Top Qualities for IT Security ProsRecruiter Highlights Skills Organizations Seek in New Hires
What are organizations looking for in new IT security hires today? Recruiter Kathy Lavinder gives insight on the qualities companies are seeking.
According to Lavinder, executive director of Security & Investigative Placement Consultants, LLC, organizations are looking for professionals with strong, technical knowledge. "You can't be a generalist," she says in an interview with Information Security Media Group's Tom Field [transcript below].
"It's not a matter of someone who has a passing interest in some of these areas or people who have gone out and obtained a lot of certifications," she says.
Organizations also need recruits who have flexibility in order to deal with the rapidly changing landscape. "You have to be aware that the organization has needs that will evolve," Lavinder explains. "They don't hire you for one job and it's going to be static. In an environment as dynamic as this, you have to be able to evolve and change."
For IT security executives, leadership skills are still important, Lavinder points out, but even still, in many cases organizations need strong, technical underpinnings to go along with the over-arching knowledge.
"Frequently, I'm asked to find those people who started from the foundation, who have all of the actual work experience, but have also added on to their capabilities in regards to team management," she says.
In an exclusive interview about hiring trends, Lavinder discusses:
- The qualities organizations seek in IT security pros;
- Why IT security jobs turnover so quickly;
- How to grow the existing talent pool.
Lavinder has more than a decade of recruiting experience that has focused on placing investigative and security management specialists in corporations, financial institutions, accounting firms, law firms, insurance companies, academic and health care institutions, non-profits, and consulting firms. Prior to turning to executive search, Lavinder was with Investigative Group International, where she served as Managing Director and head of the firm's headquarters office in Washington, DC. Prior to IGI, Lavinder was with ABC News in New York.
TOM FIELD: To start out, why don't you tell us a little bit about yourself and your work please?
KATHY LAVINDER: I've been recruiting in this very specialized niche for over 12 years, and I find security people, both information security and physical security specialists, as well as all kinds of investigative personnel. Before I began recruiting I was an investigator myself and before that I was a journalist. I worked for ABC News. I'm a bit of chameleon. When people tell me they want to change jobs or reinvent themselves, I say to them, "You're talking to the queen of reinvention."
FIELD: What are the types of placements you find that you typically conduct for organizations?
LAVINDER: They're all over the map. I thought that they would be very discrete and finite, but it's actually very broad based. But right now on the information security side, [it's] a lot of people who are able to do incident response, respond to data breaches, malware and advanced persistent threats.
FIELD: What are the types of organizations you're typically conducting these searches for?
LAVINDER: I work with all kinds of corporations - large, medium, even small ones - that have realized they have issues and needs, and I also work a lot with professional services firms because in many of these instances when it's a very specialized or highly technical incident response-type need, they may not need that person on staff but they need to turn to an external provider, an external resource. Professional services firms have been building their talent rosters up, and I've worked with a lot of those firms to help them find those people who have really highly specialized, high-end capabilities that can be drawn in when there's a particular need. Across the spectrum, I've done searches around the country, around the U.S. and also around the world.
Sought After Qualities
FIELD: You talked about some of the specialized skills. What would you say are the qualities that organizations most seek in IT security pros today?
LAVINDER: Well first of all, it's a very, very strong technical knowledge. The technical piece, in many instances, you know you can't fake it. You can't be a generalist. In most of these roles, they really have to have highly specialized capabilities and it's not a matter of someone who has a passing interest in some of these areas, or people who have gone out and obtained a lot of certifications. They really have to deliver the goods to bring strong capabilities in their subject matter expertise.
Then on the softer side, I think they're looking for somebody who brings some flexibility to deal with the fact that the landscape is always changing. It's very dynamic so you have to be fluid. You have to be aware that the organization has needs that will evolve. You know they don't hire you for one job and it's going to be static and you're going to be repeating that same set of responsibilities day in and day out. In an environment as dynamic as this, you have to be able to evolve and change with the evolving needs and threats that are out there for your employer.
FIELD: What about for IT security executives? Is there the same demand for the hands-on skills or do you get more into some of the softer skills and more leadership?
