10 Tips for Creating a Stand Out Information Security Resume

Let’s be honest – there are 100 million articles out there about how to write the best resume, right? Right. Well, after 20 years as a technical recruiter and nearly a decade of recruitment in information security, I know what makes a good resume in this industry. Some of these tips are industry specific, some are (or should be) common knowledge. Following these basic principles will ensure you have the right foundation to create a marketing piece (information security resume) that will catapult you into the next phase of your career.

Relocation costs now a sticking point for job-hunting security managers

In an effort to cut costs, many companies hire local candidates to fill CSO positions. But are they also sacrificing quality for their security program?

By Bob Violino
CSO | May 5, 2015 9:47 AM PT

http://www.csoonline.com/article/2918772/infosec-careers/relocation-costs-now-a-sticking-point-for-job-hunting-security-managers.html

With security executives and staff in such demand at many organizations today, is it possible that something like paying for relocation costs could get in the way of hiring a new employee to join the security program? Yes, according to a number of people in the industry.

“Companies are finally realizing that they need someone to lead their information security efforts. Unfortunately, [they’re] settling for available local talent instead of hiring the experienced talent they really need” because they don’t want to pay for relocation, says an information security executive who asked to remain anonymous because he’s actively looking for another job.

In some cases, it’s made clear that relocation compensation is not an option. “If you start looking at director or above in the job boards, few positions will state that relocation is provided and many will explicitly say that relocation is not provided,” the executive says. “Since I am looking for a new position, I have talked with several recruiters and heard the same story from them. Companies don’t want to invest in relocation and are looking at local candidates only.”

Recently, the executive talked with a large restaurant chain that is looking for a new CISO, and was told that the company liked him for the position, but did not want to deal with relocation costs. “They did finally find someone local who had one-third the experience and had never been a CISO before,” he says. “I will give them nine to 12 months—or a breach—for them to be looking again.”

It’s not unusual for employers to ask recruiters to focus on the local candidate pool so they do not have to relocate someone, says Kathy Lavinder, executive director of Security & Investigative Placement Consultants, a retained recruiting firm that finds and places security management and financial investigative personnel.

“That’s quite common in the larger metropolitan areas where the local candidate pool is likely to be sufficient,” Lavinder says. “That directive eliminates some strong non-local talent, but that appears to be a price some employers are willing to accept.”

Some of Lavinder’s clients have been trying to contain relocation costs when possible. “Some have reduced the number of house-hunting trips to the new location for the potential employee and his or her spouse,” she says. “I’ve seen them reduce the number of paid house-hunting trips to one, instead of two. I’ve also seen a few employers put a 30-day limit on the coverage of interim housing costs to spur the new employee to find permanent housing.”

Some larger companies are expressing a desire to avoid cross-country moves, Lavinder says. “In one recent instance, a multinational company headquartered in the New York metro area asked us to focus on candidates east of the Mississippi,” she says. “The company may have been concerned that someone from the western U.S. may not adapt to the New York area, but I suspect cost entered into their decision.”

Larger companies have always had more generous and comprehensive relocation packages than smaller and mid-size companies, Lavinder adds, “but even some of our larger clients are trimming relocation packages a little. In one case, the company cut out some minor things they had covered in the past, such as the cost of a new driver’s license and car registration. These are minimal costs and candidates would never know they had been covered in the past, so it’s easy for employers to make a change like that with little consequence.”

Another security executive recruiter, Wils Bell, president of SecurityHeadhunter.com, has encountered refusals by companies to cover relocation costs “on many occasions.”

One example was a larger company that was located in a big city. “Their position had been open almost a year when I was contacted about working on their search,” Bell says. “The position offered a good salary, career advancement for the right person, challenge, etc. What it did not offer was any type of relocation.”

Corporate leadership had decided that since the business was located in a larger city, it should be able to draw from the local market. “They still were holding onto this policy even after a year of searching and interviewing several candidates through numerous sources,” Bell says.

And among companies that do cover relocation costs, in many cases the offer is not as generous as in the past, Bell says.

“For the vast majority of positions, relocation has changed from years ago,” Bell says. “Getting a ‘Cadillac’ relocation package is many times being replaced by a specific dollar amount [such as] $3,000, $5,000 or $7,500, and you move yourself. Of course, you’ll need receipts to back up all expenses.”

These types of situations, with either no relocation packages or limited packages, have been on the rise, Bell says. “I don’t see it as often at the C-level as I do the mid- to senior-level positions, but it is definitely increasing,” he says.

Years ago, relocation packages and their perks were fairly standard, Bell says. “Over the years they have decreased in value,” he says. “In my opinion, money is the main driving factor. Firms could spend a great deal of money moving someone. The actual move, closing costs, house hunting trips, temporary housing, etc. all added up. It is easier for many firms to just offer a flat dollar amount.”

Some organizations are more likely to provide relocation packages only for the higher-level security jobs.

