Tips for Hiring Security and Disaster Recovery Professionals
By Leo A. Wrobel and Sharon M. Wrobel
Would anyone care to venture a guess as to what two of the most popular topics of interest are for NaSPA members? While we have not run a scientific study (yet), two topics come up again and again in our interactions with the membership. The first one is recruiting as it applies to the job market. No surprise there, given the state of the present economy. The second one, however, is Disaster Recovery. And no, the two are not necessarily interrelated even though the economy is arguably a disaster. All kidding aside, it occurred to us that if Disaster Recovery, Security and Recruitment were all of interest that perhaps we should try to combine them into an article, perhaps even two of them. Whether you are employed with an enterprise that is actively seeking to recruit a disaster recovery or security professional, or whether you are presently in the job market and considering such a position yourself, we think you will find some interesting tips in this article.
Enter Jeff Snyder, President of Colorado-based SecurityRecruiter.com (http://www.securityrecruiter.com). Jeff has probably forgotten more about this topic than Sharon and I know put together. Among other things, Jeff has the largest single group of Security professionals on LinkedIn (http://www.linkedin.com/in/securityrecruiter) with 10.3 million people tied to him in one way or the other. That's how we found him and we think you will find his insights to be of interest and value. Sharon interviewed Jeff in April and here are some of the ideas he conveyed to us and what their implications are in both the Disaster Recovery and recruitment markets.
Jeff began his IT recruiting career back in 1990. From 1995-1996, he was involved with Information Security along with Business Continuity and Disaster Recovery. In 2001, the focus changed to include Audit and Regulatory Compliance. Jeff made that adjustment which, without saying so, underscores a common theme in both Disaster Recovery and recruitment – the ability to adapt to changing markets, requirements and conditions. Another item, for which there is no substitute, is good communications skills. To quote Jeff directly:
"The most important skill, and I can't emphasize this enough, is communication, both verbal and written. This includes how well a resume is written in addition to presentation skills. Understanding the business that a person is working in and what drives that business would be the next most important."
Recognizing we had a unique opportunity to widen our horizons, Sharon queried Jeff further on what other attributes are desirable among security candidates. Jeff ticked them off one by one. Take them for what they are worth when you begin your search. In no particular order of importance, other attributes that Jeff looks for, or would look for in a job candidate would include:
We went on and asked Jeff how important a certification was, such as a CBRP, etc. Again we got a somewhat unexpected answer. Jeff stated that while certifications are definitely nice to have (and are required by many companies), they don't necessarily mean much if there isn't a basic competency level. For example, a technician who has the appropriate certifications but can't articulate or demonstrate its use in any project that he or she has worked on probably isn't going to be a good candidate for the position he or she is seeking. Again the emphasis is on communications and the ability to convey and project how smart you are, not just show a sheep skin to someone.
So what kinds of backgrounds lend themselves best to this kind of position? Clearly there are many NaSPA members with the backgrounds and intellects that could allow them to make the switch, perhaps from mainframe programmer to security professional. How should one package oneself if they wish to do this? Jeff emphasized a candidate's ability to look at the big picture beyond their normal scope of expertise. Stated another way: What skills does this candidate possess that can fundamentally drive a business, and how can this person make money for the company? This requires an outlook that goes beyond the typical technical skills and demonstrates a clear differentiation between a big picture candidate and one that lacks such expertise. Leo added that this is particularly important since some companies consider disaster recovery and security a "dead" expense with no return to the company. A security professional who can show ways to pay for himself or herself will obviously be highly valued.
Leo asked if Jeff typically recruits from the military and was surprised when he stated that he generally does not. When pressed for a reason why, Jeff stated that military personnel aren't normally considered because they are programmed to do their a job a certain way. While the military mentality obviously helps in some positions, and the training received in the military can be great, Jeff believes security is not one of those positions. He added that most businesses would wait until an applicant is out of the military and working on the outside for a few years at a corporate security position before recruiting them. And even Leo (ex Air Force) tended to agree. While he uses contingency planning skills that he learned in the military some 30 years ago even to this day, he reluctantly admitted that he was only able to put them into commercial use after many years in the commercial sector. This does not mean the training and skills are not adaptable to the commercial sector, only that it takes some time to find the "fit" and to develop further as an analytical employee in a commercial rather than military enterprise.
While on the subject of placements, Sharon asked Jeff what he considered to be his most successful security employee placements. She got the following reply.
"Let's see, without naming names, I can give you a couple of examples. I placed a CISO into a top 15 bank as well as a CISO into an integrated health care organization. I am in the process of placing a Global CSO for a retail/hospitality company."
And what advice can Jeff give to people recruiting in the security and or disaster recovery professions? Again it seems that it is all about business acumen and the ability to see beyond the technical position and into the enterprise level:
"People need to understand how technical work fits into the bigger picture. The role of a technical person is one of understanding why they are there and learning how to secure systems without impeding the progress of the organization. This person has to build security in a transparent way. "
Leo again echoed these sentiments and emphasized the fact that operating and security standards become counterproductive if they stifle the productivity of the organization. Whatever standards and safeguards are developed, they must coexist with the mission of the organization and not hamper its execution. If operating and security standards make it difficult for the core business to deliver its product or service, then these services were not thoughtfully written and should be re-evaluated. A good employee or consultant can strike the delicate balance between productivity and system protection.
