What if I told you I installed 6 AC units in my house, all of them independently controlled by 6 different Nest thermostats? What if I told you I had customized the software in each Nest to run efficiently and effectively in each zone specific to my environment? I also had added security systems, and cameras, and thermal detectors to make sure they were not tampered with and had fine-tuned those systems to work in conjunction with my Nest... then I added a server that would collect all the data and provide daily reports giving me updates and visibility and data that I could use to improve and fine-tune my systems.... at some point I hope you would stop me and ask a question: "Why?" Why did you want 6 AC units in your home? What problems were you trying to solve, what was the reason you needed the monitoring tools and reporting, etc.? AND... what was the result? What was the outcome, did you need all of this? Did it improve your life and/or solve your problem?
In a technical role, sometimes we get caught up in the tools, processes, and problems and forget to consider outcomes. Let's apply this to an interview... If we are meeting with the CIO, talking about tools, software, and problems very specific to our job is required and just fine. We need to think about what (from the CIO's point of view) would be important to know and what problems they are trying to solve. Many times that involves technical solutions, people solutions, or process solutions. However, when you are interviewing with the CEO, those concerns could be much different. Most CEOs will be focused on business outcomes: what was the impact of your actions on the business? The more metrics you can provide to support your position, the better. For example: I outsourced our level 1 and 2 incident response teams... this led to a 30% reduction in overhead cost while at the same time improved our response time by 14 hours. The business impact has been quicker security response at less cost. OR... I implemented a DevOps program within the company. This resulted in security partnering with the software development teams very early in the development lifecycle - this resulted in 80% fewer errors found during code reviews and increased the speed of application delivery to our customer on average by 3 weeks. The business results were... our customers received the new applications faster - increasing sales by over 15%. This is a powerful answer because it ties your people, process, and technology solutions to business outcomes that most C-level professionals really care about. I challenge you (if you haven't already) to go back and tie your skills and achievements to outcomes for the business. This will up your stock in the interview and show that you understand how security can enhance and even enable the business.
One great way to do this is to include a summary paragraph at the top of your resume that highlights one of these accomplishments, use metrics to show the impact on the business and make sure to include the end result or impact on the business (the result of your actions).
The example in the first paragraph is mostly what I hear during my qualifying conversations with security professionals. They give me a laundry list of tools, skills, experiences, but never tie any of those to business outcomes (or what I like to call the "So What?" part). So what does all of that mean to me if I own the business? Why do I need 6 AC units, 6 Nest thermostats, and all that other stuff? Did I really need all that stuff? What was the outcome? Higher electric bills, expensive capital equipment, and lost time and money? Or... more efficient cooling, tamper-proof cooling and heating systems, and data that supports we are saving money over the old inefficient 3 AC units we had previously?
Al Lerberg is President and Owner of Cyber Security Recruiters - he has over a decade of recruiting experience and is part of the MRI Network (named by Forbes as one of America's BEST executive search firms)
From time to time, I get asked "hey Al, where is the market going, what should I transition into, what is changing in the world of information security?" Over the years, this thing we call infosec has changed so rapidly, my answer would be different depending upon what day you called me. However, recently I have seen a definite trend in the types of positions we have been working on and the skill sets that are in demand. There has been a disruption in the force, and it will change how you and the companies you work for collect and use data. It will improve lives, perhaps save some, and make the world around us safer (we hope) but definitely smarter. By now you probably know I am talking about IoT or the Internet of Things. Think NEST thermostat if you are not sure what that means. Devices that are connected to a network sharing data, and information with you, other devices, or if you are a pessimist/realist, bad guys.
Being that I am both a realist and an optimist, I am pretty excited about the potential of this new technology. Other than owning the NEST, my first exposure to this was while walking through the aisle at Walmart and noticing a Wi-Fi connected Crock-Pot on display over Christmas. At first I laughed (thinking about a hacker taking control of my cooking device and ruining my chicken tortilla soup struck me as funny at the time) but then I started to think.... how awesome is that! I can turn down my soup 1 hour before leaving home for work, who would have thunk of that! Then the little devil that sits on my shoulder reminded me that a bad guy could (in theory) take over my cooking device and potentially start a fire and burn down my house (not good!)