“Often, organizations see the value of finding the precise organizational and skill-set fit at or above the director level, making relocation necessary,” says Domini Clark, principal at Blackmere Consulting, which recruits information security professionals.

“Below that level, however, it is often very difficult to find organizations willing to cover the costs of relocation,” Clark says. “Unfortunately, the majority of the hiring necessary in any organization goes on at this level, which causes issues with positions being open much longer than necessary or not being filled at all.”

Some recruiters, however, say they’ve not encountered any major issues regarding relocation costs.

“We have filled some of the most prestigious CISO roles as well as companies hiring first-time CISOs, and for the most part they understand the demand for these executives is very high and are providing relocation packages,” says Joyce Brocaglia, founder of Alta Associates, an executive search firm specializing in information security and IT risk.

“We have filled over 20 information security positions in the first quarter, and the majority of companies were willing to relocate candidates,” Brocaglia says. “The only times we see companies not wanting to fund relocation expenses are for junior level to entry level manager roles that they believe they can find local talent. Even in those cases, the majority of companies are willing to provide some type of sign-on to defer expenses.”

As the demand for talent has increased the past few years, “I’ve had more companies offering relocation packages than I did in the 2008 to 2011 timeframe,” adds Jeff Snyder, president of SecurityRecruiter.com.

“It is safest for a job candidate today to be prepared for reimbursement for a pack and move where the company will pay for a rental truck and maybe packing and a month or two of storage on the destination end of the relocation,” Snyder says. “If a company offers a relocation package that includes assistance with selling a home or even outright buying a candidate’s home, this is what I would consider to be a package with gravy.”

Nevertheless, containing relocation costs now appears to be a reality that recruiters, candidates and hiring managers must acknowledge and in most cases accept, Lavinder says. “This trend began during the recession and is ongoing,” she says.

Unrealistic expectations by candidates

The unwillingness of many companies to pay for relocation costs when hiring security executives and staff is having an impact in several ways, according to recruitment experts.

“This can make the jobs of recruiters and internal talent acquisition personnel more difficult,” Lavinder says.

“Candidates can have some fairly unrealistic expectations around relocation,” Lavinder says. “They’ve heard stories from peers about deluxe relocation packages and do not realize those are the exception, not the norm. Managing the expectations of candidates, as well as the relocation discussion and process, is how a good recruiter can add value and help the employer find the talent needed.”

One major effect of the decrease in relocation package offerings is that companies limit their choices and might not be able to hire the best candidate for the position, Bell says.

“This is especially true at senior leadership levels,” Bell says. “When you consider what even a small breach can cost a firm in lost profits, reputation damage, loss of clients, remediation efforts, etc., then hiring the best candidate, regardless of relocation, just makes good business sense.”

The trend means recruiters in some cases have to work harder to get companies to be more flexible if they want to bring in people with the needed security experience.

“Nobody ever wants to back off of their list of wants, needs and desires, but depending on the size of the local market a [company is] in, I have to convince employers that they have to find flexibility somewhere or lower their standards,” Snyder says.

“The types of roles I work on are not roles where companies can afford to lower their standards,” Snyder says.

Another consequence of the hesitance to pay relocation costs is that more and more work is being done remotely, Clark says.

“In many cases, the technology is there to make this effective,” Clark says. “However, leadership is often uncomfortable with this shifting tide. It ‘feels’ less like they have the control they need to know what’s happening with their department if they can’t do a walk through or hold an in-person meeting. If companies are unwilling to assist the right talent with meaningful relocation offerings or remote work possibilities, their positions will remain open or they will compromise on candidate quality.”

Analysts: Cybersecurity staffing shortages negatively affect national security – Domini Clark to Stars & Stripes

Blackmere founder Domini Clark’s insights on cybersecurity staffing shortages were used for a recent article in Stars & Stripes. The article appeared here.

The nation’s colleges and universities are scrambling to add courses to prepare students to fill the huge number of cybersecurity jobs that have arisen due to exponential growth in hacking worldwide.

The extent of the problem isn’t clear; analysts say the number of job vacancies ranges from 100,000 to 350,000, with as many as 45,000 positions in California.

Ashton Mozano, a cybersecurity professor at the University of San Diego, says there are thousands of $80,000 entry-level jobs available to applicants who have nothing more than an undergraduate degree in computer science or computer engineering.

Analysts are trying to nail down the actual number of openings.

“The cybersecurity industry does not have the best track record when it comes to quantification,” said Stephen Cobb, a senior researcher in the San Diego office of ESET, a digital security company.

But the shortfall is real.

And a lot of the blame has been placed on academia for failing to train large numbers of students with targeted skills. Industry and government officials also are being criticized for failing to define their needs more clearly — a key component for helping colleges solve the labor shortage.

Academia is trying to fix the problem, especially in San Diego County, where hackers routinely assault the region’s huge military, defense and science communities, as well as the assets of consumers.

National University, the University of San Diego, San Diego State University, UC San Diego Extension and Palomar College now teach courses that weren’t available 5 to 10 years ago.

