General security

Interview: Joyce Brocaglia, Alta CEO

September 10, 2012 by Ian Palmer

Joyce Brocaglia is the president and chief executive officer of Alta Associates, a Flemington, New Jersey-based executive recruitment firm. Founded in 1986, Alta focuses on the IT risk management, information security industry. Brocaglia recently took some time out of her busy schedule for an interview with InfoSec Institute.

What positions are currently in demand/dying?

We are seeing great demand right now for people in the IT risk space — these professional are considered information risk officers. [O]rganizations [are] creating new IT risk organizations within an existing otherwise financial/capital markets risk kind of structure, or they are organizations that are bringing in new folks to head up risk from an IT perspective that have the ability to interface with business lines.
So, in other words, we’re seeing the equivalent of what a BISO might be in a security organization where they’re putting in business information security officers. We’re seeing the same thing happen on the IT risk side of things, where they are bringing in people that they may call IT risk officers to be aligned with specific lines of businesses. I think there’s more and more outsourcing of things like penetration testing and vulnerability management. Third party providers are being used more from a managed security services standpoint.

What hard and soft skills are most in demand?

I think that the biggest skills that we see, among the more executive-level positions, are the abilities to articulate technical issues and business terms; the ability to present to senior-level executives, whether that is the board of directors or committees; the ability to influence management. Maybe those are slanted towards the soft side. But for the most part on the executive-level positions that we’re filling, the emphasis is not on core technical abilities but rather much more focused on being an enabler and being part of the solution, so getting to ‘yes’ as opposed to saying ‘no’.

What technologies are most in demand/dying?

Many companies are still looking for folks that have either very strong end-point skills or have strong network engineering type of skills, so all of the related technologies that go along with those sorts of products and toolsets are still in demand. The majority of the positions we fill are in the management capacity so they’re not asking us for the bits and bites.

Who was the last security person you hired and what set that candidate apart from the pack?

We recently placed a chief information security officer for a large financial services company based in Manhattan. What set them apart was global experience and responsibilities, their holistic approach to information security and IT risk management, their ability to build a strong security and risk framework, and then…their ability to partner with businesses and enable solutions.

How has your department grown or changed and how do you expect it to change in the future?

Our firm has grown in the sense of, well, we’re unique. Our background is we’re the leading specialized recruitment firm in information security, IT risk management, and governance risk and compliance. We also work in the privacy area, so we’re a boutique firm specialized just in those areas. What I can tell you is we’re doing a lot more work on the retainer side of the business for senior executive roles. We’ve seen a huge increase in companies making very strong strategic hires in the areas of information security and IT risk management. And they’re leveraging us in a retained manner to find them key executives that can build world-class organizations. There are five of us working at Alta Associates. We’re looking to hire right now. We’re in the active interview process currently. The demand this year has been exceptional.

What are the biggest security threats?

The biggest issue that we find people discussing is around bringing your own device, in other words mobile security. So whether that’s the idea of mobility or a mobile workforce or this concept of bringing your own device…That’s a hot area that our executives are working with….Cloud computing or big data are issues that people are struggling with. The whole data-loss area is important. People are still looking at some of the major attacks, and how to avoid them, keeping ahead of the curve so that they don’t have a Sony type of an incident.

What’s the hardest part of the job?

The hardest part of the job is to find people that are forward-thinking and have not just the technical side of the requirements of the position, but also have the cultural fit and the ability to interface at an executive level with business people. The demand is ahead of the curve of the supply of people with those types of broader risk skills.

What’s the most enjoyable part of the job?

The satisfaction of not only coupling an ideal candidate with a company that is going to enhance the personal life and career of the individual, but also assisting the company at building a state-of-the-art, world-class department is the best part of the job. We also get to interact on a regular basis with the most senior people in the information security and IT risk community and see the big picture of the challenges they face globally. Founding the <a href=”“>Executive Women’s Forum on Information Security, Privacy and Risk Management</a> and enabling women in our community to build strong networks and achieve their goals continues to be my passion.

Which, if any, certifications and degrees do you see as important for hiring and career advancement?

The most common credential that we see for executives in information security is the CISSP. Most people have a technical degree. If they combine that with some type of an MBA to give that ability to put together metrics or put together board level presentations, that’s ideal.

What will get your resume thrown in the trash?

Misrepresenting their dates of employment or compensation. That’s the biggest mistake anybody could make, in my opinion.

What would you tell a high school student interested in studying IT in college?

I would tell them to try to not only be part of the school classes but join organizations that they can find mentors, and be an active part of associations in their particular specialty that they’re interested in. There’s a lot of associations. There’s (ISC)², for example. Any type of a mentorship program that they might get into or internship program at a high school level would be ideal. For women, I would suggest that they join our Executive Women’s Forum on Information Security, Privacy and Risk Management — probably not from a high school perspective, however. We do a national conference in Scottsdale, Arizona. It’s in October, the 2nd to the 4th, where we’ll be gathering 250 top women in our field. And they can get all of that information off of the website.

What are the last security books, magazines you read?

CSO is probably the magazine I read most from an information security perspective.

Do you have a favorite fictional hacker?


Posted: September 10, 2012
Ian Palmer
View Profile

A Canadian currently based in Ontario, Canada, Ian is a researcher for InfoSec Institute. Over the years, he has written for a number of IT-related sites such as, and