SecurityRecruiter.com's Security Recruiter Blog

Back from ISSA-LA’s 5th Annual (totally outstanding) Cyber Security Summit

noreply@blogger.com (Jeff Snyder) — Thu, 23 May 2013 19:27:00 +0000

You haven’t seen a Security Recruiter Blog in a few days because I’ve been really busy from early in the morning to late at night for several days. I was invited back to ISSA-LA where I first spoke in September of 2011 to deliver a career development workshop along with a presentation in which I facilitated a very interesting discussion between the members of the Los Angeles CISO forum.

I got to hang out with really smart people from many different industries who taught me about the challenges and opportunities they face every day as CISOs and security practitioners

It wasn't so much what I had to share with the top CISOs in Los Angeles as it was the way they reacted to what I had to share. I discovered that I love to introduce topics that make people think in dimensions in which they are not used to thinking. Here is evidence that just arrived that I added value to at least one member of the CISO forum.

“Hi Jeff, It was a pleasure meeting you yesterday. Your insights regarding other's perceptions of a CISO were spot on. I'm already working on adjusting! I'll contact you sometime in June to discuss my career plans further.”

I already knew from significant past experience that when I discuss my security resume writing methodology that opens doors around the globe with my resume writing clients, I’m frequently stretching linear thinking brains into a three dimensional school of thought with regards to the first impression a resume makes and how one’s personal marketing document can either open a door or keep the door closed. A testimonial that arrived in my Inbox while I was traveling meant too much to me to not share with you so here you go.

“I wanted to write you a quick note to thank you for your help in creating a new resume. The new resume clearly communicates my accomplishments and strengths as an Information Security leader. Your insights into the recruiting and hiring process helped me understand what I need to do to stand out from other candidates. Our conversations allowed me to see things from a unique perspective, which in turn allowed me to create a great new resume. When my wife, who is a teacher, read the resume you and I created together and said "So, that's what you do" I knew right away that your resume writing service was money well spent."

What I discovered with the CISO Forum in Los Angeles is that in the presence of a group of really smart people, my value to the group was to offer a unique point of view that I’ve come to have by surveying the business to determine what the business thinks of security leadership, what the business wants from security leadership and what the business can only wish that security leadership could deliver.

I think security leadership can deliver what the business wants and needs but I also believe that the business generally doesn't understand what security professionals are capable of delivering. This is in part because the security profession all too often communicates in bits and bytes rather than in the language that the business can understand.

This morning I shared a security resume writing discussion with a very smart Information Security Director level professional. When he responded to what I had to share by saying this, I knew he understood what I was trying to say:

“If as a security professional, you are speaking a language the business doesn't understand, how can you expect the business to trust what you have to say?”

This person gets it.

My personal mission is to help security professionals through, security executive recruting, security resume writing, my new website at SecurityJobCoach.com and through our soon to launch SecurityCareerCoach.com and SecurityExecutiveCoach.com to become better aligned with what the business wants, needs, expects and hopes for from the security profession.

The more security professionals align their personal performance with business needs, the higher a security professional’s personal stock value will climb.

Jeff Snyder’s, SecurityRecruiter.com Security Recruiter Blog, 719.686.8810

I’ll Meet You at ISSA-LA on Monday May 20, 2013 if you’re there

noreply@blogger.com (Jeff Snyder) — Fri, 17 May 2013 18:14:00 +0000

Today I’m putting the finishing touches on multiple presentations I’ll be sharing with ISSA-LA and the CISO Forum in Los Angeles on Monday at the Hilton Los Angeles Universal City.

Next Tuesday marks the end of my 23^rd year of recruiting. In that time, I’ve learned a little bit about a lot of different topics and a lot about a few topics. For ISSA-LA, I’ll be sharing what I’ve learned over 23 years about resumes, security career development and what the business expects from a CISO or CSO.