USD also closely works with Circadence Corp., a company in Kearny Mesa that specializes in the “gamification” of cybersecurity training. Students are exposed to high-resolution videos and graphics that give them a sense of what a real “hack attack” is like. They also use the immersive software to learn how to spot and prevent digital assaults.

The company is led by Mozano, who is also part of USD’s growing cyber program.

He’s trying to change the way students are taught in hopes of drawing larger numbers of people into the field quickly.

“Unfortunately, presenting technical training in an aesthetically pleasant way does not seem to be a high priority among course material developers,” Mozano said.

“Certain academic fields in mathematics and engineering are infamous for presenting material in drab, monotonic, esoteric, non-interactive manners.”

Analysts said that compounds the problem because cybersecurity already suffers from an image problem.

The field pays well, but many computer-science students would rather create new products and technologies for Apple and Google than design and operate systems that spot, resist and mitigate a widening variety of attacks.

“Computer science is sexy. Cyber isn’t,” said P.K. Agarwal, regional dean of Northeastern University’s Silicon Valley campuses, which teach cybersecurity.

“Cybersecurity can be a high-stress job where you can get fired if things go wrong, and no one pats you on the back if there were no problems overnight,” he added.

Analysts said the industry needs to jazz things up and highlight job opportunities.

“The chances are excellent for graduates of homeland security and cyber security degree programs to enter the job market directly out of college,” said Lance Larson, assistant director of the Graduate Program in Homeland Security at SDSU.

“The reality for recent graduates is that they need a degree, experience, and certification; this is really the perfect trifecta for graduates to have a powerful job seeker portfolio.

“At San Diego State University’s Graduate Program we are requiring students to intern, starting with our 2018 graduate class, to allow students to gain practical experience required for the job market.”

San Diego-based National University also is emphasizing practicality.

“One thing we do to improve students’ skills and make them more marketable is provide opportunities to work with local small businesses and nonprofits to conduct free security assessments as part of their final Capstone project,” said Chris Simpson, director of National’s Center for Cybersecurity.

“Students who gain experience from this applied learning and who have the opportunity to network within the tech community have shared with us how well-prepared they are for the job market.”

The staffing shortage is serious enough that, “The president should … train 100,000 new cybersecurity practitioners by 2020,” the Commission on Enhancing National Cybersecurity said on Dec. 1.

The shortage also means “you’ll see more things like the Tesco attack, which targeted bank accounts (in England), and a greater risk to health-care records and everyday devices like your phone,” said John Callahan, director of cybersecurity programs at the University of San Diego.

“In the digital age, this is potentially the greatest period of risk that consumers have ever faced.”

There’s special concern about ransomware, a type of malicious software that hackers can use to remotely take control of computers, including those in automobiles. In most cases, victims have paid money — from hundreds to tens of thousands of dollars — to regain control. For example, hackers carried out such an attack against Hollywood Presbyterian Medical Center in February, forcing the hospital to pay $17,000 in ransom.

The U.S. Justice Department estimates there are about 4,000 attempted ransomware attacks each day against individuals, companies and the government, and that many of them are successful.

“Based on FBI statistics, bank robbery in the U.S. is a $40 million a year problem, whereas cyber criminals using ransomware are making over $200 million per quarter,” said Cobb at ESET.

“And while a handful of bank robbers are shot dead every year, there are no reports of cyber criminals ever being killed in the commission of a crime,” he added.

The federal government and the military began to significantly ramp up their efforts to fight cyber attacks about a decade ago. Security firms and a wide range of companies did the same.

The results have been mixed.

Analysts said most cyber attacks, including some pretty sophisticated ones, are blocked or minimized. But hackers have quickly adapted to every method used to stop them, leading to damaging and embarrassing breaches amid an ongoing game of cat and mouse.

Earlier this year, hackers stole digital spying tools thought to belong to the super-secret National Security Agency. Hackers also stole data from the Democratic National Committee and Hillary Clinton’s campaign in an apparent attempt to influence the presidential election.

In late November, a hacker disabled the fare system for the San Francisco Municipal Transportation Agency, forcing it to give commuters free rides until proper operations were restored.

Experts said these kinds of intrusions underscore the need to develop a huge professional class of cyber professionals — and to market the field as a noble and dynamic domain where well-regarded, highly valued specialists defend precious assets and protect the public’s safety.

“Some people think of cyber as the I.T. guy, which is wrong,” said Callahan at the University of San Diego.

While the staffing estimates vary, analysts agree on the huge need for qualified workers in the cyber industry.

Northeastern University’s Agarwal estimates there are 100,000 of these unfilled jobs nationwide. Peninsula Press, a journalism program at Stanford University, puts the figure at 209,000. Cyber Seek, an industry-government coalition, said the number could be about 350,000 when including positions that require at least some cyber abilities.

The job descriptions range from security analysts to network engineers to software developers to risk managers. Some lower-level positions pay as much as $70,000 per year, and management positions can hit $235,000 or higher.

Experts are eager to see the applicant pool widen, and they’re looking for specific types of candidates.

