I did wait for almost a quarter of a century before I stole it.

The very simple, yet extraordinarily powerful message is one that applies equally to your personal and professional lives. Though I for one have never believed that you can keep your work and home life separate. They overlap in just too many ways. We used to have communities to fulfil our Maslow’s sense of belonging, now we have the companies we work for. We used to derive our sense of self-worth from taking care of our families, now it’s from a big annual bonus, a cheap award, or worse, a title.

But I digress. Already.

In a previous blog; So You Want to be a Cybersecurity Professional, I posited that you really only have 2 career choices; 1) specialise, or 2) generalise. “You cannot be both, there are just too many aspects of cybersecurity. Medicine, law, engineering, and a whole host of other careers are the same, you must find what suits you best.”

Unfortunately, if you’re not careful, both of these choices have a significant downside; if your knowledge stands still, your skill-set will become obsolete. As technology continues to advance, and the corresponding social issues (privacy for example) become more complicated, cybersecurity professionals have to adapt to an ever-changing array of requirements. While I find the vast majority of job descriptions ridiculous in the extreme, you only have to look at what employers are asking for to see the writing on the wall.

In Europe, for example, if you can’t speak at east relatively competently about technology issues as they relate to the GDPR or even PSD2, you are not setting yourself apart. Not in a good way at least. And if you are not adapting to the current cycle of distributed processing (i.e. The Cloud, containers, FaaS and so on), then your ability to administer physical assets is not likely to take you as far as you’d like.

I have never hidden my disdain for our over-reliance on IT/IS certifications. But even I find myself back in the study/test cycle in an attempt to render my skill-set a little more relevant. I have signed up for both the Certified Information Privacy Technologist (CIPT) and the Certified Information Privacy Professional / Europe (CIPP/E) in an attempt to make my individual ‘service offerings’ more attractive. I’m not saying that the certs will do that by themselves, you have to actually read the regulations to which they refer, but it’s a start. So is talking to people in related fields.

I would say that it’s the specialist career which is actually the most at risk, especially given the ridiculous number of ‘new’ technologies that have hit the market. Almost on a daily basis it seems. Tie yourself to one of these ‘acronyms‘ and it’s unlikely you’ll be relevant for more than a year or so. Unfortunately, cybersecurity is not so much an evolution of responsible services, it’s a cycle of vendor-defined demand generation predicated on buzz-words and F.U.D.

Perhaps I’m only seeing all this from my own ‘generic’ and slightly jaded perspective. I have largely removed myself from individual security technologies to focus on the basics. While the basics (or as I call them, the Core Concepts) of security will never change, even these need to be refreshed in light of evolving business needs and priorities.

In the end I think a lot of our problem in cybersecurity is that we think we’re a department alone. I believe we are the exact opposite, we are the one who need to be in on everything. After all are not data assets the crown jewels of most organisations?

With that in mind, here’s how to embrace change:

o

  1. Read – Most of us subscribe to things of direct interest, but few of us subscribe to things outside of that limited sphere. Like it or not, IT and IS departments are only there to enable, so you need to know what impacts other department like finance and legal if you want to stay ahead of the game;
    o
  2. Talk to People – Probably the hardest one for me, but IT and IS do not exist in a vacuum. What scares the crap out of all the other departments? You’ll find out eventually, don’t let it be the hard way;
    o
  3. Training & Certification – While you don’t need to go the whole hog and collect another almost meaningless acronym, at least get yourself trained by an expert in something with which you are currently unfamiliar. GPDR for example, or PSD2 if you’re in the payments space, or even PCI if you’re really desperate;
    o
  4. Self Reflection – Unless you’re one of the lucky ones who’s in a career they chose, you likely found you way into cybersecurity by accident. Or in my case, a comedy of errors. This does not mean it can’t be a perfect fit, you just have to be extra aware of your talents and skills to not find yourself in a position for which you are wholly unsuited;
    o
  5. Find a Mentor – This does not mean you have to get a hands-on mentor, even following a person whom you respect on LinkedIn is a good thing. Find someone(s) who are were you want to be, they’ve already made a lot of the decisions you are going to face.