Obviously, I am not the only person on the planet that realizes there is a big potential for security concerns and potential abuse. Look no further than the recent car hacking stories to realize how serious the threat is from people with bad intentions. And honestly, that is just the tip of the iceberg when you consider the data that is being and will be collected and potentially used for nefarious purposes. How about a bad guy hacking an insulin pump, or a pacemaker for example? Stuff that will make Matthew Broderick's little WarGames stunt look like 1980s fiction (wait...never mind).
IoT is here to stay, and all of that stuff needs to be collected, stored, and transmitted in a safe way. The threat landscape is ever expanding and ever increasing. To meet that challenge we will need talented, smart, and creative security professionals to think outside the box and find new solutions to both new and old problems. There is no doubt in my mind IoT is going to offer security professionals incredible opportunities for both career advancement as well as interesting and rewarding work for many years to come. If you haven't already considered honing your skills in the areas of cloud security, embedded systems, forensics, and threat detection, I suggest you start. Those skills will be in high demand as long as more and more devices become connected, and that spells opportunity for you!
Many of you may not know this about me, but I have interviewed many times in my life, from telecom jobs to sitting in front of an Air Force pilot board. I have been involved in many, many interviews. It's funny how little I knew at the time about how to interview, what questions to ask, and what to look for in an organization during an interview. Sometimes gut instinct worked, but most of the time, being prepared ahead of my interview made the biggest difference. Let me share some stories with you to highlight some best practices.
During one interview earlier in my career, I walked into the office (was actually being shown around by the Director) and I immediately felt tension and stress. The office staff was not friendly, and everyone kind of just ignored my presence. This should have been a major RED FLAG. However, I have always been someone who learns by hitting my head and then saying "I shouldn't have done that", so I hit my head... and learned an important life lesson. If it doesn't feel right, it probably isn't.
During another interview I met with this fantastic older gentleman (okay, he was probably in his fifties, but at that time, he was old) so I was getting excited about the opportunity. The next interview I was supposed to meet with him again, however this time he didn't show. Another person conducted the interview who seemed annoyed I was even there. When I asked about him she said "he has decided to pursue another opportunity". I responded "so he was let go". She fired back with an annoying tone "here at XYZ company we say, he is looking at other opportunities". Interview over! I had no desire to work for someone who can't be honest with me at our first meeting. Lesson learned!
Oh boy, it's a little embarrassing to share this one with you, but here goes... I was thrilled to be having my second interview with a big name in the pharma industry. My first interview went really well, so I thought I had the inside track. I still remember sitting outside the interview room in a large open room filled with lounge chairs, I was the only person around. The door flung open and the female Director was laughing and smiling with the candidate. They were referring to each other by first names and obviously had known each other for some time based upon the conversation. I was still dumb and naive at the time (my wife would argue I still am) so I didn't realize I had ZERO chance of getting this job. The Director put on a good show, asked me a bunch of questions, but kept it short. Now the embarrassing part, I ended up running into the Director again down in the lobby by the front desk, she was asking about getting a cab. I volunteered to drive her to the airport hoping she would get to know me better and be impressed. I should have taken the hint when she politely said no, I insisted several times and ended up driving her to the airport and having an uncomfortable and awkward conversation. Bottom line, I didn't get the offer. Should have known better, and let her grab that cab.
Okay... I actually have many more stories but where am I going with all of this? If you are interviewing, be prepared to ask good questions. You should have your radar on and be aware of the environment: is it open and friendly, or like my first example stressful and tense? Next, always be prepared with some questions about the hiring manager's priorities and urgency to hire. Are they just testing the waters or are they serious about getting someone onboard ASAP? If you can, try to talk with someone who works in that department: are they happy there? Do they feel challenged? Do they enjoy the work? Also, if you are comfortable, ask them for a little tour of the office, you will be surprised how much you can learn about a company by just doing a little walk around. Does the hiring manager introduce you to people, or just ignore his/her employees? How other employees react to that manager can also provide you with some insight.