“The best cybersecurity professionals think like criminals,” said Domini Clark, an Idaho-based recruiter at the recruiting company Decision Toolbox. “The joke in the industry is that superstars have an ‘evil bit’ in the code of their personalities. They know better than to have a high-profile online presence. ‘Paranoid’ is too strong a word, but they tend to be hyper-cautious and some take pride in operating in ‘stealth mode.’”

Those people tend to be coveted, so low-ball employment offers just don’t work.

“(Some) companies are doing lip service, not willing to fund the important roles that are necessary for the growing security issues,” said Kirsten Bay, chief executive of the firm Cyber adAPT in Half Moon Bay. “There is a desperate need for technologists who can speak at both the engineering and board levels, candidates who can understand technology and yet speak to the business case for security.”

Clark at Decision Toolbox agrees, noting: “About half of cybersecurity professionals are contacted by a recruiter at least once a week. If you post a standard H.R. job description of duties and requirements, it will wash out among all the other background noise … (Candidates) want to do intriguing work that is varied and unique. Let them use their devious creativity to your company’s advantage.”

Bridging the Talent Gap in Cybersecurity: Domini Clark to SC Magazine

Blackmere founder Domini Clark contributed a byline article to SC Magazine, sharing her tips on how employers should be bridging the talent gap in cybersecurity.

The article originally appeared here, and an excerpt is below.

***

Major companies are investing to increase diversity in their workforce, says recruiter Domini Clark.

The talent gap in technology came into sharp relief in 2014 when Google, Yahoo! and Apple, among other industry leaders, started releasing data on diversity among their employees. All three companies are investing in increasing diversity and they are making progress, but the problem won’t be solved overnight. As you might expect, the problem is particularly acute in cybersecurity, where the scarcity of talent is hard to over-estimate.

According to the Bureau of Labor Statistics, of the employed adult population, about 47 percent are women, 12 percent are African-American, 16 percent are Hispanic and 5.8 percent are Asian-American. In contrast, the National Cybersecurity Institute reports that women make up only about 20 percent of that profession and African-Americans, Hispanics and Asian-Americans combined make up only 12 percent.

Make your environment welcoming – If those industry giants are challenged, what can the rest of us do? A good first step is a long, hard look at your own organization. Even if there is no active discrimination, lack of diversity can make cybersecurity departments look like good ol’ boys clubs, further discouraging members of under-represented groups from pursuing careers in this space.

Leaders in the field need to make a point of integrating and welcoming women and minorities, ensuring that they are engaged, contributing members of the team. “Women at the senior level are beacons for other women,” says Elizabeth Ames, the Anita Borg Institute’s senior vice president of marketing, alliances and programs. Undoubtedly this is true for people of color as well.

Outreach and engagement – Another strategy is to promote outreach programs that engage women and minorities. According to the Wall Street Journal, big banks like J.P. Morgan Chase and Citigroup are getting results through programs targeting different groups. Some have even started “re-entry” programs to attract women who took a career break to care for dependents or others.

You might post openings on job boards of associations and magazines, like the National Black MBA Association, Ascend Pan-Asian Leaders, National Association of Professional Women, Association of Latino Professionals for America, and others. For entry-level roles, recruit from colleges and universities that have large numbers of students from underrepresented groups.

Enhance your employment brand – Members of under-represented groups can promote their own interests by getting involved with organizations like the Women in Security special interest group within ISSA, Women in Technology (WIT), Blacks in Technology (BIT), the International Consortium of Minority Cybersecurity Professionals (ICMCP), and others. Your company should also get involved in these kinds of organizations to establish a reputation for supporting diversity in cybersecurity.

According to Sharon Florentine of CIO.com, two other big issues are access to training and its cost. Even entry-level classes can cost thousands. However, organizations like Cybrary.it and SANS CyberAces are trying to fight that by offering free online courses covering the most current topics.

Women and minorities should be encouraged to explore cybersecurity at a young age. Melinda Gates, for example, recently launched a new initiative to attract and retain women in tech fields, citing a “leaky pipeline” in education as a key issue. According to her, solutions have to start at the elementary school level. If your company has an opportunity to attend career events at high schools and even middle schools, be sure to promote the field. If you can send employees who represent the target demographics, so much the better.

The demand for cybersecurity talent will continue to grow, and it is in everyone’s interest to promote growth on the supply side.

Studies are nice, but women in security say it’s time for the next step: Domini Clark to Naked Security

Blackmere founder Domini Clark weighed in on the current state of women in security and how to improve the status quo. The article originally appeared on Naked Security by Sophos here.

****

Studies are nice, but women in security say it’s time for the next step

There’s been no shortage of studies over the years about the fairness gap between men and women in security, not to mention every other industry.

Now comes one from the Center for Cyber Safety and Education and the Executive Women’s Forum showing that women make up only 11% of the cyber security workforce.

These studies are well intentioned. But according to several women in the industry who spoke with Naked Security, it’s time to move beyond the studies and focus on actually changing the culture. One of them is Magen Wu, a security consultant with Rapid7.