Sharon pressed Jeff on what advice he could give to people looking for jobs in the security profession. Obviously, the resume is important. In this area Jeff also imparts a few tips, and restates a familiar theme:
"In building a resume, the candidate needs to come up with examples of how to help the company make or save money. He or she needs to know what value they are adding to the company. They have to walk a fine line between technical expertise and measurable quantifiable business results. Most technical candidates will usually stop with the technical task instead of elaborating on their other accomplishments."
Which are the hottest industries insofar as needing security professionals?
According to Mr. Snyder, it is any industry that is driven by regulatory compliance. This would include such enterprises as hospitals, government, and financial institutions. These are the industries that have to comply with Gramm Leach Bliley, HIPAA, etc. In addition, just about every public company of any size has to comply with Sarbanes-Oxley. These industries don't have a choice but to be in compliance or their executives could go to jail. That's a pretty good motivator and a chief reason why people hire security professionals.
Getting back to the resume, we asked what companies look for on a resume and specifically, what should people NOT do? Again, Snyder emphasizes communications skills and business acumen.
"What I look for beyond strong written communication skills is progression tempered with stability. There should be a balance between business and technical skills. Too many job changes are bad, but also someone that has been in the same job without any progression is equally bad. I look for someone who has carefully calculated their career move as opposed to someone who has made a lot of job changes. What one shouldn't do is make lists of all the certifications one has unless they can be quantifiably and measurably backed up. In other words, as I stated earlier, don't just make a list of tasks that you have done, emphasize what you've accomplished. Show a clear link with the completion of those tasks to precisely how they benefited your employer."
When asked for some closing advice for people who are looking to fill security positions or for employment in the disaster recovery profession, Jeff emphasized finding the right fit.
"A lot of businesses do a horrible job at placing the right person in the right job. They may see a string of certifications, a personable applicant, yet don't have the insight to look beyond all that and see what that applicant really brings to the table. I am partnered with a firm called Profiles International http://www.profilesinternational.com that offers assessment tools that would eliminate the guesswork. Getting the best job fit is the bottom line for retaining and developing top notch employees while saving the business costly hiring errors. "
Leo underscored the importance of investing a few dollars in a personality profile test before making a critical hiring decision with a personal story.
"I took one of these tests myself a few years ago, and it was uncanny how accurate it really was. Mine said basically that under normal circumstances I was a rally-the-team, inspirational person that people felt good about following. Before my ego went off the chart, however, they told me how I manage when under pressure. In pressure situations I turn into a cross between Saddam Hussein, Hitler and the Ayatollah. My profile goes off-the-chart dominant!"
Sharon Wrobel agreed, in fact she did so a little bit too quickly for Leo's liking. Leo went on, however, with what the testing company told him about his profile:
"The testing people said that what I had was a classic executive profile, easy to follow and inspirational normally, but dominant and willing to take any bull by the horns under adverse circumstances. Although I took this test 20 years ago, those characteristics have not changed. The important lesson here is not where you fall when you take one of these tests, but that your potential employers knows where you fall in order to be sure you match the position. This will enable the employer to make sure he or she is hiring a keeper and someone that will be happy and fulfilled in their work. I can't agree more with Jeff on knowing what kind of person you are hiring, in advance."
We hope you enjoyed Jeff's insights this month in an article that is a little bit different but pointed to the needs of the NaSPA membership both from a security perspective and in recognition of the challenging job and hiring market that all of us face. If one or two of the tips in this article help you make a good hire, or help you find the right position, we think this was time well spent. Jeff welcomes your questions at email@example.com or visit his web site at http://www.securityrecruiter.com. You can also look for Jeff on http://www.linkedin.com/in/securityrecruiter. Send him an invitation to connect and become acquainted yourself with a new and interesting resource and avenue for your hiring and career questions. Until next month, good luck and happy planning!
About the Authors
Leo A. Wrobel has over 30 years of experience with a host of firms engaged in banking, manufacturing, telecommunications services and government. An active author and technical futurist, he has published ten books and over 400 trade articles on a wide variety of technical subjects. Leo served ten years as an elected Mayor and City Councilman (but says he is "better now"). A sought-after speaker, he has lectured throughout the United States and overseas and has appeared on several television news programs. Leo is presently CEO of Dallas-based TelLAWCom Labs Inc, and b4Ci. Inc. See http://www.b4Ci.com call (214) 888-1300 or email firstname.lastname@example.org.
Sharon M. (Ford) Wrobel served as Corporate Secretary and Director of Personnel for Premiere Network Services Inc. prior to joining b4Ci in 2004. During that time Sharon was instrumental in getting Premiere certified as the first CLEC to be certified in all 50 states by aiding in filings and when called upon, attending hearings. Sharon also engaged in extensive research for Premiere, a function she continues with b4Ci as Vice President of Business Development. In addition to her duties at b4Ci, Sharon was also President of the Ellis County Early Childhood PTA and the Ovilla Lions Club. Sharon attended the University of Maryland and El Centro College in Dallas and received training as a registered nurse before joining Leo in the businesses in the late 1990's. Sharon also served as a public official by accepting appointments to the Planning and Zoning Commission, and Historical Commission.