Your goal should be to learn as much as you can, while also putting your best foot forward. Be curious (like George) and get the hiring manager to open up with more information about what problems they are trying to solve, then apply your background and experience to let them know that you have solved similar problems in the past. It's not good enough that you have the technical skills and understand how to run certain tools. What they want to know is.... do you understand how that impacts the business, can you articulate those facts, have you configured the tool to run better, produce different results, used your technical skills to improve upon something, do you go the extra mile, or just far enough?
Last, make sure the business is a good fit for you... Be mindful of the work environment, pay attention to how the HM interacts with other employees and remember... A great boss will challenge and support you. Bad bosses don't (I actually had a boss call our group bottom feeders once). Great bosses lift others up and don't self-promote. Leaders lead by example, not with rah-rah speeches (although Herb Brooks' Miracle speech was fantastic!) Great leaders inspire by helping, encouraging, listening and acting. Look for those qualities in your future boss, it can be the difference between your future success or failure.
Are you engaged?
No, I am not asking if you are getting married… I am asking if you are working with an engaged recruiter…. If not, it might explain why you are not getting better results. Please let me elaborate!
You decided to look for a new opportunity, you met a nice recruiter who said she/he had the perfect position, you listened to the job description and it sounded good. They submitted your info that same day, with curious anticipation you wait for that next call, one day, two, then a week goes by and nothing. A few more days, and WHAT THE HELL? Why aren’t they calling you back? Sound familiar? It happens all too often and let me explain why. One of two things has occurred. One is that the recruiter has not heard back from the hiring manager/talent acquisition person. Two, they heard that you were not a fit, and moved on to finding another person but didn’t take the time to let you know, after all speed is what matters!
This is very typical in a contingent search scenario. Contingent simply means the recruiter will only be paid a fee, if you get placed (hired) at that company, otherwise it’s zippo for said recruiter if you don’t get picked. That relationship structure rewards speed and volume, not quality and relationships. It’s designed to entice the recruiter into submitting anyone and everyone that walks, talks, or has a key word that resembles what is on the job order. Companies like this arrangement because they feel like they will get more candidates faster by having this type of arrangement with their recruiting vendors. They falsely think the competition with other recruiters will force them to dig deeper, work harder faster to make that placement.
Reality, however, is a whole different ballgame. Let me explain… In the scenario above, the hard working professional is not getting called back because the recruiter is only compensated for the people or person the client selects. Therefore, there is little incentive to follow up other than as a professional courtesy. Also, there is no urgency for the client to respond, they are getting many resumes to sort through, most of them not on target, so it will take time for them to provide the requested feedback. Plus, at this point they (the client company) have little to no skin in the game, they have very little incentive to get back to the recruiter, also they are waiting for all those “A” players the recruiters over-promised them to arrive in their inboxes.
A scenario that can be frustrating for all parties! So the recruiter continues to do key word searches on resumes, and the client gets frustrated wondering why all the “A” players they were promised aren’t materializing. Meanwhile, 10 different recruiting firms are banging through as many people as possible, with different recruiting messages, often to the same professionals, who eventually start to recognize this is the same position that everyone has been calling them about, and start to wonder what the heck is wrong with both the company and the position that so many recruiters are working on it. Meanwhile, this is doing real damage to the client’s brand, which in a small or tight niche, can be a killer. Finally, exhausted and frustrated, the recruiter quickly shifts their focus to the next hot job order that just came in, and soon forgets about this search. Sound familiar?
There is a better way! It’s called Engaged Search (my term). The difference with engaged search vs contingent search is that the recruiter and the company have a vested interest in filling the opening. The recruiter will have primary responsibility in filling the position, and is a partner with the client company in filling the role, not just another vendor. The client receives weekly reports updating the status of the search, and the candidates get treated like professionals with timely feedback, interviewing information, and assistance throughout the hiring process. Engaged Search stresses quality vs quantity, with the focus on the client’s and candidate’s brand in the marketplace as well as working as partners. Since going to this model, we have filled all five positions we have been entrusted with, and are working on a sixth. Feedback from the professionals we have worked with has been terrific, good fit or not, they appreciate hearing feedback so they can make an informed decision moving forward.
Make sure to take a minute and ask your recruiter how they are working the search, what is their relationship with the client firm, and how your brand will be handled. Some contingent searches are better than others, so feel comfortable asking “what is your relationship with your client”. This should give you some idea how the process will be handled. Then, make an informed decision on whether it makes sense to be represented by that firm. Remember, your brand is you. You are a corporation of one that is either highly valued, or shopped around. Hope this information helps you make informed decisions.
