Cisco's John Stewart believes there are roughly a million security role vacancies, and this gap is now officially a crisis. We are about a million brains and bodies short of what we need to plug the many growing holes that perforate our highly internetworked environments. Complicating this are legions of posers, intentional and uninformed, feeding off the payrolls of organizations desperate to hire anyone, anyone, who understands what AV, OWASP, or CISSP mean.
Here is a simple three-step process to be the security professional companies are looking for:
Step One: Research the Reasons for the Role
Typically, a new security opening in a company means that something happened. By the time a real job is posted or a recruiter is engaged, there has been some catalyzing event. The first step to getting that job is to research why they’ve decided to post it in the first place. Sometimes the role arises because there is a new and visionary manager or because an existing program has gotten bigger than the team that runs it.
Whatever the case, here’s where to start:
1. Look into the organization to understand the industry it is in and the customers it serves. See if they have had any recent incident disclosures, and check for disclosures or lawsuits involving companies in related markets. Google any new regulations that may be coming their way. Take notes, collect some names and dates, and get acquainted.
2. Look at their executive team and their board. Sometimes change or investment can be sparked by a new CEO, CIO, CFO or CISO coming from another company that invested more heavily in security, or had some security problems of their own. Check out their work history on LinkedIn or Google. Take notes on any media interviews or presentations they may have given, and look for any places where your experiences may overlap. Having a good sense of this will help you better understand how you can make them successful.
Step Two: Develop a comprehensible approach
The companies who have the most interesting jobs with the broadest scope will likely not know very much about the details of security. Helping them understand why you are a great choice first requires that you educate them on what it is you do. Come equipped with a rich description of your own background that is understandable and relevant to the company.
Here are a couple of specific things to do:
1. Become familiar with the language of the industry you are thinking of moving into. Retailers, hospitals, banks, and utilities all have different vocabularies, yet all think about common areas of concern like data breaches, mobile security, and monitoring. When you understand the industry dialect, your discussions will be smoother and it will be clear that you can hit the ground running.
2. Develop your own views on security challenges for companies like the one you are visiting. Are they growing quickly through acquisition and feeling the pains of integration complexity? Take the time to look for industry-specific press mentions of security and note the problems, and solutions that are featured. With this, create your own initial view on how the average company in the space can improve.
Create relevant questions to help you fill in your assessment of the issues, write them down, and have them near you. Avoid making it obvious that you are reading from a script. Don’t look for too much technical detail or information about any security events, because most companies won’t be comfortable sharing it. Ask about the team, the projects, and the rationale behind the creation of the role. Beyond making you unexpectedly prepared for the interview process, you will find that these calls are much more interesting than the usual blather.
If you do this kind of homework, you will not only be better prepared, but also a better candidate. You will also have a head start as you look at any other opportunities in that same industry.
And here is the punchline. This process is great for finding a new gig, but it can also help you reassess the way you are doing the job you have right now. It’s important to better understand your peers and leaders, be sensitive to the business concerns of others in your industry, and flesh-out how you think organizations can improve. Revisit these steps regularly, and if you keep your focus on how you can remain attractive to those that worry more about keeping the doors open than keeping the network ports closed, you will be more than just one of the million.