I think I have it figured out! What I’ve figured out is how to help security professionals to communicate their value to the business in language that the business can understand. This initially done through one’s resume. Then, once on the interview stage, a security professional can differentiate themselves from their peers by preparing for an interview in ways that security professionals typically do not.

Here is the latest testimonial that came in from one of my security resume writing clients. This person is an Information Security Leader in a large mutual fund.

Hi Jeff,
I wanted to write you a quick note to thank you for your help in creating a new resume. The new resume clearly communicates my accomplishments and strengths as an Information Security leader. Your insights into the recruiting and hiring process helped me understand what I need to do to stand out from other candidates. Our conversations allowed me to see things from a unique perspective, which in turn allowed me to create a great new resume. When my wife, who is a teacher, read the resume you and I created together and said "So, that's what you do" I knew right away that your resume writing service was money well spent.
Regards,
XXXXXXX

In my first hour session with ISSA-LA, I’ll explain the details behind this testimonial.

In the second session following the resume writing discussion, I’ll discuss what I’ve learned about security career development.

Later in the afternoon, when I speak to the CISO Forum, I’ll be sharing information I’ve acquired through research. I wanted to know what the business perceives it is getting from security leadership. So, I asked the business what it is getting from security leadership. The business spoke. I’ll share these findings with the CISO Forum.

I wanted to know what the business wants, needs, expects and hopes to receive from security leadership. The business told me what it wants, needs, expects and hopes to receive from security leadership. I’ll share these findings with the CISO forum.

If you’re in or around Los Angeles and you can make it to the ISSA-LA Cyber Security Pre-Summit on Monday, just before the big meeting of 600-800 people on Tuesday, please introduce yourself.

Regards,
Jeff

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog 719.686.8810

How to Find the Most Meaningful Employment

noreply@blogger.com (Jeff Snyder) — Thu, 16 May 2013 15:00:00 +0000

Speed Boat or Ocean Liner?

Just over one year ago, I was simultaneously working with a Fortune 500 client on the East Coast while also working with a smaller technology-driven company in Palo Alto, CA that had just gone public. Both had highly paid and highly compelling security jobs to be filled.

Then a month or so later another Fortune 500 company came to me with security recruiting needs. Simultaneously, a company of 200 people that leads the industry with its expertise came to me requiring recruiting assistance.

Recruiting for large and small companies simultaneously is nothing new for me but what was new was the observations I made by working closely with a variety of different people in a variety of different sized companies simultaneously.

If you’re waiting for me to say that small, nimble companies that operate like a speed boat are better in some way than large, slow moving companies that operate like large ocean-going cargo ships; I’m not going to make that assertion.

What I Learned About Me

What became very clear to me is that great people exist in large companies and great people exist in small companies. When you’re looking for a new position, it is your job as a job candidate to determine what kinds of people you want to surround yourself with and then go find a company that contains those kinds of people.

Rather than focusing on large or small companies exclusively, what I discovered is that what matters most to me is whether I’m partnered with people who are responsible, respectful and competent and who operate with high integrity. Anything less than this leads to trouble.

Whether you want to work for a speed boat or an ocean liner doesn't matter. Both kinds of companies can provide meaningful employment. Your assignment either way when you’re looking for a job is to find companies that contain the kinds of people you want to associate with and better yet, the kinds of people you want to partner with.

What I'm Doing Today

Today, I'm working with several Fortune 500 companies. What I learned one year ago is still proving to be true today. The people I most enjoy working with are responsible, respectful and competent and they operate with high levels of integrity.

People who are not respectful, who are not responsible, who are not competent and who have low levels of integrity are not the kinds of people I want to associate with anywhere.

How do you go about evaluating prospective employers? I like to hear about your selection criteria.