She said the latest survey is a great example of awareness on an issue that has been long debated in the industry. But the data reads a lot like a phishing report.

It’s good to have the numbers on who opened the email versus who clicked the link or filled out the form. But unless we do something with that information, it serves little purpose other than to generate awareness that we have a problem.

The latest study

For this latest study, the Center for Cyber Safety and Education and the Executive Women’s Forum surveyed more than 19,000 participants from around the world. It painted the following picture:

  • Women are globally underrepresented in the cybersecurity profession at 11%, much lower than the representation of women in the overall global workforce
  • Globally men are four times more likely to hold C- and executive-level positions, and nine times more likely to hold managerial positions than women.
  • 51% of women report various forms of discrimination in the cybersecurity workforce
  • Women who feel valued in the workplace have also benefited from leadership development programs in greater numbers than women who feel undervalued.
  • In 2016 women in cybersecurity earned less than men at every level.

Indeed, those statistics resonate for some of the women we interviewed. One San Francisco-based infosec professional, who asked that her name not be used because of potential repercussions at work, explained how she was encouraged to apply for a position within her company on an all-male team only to be told later that those who encouraged her didn’t really think she’d fit in. She pressed them for examples of why she wouldn’t work out and got no answer. She believes the real issue was gender.

A call to action

Those interviewed said it’s time to move beyond studies and surveys that merely illustrate an already understood problem and start focusing on some action items that’ll lead to meaningful progress.

Wu would like to see reports and articles that are more a call to action on what can be done at the individual, corporate, and community level to positively impact the numbers:

For example, do the women who are in the industry today get into it because of a mentor? If so, we should try and be more proactive about reaching out to people about mentorships or establishing mentorship programs at conferences and work. We are asking some of the right questions, but it may be time to shift focus from why there are so few women to why do the women who are here stay.

As the industry grows, so does female representation

Some say surveys like this are flawed for a variety of reasons. The questions don’t dig deep enough into the respondent’s skills or match up with the actual roles they have in their companies. It also doesn’t paint a full picture of areas where progress has been made.

Allison Miller has seen the good and bad in the industry over her career, which includes technical and leadership roles in several industries and now product strategy for Google Security. With a seat on the (ISC)2 board of directors and on selection committees for popular security industry events, she has an even broader view. She said:

As the industry overall has expanded, the representation of women has kept up and in some sectors even grown.

Domini Clark, a recruitment partner at Decision Toolbox, said she has seen the challenges over the course of steering people toward jobs in the industry. But things are improving:

There is far greater awareness than there was when I was going to school, but the tide has not shifted completely. 
Women often face other issues that men traditionally have not faced like family care and being stretched too thin on all sides personally and professionally. Culturally, I think that is changing some as well.

The way forward

Miller said she has worked across the spectrum, in “amazing, inclusive cultures” and places that were not. Women should research the culture at the places they’re looking at. They should learn all they can about the management. Above all, they should play to win.

My strategy for women in any industry is, compete and win. Really go for greatness. What we need is people who want to be here [in cybersecurity] and are really willing to work hard, set the bar higher. Only by being competitive can we get a seat at the table.

Top Strategies For Engaging Cybersecurity Talent: Domini Clark Advises Recruiting Trends

Blackmere founder Domini Clark contributed a byline article to Recruiting Trends, sharing top strategies for engaging cybersecurity talent.

The article originally appeared here, and an excerpt is below.

***

Top Strategies for Engaging Cybersecurity Talent

Lots of companies are competing for these professionals. How do you stand out amidst the noise?

When it comes to cyber-attacks on your company, it isn’t a matter of if, but of when. Cyber-attacks are on the rise. According to PwC’s Global State of Information Security Survey 2016, there were 38 percent more security incidents in 2015 than in 2014, across all industries.

It doesn’t just happen to giant corporations like Yahoo!, Sony and T-Mobile. SmallBizTrends.com estimates that 43 percent of attacks target small businesses. Large or small, it can cost you plenty. The average cost of a single data breach is $7 million — up from $5.4 million in 2013 — according to the 2016 Ponemon Cost of Data Breach Study. More than half of these costs are related to lost business due to customer churn.

Since the best approach is to prevent the hacks, attacks and breaches from occurring in the first place, cybersecurity needs to be part of your IT program. However, as you are aware, talented cybersecurity professionals are in serious short supply. They’re a bit of a unique beast, so you’ll need a recruitment approach for engaging cybersecurity talent that’s different from the ones you’re using with other positions — even other IT positions.

A Breed Apart

The best cybersecurity professionals think like the criminals they oppose. That enables them to anticipate what hackers might try, and to identify weak points in system defenses. The joke in the industry is that superstars have an “evil bit” (as in bits and bytes) in the code of their personalities. With this mind-set, they won’t have a high-profile online presence. “Paranoid” is too strong a word, but they tend to be hyper-cautious, and some take pride in operating under the radar.

