Interview: Jeff Snyder
Jeff Snyder is the President of SecurityRecruiter.com, an executive search firm focused on recruiting cyber security, information security, corporate security, physical security, global compliance and global privacy professionals. Jeff is a Certified MasterMind Executive Coach by the Executive Coaching University and he is certified as a Stakeholder Centered Executive Coach by the Marshall Goldsmith Group.
You began doing IT recruiting in 1990, right? When did you begin noticing that IT security was becoming a specialized career path, and when did you make the decision to change your focus to information security?
I did start my recruiting career in 1990. At that time, I was recruiting general IT skills. My first information security search came in around late 1995. This was a request for me to find someone who could harden Windows NT and also UNIX. I filled this position and several more information security jobs between 1995 and 2000. It was around 2000 that I made a decision to focus on information security recruiting. It was a roll of the dice back then but a decision that has turned out to be a good decision.
How has that focus evolved over the years?
My decision to focus on information security has opened up many doors. For example, soon after 2000, I took on and filled IT Audit searches. In 2007, my first corporate physical search came along. Next came positions that covered IT Risk Management, Global Compliance and Global Privacy.
As you look at the IT security job market, as it continues to evolve, what skills seem to be in the highest demand right now?
The skills of a security architect are in high demand. These types of positions require candidates who have worked with a variety of security technologies, candidates who stay current on emerging threats to the business and candidates who can translate technical threats and vulnerabilities into language that line of business owners can understand.
When companies require security leadership up to the CSO / CISO level, they frequently require candidates who possess strong IT Risk Management, Global Compliance, Global Privacy and strong business skills. Security leaders who want to be part of the “C” suite need to function as business professionals versus functioning as technology professionals.
I have had some CSOs that I have corresponded with mention the growing number of career options for people in the information security field. I know that your focus in recent years has been primarily on filling executive and leadership roles, but could you describe what you’re seeing in terms of various identifiable career paths that exist in the field, and what someone seeking to enter those fields might want to consider in terms of training and skills that would be required for success?
There are many different career paths that information security professionals can follow. For the sake of brevity, I’ll suggest that security professionals need to decide whether they want to stay on a technical track or whether their passion takes them down a managerial / leadership path.
For security professionals who choose a technical path, there is definitely a need for security architects. These are the security professionals who study emerging threats and risks to a company and translate that data into actionable projects. These roles typically require security professionals to have 5-10+ years of experience and individuals who have been exposed to a broad range of technologies. It usually requires a couple or even a few carefully planned career moves to pick up the strong mix of technical skills required in a security architect role. This person will likely pursue vendor-specific certifications that line up with their subject matter expertise. If they choose a Master’s level of formal education, sometimes an MBA is the best choice while other times, a more technical Master’s degree in Computer Science or Information Security might be a better choice.
Security professionals who aspire to manage, lead and guide other business professionals from a security and risk management perspective need to accumulate and master a wide range of skills. These individuals may start out on the same track as the person who desires to walk a technical path but at some point, they’ll step into a role that requires exceptional people skills. As a manager, these individuals need to master the skills of managing technical people while also beginning to master the skills of working with line of business owners, outside vendors, law enforcement, auditors, etc. Security leaders who aspire to reach the CISO or CSO level should consider an MBA in some cases rather than earning a Master’s degree in something technical such as computer science or electrical engineering. The most successful security leaders who reach the “C” level will understand that they’re there to serve the business.
In the past year, you have been asked to speak on several occasions to gatherings of information security professionals. What were you asked to speak about and, in a nutshell, what were some of the things you told them?
I’ve spoken publicly to both ISSA and ISACA groups in several cities. I’ve been in Q&A settings and I’ve also been in settings where the stage was mine and it was my choice as to what should be delivered through a presentation. I’ve specifically been asked to speak to security career paths and what it takes to get from Point A to Point B. Of course, everyone’s Point A and Point B will be different but there are some general pieces of advice I’ve shared to help security professionals begin to map out their progression. One of the most important things anyone can do is to reach a point of clarity around where their career is headed. One can’t get to where they’re going if they don’t know the address of the destination.