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog 719.686.8180

So You Want Top Talent. Do Your Actions Match Your Words?

noreply@blogger.com (Jeff Snyder) — Wed, 15 May 2013 15:00:00 +0000

To Attract Top Talent

When a job candidate is unemployed and is in desperate need of a new job, they might not be highly picky about the interview process. This person after all is out of work and needs a job. They’ll frequently be thrilled that their phone rang and an interview has been granted.

Whether the job candidates you are working with are employed or unemployed, if they are a top-shelf talent and they have options (and they do have options), how the interview process is constructed can make all the difference in the world as to whether a talented person will want to join your team or not.

This is an all or nothing proposition. There are no rewards for coming close to success or for trying hard.

Top Talent is attracted to Top Talent

Let’s say that your company has an articulate, engaging and well-qualified Chief Information Security Officer. The jobs you need to fill are Director level jobs that will report directly to the CISO. The CISO is a busy guy and he doesn't really have time to conduct interviews but he really doesn't have time to not conduct interviews. I’ll explain why.

Let’s Raise the Stakes

You’ve paid a retained search fee to a highly skilled security recruiter to find your Director level talent. Highly specialized recruiters have invested significant time and energy over a period of decades to becoming experts in their recruiting space. You pay part of the highly specialized recruiter’s fee up-front because you sincerely want their time and energy devoted to your project. You put your money where your mouth is.

The recruiter you’ve chosen comes highly recommended, has loads of recruiting testimonials to offer and is an expert in knowing where to find, knowing how to attract, knowing how to evaluate and knowing how to sell highly skilled security, risk, compliance and privacy professionals on opportunities that will be beneficial to their careers.

Assuming that you’ve chosen the right security recruiter, they will be skilled and gifted in ways that you are not. They’ll see things you don’t see. They’ll become your eyes, ears and magnet for talent in the marketplace. The most talented recruiters truly do possess skills and gifts that most companies do not have in-house. Check references and chose this partner wisely.

A highly skilled recruiter is not manipulative in any way. He / she is an expert at asking the right questions to determine what their client really wants and needs. He / she is an expert at absorbing the information that he / she extracted from the CISO and the information he / she derives from being an expert at researching companies. He / she is able to synthesize the abstract pieces of information he / she has accumulated in order to build an honest and compelling picture of the CISO’s opportunities.

People Work and for People and People Leave People

A big mistake is about to occur. Remember the busy CISO, the engaging, highly educated, highly certified, deeply experienced person the Director candidates are contemplating going to work for because the recruiter accurately positioned the CISO in the candidate’s minds? The CISO is now too busy to interview candidates so he delegates.

He delegates to one of his existing Directors who has been at the company for only a few months. A nice person and a highly skilled security professional but he doesn't know how to sell the CISO’s vision and he doesn't know how to sell the company.

The CISO also delegates to another existing Director who has been at the company for 20 years but he / she is an introvert and is very uncomfortable when they first meet new people. The telephone is not his / her friend so the first impression this person makes is not a good one with the highly talented directly recruited top-shelf candidates.

A Huge Mistake Just Happened

Remember engaging a highly specialized recruiter because they possess skills that your company generally doesn't have in-house? You just flushed that investment down the toilet.

A recruited candidate at the Director level will take on a new position because there is opportunity for that individual to grow their career and their skills. Most importantly, they’ll take on the role because they’re sold on working for the CISO. Remember, they were supposed to first meet the CISO who is now too busy for them?

After the recruited candidate meets the highly engaging, highly educated, highly certified and deeply experienced CISO and hears his vision for growing the team, the Director candidate will make a decision to join the CISO in his mission or they’ll decide that they are not compatible with the CISO and they’ll move on. This is what interviews are for.

If the CISO is removed from the front-end of the interview process and Director level candidates are aligned with Director level interviewers and the Director level interviewers haven’t been trained to evaluate and to attract top talent, the game is over.

So You Really Want and Need Top Talent

When you sincerely need top talent and you’re going to invest in a highly specialized recruiter whose references you’ve checked, trust the recruiter do deliver what he / she is an expert at delivering.