Cyber Security Recruiters
Okay... believe it or not I have other interests outside of recruiting. One of my passions has always been Home Theater. I was an early adopter when surround sound first came along, I had a patchwork of speakers from this brand and that, as well as a really nice Sony ES receiver that I picked up from AAFES. I loved it, and have been upgrading gear ever since. In fact, I have probably owned every brand of home theater receiver at least once including Sony, Pioneer, Yamaha, Denon, and Onkyo. I also am the proud owner of a Toshiba HD-DVD player, before Blu-ray stole the show (I still think HD-DVD was a better format and should have won). Lately, there just hasn't been much to get jazzed about in the world of home theater. Sure, 4K televisions are cool, and OLED is really impressive (also very expensive) but nothing has been like that first time I heard surround sound in the demo room at one of the big box stores... until now!
Recently while combing through my quarterly issue of Crutchfield, I read about Dolby Atmos. For those of you who don't know, it is a new way Dolby has been producing sound tracks for your favorite movies in the theater, and now they have brought that technology to your home via your home theater receiver. What it does with sound is amazing, I won't go into the technical details, but you will probably have to add a couple of speakers to your existing home theater to get the full effect. I (fortunately) was very lucky to already have the preferred setup (much by accident) and didn't have to upgrade anything other than my HT receiver which I did with the Yamaha RXA-760. At first I wasn't impressed, and couldn't figure out why it didn't say Dolby Atmos on my display. After some frustration, I figured out the problem... when you buy a Dolby Atmos disc, it comes with another regular DVD disc as well, I didn't notice that, and didn't have the correct disc inserted into my Blu-ray player (oops, rookie!).
There aren't a lot of movies that have Dolby Atmos encoded yet, so I purchased the new Tarzan movie, hit play, dimmed the lights, and waited to see what happened. Early in the movie there is a scene when Tarzan's dad is about to get jumped by angry gorillas. He is below the tree house and the monkeys are swinging above him making well, monkey jungle sounds. I was instantly hooked, the sound of the jungle all around and above you really is a whole new movie watching experience. You definitely feel like you are in the action, not just watching it. There is another scene where soldiers are firing in all directions in a vain attempt to dissuade their attackers... the bullets fly all around you, it almost feels like you should duck.
Bottom line, it is the best thing to hit home theaters since the very first 5.1 system was displayed at Best Buy. It makes me want to watch my favorite movies over again with the sound cranked (sound proofing your HT is a whole other conversation). If you have a chance, pop into your nearest HT store and hear what you have been missing. I guarantee it will put a smile on your face.
You would be surprised at the number of interviews I have listened to in my lifetime, and I could probably count on one hand the number of so-called professionals who did it well. Let's face it, interviewing is not a skill set you go to school for, often don't prepare for, and often don't do very well. Most of us will have at minimum 20 to 30 interviews in our lifetime. Let's assume, for the sake of this exercise, that you really, really want this job you are interviewing for.... So how should I prepare myself for the interview?
First the obvious, you should do research on the company you are about to meet with, this doesn't have to be a deep dive into memorizing every employee's name, but you should have a firm understanding of their products/services, who their key market is, and what they are known for. You should also show up a little early, dress appropriately, and be respectful of everyone you meet that day. Those are the obvious, now let's talk about the not so obvious.
Every interview boils down to two basic concerns the interviewer has... #1 Can this person do the job, do they have the background and experience needed to accomplish goals, fix problems, or make/save them money? #2 Are you a good culture fit for the group, division, or company?