I’ve been asked to explain to audiences of security professionals what the business wants, needs and expects security professionals to deliver to an organization. There is frequently a gap between what security professionals are delivering and what the business needs.
Organizers who have invited me to speak ask me to talk about security resumes. Having reviewed security resumes since the mid-1990s, I’ve seen thousands of examples of resumes. Security resumes occasionally communicate the value a security professional has delivered to companies listed on their resume but far too often, security resumes fail to clearly explain to the consumer of the resume the value a security professional is capable of delivering if they were hired into a new job.
If you were to speak to a group of college or high school students who might be considering careers in information security, what advice would you give them? Is there specific training, or are there specific certifications that would serve anyone well as basic building blocks, regardless of the specific career track they might select?
High school or college students who are gifted in subjects such as math or computer science can create a bright future in information security / cyber security. Every new technological advance will create vulnerabilities that never before existed. I would encourage those who have an interest in the information security field to find ways to communicate with security professionals who are already in the profession. One way to do this would be to attend a local ISSA meeting as a guest. Surround yourself with the people who do information security work and immerse yourself in the topics they talk about to determine if these topics spark a personal passion. If so, acquire education that includes both a technology component and a liberal arts component. Learn how to write. Learn how to speak in both technical and non-technical language. Consider joining a local Toastmasters group to learn how to speak in public.
Aside from the obvious technical training that is required for different positions, what do you generally see as characteristics of successful candidates at any level?
When employers set out to hire information security professionals, they frequently do so with a list of checkbox items in hand. Many security professionals can pass the checkbox test which includes having certain skills or certain certifications. Skills and certifications are not enough.
High integrity is a critical trait for a security professional. Evidence of high integrity is found when a security professional’s words and actions consistently match.
Making carefully planned security career moves versus constantly changing jobs is a trait of outstanding security professionals. In order to make carefully planned security career moves, a security professional needs to have a clear strategic roadmap in hand to know when a truly outstanding opportunity has surfaced.
Developing highly polished interpersonal relationship building skills is a trait that I see in most highly successful security professionals. Learning to solve business problems and learning to create business opportunity is what great security professionals do rather than building security programs for the sake of having a program in place.
The most successful security professionals understand compliance but they strive to build programs that will actually make a company secure rather than just making a company compliant. The best security professionals understand the difference.
As you review an individual’s resume, what are some things that will likely result in it getting moved to the bottom of the pile?
When employers are paying a search fee, they frequently eliminate candidates whose resumes contain too many job changes. The definition of “too many job changes” depends on who the consumer of a resume is and what their biases are. Every hiring manager has biases when they review resumes.
Some employers prefer candidates whose formal education comes from well-known brick and mortar universities versus what some refer to as “Internet Schools”.
Many security resumes are nothing more than a job description turned inside out. By that I mean that the resume content is made up of short, choppy bullets that describe what a candidate was originally hired to do. Much like the information you would find on the job description they signed up to perform in the first place. These resumes generally tell me nothing about what the candidate has accomplished. What value have they created for past employers that I believe they might be bringing to my client’s table? Very seldom do I see resumes that translate a security professional’s work into measurable quantifiable value. Businesses function on profit and loss. Security professionals who want the best jobs need to demonstrate how they’re adding value to a business.
Finally, do you have any predictions regarding the future of information security as a profession in the coming years?
There will continue to be both technical and leadership career paths in information security. Many of the technical jobs may not exist within large corporations if corporations continue to outsource certain parts of their technology to managed service providers. Leadership roles will continue to require security professionals who operate like business professionals first and security professionals second. Business owners will only authorize spending on projects they understand and projects they perceive will either protect or mitigate their business unit’s risk. Security professionals who master the ability to create security solutions that solve business problems and create business opportunity will rise to the top.