LAVINDER: Certainly leadership is important, certainly some of the softer skills, but I think that in many cases my clients are asking for a really strong, technical underpinning and that's quite frankly where I've had some difficulty. It's one thing to have kind of an over-arching knowledge, but it's another thing to have from the ground up the foundational knowledge. Frequently I'm asked to find those people who started from the foundation, who have all of the actual work experience, but have also added on to their capabilities in regards to team management, interface with other organizations and interface with other groups and departments within the company or the employer. So it's a combination of things, but I find that more often than not, they're asking for strong subject-matter expertise, strong technical capabilities with the leadership overlay.
FIELD: It sounds like a simplistic way of saying that it's not enough just to go out and get a CISSP and expect you're going to get a premium job placement.
LAVINDER: Exactly. The CISSP is a good certification, but it's only one measure. It's only one way to determine that someone has a broad knowledge and I look for a combination of indicators and certainly certifications can be very valuable, but as I said you have to bring the goods at the end of the day. Just looking at certifications will not necessarily be a determining factor for me or for my client.
FIELD: Let's talk about some of the in-demand skills. You mentioned incident response earlier. What are some of the skills you're most asked to seek out these days?
LAVINDER: It's all over the map. Depending on the organization, they have a variety of needs. Some of them are much further along in their development of their information security program. So in that case, they need people who can continue to refine it. In many cases though, I'm finding that they're still building out the program so they need the people who can build it, who can structure it, who can bring both strategic and tactical capabilities. It really depends on the organization and where they are in terms of their lifecycle.
One thing that I've become aware of in regard to information security in particular is the tail started wagging the dog. These information security issues are so vitally important that they have such risk to corporate and private sector clients that they cannot be ignored. So IT departments are adding staff on the information security side. They're boosting the profile of this person within the organization and they're relying on them more and more, so those are a couple of things that I see. Basically, I will tell you something that you've probably heard many times before, which is, in regards to my clients and regards to companies out there generally these days, there are only two kinds of companies - companies that know they have had a problem and those that have had a problem that don't yet realize it.
Not Enough Talent
FIELD: One of the things that we hear consistently is that there just isn't talent enough to fill the positions that are available. How large and deep is the pool of available talent?
LAVINDER: It's not particularly large and it's not particularly deep. It's definitely more on the anemic side than on the deep or expansive side unfortunately. I'm somewhat encouraged by a number of the institutions and the academic programs that are starting to really see the need here and to respond to that need and start to educate the next generation of people who can step into these roles. But right now, baby boomers are not known for having strong technical skills, not to say that none of them have them, but technology sort of happened while they were in the middle of their careers. Many of the early adopters jumped on board and gained these skills, but we have smaller demographic pools when you look at Gen X , Gen Y and Millenials and so it's a work in progress.
And it's absolutely a fact that there's a war for talent in this front and there's also this tension between public and private sectors for talent. The public sector does such a great job to train and build out their teams, and then they can lose them very quickly to the private sector which can offer more money and perhaps other things that are attractive to people who are ready to step away from the public sector. The government and military are having a hard time keeping up with this just as the private sector is. So we need to do a lot more in that regard and so that's why I'm very happy when I see colleges and universities adding programs and even certificate programs, not necessarily degree programs, but addressing the need in a variety of ways and being creative about it because we've got to educate people. We've got to build that out.
FIELD: Where do you see the biggest disconnects between the organization, what they express they want and the candidates and what the candidates offer?
LAVINDER: I think the biggest disconnect is that sometimes they're not realistic. Companies can put together really exhaustive job specs for recruiters such as me. But sometimes I feel like I'm chasing a unicorn, that some of the skills and the requirements are non-compatible or just not likely to be found in the real world. I think there's a need to be realistic and to accept the fact that one person may not fill all of your needs. One person may go, let's say, 60 percent of the way to filling your needs and that person may have the need to reach out for other specialists. There are so many arcane specialties, arcane issues that I think it's hard to say that one person's going to bring all the solutions and all the answers. That's probably the biggest disconnect that I see, being realistic about what's out there and what people can do.
FIELD: Do you see these patterns consistently outside the U.S. in other markets in which you work?
