InfoSec Institute Interview: Wils Bell – President of SecurityHeadhunter.com
SecurityHeadhunter.com Inc., a central Florida-based security search firm, is focused on uniting the right candidates with the right companies in the information security space.
As a specialist in security recruiting, the company knows where and how to identify the talent, said SecurityHeadhunter.com President Wils Bell, adding that the company has over the last decade added thousands of security candidates to its database.
With its finger on the pulse of the information security industry, SecurityHeadhunter.com is ideally positioned to know what information security professionals need to do to succeed. Which is why InfoSec Institute recently interviewed Bell to get his thoughts on sector-related issues.
What positions are currently in demand?
That really depends on the organization since some are really cutting-edge, big-enterprise [entities] and others are much, much smaller. So the demands are going to be different… [The demand for] compliance management is very strong. You can have policies and procedures in place; however, if your people don’t adhere to those and you’re found not to be in compliance, that can be a serious issue. That being said, other positions in demand include mobile security – because of the BYOD – forensics, web application security and cloud security, just to name a few.
What hard and soft skills are most in demand?
From a management standpoint, hard skills are understanding the technology. Someone needs to stay current with the technology that’s out there today, and having certifications like CISSP, CISA, CISM, etc cetera, can really be helpful.
As for soft skills, employers want someone that understands information security along with IT risk, privacy, compliance and business. Having an understanding of all of this, plus solid communication skills, are what clients are asking me to recruit. There are many upper-management types – non-infosec – that only look at cyber security and ask ‘What’s it going to cost?’ They have to know why it’s important.
Candidates that can take security plans and recommendation to the board, the company president or whomever – and sell their ideas – to me that’s a real soft skill and an asset. Clients also tell me they’re looking for candidates that have a real passion for this niche. These are the people who love to go to conferences or get additional certifications all in an effort to learn and better themselves in this niche. Their idea of pleasure-reading may be security blogs and security websites. They want to stay abreast of what’s going on in their industry, and they’re probably involved in user groups related to the industry.
What technologies are most in demand?
Mobile security, big data, cloud and forensics are highly sought after. In today’s cyber world, it’s not a matter of if you’ll get breached; it’s a matter of when and how serious will your data compromise be.
In which technologies is demand dying?
That’s an open question. I don’t like the term dying. Antiquated would be a better word. Many companies still are not embracing information security and IT risk the way they should or their technologies may be older or outdated. These older technologies and solutions aren’t in demand with companies truly embracing cyber security or staying on the cutting edge. However, if you’re one of the companies that doesn’t have the resources right now or doesn’t have the manpower to implement current technologies, the older technologies will have to work for you.
Who was the last security person you hired and what set that candidate apart from the pack?
It was a director of information security for a mid-sized company. This company had a security platform, but it was somewhat antiquated. They knew their growth had gotten to the point where they needed to really step up cyber security. The hired candidate understood the business and their technology. They were able to communicate to the hiring authorities what could be done and really sold them on the fact that it wasn’t going to cost nearly as much money or take nearly as much time as they thought to institute and implement the needed changes. They loved that since he was so down to earth and spoke non-technical because the upper managers knew little about cyber security.
How has your department changed and how do you expect it to change in the future?
The security niche is ever evolving, which means you must stay abreast of industry trends related to information security and IT risk. By doing this, I am able to understand a client’s security specs and what it is they really need in a candidate. Then I’m able to communicate that to a possible candidate. At the same time, I am able to understand what a candidate’s skills are and if and how they relate to my open search with that client. I don’t use job boards to recruit, so I have and will continue to use various social networks, networking and referrals.
Without naming specifics, what are the biggest security threats for companies?
Their employees! I don’t mean that they’re purposely trying to hack into systems, but many times they do not follow the corporate policies and procedures related to security. This can be especially true with younger employees who want to be on Facebook, Twitter, et cetera, or employees who are trying to take short cuts. I’ve got a really good friend who teaches and trains people in security awareness around the country. It’s a matter of educating your employees as to what to do and what not to do. Another serious threat corporations face today is advanced persistent threats.