You likely won’t find their résumé on CareerBuilder or LinkedIn, so you’ll need to leverage your best networking skills and hardcore power-searching techniques. If your quarries think like a criminal, you have to think like Sherlock Holmes to track them down. Don’t email them a link to apply as they won’t click on a link from an unknown source (and neither should you). Send them a PDF with instructions for connecting with you.

It’s Not a Posting, It’s a Pitch

The demand for these professionals means they’re constantly hearing from recruiters. InformationWeek’s DarkReading.com cites new research by Enterprise Strategy Group and the Information Systems Security Association indicating that about half of cybersecurity professionals are contacted by a recruiter at least once a week. If you post a standard HR job description of duties and requirements, it will wash out among all the other background noise.

In today’s market you have to court talent, and that is especially true of cybersecurity professionals. Don’t think of it as a job posting, think of it as a sales pitch. Resist the ingrained habit of listing what your company needs, and focus instead on what will engage the interest of your target audience.

Appeal to the Hot Buttons

In general, cybersecurity professionals want to:

* Take on intriguing work that is varied and unique. Let them use their devious creativity to your company’s advantage.

* Try new tools and techniques to keep up with the ever-evolving threat landscape. If you’ve got the coolest technology, your pitch should highlight that.

* Do more than just scratch the surface — offer them opportunities not only to look under the hood, but also to take some deep dives into your systems and code.

* Have the option to work remotely. Your organization may cling to traditional models, but if virtual options give you an edge in the talent war, then it’s time to loosen up.

* Feel appreciated and valued for their contributions — just like other employees in your company. If you don’t have a proactive recognition and rewards program in place, now’s the time.

Keep Your Social-Media Buzz Fresh

This is good general recruiting advice, but definitely important for this group. The content doesn’t have to be about job openings (although you should push those out, too). Instead, think of social media as digital pheromones that make your company attractive. Blogs and tweets help establish your company as a thought leader, enhancing your brand. They also increase the likelihood that hard-to-find candidates will stumble across your company.

Share great insights and ideas your team has, and be sure some of your efforts target the cybersecurity community — it’s not ALL underground. Join cybersecurity forums and discussion groups, for example. Encourage your existing cybersecurity talent and ranking IT leaders to write blog posts and white papers on the topic. Spray those pheromones where they’ll get the best results.

Hang Loose

There are definite qualities to look for in cybersecurity candidates, but you can’t run an effective search if you focus only on screening people out. The pool’s just too small. It may be hard to convince hiring managers to loosen up, but you can point out that, given that security threats are constantly evolving, a degree probably isn’t as important as current experience. Or consider recruiting recent graduates by offering the opportunity to gain valuable hands-on experience. Another tactic: Instead of asking for five to seven years of experience, ask for three to five and highlight the opportunity for career growth.

You can try retraining existing IT staff, but keep in mind that success in cybersecurity takes a certain mind-set. Ideally, you have a system administrator who can channel her inner hacker and ask, “What would I do if I wanted to get past our own security measures?”

Hopefully you weren’t expecting fast and easy tips for engaging cybersecurity talent. You’ll have to invest time and money, but you can think of it as insurance against multimillion-dollar losses.

Looking to Attract Cybersecurity Talent? Enhance Your Covert Ops. Domini Clark to The Staffing Stream

Blackmere founder and cybersecurity recruiting expert Domini Clark shared her tips on how to attract cybersecurity talent in a recent article in The Staffing Stream.

Excerpt from the article:

Cyber-attacks are on the rise, with a 38% jump in security incidents from 2014 to 2015. Companies in all industries are vulnerable, regardless of size – some 43% of attacks target small business. Attacks can cost into the millions for a single data breach, and more than half of these costs are related to lost business due to customer churn.

Since the best approach is prevention, it’s clear that cybersecurity needs to be part of your IT program. Finding the right talent is not so clear. Cybersecurity professionals are a unique group, so you’ll need a recruitment approach that is different from what you’re using with other positions.

A Unique Profile

The best in the trade think like the criminals they oppose, enabling them to anticipate hacker tactics and identify chinks in a system’s armor. Insiders joke that superstars have an “evil bit” (as in bits and bytes) in the code of their personalities. “Paranoid” is too strong a word, but they tend to be hyper-cautious, and some take pride in operating under the radar.

Very few post résumés, so you’ll need to leverage your best networking skills and hardcore power searching techniques. Be creative, Sherlock. But don’t email a link — they don’t click on links from unknown sources. Send a PDF with instructions for connecting with you.

Sell, Sell, Sell

Some estimate that half of cybersecurity professionals get a recruitment call at least once a week. If you reach out with a standard list of duties and requirements, your message will wash out among all the other background noise. You have to court talent in all areas, especially with hard-to-fill roles. Don’t think of it as a job posting, think of it as a sales pitch. Instead of focusing on what your company needs, lead with the selling points that will engage your target audience.