If you’ve paid a retained search fee, take advantage of the recruiter you’ve invested in and ask them to help you construct your interview process. Ask your highly seasoned recruiting partner if they see anything in your interview process that might cause a top-shelf candidate to shy away from your company.

Constructing an interview process correctly will make the difference between interviewing top talent and actually acquiring top talent.

Interview Feedback is Critically Important

When you’ve invested in a strategic outside recruiting expert, set up regular feedback for your recruiting partner after interviews have occurred. The recruiter who is a professional sales person has started closing the top talent you’re interviewing when they made their first recruiting call to the candidates you're now interested in potentially hiring.

The recruiter and more importantly, the candidate needs small doses of constant and timely feedback to keep the recruited candidate’s interest in your company on fire.

Ask Yourself and Be Honest

Does your company know how to identify, evaluate and attract top talent?
Does your company have an interview process designed to attract and draw in top talent?
Do you have the right people involved in the interview process in order to attract top talent?

Take Action Today

When you’re really serious about adding the industry’s top information security, cyber security, corporate security, IT risk management, compliance and privacy talent to your organization, you need to call Jeff Snyder at SecurityRecruiter.com. The phone number is 719.686.8810.

A Security Professional’s Integrity Should Never be Questionable

noreply@blogger.com (Jeff Snyder) — Tue, 14 May 2013 15:00:00 +0000

In the very recent past, I completed a security resume writing project with a Senior Information Security Architect in a very large financial services company.

One of the services we offer is to assist people with their resumes. Frequently, our clients tell us that they have difficulty constructing a resume that truly reflects their level of ability to contribute to the business. We help them to present their background and capabilities in a more compelling format from the hiring manager’s perspective.

A week or so ago, it seemed like my security architect client had referred one of his colleagues to me. That apparently wasn't exactly the case. Here is an email I received that shed significant light onto a situation that didn't turn out well for me at all.

Email Subject: Apology for awkward contact

Hi Jeff,

“I've just been made aware that an acquaintance of mine approached you in an unethical way. A week or so ago, after mentioning that I'd hired an excellent resume writer, he suggested that he had a contact for me inside a different company, and asked for my resume which I sent him.

Unfortunately, it looks like he decided to edit my resume and use it as his own, and then, inexplicably, ask you for a free consult. I can't fathom that behavior, and apologize that you were put in that situation. The guy was a complete ass.

It certainly wasn't my intent to send an unethical person your way; I'm thrilled with your product, and strongly believe that many of my peers would benefit from your services. “

Sincerely,
Name Withheld

Not only did this individual do what was just explained he followed up by sending his new resume, the one he had covertly copied, directly to me asking if I might have security jobs to share with him.

At this point I could share my point of view but do I really need to?

As I’ve worked with my clients over the years to place security professionals and as a result of surveying the business to find out what the business wants, needs and expects from the security profession, I can tell you without any doubt in my mind that high integrity is expected from the security profession.

My Security Resume Writing and Security Job Coaching services deliver value globally

This email arrived over the weekend from a highly satisfied security resume writing and security job coaching client:

I am writing to provide you an update on my situation. As I had predicted when we last spoke, the XXXXX interview went well and led to an offer. They provided me with a very generous offer and have great benefits. I have accepted their offer. I will be working in a position titled Senior Service Architect in which I will serve as an intermediary between the customer facing engineers and the security product development team to guide the development of their existing and future security products. This is a role that has a lot of different facets and requires many different skill sets. I look forward to being challenged by it.

I really appreciate your time working with me. Of course, your resume format got me in the door for the initial interview. I also had the enlightening experience of watching some of the in-person interviewers review it for the first time. It worked as you said. They skimmed down the resume and pulled out the headlines. For the headlines they cared about, they then read the blurb. With all the companies I have spoken with recently, I firmly believe that this format helped open doors for me. I also appreciate the time you spent speaking with me and the interest that you showed in me. You provided me with valuable insight into the minds of the employers and human resource personnel and provided me with a perspective I would not have considered on my own.

