InfoSec Institute Interview: Ryan Farmer and Scott West of Acumin
Acumin, an international recruitment specialist, focuses on areas such as information security and risk management, governance and compliance, penetration testing, forensics, and business continuity management.
With information security and risk management teams spread out across the UK, Europe and the United States, Acumin has its finger on the pulse of the industry, particularly as it relates to developments in Europe.
InfoSec Institute recently conducted an interview with two professionals from London, England-based Acumin’s end user and security consultancy team – Senior Resourcer Ryan Farmer and Managing Consultant Scott West – to get the company’s take on certain issues relevant to the information security industry.
InfoSec: What positions are currently in demand?
Farmer: Hybrid technical-strategic roles, which align enterprise security architecture and solutions to business needs. [Companies are also looking for] candidates with deeply technical backgrounds who are business-facing and capable of articulating security as more than a compliance checklist. Application security experts in the UK are severely lacking. Failure to bake security in through the development process, coupled with programming functions being traditionally offshored, has resulted in a real lack of deep experts and bidding wars between employers for those at higher levels.
InfoSec: For which positions is demand dying?
West: Pure-play network security engineers are less in demand now, particularly within end users, with organizations typically seeking technical personnel with knowledge across multiple domains.
InfoSec: What hard skills are most in demand?
Farmer: Application security, threat and vulnerability, and enterprise identity management.
InfoSec: What soft skills are most in demand?
West: Communicating value of security, strong stakeholder management and process engagement, and those that are able to work across multiple projects and programs.
InfoSec: What technologies are most in demand?
Farmer: Those that focus on protecting data. Often there is a focus…establishing a DMZ, when really we are in information security, and that is what should be protected. So we are seeing a lot more projects around DLP; monitoring of networks, files and databases; threat mitigation; and vulnerability management.
InfoSec: For which technologies is demand dying?
West: Traditional firewall.
InfoSec: Who was the last security person you hired and what set that candidate apart from the pack?
Farmer: A lead security architect within a FTSE100 finance organization. What set this person apart from the pack was the ability to communicate technical solutions to the business, manage multiple stakeholders throughout the process, and breadth and depth of technical security experience.
InfoSec: Without naming specifics, what are the biggest security threats?
West: End user information security managers, directors and architects who attend our monthly Risk and Network Threat Forum (RANT) confirm that the biggest concerns to the enterprise are employee-owned mobile devices, protecting web facing applications and security awareness.
InfoSec: What is the hardest part of the job?
Farmer: Understanding where the next generation of security consultants are going to come from.
InfoSec: What is the most enjoyable part of the job?
West: Growing out a security function, allowing the organization to meet strategic objectives.
InfoSec: Which, if any, certifications and degrees do you see as important for hiring and career advancement?
Farmer: Certifications initially came in to the industry to validate the skills of hackers-cum-white hats, and really their purpose hasn’t changed. You can’t beat experience and a genuine passion for the subject, but a CISSP will always go a long way to showing commitment to on-going improvement and a sound broad knowledge. The MSc in information security helps to escalate candidates, promote professional maturity and shows the right level of willingness to progress.
InfoSec: What will get your resume thrown in the trash?
West: Misleading information, such as embellishing skills and experience or incorrect dates. Whether it be through the interview process, referencing or during probation, you will get found out. It’s better to be honest about any shortcomings. Employers want to develop people within a role.
InfoSec: What would you tell a secondary school student interested in a network security or cyber security degree?
Farmer: Ensure a breadth and depth of education whilst gaining as much real world experience as possible. Try to differentiate yourself during your education.
InfoSec: Which security sites do you visit?
West: SC Magazine, InfoSecurity, The Register, and of course LinkedIn and Twitter for a summary of everything
InfoSec: What’s the last security book you’ve read?
Farmer: Kevin Poulsen’s Kingpin has been on my Kindle to-read list for the last few weeks.
InfoSec: Who’s your favorite fictional hacker?
West: Case from Neuromancer,
Farmer: Mr. Universe from Serenity. And everyone loves the Napster!