In general, cybersecurity professionals want the opportunity to:

  • Take on intriguing work that is varied and unique.
  • Try new tools and techniques to keep up with the ever-evolving threat landscape.
  • Do more than just scratch the surface, including taking some deep dives into systems and code.
  • Work remotely, even if only two or three days a week.
  • Receive recognition and rewards, like the rest of us.

Apply Social Media Liberally

The content doesn’t have to be about job openings. Think of social media as digital pheromones that make your company attractive. Have team members in all disciplines share their ideas and insights. Blogs and tweets help establish your company as a thought leader, enhancing your brand.

But be sure to target the cybersecurity community specifically, including forums and discussion groups. Encourage your existing cybersecurity and IT talent to write blog posts and white papers on the topic. Spray those pheromones where they’ll get the best results.

Stay Loose

With a pool this small, you can’t run an effective search if you focus only on screening people out. Loosen the requirements. For example, since security threats are constantly evolving, a degree probably isn’t as important as current experience. Another tactic: Instead of asking for five to seven years of experience, ask for three to five and highlight the opportunity for career growth.

Hopefully you weren’t expecting fast and easy tips for recruiting cybersecurity talent. You’ll have to invest time and money, but you can think of it as insurance against multi-million dollar losses.

Hacked Again…It can happen to anyone, even a cybersecurity expert

By Guest Blogger Scott Schober

Hacked Again is the true story of my showdown with a daunting cyber-attack on my small company Berkeley Varitronics Systems, Inc. As a small business owner and security expert, I was naive in thinking I was immune to a cyber hack. After all, I regularly presented at security events, wrote on the subject frequently and taught others how to steer clear of online attacks and avoid cyber breaches.

The only thing that hit me quicker than the irony of a hacked cybersecurity expert was the ugly truth that no one is completely safe from cyber hackers, especially when hackers have their sights set on you. My company suffered multiple credit and debit card compromises including $65,000 stolen from our checking account. In addition to monetary theft, my Twitter account was also hijacked, and my company’s website security was “tested” by unknown cyber assailants. We even suffered repeated DDoS attacks that crippled our online store from selling our wireless security tools. A DDoS attack (Distributed Denial of Service) prevents legitimate users of your website from accessing it due to a flood of IP requests to the point of server shutdown. You might recall that recently DYN (a large domain name server for Twitter, NetFlix, LinkedIn) suffered a huge and devastating attack. I discuss details of this DDoS and the future of such attacks in one of my latest blogs entitled ‘IoT: the 21st Century Trojan Horse’ https://www.secureworldexpo.com/industry-news/iot-the-21st-century-trojan-horse

It’s been some time since I was hacked, but the ordeal is still a painful memory. I have learned valuable lessons on how to better protect my company and myself from hackers. My first instinct was to flee and hide the fact that my own company was hacked. But as I gained the courage to share my story, I learned that I was not alone. My company designs wireless threat detection tools used by cyber threat intelligence groups throughout government agencies so I can confidently share important security tips regarding wireless vulnerabilities that are often overlooked. I also delve into how to protect yourself from identity theft, malware and spam, and explain why it’s so dangerous to post too much personal information on social media as well as the importance of strong passwords which can never be overstated.

Here are a few key tips that will keep you safe from cyber hackers. I go into further depth in my book entitled Hacked Again.

  • Be careful whom you share your Wi-Fi password with. If you have not set up a guest network and have shared your password, change it to a stronger one immediately after they log out.
  • Never click on any attachment or link in an e-mail that you did not expect to receive no matter how legitimate it might look. This is a phishing attack and happens to millions of users every day.
  • Make frequent backups. This prevents loss of precious data and is especially effective against ransomware threats.
  • Think before you put out personal information on any social media site or you might end up being a victim of identity theft.
  • Do not click on the bottom of spam e-mails asking to be “unsubscribed”. You will likely receive more spam because they now know you are a real person using that email address. This increases the value of any email address substantially to thieves on the Dark Web.
  • Create passwords that are long, strong, and unique.
  • It’s critical to have a password that is not easy to discover. Don’t use personal information in any of your passwords. Make sure that you don’t use the same password across multiple accounts.
  • It only takes one corrupt employee within an organization for a successful cyber crime to occur. Report all suspicious activity to your employer. Insider threats are dangerous to everyone within any organization.
  • Make sure you check your credit card statements regularly.
  • Never post your actual birth date on social media and do not use your actual birth date to answer security questions.

For more of my story, you can get a copy of my book “Hacked Again” available at www.hackedagain.com

Scott Schober @ScottBVS

CEO | Author | Speaker | Cyber Security & Wireless Expert at Scott Schober LLC

Scott has presented extensively on cybersecurity and corporate espionage at conferences around the globe. He has recently overseen the development of several cell phone detection tools used to enforce a “no cell phone policy” in correctional, law enforcement, and secured government facilities. He is regularly interviewed for leading national publications and major network television stations including Fox, Bloomberg, Good Morning America, CNN, CCTV, CNBC, MSNBC and more. He is the author of “Hacked Again”, his latest book, as well as a contributor for Huffington Post, and he guest blogs regularly for Tripwire’s State of Security series. Scott also writes for Business Value Exchange, Fortune Magazine, SecureWorld, and IBM Big Data & Analytics Hub.