History is full of people who could not imagine becoming obsolete. I’m going to go out on a limb and say that these people ended up with significant regret.

[If you liked this article, please share! Want more like it, subscribe!]

Wishes

So You Want to be a Cybersecurity Professional? – Redux

At the end of last year I wrote a blog that proved to be my most popular yet, by several orders of magnitude. In So You Want to be a Cybersecurity Professional? I threw together some very high-level thoughts for those wishing to get into the field. However, it’s wasn’t until the last week or so that it occurred to me to question why this blog in particular resonated as it did.

On the assumption that it’s because there are literally thousands of people out there struggling to find their way into security, I figured I’d expand a little on the original.

With the proliferation of both certifications and U”niversity degrees, there are many avenues that attempt to fast-track cybersecurity careers. Add to this a ridiculous number of ‘new’ technologies all claiming to address a rapidly growing number of threats and regulatory compliance regimes, and you have a combination that could not be better planned to lead candidates to a career dead-end.

The new modus operandi for cybersecurity professionals seems to be; University degree > industry certifications > Technology. But if your ultimate goal is CSO/CISO you have derailed yourself even before you start. I do not know one CSO/CISO who is primarily focused on technology …not any good ones anyway. It’s the people and processes that give technology context, not the other way around.

No course on the planet can teach you people and process, that’s something you must to learn for yourself. In security, experience is key.

While technology is an indispensable aspect of security, the majority of the product and security vendors who say they are trying to help are actually causing enormous damage. In their mad rush to stake a claim to a piece of multi-billion $/£/€/¥ security industry (and still growing), they are developing technologies so far removed from the basic principles as to be almost unrecognisable. Not only are these largely inappropriate to most businesses, but far too fleeting and ethereal to ever be rely on as a career foundation.

While I assume most University degrees will cover the ages-old basics of governance, policy & procedure, risk management etc. (like the CISSP’s CBKs do), without a real-world understanding of their implementation you will never be able to put a technology into a context your clients or employer has the right to expect. Basically you will be lost in a never-ending cycle of throwing technology after technology at something that could likely be fixed by adjusting the very business processes you’re trying to protect. Technology can only enhance what’s already working, it cannot fix what’s broken.

So where should new candidates start? I have no issue with University degrees or certifications, but from my own experience it was starting out at the most basic level that gave me the greatest foundation. From firewall and IDS administrator, to a stint in a 24X7 managed security service security operations centre I received an education that has stood the test of time. Networking, protocols, secure architecture, system management, incident response / disaster recovery, and just as important; the power of great paperwork. There is no-one who appreciates a comprehensive set of procedures and standards as someone who has just taken down a client’s firewall.

For the next phase of my career I was, for want of a better word, lucky. PCI was just kicking off and the desperate shortage of QSAs meant it was relatively easy for me to become one and be thrown immediately in front of customers. I learned as much in the next year as I did in the preceding 5. Not technical stuff per se, though that was certainly part of it, but the soft skills necessary to provide a good service.

From that point forward I have stayed in consulting, as I am fully aware of that is where both my interest and skill-set lay. I am not technical, never have been, so I’ll leave that up to others. I have also never wanted to be a high-level executive, that’s too far removed from anything I have ever enjoyed. What this means is, I already know a CISO role is very likely not in my future, and I’m absolutely fine with that.

I have my own thoughts in what a CISO is anyway.

I’m not saying that CSO/CISO need be your goal, if you’re quite happy managing firewalls, that’s great, but you absolutely have to know what your goal is or you’ll flounder around the edges of security missing every boat that comes along.

So:

  1. If you want to be a CISO, remember that the vast majority of the CISO function is just a series of consulting projects designed to help the business meet its goals. The final aspect of a CSO’s job borders of politics, so that had better be what you want.
  2. If you love technology, great, but get an understanding of how your technology(ies) fits into the client’s business goals before trying to shove it down their throats. And jumping straight out of Uni into a technology start-up may seem like a good move, but only 1 in 1,000 companies make any difference. Be prepared to fail many times.
  3. If consulting is your thing, stay high-level and stay with the basics. Be the person that your clients come to to solve their challenges, regardless of who ends up performing the actual remediation. A Trusted Advisor is a very rare thing, and very few ever earn it.

