In my previous post, The Demand For Talent: Hidden Risks to Security Professionals, I wrote about the highly publicized demand for security professionals along with the lesser-known risks that come with it.
While there are more opportunities for security professionals than ever before, it is important to understand why this is occurring. From a big picture perspective, there are three major reasons one can point to.
Three Key Reasons for Rising Demand for Security Pros
The first is an increasingly complex and demanding regulatory landscape that companies must comply with. This includes well-established requirements such as SOx, PCI-DSS, GLBA, HIPAA and FISMA, as well as new and evolving standards companies will be expected to comply with in the future.
The second, which ties back to number one, relates to the increasing demands that organizations put on each other. Your organization may have a great security program but you are only as good as the weakest link, which may be a vendor or service provider. With the increased scrutiny on partners and providers, the bar has been raised for security programs everywhere.
And third is an increased awareness of security risks from the boardroom to the individual consumer. The old journalistic maxim "if it bleeds, it leads" now applies to cyber breaches and security events, which have become mainstream news. While security challenges are nothing new to practitioners, all things cyber have become a hot topic in the media, especially when it impacts individuals and consumers.
Certainly, there are other factors, but these three issues are some of the biggest drivers that have been contributing to the demand for security and IT risk professionals.
What does this mean to the job seeker? I'll put it this way: just because everybody wants to dance, it doesn't mean they know how... or can even snap their fingers to the beat. More simply, just because organizations are interested in building security programs, it does not mean they actually know what they are doing, especially when it comes to talent.
Over the last two years I have had hundreds of conversations with security professionals who are back on the market a year or less after joining a new company. Why? In most cases, the opportunity was not what it was represented to be and they have been put in a situation where they are either unsupported, professionally regressing, or set up to fail.
This is frustrating because while security professionals are often described as paranoid, skeptical or even jaded – mindsets critical to the job – most are idealists at heart. I don't know many dedicated practitioners who don't love the work they do or believe they are fighting for a worthy cause. The truth is, we are in a global technological arms race and it takes special people willing to take on these kinds of challenges. As a result, many go into the interview process with an overly optimistic mindset and don't ask the hard questions.
Asking the Hard Questions
What are the hard questions? They are the ones that every security and IT risk professional needs to ask while interviewing and before accepting a new position. They are the questions that can uncover future obstacles and allow you to make a more informed, objective decision about an opportunity. So for simplicity's sake, I'll break them down into some basic categories: motive, history, leadership, resources and path.
Here are examples of the questions one needs to ask for each category:
Motive - Why is security important to this organization? What's driving the program? What are the assets that need protection and how vital are they to the company's success? How much is driven by compliance? Is security seen as a business enabler or a check box? What are the major initiatives in the coming 1-5 years? Why is the position open? How long has it been open? Is it open due to attrition, a particular security event or part of a new initiative?
History - What do you know about the company's business? How do they stack up against their competitors? What are the security-specific challenges that organizations in their industry face? What has the company's past position been towards security? Have they experienced any recent breaches or incidents? Do they have an established program? If so, how large and what kind of attrition have they had? Is this their first effort to build a program? Why? (See motive) How has the preceding security organization succeeded or failed?
Leadership - From the executive leadership team down, what can you learn about the culture of the organization? What is the CEO's or board of directors' public position on security? Has there been high turnover at the CIO or CISO level? What about the supporting security organization? What can you learn about the current approach to security? What can you learn about the manager your future role will report to? What has his/her career progression been?
Resources - This is critical for any level, but especially leadership roles. What is the annual budget for security? How is this determined? If more resources are needed, what's the process for attaining them? To what extent does the security organization rely on external service providers? What is the current and projected headcount of the team? How is the team currently structured? What is the attrition level? If high, why? What kind of internal or external recruiting support can you expect? Does the company pay competitive salaries? Do you have a dedicated HR or recruiting partner? What are your impressions of the interview experience? Is it positive, competitive, effective?
Path - How is success determined? What are the internal growth opportunities? What is the average tenure of previous employees in your role? Where did your predecessor end up? Does the company offer any support for certifications, training or continued education? Does the company allow employees to attend or present at industry events? How does a role with this company align with or support your long-term career goals? How strong is the regional market for security professionals should you decide to move on?
Understandably, it's not always possible to ask or get answers to every question, but it's worth the effort. We're talking about a serious commitment on your part and since there are more jobs than qualified applicants, you have an advantage. Companies that are unwilling or unresponsive to your questions may not be the best choice. In fact, if they are unwilling or unable to answer these kinds of questions, it's a red flag and the buyer should beware.
Remember, the goal is to avoid landing in a new position that looked great on surface but turned out to be a mistake. Making a career move is a big investment in time, energy and your future. The more a person understands about a career opportunity before they accept, the better they will feel about their situation. With the significant challenges facing all of us, it is more important than ever to get it right. So don't be afraid to ask the challenging questions. As the saying goes, "Trust, but verify."