I hope that we can keep in touch over time because I have greatly valued our conversations. I also look forward to reading your blog posts as I have found them very insightful and beneficial.

Sincerely,
XXXXXXXX

I'd Enjoy Meeting You at ISSA-LA, May 20 and 21st, 2013

ISSA-LA has a huge Cyber Security Summit coming up at the Hilton near Universal Studios in Southern California on Tuesday May 21. I’ve been invited back to ISSA-LA to deliver a 2 hour presentation on Monday May 20 from 10-12 on Security Career Development and then later in the day, I’ll be addressing the CISO Forum.

If you’re able to attend the pre-summit activities from the ISSA-LA chapter on Monday May 20, I’ll be spending a significant amount of time talking in detail about security resumes and security career development.

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog 719.686.8810

Cyber Security News for the Week of May 13, 2013

noreply@blogger.com (Jeff Snyder) — Mon, 13 May 2013 15:00:00 +0000

Cyber Security News of the Week

From our friends at Citadel Information Group

ISSA-LA - Summit V

ISSA-LA Provides Free Admission for Nonprofits to Attend the 5th Annual Information Security Summit: The Los Angeles Chapter of the Information Systems Security Association created a Not-for-Profit Educational Fund so that nonprofit executives and IT staff have free entry to the Fifth Annual Information Security Summit on Tuesday, May 21, 2013 24-7 PressRelease, May 3, 2013

ISSA-LA Offers Fed Employees Discount to Annual Info Security Summit on Cybercrime During Sequester: The LA Chapter of the Information Systems Security Association offers a discount to federal employees in information security positions for attending its Annual Information Security Summit on Tuesday, May 21, 2013, at Hilton Universal City Hotel PRLog, April 19, 2013

Cyber Crime

In Hours, Thieves Took $45 Million in A.T.M. Scheme: It was a brazen bank heist, but a 21st-century version in which the criminals never wore ski masks, threatened a teller or set foot in a vault. The New York Times, May 9, 2013

Hackers Retrieve Personal Data in Washington State: OLYMPIA, Wash. (AP) - The Washington State Administrative Office of the Courts was hacked sometime between last fall and February, and up to 160,000 Social Security numbers and a million driver's license numbers could have been obtained during the data breach of its public Web site, officials said Thursday. The New York Times, May 9, 2013

Cyber Warning

OLD IE ATTACK FINDS ITS WAY INTO COOL EXPLOIT KIT: You cannot accuse the keepers of the Cool Exploit Kit of not recognizing market trends. Given a rash of recent watering hole attacks and zero-day exploits built around Microsoft's Internet Explorer browser, it's no surprise that a 15-month-old IE exploit has been included in the crimeware package. ThreatPost, May 8, 2013

Stealthy Web Server Malware Spreads Further: IDG News Service - A stealthy malicious software program is taking hold in some of the most popular Web servers, and researchers still don't know why. CIO, May 8, 2013

Zero-Day Exploit Published for IE8: Security experts are warning that a newly discovered vulnerability in Internet Explorer 8 is being actively exploited to break into Microsoft Windows systems. Complicating matters further, computer code that can be used to reliably exploit the flaw is now publicly available online. KrebsOnSecurity, May 6, 2013

Cyber Underworld

Hackers sell out and go corporate as cyber crime becomes shift work: Online hackers are leaving surprising clues for cyber sleuths based on the time of their attacks - a trail suggesting the computer criminals are punching a clock for shift work. The WAshington Times, May 9, 2013

Cyber Defense

Google unveils 5-year roadmap for strong authentication: Google unveiled on Wednesday a five-year roadmap for stronger consumer authentication tagging smartphones, long-life tokens, and futurist schemes to harden access controls while striking an unapologetic tone toward users who resist the change. ZDNet, May 9, 2013