Regardless of your career goal, the basics of security will never change, and you will only be at the top of your game when what you are doing benefits everyone involved.

Finally, a warning: if you think anyone other than those making a career out of it care about security, you are mistaken. Not one, I repeat not ONE of my clients actually cares about security, they care about things ranging from genuine concern for their customers to just money. Security is only, and will only ever be, a means to an end. It enables a business, it does not direct one. It’s these things that you cannot learn from school or from technology alone.

Get a mentor, one who has been where you are and is where you want to be. And never, I mean NEVER follow the money.

[If you liked this article, please share! Want more like it, subscribe!]

CISO Sacrifice

How to Hire a CISO

In my experience, the hiring of a CISO is one of the last things on the minds of the overwhelming majority of Board of Directors (BoD). Well, maybe more accurately; it’s the last role they want to hire. Who wants to spend money on security? Where’s the ROI? While there is often significant kudos for corporate responsibility, its effects on the bottom line are invariably lost in translation.

I’ve written more than enough blogs on why cybersecurity is so essential to every organisation. Even tried to spell out some of its many benefits, but 180 subscribers will hardly change the course of a multi-billion £/€/$/¥ industry.

However, I will count this blog a HUGE success if I succeed in one, and especially both of the following:

  1. An organisation hires the exact right person for their cybersecurity needs; and/or
    o
  2. A prospective CISO asks all the right questions and gets the right job for them.

By far the biggest challenge for organisations in hiring a CISO is doing it for the right reason(s). Unfortunately the reason, 99 times out of 100, is necessity. From landing a big contract, to regulatory compliance, to post-breach PR, the CISO role is often nothing more than an empty suit. Compound this with the BoD having no idea of the right questions to ask the prospective candidates, the whole thing likely started out with little idea of what they were actually trying to achieve.

Security is not about technical requirements, it is a business process, and until the BoD see it as such no CISO job description (JD) will ever land the right candidates. In security, if you’re not an expert, never ask for what you want, find someone  who can fully detail the things you need. You’d be amazed how often these things are very different.

Steps to Hiring the Perfect CISO

But first, we need to stop thinking about the CISO as a person, CISO is a function. Or rather, a series of projects that culminates in a function. Security begins with a plan, then evolves through several phases into a coherent cycle of business enabling processes. I’ve never met a single individual with either the skill-set, or even the interest, to perform all of these phases. I for one would rather chew tinfoil than babysit something that does not require fixing.

Second, I am going to assume that the hiring of the CISO is going to be managed by the BoD, if not, none of these steps make sense.

Finally, I am going to use the types of CISO I defined in The 3 Types of CISO: Know Which You Need to illustrate my point.

Step 1: BoD must finalise three things: 1) their Mission Statement, 2) their Value Statement(s), and 3) their short / medium / long-term business goals.

Step 2: BoD uses all resources at their disposal to find the right resource(s) to turn the Mission/Values/Goals into an appropriate security strategy.

Step 3: Hire a p-CISO (Planner) for Phase 1 – skill-set prerequisites must include:

  • drafting Governance charters and policy sets;
  • standardising and performing initial risk assessments;
  • controls gap analysis;
  • developing business impact analyses (BIA);
  • defining a basic set of minimum security controls; and
  • chairing a Governance Committee meeting (this is a requirement across all 3 CISO types).

[Once Phase 1 tasking is roughly 75% complete, Phase 2 can begin. the p-CISO will be expected to fine-tune the draft JD for the e-CISO and hand over all relevant knowledge / duties.]

Step 4: Hire an e-CISO (Executor) for Phase 2 – skill-set prerequisites must include:

  • matching Policy Set with both business goals and the prevailing corporate culture;
  • socialisation and distribution of procedure and standard document coordination to relevant SMEs;
  • integration and centralisation of security control output into a unified incident response capability;
  • assignment and formalisation of all security responsibilities; and
  • implementation of disaster recovery (DR) and business continuity planning (BCP).

[Once Phase 2 tasking is roughly 75% complete, Phase 2 can begin. the o-CISO will be expected to fine-tune the draft JD for the o-CISO and hand over all relevant knowledge / duties.]

