
Archive for the Blog Category

In Cybersecurity Recruiting, Should You Go Internal Or External?


This article was originally published on Forbes by Domini Clark, Forbes Council Member and Founder and CEO of the cybersecurity recruiting executive search firm Blackmere Consulting.

Cybersecurity talent represents one of the biggest challenges in recruiting, across all functions. If you are responsible for your security team, you know the stakes are high — especially if you have a senior-level opening. According to the Ponemon Institute’s “2018 Cost of Data Breach Study,” the global average cost of a data breach was $3.86 million, or $148 per data record last year. Unless you are flush with grade-A security talent and turning away applicants at the door, any opening raises your company’s risk level. There are options to help you hire the best and hire quickly, but how do you know which one is right?

Is Your Internal Team Up To It?

One option, of course, is to hand the search over to your company’s internal human resources team. That team probably includes talented recruiters who have spent years honing their search strengths and crafting their negotiation skills in the business. Some cybersecurity leaders may be wondering why it is, then, that they don’t often seem to land great cybersecurity candidates.

The reality is that most internal recruiters are handling many difficult-to-fill jobs, and cybersecurity is often just one of their many areas of focus. They simply don’t have the bandwidth to create the necessary industry relationships. Rarely are they able to hit the most important conferences, and few have the cybersecurity training necessary to recognize true talent.

Another option is employee referrals, generally one of the most successful avenues for internal recruiting. Members of your organization’s C-suite often sit on boards with the executive talent you’re looking for. Engineers, architects and consultants socialize ideas and challenges with friends in the industry. Your team is not only adept at recognizing technical talent in another expert, but they also know the people they want to work with on a team. The downside to this strategy is that team members have only so many friends in the industry. If they continue to call on the same people over and over again, they risk ruining friendships, and you risk future relationships.

Going External

HR teams are often wary of external recruiters, fearing it will be too costly or that outsiders could threaten their “process ownership.” But given the cost of having any seat open plus the multimillion-dollar risk to the company, recruiting fees are a drop in the proverbial bucket.

More importantly, an external specialist in cybersecurity talent offers what your internal generalist recruiters cannot. This is a networking play with a high-touch approach. Cybersecurity professionals tend to be skilled at dismissing the large number of solicitations they receive regularly. System-generated emails won’t get through their personal firewalls. Specialist recruiters, however, have cultivated networks and relationships that are needed to make contact.

The cost of external recruitment will depend on the model you choose and the specifications that you negotiate. In general, expect to be presented with three main options: retained search, contingency and container.

How To Select A Recruiter

You can’t expect to pay Walmart-level prices and get Nordstrom-level service, so you want to ensure you get excellent value for your investment. The cost to your company may be one consideration, but to get the value you deserve, also factor in these elements.

• Ethics: Some of the most highly recognized firms will not sign noncompete agreements. In other words, they may be ushering talent in the front door and escorting them out the back door at the same time. Make sure you know their policy.

• Guarantees: Make sure you are covered if your candidate walks out or is unable to live up to the hype after they’ve been onboarded.

• Chemistry: If a potential recruiter feels smarmy, evasive or bullish to you, chances are good that your targeted talent will feel the same way. If the chemistry isn’t there, find someone else.

• Networks: If a prospective recruiter has 50 LinkedIn connections in the field of home repair, keep looking. Make sure they have spent enough time in the industry to make the right connections.

• Engagement: Once you’ve chosen, give the recruiter feedback on candidates, their process and your experience, especially if they are new to you. Great recruiters learn quickly and appreciate feedback, even when it’s not flattering.

The Bottom Line

Ultimately, you’ll have to decide which options are right for you and your organization. There are pros and cons to each. But don’t underestimate the risks. Most organizations are capable of defending against the daily onslaught of run-of-the-mill malware, brute-force DNS attacks and script-kiddie hacks. However, few organizations are prepared to protect their assets against a nation-state or non-state-actor attack, something the U.S. Director of National Intelligence has said is a stark reality today. It’s only with a complete and competent cybersecurity team that your organization can be truly prepared.

Aron Derbidge Joins Blackmere Consulting as Chief Revenue Officer

Derbidge pictured with Clark at Black Hat 2019

Blackmere Consulting is pleased to welcome Aron Derbidge as its Chief Revenue Officer.  Derbidge has spent the last 20 years leading and managing teams across a number of industries, and will lead business development for the firm.  Other responsibilities Derbidge will take on include marketing, contracting, and development and maintenance of the management systems.

“We are excited about Aron’s fresh perspective and approach to growing the business,” said Domini Clark, CEO of Blackmere Consulting. “He demonstrates a passion for the cybersecurity industry, which, coupled with the credibility that is crucial to this role, is a combination that makes him a valuable addition to the team.”

Derbidge has worked in both large and small companies. He is excited to be part of a small team that is ready to grow, in an industry that makes a difference, he says. “The cyber world allows me to be in a fast-paced environment with real-world mission implications,” said Derbidge. “Helping our clients fill their critical roles in an industry that helps keep businesses, governments and individuals safer is an incredible opportunity.”

He is a proud father of two independent young women and proud husband to a long-term special educator. The family also includes four-legged members, a black Labrador retriever and an English bulldog. Derbidge is passionate about reading and learning and loves to be in the great outdoors.

Those who have the chance to speak with Aron in the future are advised to ask him about the time his bulldog met a goat.  You won’t be disappointed.

Blackmere Consulting Certified By the Women’s Business Enterprise National Council (WBENC)


Blackmere Consulting, a technical and executive recruiting firm dedicated to Cybersecurity and Information Technology, is proud to announce national certification as a Women’s Business Enterprise by the Women’s Business Enterprise National Council (WBENC).

“Over the last decade, Blackmere has proven itself as a leader in technical and executive recruitment, particularly in the cyber security sector,” said Domini Clark, CEO, Blackmere Consulting. “We are now in a place where we are pursuing mindful growth with a focus on what makes us unique. Pursuing the Woman Owned Business Certification was a natural next step as we reach this important 10-year milestone. We are pleased that this certification allows our partners to reap the full benefits of working with a woman-owned business, including supplier diversity and tax incentives. In the world of information security, credibility has always been and will continue to be a main priority for us. Attaining this certification proves once again we are living our values of integrity, diversity and thought innovation every day.”

WBENC’s national standard of certification implemented by the Name of RPO is a meticulous process including an in-depth review of the business and site inspection. The certification process is designed to confirm the business is at least 51% owned, operated and controlled by a woman or women.

By including women-owned businesses among their suppliers, corporations and government agencies demonstrate their commitment to fostering diversity and the continued development of their supplier diversity programs.

About Blackmere Consulting:

About WBENC:
Founded in 1997, WBENC is the nation’s leader in women’s business development and the leading third-party certifier of businesses owned and operated by women, with more than 13,000 certified Women’s Business Enterprises, 14 national Regional Partner Organizations, and over 300 Corporate Members. More than 1,000 corporations representing America’s most prestigious brands as well as many states, cities, and other entities accept WBENC Certification. For more information, visit www.wbenc.org.

Top Five Insights from Talent42 2019

By Domini Clark, CEO, Blackmere Consulting

Recently I had the privilege to rub shoulders with some of the best and brightest technical recruiters at the Talent42 conference in Seattle. Known for its edgy and practical feel, the 100% tech-focused conference attracts big-name companies like Google, Amazon and Expedia, as well as smaller organizations all fighting for the same technical talent. These were the key takeaways for me.

Re-defining “talent”

As the job market and economy evolve, the most cutting-edge companies are taking a good hard look at what “talent” means in their environment. How do we truly achieve diversity and, in fact, what should diversity look like in our company? Are we putting up barriers for candidates without realizing it, such as making bachelor’s degrees a hard-and-fast requirement?

Technology is ephemeral, relationships are not

More and more, technical talent is making the choice to connect only with people and situations that “feel” right. This means that it is more important than ever to take the time to make a real connection with candidates, network peers and others.

De-Clutter the hiring process

Companies big and small have created hiring processes with rules, regulations, and excuses that have built up over time and often are defended tooth and nail. That distracts us from the fact that talent acquisition is a very human endeavor, and real people — with other jobs and other job offers — can get stuck in the processes. With unemployment close to an all-time low, cumbersome processes simply don’t pay. To stay ahead of the game and win top talent, we need to take the clutter out of our hiring processes — make it easy for the candidates you want to want you, too.

Stories matter

Everyone knows that most technical talent, from software engineers to cybersecurity architects, have their pick of opportunities. Gone are the days of posting an HR-generated job description, sitting back and waiting for the talent to come to you. Instead, we need to tell the stories that leverage our greatness, whatever that may be. Maybe your data center is run with 100% sustainable energy, or your founder is a female combat veteran. Tell your story. The right person will be drawn to you and the culture that makes your company unique.

You can’t get away with anything

It was always a goal of the Internet to make massive amounts of information available to everyone. Be careful what you wish for! If you think your code review questions aren’t on the Internet, think again. That candidate you put through five interviews but then forgot to follow up with? She shared that on her blog and social media posts. There are “underground” sites in plain view listing companies that require whiteboard exercises. Staying mindful of the vast reach of communication may help drive better processes and will certainly keep you on your toes!

Taken all together, I think it means that robots will not be taking over our jobs as recruiters any time soon. In fact, the more technical and more difficult the hiring becomes, the more human and efficient our processes must be. From tailoring our job descriptions to fit real people, to diving deep into the personal impact a job change has on our candidates, to making sure we’re telling the right story about our own unique culture, it’s clear that all of the technology in the world won’t replace humanity in technical hiring.

Skills in demand: Application Security Engineers


The need for Application Security Engineers has grown dramatically as legacy applications are moved to the web.  Application Security Engineers can be focused on enterprise or mobile applications, but their overall goal is similar:  consider all system vulnerabilities of applications from design/development through implementation and maintenance.  This is a subject matter expert with strong knowledge of IT architecture, hardware, web security, identity and access management, application firewalls, intrusion detection as well as threats and vulnerabilities.

What it takes

Hands-on experience with secure code review, static analysis security testing, dynamic application security testing and strong knowledge of web development technologies. A deep understanding of threat/attack modeling is also critical, as is the ability to interact with cross-functional teams.

Compensation
Base compensation can range from $100-175K, often with additional incentives.  Independent contract rates can be higher.

– Domini Clark, principal, Blackmere Consulting; founder and director of strategy, InfoSecConnect.com.


Cybersecurity Recruiting: Weigh Your Options To Find The Right Strategy


For chief information security officers (CISOs), finding cybersecurity talent is difficult and expensive. It can seem like the greater the need, the less available the talent is. That’s why I believe the most powerful weapon in a seasoned CISO’s arsenal is, hands down, a security-focused recruiter.

So Much At Stake

Even with all of the recruiting technology, internal resources, employee referral programs and other bells and whistles out there, you may truly need security-specific recruitment experts. A quick look at the state of the industry reveals a worldwide shortage of cyber talent, with some saying we have hit a crisis point. Highlights from ISACA’s 2018 “State of Cybersecurity Study,” which surveyed over 2,300 individuals across various industries, clearly explain today’s landscape:

• 80% of study respondents said it was “likely” or “very likely” their organization would experience a cyberattack this year.

• 50% noted their organization experienced an increase in the number of cyberattacks last year.

• 59% stated their organization had unfilled cybersecurity positions.

• 54% admitted that filling open cybersecurity positions took three-plus months, longer than other areas of IT and much longer than just about any other functional area.

Security Recruiting Is Unique

To begin with, one thing I’ve found through my work in executive recruiting for this industry is that strong security professionals often aren’t active in the market, but they are being hounded. According to an (ISC)² survey, nearly half of cybersecurity professionals are solicited on a weekly basis, yet only 14% are actively seeking a new gig. You can’t spam them through LinkedIn and expect a response. They will not click on a link embedded in your email, nor will they “apply online” without a conversation first — and good luck getting them on the phone.

The best candidates don’t post their resumes everywhere. The best ones are hiding on purpose; only their closest colleagues know how amazing their last project was. They don’t trust people who don’t have street cred in the community, and ironically, technical recruiting tools aren’t effective at finding these technical experts. The only way to succeed is through networking, relationships and personal trust. It’s a full-time job.

Chances are, your internal HR/recruitment team is already overwhelmed and is made up of generalists rather than specialists. In fact, they’ll probably agree that outsourcing is the way to go to find top cybersecurity talent. There are many ways to structure a relationship with a recruiting firm, but there are three main models your organization may choose from.

Retained Search: This model often is considered the most effective, and for good reason: A retained recruiter is 100% focused on your search. Traditionally associated with C-level and executive searches, it has become more common in cybersecurity due to the critical need. A good retained search provider will act as a consultant, helping you scope out the position, explore business goals, and set search strategy. On a tactical level they should set expectations, provide position and title insights, identify potential roadblocks, and provide compensation information. Be prepared to take an active role in this sort of relationship, including providing regular and frank feedback. Most retained search firms charge a percentage of the annual compensation (base plus bonus) for the candidate selected (often 20-30%).

Contingency Search: In this model you are only charged if you hire the candidate the contingency firm delivers. This is a great option if you want to give a new recruiting firm a trial run, or if your internal team simply needs additional resources. However, be aware that a contingency recruiter needs to work multiple other simultaneous searches to ensure revenue, and you won’t get a search expert’s full attention. As with retained search, fees are based on a percentage of the annual compensation for the selected candidate and can range from 15-30%.

Container/Engaged Search: This is a hybrid between retained and contingency where a payment is negotiated at the inception of the search, and the remainder of the fee is up for grabs at the time of offer. This is a great approach to ensure both sides (recruiter and hiring organization) have vested interests in the success of the search. The downside here is the same as with the contingency model: Container recruiters divide their time and attention among multiple searches.

By the way, while it may be tempting to hire multiple recruiters for a single search, it’s likely to backfire. Everyone working on a search probably will talk with the same 30 qualified candidates, which can be frustrating for each recruiter. In addition, top-tier candidates become annoyed quickly if they are approached by multiple recruiters regarding the same position.

Superior cybersecurity talent is essential to protecting and defending your corporation and your reputation. The right relationship with your external recruiting partner is essential to engaging superior talent.

This article was contributed to Forbes by Blackmere Founder and CEO Domini Clark, and was originally published on Forbes.

Skills in demand: Application Security Architect


The need for Application Security experts has grown dramatically as enterprise systems become more and more complex.  While Application Security Engineers can be focused on a variety of enterprise or mobile applications, the Application Security Architect must understand how applications fit into a multi-tiered architecture.  They must consider all system vulnerabilities and their relationship to each application from design/development through implementation and maintenance.

What it takes

This is a subject matter expert with strong knowledge of IT architecture, hardware, web security, identity and access management, application firewalls, intrusion detection as well as threats and vulnerabilities. AppSec Architects often have deep technical knowledge and hands-on experience with secure code review, static analysis security testing, dynamic application security testing and strong knowledge of web development technologies. An overall understanding of complex systems and expertise in threat/attack modeling is critical, as is the ability to interact with cross-functional teams.

Compensation
Base compensation can range from $150-200K, often with additional incentives.  Independent contract rates can be higher.

– Domini Clark, principal, Blackmere Consulting; founder and director of strategy, InfoSecConnect.com.

This was originally published in the June 2016 issue of SC Magazine.

Hacking the Applicant Tracking System: Resume Tips to Get Your Resume Found

Follow these 5 Applicant Tracking System resume tips to make sure your InfoSec resume doesn’t automatically get kicked out of the screening process

Dear ‘FirstName’ Unknown ‘LastName’ Unknown,

I am a recruiter – today I spent hours sourcing from one of the many career websites/resume databases where you carefully created a profile and uploaded your resume. I read the profiles and created the perfect candidate pool of job seekers that I wanted to target. I downloaded the resumes from the resume database and, for HR compliance, I uploaded them to my Applicant Tracking System (ATS). To my dismay, this step usually results in 50% of the resumes being unreadable, and you, my favorite candidate, are now “Unknown Unknown”. I researched what was happening and found one common thread among these sourced candidates. The top of their resumes stated:

– Note: This is a converted Word document. An image of the resume is displayed rather than text.

Keep in mind that ATS systems are now used by most companies to meet HR compliance and handle the hundreds of applicants they receive on most job postings. Recruiters generally upload their sourced resumes to these systems to meet HR compliance requirements. ATS systems parse resumes and compare the data against criteria in the job posting through keywords, screening questions, etc. Most resumes are only seen by humans if they are actually sourced or if they pass the initial screenings completed solely by the computer.

Unfortunately, if you are one of the InfoSec folks who have converted your resume to the Word image format, it will be lost once the recruiter uploads it to the ATS, or it will not succeed in passing most ATS initial screenings. Usually this means you will receive a rejection letter automatically from the system once they make their final selection. So here’s what happens – most resume parsers in ATS systems do not have optical character recognition (OCR) capabilities, therefore your resume image is simply unreadable by the computer systems.

InfoSec Connect wants to help you modify your resume to ensure you are being considered based on your skill set and not your resume format. Algorithms designed to screen resumes are systematic and minor things can kick your resume out of consideration. The rules are simple:

  • DO NOT convert your resume to an image
  • DO NOT put your name and contact information in the document header
  • DO keep your resume format simple – try to avoid advanced formatting such as tables, unique fonts, images, etc.
  • DO Clearly label the resume sections with standardized headings (best to use headings from postings such as Qualifications, Experience etc.)
  • DO use the keywords that you identified in the job posting – keep in mind that most ATS systems use outdated SEO methods for the initial screening.
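To make the screening behaviour described above concrete, here is a toy ATS intake pipeline in Python. It is an added example, not code from the original post or from any real ATS product: the `Document` model, the keyword list (taken from the AppSec Engineer posting on this page), the name/e-mail patterns and the three sample resumes are all constructed assumptions. It shows the three failure modes the rules address: an image-only resume yields no text and becomes “Unknown Unknown”, contact details placed in the page header are never read, and keyword matching is a plain phrase comparison against the posting.

```python
import re
from dataclasses import dataclass

# Constructed document model (assumption): a real parser reads a .docx/.pdf;
# here the pieces a parser sees, or misses, are spelled out as fields.
@dataclass
class Document:
    body: str = ""             # the main text layer the parser reads
    header: str = ""           # page header/footer text, which many parsers discard
    image_only: bool = False   # True when the resume was exported as a picture

# Constructed keyword list, modelled on the AppSec Engineer posting above.
KEYWORDS = [
    "secure code review",
    "static analysis",
    "dynamic application security testing",
    "threat modeling",
    "identity and access management",
]

# Hypothetical, deliberately simple contact-detail patterns.
NAME_RE = re.compile(r"^([A-Z][a-z]+) ([A-Z][a-z]+)$", re.MULTILINE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def extract_text(doc: Document) -> str:
    """Mimic a parser without OCR: an image-only file yields no text at all,
    and the header is never consulted, only the body text layer."""
    if doc.image_only:
        return ""
    return doc.body


def parse_candidate(doc: Document) -> dict:
    """Pull name and e-mail out of whatever text the parser could read.
    When nothing usable is found, the record becomes 'Unknown Unknown'."""
    text = extract_text(doc)
    m = NAME_RE.search(text)
    first, last = (m.group(1), m.group(2)) if m else ("Unknown", "Unknown")
    e = EMAIL_RE.search(text)
    return {"first": first, "last": last,
            "email": e.group(0) if e else None, "text": text}


def keyword_score(text: str, keywords) -> tuple:
    """Fraction of posting keywords found as whole phrases in the text."""
    norm = " ".join(text.lower().split())   # collapse line breaks and spacing
    hits = [k for k in keywords
            if re.search(r"\b" + re.escape(k.lower()) + r"\b", norm)]
    return len(hits) / len(keywords), hits


def screen(doc: Document, keywords=KEYWORDS, threshold: float = 0.6) -> dict:
    """Full intake: parse contact details, score keywords, apply the cut-off."""
    cand = parse_candidate(doc)
    cand["score"], cand["hits"] = keyword_score(cand["text"], keywords)
    cand["passed"] = cand["score"] >= threshold
    return cand


# Constructed sample resumes (not real candidates).
SKILLS = (
    "Experience\n"
    "Secure code review, static analysis security testing (SAST), dynamic "
    "application security testing (DAST) and threat modeling with "
    "cross-functional teams.\n"
)
GOOD = Document(body="Domini Example\nsecurity@example.com\n" + SKILLS)
IMAGE_ONLY = Document(body="", image_only=True)
HEADER_CONTACT = Document(header="Domini Example | security@example.com",
                          body=SKILLS)

if __name__ == "__main__":
    for label, doc in [("text resume", GOOD), ("image resume", IMAGE_ONLY),
                       ("contact in header", HEADER_CONTACT)]:
        r = screen(doc)
        print(f"{label:18} -> {r['first']} {r['last']}, "
              f"score={r['score']:.2f}, passed={r['passed']}")
```

Running it shows the plain text resume passing with a named record, the image resume scoring zero as “Unknown Unknown”, and the header-contact resume passing the keyword screen while still being filed as “Unknown Unknown”, which is exactly the mismatch the second rule warns about.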

Now go update that resume and get past those initial screenings!

Skills in demand: Cyber Threat Intelligence Analyst

Cyber security is changing and some organizations are beefing up their threat intelligence groups in order to get ahead of the attack.  The Cyber Threat Intelligence Analyst works closely with network defenders, incident responders, application security experts and threat hunting teams to collect, classify and exploit potential threats.  Responsibilities include:

  • Collection, validation and analysis of threat information from multiple, and often industry-specific, organizations
  • Generation of threat intelligence for the purpose of detection and response to advanced persistent threats (APTs)
  • Research and creation of a variety of concise and actionable threat analysis and warnings which will be consumed by everyone from senior company executives to security analysts

This is an intelligence expert with the ability to influence immediate change within an organization in the midst of high pressure situations.


Interview tips: How to ACE Your Interview in 5 Steps

You’ve followed our tips for creating a standout information security resume, and you got a callback for an interview. Well done. Now make the most of your investment in time so you are prepared to ace the interview and make yourself impossible to pass over.