PENTAGON DECISION MOVES ANDROID SECURITY FORWARD: Android's security gets its share of grief, but perhaps it's been a bit misguided. Like many other popular open source technologies, there are a number of different flavors of the mobile platform, each with its security properties and nuances. ThreatPost, May 8, 2013

Cyber Security Management

BYOD, or else. Companies will soon require that workers use their own smartphone on the job: Bring-your-own-device strategies are the single most radical change to the economics and culture of client computing in a decade, according to a new study by Gartner. ComputerWorld, May 1, 2013

Cyber Update

A Stopgap Fix for the IE8 Zero-Day Flaw: Microsoft has released an stopgap solution to help Internet Explorer 8 users blunt the threat from attacks against a zero-day flaw in the browser that is actively being exploited in the wild. KrebsOnSecurity, May 8, 2013

Securing the Village

Security Awareness and Developing a Cyber Workforce: Cyber Defense experts from the California National Guard traveled to Kiev, Ukraine to conduct a Cyber Security Familiarization, Awareness and Workforce Development Seminar with the Ukrainian Ministry of Defense Armed Services, 19 - 21 March 2013. United States European Command, May 1, 2013

Cyber Privacy

Apple deluged by police demands to decrypt iPhones: ATF says no law enforcement agency could unlock a defendant's iPhone, but Apple can "bypass the security software" if it chooses. Apple has created a police waiting list because of high demand. Cnet, May 10, 2013

U.S. Weighs Wide Overhaul of Wiretap Laws: WASHINGTON - The Obama administration, resolving years of internal debate, is on the verge of backing a Federal Bureau of Investigation plan for a sweeping overhaul of surveillance laws that would make it easier to wiretap people who communicate using the Internet rather than by traditional phone services, according to officials familiar with the deliberations. The NEw York Times, May 7, 2013

National Cyber Security

Senate Bill Calls For 'Watch List' Of Nations Cyberspying On U.S., Trade Sanctions:China faces increasing political pressure from the U.S. to curb its cyberespionage activity, but legislation not certain DarkReading, May 8, 2013

U.S. Blames China's Military Directly for Cyberattacks: WASHINGTON - The Obama administration on Monday explicitly accused China's military of mounting attacks on American government computer systems and defense contractors, saying one motive could be to map "military capabilities that could be exploited during a crisis." The New York Times, May 6, 2013

Four Cybersecurity Breaches That Could Rattle The World: The cyber-ruffians who briefly tanked the stock market recently by faking a news tweet about an attack at the White House showed how much damage can be done with a few well-placed keystrokes. Those who hacked into a Department of Labor website earlier this week could have wreaked even more havoc, say, if they successfully tweaked the monthly jobs report. Business Insider, May 5, 2013

Critical Infrastructure

Honeypots Lure Industrial Hackers Into the Open: Dummy water-plant control systems rapidly attracted attention from hackers who tinkered with their settings-suggesting it happens to real industrial systems, too. MIT Technology Review, May 8, 2013

Cyber Misc

Trade Sanctions Cited in Hundreds of Syrian Domain Seizures: In apparent observation of international trade sanctions against Syria, a U.S. firm that ranks as the world's fourth-largest domain name registrar has seized hundreds of domains belonging to various Syrian entities, including a prominent Syrian hacker group and sites associated with the regime of Syrian President Bashar al-Assad. KrebsOnSecurity, May 8, 2013

Syria, and Pro-Government Hackers, Are Back on the Internet: Syrian Internet and cellphone access resumed Wednesday morning after an Internet failure pulled the company offline Tuesday. The New York Times, May 8, 2013

Securing the Village - Events Calendar

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join 800 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog 719.686.8810

Recruiting IT Talent is Different than Recruiting Information Security Talent

noreply@blogger.com (Jeff Snyder) — Thu, 09 May 2013 20:38:00 +0000

Information Security Talent is Difficult to Recruit

A CISO reached out to me today based on a referral from one of his trusted peers to me. At the outset of the call, the CISO of this Fortune 200 company told me that for the past 6 to 8 months, in attempting to fill information security jobs in his organization, his internal recruiting team has made the assumption that security recruiting can be done the same way they approach the task of recruiting a Java Developer or an Oracle DBA.