What is the hardest part of the job?
One of the hardest parts is when you’re recruiting for a position and you come across somebody who absolutely loves the position; this is what they’ve been looking for; this is going to be the next step in their career; and they’ve got a great background and match up nicely with what the client’s looking for. Sometimes such candidates go through the process and it doesn’t work out for them because the client decides to go with someone else. It’s tough making those calls and telling the candidate that ‘X-Y-Z company has decided not to move forward with you.’ That’s a really tough part of the job.
What is the most enjoyable part of the job?
When you’ve brought together both the employer – or client – and a candidate and it results in a hire. It’s a win-win for the client and the candidate. You really helped fill a need for both parties. Another aspect I enjoy is referrals of my efforts by an employer or candidate to someone else they know.
Which, if any, certifications and degrees do you see as important for hiring and career advancement?
More and more companies really want people… that understand business. So MBA degrees are really highly thought of. A lot of clients say that if somebody has an MBA degree, that’s a plus. As for certifications, everyone knows what a CISSP is, but there are also other certifications depending on your area of expertise. There are security professionals who are actually called certified ethical hackers and have the CEH certification. If you’re a security auditor, there’s a CISA, a certified information security auditor. There’s also the CISM, certified information systems manager. In fairness, all the certifications in the world are wonderful, but you really need hands-on experience. Most certifications require you to have prior experience before you’re able to sit for the exam. I have seen many people over the years who have, say, gotten a CISSP or a CISM but who let them expire. A lot of companies and hiring managers really frown at that.
What will get a candidate’s resume thrown in the trash?
They’re all electronic today, but there is a delete key. I get a lot of resumes, and many are sent to me unsolicited, which is fantastic. Resumes come in all types and formats, but lying on a resume is the fastest path to the delete key. There are a few things that really speak poorly of a resume and depending on the severity will get the delete key. One is typos on the resume. That’s a major no-no, especially with the ability to run spell check. It tells me someone didn’t take the time to seriously review their resume.
The same thing goes with dates of employment, education, et cetera. I was talking with a potential candidate yesterday and immediately picked up that their dates were way off on their employment history. That’s a huge red flag. Another issue is when I receive a resume that does not include the current employer. Unless I have asked for a resume as is, they should always be up-to-date if sent out.
I also see resumes that are sometimes eight, 10, 12 pages long. Why? If I look at a resume and see that someone has had, say, six jobs in the last ten years, that’s a real problem. That person can’t seem to keep a job. I could not represent that candidate to an employer.
What would you tell a high school student interested in studying information security or information technology in college?
It used to be that universities and colleges offered a standard computer science-type of curriculum. There are now degree programs that are specifically for information security and information assurance and one can specialize in specific areas. If you’re in college, try to get an internship that involves working in the security field. Get your hands dirty.
Speaking of college, I talk to people all the time that do not have their degrees. In today’s world, with all the legitimate online degree programs you can go back and get that degree or get an MBA or other Master’s degree. It might take you a little longer to do it online, but what you’re doing is setting yourself up so you’re not eliminated from some opportunities that are out there.
What security sites do you visit?
On my Twitter account, I tweet about security breaches and issues related to security everyday and I follow lots of security people and read their posts and links. I also like CSO Online, InfoSecIsland.com, ThreatPost and I’ve started reading InfoSec Institute. Actually I wasn’t previously aware of it, but now I’m on there everyday. I use a news reader to follow dozens of other sites also. You have to stay abreast of what is happening in the security world.
Who is your favorite fictional hacker?
Perhaps the computer expert Penelope Garcia in that television show, Criminal Minds. She supposedly can hack into just about anything, but at the same time you know they’re really not that quick at hacking.
POB 620298 * Oviedo, FL 32762