Let's discuss #1. They assess your technical experience by asking questions about your past experience, how you handled situations, and asking technical questions to assess your knowledge. So far, duh... right? But this is a key area where many professionals slip up.... Even when they have the right background and experience, they end up talking themselves right out of a job offer... How? By going off on some tangent, not understanding the question, or by assuming they know what the person is asking. I have heard this play out time and time again, and so I am writing this to help. Normally an interview starts like this - "Hey Jimmy, we are a Fortune 500 organization in bla bla bla and we are building out our IAM capabilities. So, I see you worked at XYZ corporation as an IAM specialist, what did you do for them?" STOP! DO NOT ANSWER THE QUESTION!!!!! This is not the time to start telling the world about how great and smart you are. At this point you don't know enough about their problems and could start going down a path that does not fix their problems or address their concerns. At this point YOU need to start asking a few clarifying questions to make sure your answers are appropriate and on target. A great way to do this is to say... "I am really excited about this opportunity, but before I elaborate on my background and experience and to make sure my answers are on target, can you tell me a little bit more about why you are implementing an IAM solution, and where you are at in that process?" BOOM! What you have just done is set yourself apart from the other 10 people they will be talking to that week/month about this opportunity because you just asked a reasonable, well thought out question that clarifies an issue. It also provides you with specific information about their situation/problem/concern so you can highlight your specific experience to address their unique situation.
9 times out of 10 the hiring manager at this point will provide you with what exactly they are trying to accomplish, what hurdles they have run into, and why they are implementing the solution from a business perspective. How powerful is it to have that information early in the interview so that you can address those specific concerns from beginning to end. Can you see how powerful a well placed question can be?
Now let's discuss #2 Culture fit - The biggest concern of a hiring manager when hiring a new person is: will that person gel with my existing team? You might have all the technical ability in the world, but if you can't or won't play nice in the sandbox, you will not get offered the job. Bottom line, the hiring manager has probably spent years building their team, and they want to avoid adding a cancer who might destroy what they have spent a lot of time and energy building. This isn't as black and white as let's say our technical abilities, this is more of a nuance thing. Do you talk over other people? DON'T! Do you tell people you are a team player? Don't just say it, have an example of how you have been a team player in the past. Do you listen carefully to hear people out, or do you jump in to finish their sentences by cutting them off? Are you conceited, arrogant, or difficult to work with? All of this comes out during an interview. I have a good friend who is a police officer, he told me one of the interview questions a lot of recruits and even current officers (from other departments) fail on is "have you ever made a mistake" and "what did you do to fix it" or "what did you learn from it". My friend told me several officers freeze when they get asked that question, and often reply "I can't think of any". That is a major red flag, as it shows they lack emotional intelligence and self-critiquing skills that are important in any mature professional. This is an instant disqualification to work for his department. So culture fit is extremely important and is something that you should not overlook. Practice interviewing with a friend or a spouse. Have them critique your answers and ask them for advice. If they are in a professional field, they probably will be able to help you fine tune your responses so that you look and sound professional.
Most interviews are a one and done deal so doing it right the first time is very important to your career. Interviewing well vs poorly can have an impact on where you work, your income, and your brand in the marketplace. I strongly suggest you prepare for your interview and practice, practice, practice. Just like anything you do, the more you do it, the better you become.
Al Lerberg is the owner and president of cyber security recruiters, has over a decade of experience in recruiting and hiring, and has written several articles and blogs on interviewing and hiring best practices.
Is your corporate recruiting strategy damaging your brand in the marketplace? Most organizations don't know what messages are flooding the marketplace or how their brand is being perceived by professionals they are seeking to attract. As a recruiter who has worked with multiple organizations to find said talent, I get a unique perspective of how candidates perceive organizations and their brand in the marketplace.
Recently I was asked to find a Security expert in a geography that we had not done a lot of work in. I was aware that the company had worked with other recruiting firms in the past, but did not know what the brand perception was until we started making calls. What we soon discovered was that the "A" player professionals were very aware of this opening because they had been in their words "contacted multiple times" and had no interest in further pursuing the position. Why? The position was no longer unique, other firms didn't formulate a strong value proposition for the opportunity and had watered down the message. Worse, the position had been posted everywhere, so the new car smell was definitely gone, replaced by the stench of desperation.
Brand perception is very important, and critical for your overall recruiting strategy. Many things can shape the opinion on your brand in the mind of the professional so make sure you are working with your teams to create powerful value propositions. I attend local security meetings and can see and hear the impact a positive vs negative brand perception has on a room. If attracting "A" talent is the end-game, having a partner who can sell your brand effectively should be a major part of that strategy.