For more details and definitions on unfamiliar terms please visit my cyber security dictionary:  www.cybersecuritydictionary.com

 

Fight against hackers hurt by huge shortage of cyber workers: Domini Clark to San Diego Union-Tribune

InfoSec Connect founder and cybersecurity recruiting expert Domini Clark weighed in on a recent San Diego Union-Tribune article about how the shortage of cyber workers is hurting the fight against hackers.

Excerpt from the article:

At the very moment hacking is expanding exponentially, analysts said, there are hundreds of thousands of cybersecurity jobs left unfilled in the U.S. The extent of this problem is the subject of debate; the estimated tally of vacancies ranges from 100,000 to 350,000, with as many as 45,000 in California.

While the staffing estimates vary, analysts agree on the huge need for qualified workers in the cyber industry.

Northeastern University’s Agarwal estimates there are 100,000 of these unfilled jobs nationwide. Peninsula Press, a journalism program at Stanford University, puts the figure at 209,000. Cyber Seek, an industry-government coalition, said the number could be about 350,000 when including positions that require at least some cyber abilities.

The job descriptions range from security analysts to network engineers to software developers to risk managers. Some lower-level positions pay as much as $70,000 per year, and management positions can hit $235,000 or higher.

Experts are eager to see the applicant pool widen, and they’re looking for specific types of candidates.

“The best cybersecurity professionals think like criminals,” said Domini Clark, an Idaho-based recruiter at the recruiting company Decision Toolbox. “The joke in the industry is that superstars have an ‘evil bit’ in the code of their personalities. They know better than to have a high-profile online presence. ‘Paranoid’ is too strong a word, but they tend to be hyper-cautious and some take pride in operating in ‘stealth mode.’”

Those people tend to be coveted, so low-ball employment offers just don’t work.

“(Some) companies are doing lip service, not willing to fund the important roles that are necessary for the growing security issues,” said Kirsten Bay, chief executive of the firm Cyber adAPT in Half Moon Bay.  “There is a desperate need for technologists who can speak at both the engineering and board levels, candidates who can understand technology and yet speak to the business case for security.”

Clark at Decision Toolbox agrees, noting: “About half of cybersecurity professionals are contacted by a recruiter at least once a week. If you post a standard H.R. job description of duties and requirements, it will wash out among all the other background noise … (Candidates) want to do intriguing work that is varied and unique. Let them use their devious creativity to your company’s advantage.”

Read the full article here.

Domini Clark of Blackmere Consulting accepted into Forbes Human Resources Council

Forbes Human Resources Council is an Invitation-Only Community for HR Executives Across All Industries

Domini Clark, Founder and CEO, Blackmere Consulting, an executive search firm specializing in the cybersecurity industry, has been accepted into Forbes Human Resources Council, an invitation-only community for HR executives across all industries.

Clark was vetted and selected by a review committee based on the depth and diversity of her experience. Criteria for acceptance include a track record of successfully impacting business growth metrics, as well as personal and professional achievements and honors.

“We are honored to welcome Domini Clark into the community,” said Scott Gerber, founder of Forbes Councils, the collective that includes Forbes Human Resources Council. “Our mission with Forbes Councils is to bring together proven leaders from every industry, creating a curated, social capital-driven network that helps every member grow professionally and make an even greater impact on the business world.”

As an accepted member of the Council, Domini has access to a variety of exclusive opportunities designed to help her reach peak professional influence. She will connect and collaborate with other respected local leaders in a private forum. Domini will also be invited to work with a professional editorial team to share her expert insights in original business articles on Forbes.com, and to contribute to published Q&A panels alongside other experts.

Finally, Clark will benefit from exclusive access to vetted business service partners, membership-branded marketing collateral, and the high-touch support of the Forbes Councils member concierge team.

“I am honored to be invited into this community of professionals. The foundation of my business is based on meaningful relationships, mutual respect and trust.  The basis of the Forbes Human Resources Council is a logical fit for my organization and for my continuing leadership development,” said Domini Clark.

ABOUT FORBES COUNCILS

Forbes Councils is a collective of invitation-only communities created in partnership with Forbes and the expert community builders who founded Young Entrepreneur Council (YEC). In Forbes Councils, exceptional business owners and leaders come together with the people and resources that can help them thrive. The

For more information about Forbes Human Resources Council, visit forbeshrcouncil.com. To learn more about Forbes Councils, visit forbescouncils.com.

ABOUT BLACKMERE CONSULTING

Blackmere Consulting is a Technical and Executive Recruiting firm dedicated to Cybersecurity and Information Technology.  From Fortune 100 companies to emerging growth organizations, our focus is to pair talented professionals with companies who value them.

For more information about Blackmere Consulting, visit blackmereconsulting.com.