This company has a huge brand name and they’re used to having large talent pools to pick from when they attempt to fill most of the company’s jobs. Filling information security jobs is different and the CISO needs help.

The CISO went on to tell me that his positions are still open after 8 months and he has no hope in sight of getting his jobs filled. This of course was music to my ears because I’ve wanted to do business with this company for over a decade. To their credit, this company doesn't normally have to pay search fees because they have large candidate pools to pick from for most of their open positions.

IT Recruiting is Different from Security Recruiting

Many companies that I’ve run into treat information security as if it is just like IT. My recruiting career started out in 1990 focused on IT recruiting. While security recruiting might seem like a subset of general IT recruiting, I’ve encountered many companies that have figured out that filling security jobs requires a unique understanding of where technology, interpersonal traits and business needs intersect that doesn't necessarily apply to IT in general.

Knowing The Right Questions to Ask is Key

On many occasions I’ve filled CISO jobs that were open for 6 to 18 months once I was given access to key stakeholder decision makers.

Knowing the questions that need to be asked at the outset of a CISO search requires a unique skill set.
Knowing how to align stakeholder decision makers expectations around a CISO hire requires a unique skill set.
Understanding how to write a CISO job description that accurately captures the needs of a company and displays what’s in it for the candidate information requires a unique skill set.
Understanding how to build an interview process to evaluate a prospective CISO's fit with a company's business culture and a company's unique risk culture requires a unique skill set.

When your company has strategic cyber security jobs or information security jobs to fill, don’t make the mistake that the Fortune 200 Company that the CISO called me from has made.

Recruiting information security talent is different than recruiting IT talent.

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog 719.686.8810

Is the “Black Hole” caused by inflated egos and speed reading?

noreply@blogger.com (Jeff Snyder) — Wed, 08 May 2013 17:23:00 +0000

Is the “Black Hole” caused by inflated egos and speed reading?:

'via Blog this'

To put this title into perspective, this article was written the Director, Client Relations & Sales, Employer Marketing at The Ladders, an employment website.

Every once in a while I use a free posting slot on The Ladders when I have a high-level position to fill. I use the slot mostly for branding and marketing to get my SecurityRecruiter.com name out there and place nearly no hope in the idea that a posting on The Ladders will actually generate a great candidate to fill my security jobs.

This isn't because there aren't highly talented people using The Ladders from a candidate perspective. This is because nearly every resume that is brought to my attention through The Ladders is off the mark. The shotgun approach to responding to jobs does not work yet most of The Ladders users to send resumes in my direction continue to use the shotgun approach.

What is a resume and what does a resume do?

In a recent Security Recruiter Blog that I wrote entitled "What is a resume and what does a resume do?", I wrote about "The Deep Dark Black Hole Where Resumes go to Die". I wasn't trying to be funny when I wrote about the black hole.

This article from The Ladders might help a job seeker to understand what what a recruiter is up against when they post a job.

Security Resumes

Although my resume writing skills are transferable to any skill discipline because a resume is a personal marketing document designed to quickly communicate from the resume's owner to the resume reader what the resume owner is great at delivering professionally, I have chosen to focus my energy on assisting the security profession with security resume writing.

The security profession around the globe is hurting itself by way of the quality of communication that is floating around in security resumes. Security professionals tell me that they want to be part of the strategic decision making team in every company. However, when most security professionals send a resume, they send a resume that is anything but strategic, clear, clean and logical.

Most security resumes that cross my desk fail to communicate accomplishments, contributions and value.