This afternoon the New York Times published a story highlighting the Pentagon's plans for a cyberattack on Iran should our negotiations have failed (some would argue they already have). To me this was a fascinating story, not just about the details of Nitro Zeus (the plan's code name) but the entire idea of cyber-warfare against a nation state. That led me to thinking... if we could do it to them, who is planning on doing it to us either on a micro or macro scale? What industries, what companies, who would be impacted? Certainly utilities, and defense contractors, how about hospitals and sub-contractors, and anyone else who does business with the federal government? The article went on to say we had been planning for years just in case things didn't go our way. Again..... it got me to thinking who or what has been happening here? How do we defend against it, could we stop a major attack or would we be at the mercy of the Feds (God forbid) to fix the problem?
I have a lot of faith in the private sector to identify and rectify cyber attacks, there is a marketplace incentive to provide these solutions. My fear would be our military infrastructure, which wouldn't benefit from the speed and urgency that you find in the private sector. Cyber Security is not a buzz word that is going away, we have found a new way to fight without having an all-out war (in terms of guns and bombs). As our understanding and realization of this new battlefield emerges, it will be interesting to see how the marketplace responds. Should be interesting!
Recently our family took a trip to Phoenix in order to see my parents who have decided that seeing the sun during the winter months is actually a good thing, who knew? When at last (7 days) time had arrived for the trip home, we were notified by the airline (Spirit) via email that our flight had been cancelled. At times like these your mind starts to race, so many things to do, how do we get on a new flight, what do we do with the rental car, what about the dog, will the vet keep her another day? It really is a panic moment! First lesson #1 Let people know what is going on - Spirit did a great job letting us know the flight was cancelled, but after that moment, you were on your own. They didn't tell us it was due to weather, although we had been following the news so knew a winter storm had hit our area. This is a simple thing, tell people what's going on, they will appreciate it and not have to guess. Over-communicate if you have to... I looked everywhere and finally found a Spirit number to call, when an out of country reservation agent (who I could barely understand) told me that they would not have another flight available for two days. No hotel information, no rental car discount, just the flight info. Lesson #2 Take care of your customers - it would be very easy for Spirit to have hotel choices close to the airport, as well as easy to find published 800 numbers to call in case of a cancelled flight. Information is very helpful and powerful at times of stress, and would have benefitted all the people who were now scrambling to find lodging, food, and transportation options.
After booking our return flight, I called Hertz to inform them of our situation. My wife patiently told them what was going on and requested rate info if we decided to keep the car. The Hertz agent informed my wife it would cost over a hundred dollars to keep the car two extra days, which is almost more than what we paid to have the car for 7 days. Customer Service Lesson #3 Help people out - and don't take advantage of their situation. I didn't expect to get the car for free, but offering us to pay the same daily rate would have been a kind gesture, and one that kept me coming back to Hertz. Instead we returned the car, where a Hertz agent charged me extra for not having the gas tank topped off. It was a smidge below full, since we drove 30 miles into the airport. I didn't even argue with him, just chalked it up to lesson learned, find another rental car company.
Once getting flights and our car situation handled, we wound up stranded at the off-site rental center (Thanks Phoenix). With two kids under 9 now getting impatient, we frantically called area hotels only to find many of them booked. On a whim my wife called the Green Tree Hotel close to the airport and talked to a customer service professional named Melissa. She not only said they had a room, but would come get us immediately at the airport with their free shuttle. Customer Service Lesson #4 The little things matter - Our driver (another Melissa) was fantastic, told us about stuff in the area, places to eat, things to do, and took us all over whenever we requested. The Melissas, who were both in their 20s, knocked it out of the park for us. These two women did a fantastic job, always answered the phone right away, took us all over town, and even suggested two restaurants that the entire family enjoyed. Well Done Green Tree! - there is a thing or two you could teach Spirit and Hertz about customer service...
Albert Lerberg was in the ND Air National Guard where he served for 8 years. He has also held roles in sales for McLeod USA where he earned numerous sales awards. He was also a recruiter in the healthcare niche for several years as well as a pharmaceutical sales professional. He started recruiting with Aureus Group where he quickly led the team in gross margin performance. In 2009 he opened Lerberg Group, Inc. which operates under the name Cyber Security Recruiters.