Step 5: Hire an o-CISO (Optimiser) for Phase 3 – skill-set prerequisites must include:

  • performing an objective review of all security controls including policies (with Internal Audit if available);
  • maintain their aspect of the company-wide Risk Register in-line with the security strategy and business goals;
  • formalise management information and security/risk metrics into a BoD-level reporting process; and
  • implement a cyclical program for continuous improvement.

Sample Phased Approach

That’s it, 5 simple steps. Very difficult and potentially expensive steps, yes, but simple nonetheless. Clearly these steps are VERY high level, and there is a lot more detail involved than that. This process could also take many months or even years. But the hiring of a CISO is not about finding people, it’s about committing to an idea and doing whatever it takes to bring that idea to life.

For that to happen, the BoD must stay involved. For the CISO roles as defined above to succeed the BoD needs to use as much of its influence as necessary to fully support them. A dotted line reporting structure directly to the BoD works best.

In my experience, if you’re looking to hire a CISO to sort out your security, you’ve already started down the wrong path. It’s the CISO who usually ends up paying the price.

If you’ve made it this far, you are probably thinking that the title of the blog should have been: How to Implement a Security Program. And you’d be right, it should, but the people wanting to hire a CISO probably wouldn’t have read it.

[If you liked this article, please share! Want more like it, subscribe!]

CISO Lifespan

Why CSOs / CISOs Only Have a 2 Year Lifespan

In previous blogs I expanded upon two main reasons why CISOs seem to have such a limited lifespan, and why the role is currently one of the most difficult senior leadership roles to both fulfil, and stay in long-term.

In Make the CSO Role a Board Appointment, or Don’t Bother Having One I touched upon the fact that so few CSOs; 1) are hired by the right people or for the right reasons, 2) report to the correct hierarchy, and 3) have the necessary support from the people from whom they need it most.

In The 3 Types of CISO: Know Which You Need I tried to explain why there is effectively no such thing as an ‘all-rounder’ CISO, so expectations are already completely out of line with reality.

I’ve now come up with a 3rd; Expecting the CISO alone to fix everything.

While this may be a byproduct of the first two, it is nevertheless important enough to be addressed by itself. And for once, I can’t actually blame the CEO entirely for this issue, the CISO is every bit as culpable.

Consider this scenario; An organisation, for whatever reason, decides it needs a security expert in senior management. Even if the BoD does get involved from the beginning, the organisation will end up writing a job description of some sort. This is no different from going to the Doctor’s, diagnosing yourself, and writing your own prescription.

This description will then be advertised in some fashion, guaranteeing that the only people who respond are the ones wholly unqualified to fill it. In the same way that anyone who wants to be in politics should be stopped from doing so, anyone who responds to a CISO role that they didn’t draft themselves has no idea what they are doing.

There is only one exception to this, and that’s if the organisation has already put the basics of a security program in place and need someone to optimise it. Everything before this is a series of consulting gigs, the aim of which is to prepare the organisation’s security program to the point a CISO can come in and run with it.

So, whether you’re an organisation looking for a long-term CISO, or a CISO looking for a long-term gig, what do you do?

A Security Program in 10 Difficult-as-Hell Steps

o

Clearly there are many steps in between these, as none of this appropriately addresses two of the most important aspects of any security program; 1) Senior Leadership’s role in changing the corporate culture, and 2) a Knowledge Management program personified by documented processes and procedures.

But in no way do I wish to downplay the CISO role to one of a babysitter, it is still one of the most difficult roles imaginable. However, I have never met a CISO who joined an organisation at Step 1, and was still the CISO a year or so later. Because the CISO role is perceived by many security professionals as the pinnacle of their career, too few ask the hard questions before committing;

  1. Has the organisation followed the 10 steps? – If no, where are they in the process?. If yes;
  2. Am I right for the job? – If no, can I help them find someone who is. If yes;
  3. Do I really want the job? – Go in with your eyes wide open, or again, walk away.

As long as both the organisation and the prospective CISO are fully aware of these issues, there is no reason a CISO can’t go the distance. That said, there is no reason a security program can’t be put on track without one…

[If you liked this article, please share! Want more like it, subscribe!]