LAVINDER: Yes I do, absolutely. It's across the board. Obviously there have been a lot of people who have come in from other countries into the U.S. on visas and quite frequently I have candidates who are working in the U.S. on visas. Other countries such as India are doing a great job in educating people and then of course they lose them because they come over to the U.S. and want to work in the U.S. because the compensation is higher. There are a lot of opportunities so that's a draw for many people, but across the board I see this.
I've recruited in other parts of the world, including the Middle East and Europe, Latin America and also in Asia. Across the board I see these issues. So it's not like we're behind and everybody is ahead of us. I just feel like everybody is behind. Technology is moving at warp speed. We're all chasing after it. When I talk to potential candidates, I say, "How would you like to jump on a moving train?" Well that's what we're talking about right now, we're talking about jobs in information security.
FIELD: A few minutes ago we talked a little bit about the churn, especially from the public sector to the private sector, and even in the private sector. What do you see as contributing to the high turn-over rate of IT security pros?
LAVINDER: A couple of things. The first thing would be the fact that there's a burn-out factor. These jobs are very intense and the demands are significant. So I think a lot of people feel like they have no way to step away from it. That I hear from people all the time, "I worked a 12-hour day yesterday. I worked a 12-hour day the day before. I'm probably going to have to work on the weekend." They just simply burn out because there's too much on their plate in many cases. It's just a reality to many of these roles.
The other thing is the fact that there are always going to be people who are willing to pay more and even throughout the recession there was this escalating compensation scale, and if you're really, really good you could probably jump a year from now or a week from now and get more money. You have to sell basically some of the other things, maybe better work-like balance, maybe some of the technical growth that you could have in a particular organization, and a lot of the peer learning, peer sharing. Peer sharing and peer learning are very, very important as well as the fact that if an employer can offer a path where someone can continue to learn, continuing education is very, very important in this space because if you're not continuing to develop as an information security professional you're falling behind.
Peer learning, ongoing learning are very important retention tools and a lot of organizations forget that and they lose people because they feel like they're kind of spinning their wheels or they're losing traction, losing ground and so they would rather go somewhere else that really supports that ongoing professional development.
Growing the Talent Pool
FIELD: We talked about the diminished talent pool. From your perspective, what are things that we as an industry can be doing to grow this talent pool?
LAVINDER: I think peer learning, peer sharing, continuing to have a dialogue. A dialogue is very, very important and sort of bringing all of these issues to the floor, a lot of people when I talk to them feel like they've kind of made some bad life decisions because they've wound up in these roles where they're kind of buried in their company's, their employer's, problems. Sometimes [it's] just feeling like there's someone out there who understands what you're going through and can share with you how they've addressed issues. I think the education, the dialogue, is vitally important and I really think a lot of organizations can contribute to that, taking away some of the stigma with really discussing honestly what's going on in an organization.
FIELD: Given everything we've seen in the news about security over the past year - high-profile breaches, threats, viruses - is security an exciting profession for young people today?
LAVINDER: Yes. I find the people that are attracted to it love it. It's almost in their blood. It's a wonderful thing to see. I do think that it's a very, very attractive field, and I always tell people when they come to me and have said, "I have recently graduated and I've got a degree in this or that," well you're going to have a really interesting career because there are a lot of opportunities. There are a lot of career paths that you can take, so it just depends on how you want to sort of direct your career, but absolutely it's a very exciting career path.
FIELD: If you were to sum it up, what advice would you offer to individuals who want to enter the profession, whether they're starting at the beginning of their career or changing horses mid-career?
LAVINDER: There's no one set path. This is an area where I have found some of the people who are the most talented are self-taught. This is an area that they were just intrigued by that they wanted to learn, and so they've done a lot of self-study. They've paid for programs that they've gone to on their own. They've been motivated. Motivation and real dedication to getting some traction in this field go a long way. And I have a lot of clients that really don't care so much about the traditional education credentials and are open to people who have had alternative career paths. I think a lot of people don't realize that. It's absolutely a sector that has a non-traditional career path and it's never too late. If this is really your passion and you really want to do something in this space, you can.