Stop Contemplating...Take Action

If you're a security professional and you want to stand out from the crowd, you need a resume that can easily be understood and consumed by someone who does not understand what you do.

I specialize in helping my security skilled clients in both corporate security and information security to create resumes that speak clearly to the audience the resume will be presented to.

If resume writing has ever challenged you, call me. My client's resumes are opening doors around the globe.

Jeff Snyder, SecurityRecruiter.com 719.686.8810

Ira Winkler on why cybersecurity degrees are worthless

noreply@blogger.com (Jeff Snyder) — Mon, 06 May 2013 18:36:00 +0000

Ira Winkler on why cybersecurity degrees are worthless:

'via Blog this'

This is a 12.5 minute video that gives a perspective on college degrees in cybersecurity. If you're considering a degree and you want to enter the information security profession, these thoughts might be helpful to your decision when it comes to what kind of degree to pursue.

Jeff Snyder's SecurityRecruiter.com Security Recruiter Blog 719.686.8810

Cyber Security News for the Week of May 6, 2013

noreply@blogger.com (Jeff Snyder) — Mon, 06 May 2013 16:51:00 +0000

Cyber Security News of the Week

From our friends at Citadel Information Group

ISSA-LA

Healthcare HITECH Privacy and Security Summit Provides Critical Compliance Content: Healthcare providers must comply with a new HIPAA/HITECH rule by September 23. This critical set of rules provides for additional safety and security for healthcare data, and experts will be on hand in Los Angeles on May 21 to provide important guidance. PRWeb, May 3, 2013

Cyber Crime

Systems Manager Arrested for Hacking Former Employer's Network: IDG News Service - A 41-year-old man was arrested for allegedly disrupting his former employer's network after he was passed over for promotions, leading him to quit his job and take revenge, the U.S. Federal Bureau of Investigation said. CIO, May 3, 2013

Reputation.com notifies customers of network attack: A company known for burying bad information to improve its customers' online images let everyone know this week its network was hacked. Reputation.com sent e-mails to thousands of customers in more than 100 countries to let them know of the attack. ThreatPost, May 2, 2013

Wash. Hospital Hit By $1.03 Million Cyberheist: Organized hackers in Ukraine and Russia stole more than $1 million from a public hospital in Washington state earlier this month. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years. KrebsOnSecurity, April 30, 2013

Cyber Espionage

Chinese Cyberespionage: Brazen, Prolific, And Persistent: China, China, China: New data and intelligence is shedding more light on just how bold and pervasive Chinese cyberespionage activity is today. DarkReading, April 30, 2013

Cyber Warning

DHS: 'OpUSA' May Be More Bark Than Bite: The U.S. Department of Homeland Security is warning that a group of mostly Middle East- and North Africa-based criminal hackers are preparing to launch a cyber attack campaign next week known as "OpUSA" against websites of high-profile US government agencies, financial institutions, and commercial entities. But security experts remain undecided on whether this latest round of promised attacks will amount to anything more than a public nuisance. KrebsOnSecurity, May 2, 2013

MORE MALWARE SHOWING UP ON FAKE SOURCEFORGE WEB SITES: Malware developers continue to clone SourceForge Web sites that appear to offer the source code for popular gaming software but are actually peddling malicious code tied to the ZeroAccess Trojan. ThreatPost, April 30, 2013

Online Bank Fraud

Banks targeted by 'mind-boggling' online scam: Britain's major banks have been targeted in a "mind-boggling" online scam potentially affecting record numbers of customers. E&T, May 1, 2013

Cyber Privacy

Spy Court OK'd all U.S. Wiretap Requests it Received in 2012: A special court established to review government requests for warrants to conduct electronic surveillance of suspected foreign spies received close to 1,900 warrant requests last year - all of which it approved. CIO, May 3, 2013

Cyber Defense

Samsung Smartphones, Tablets Running Knox Get U.S. Defense Department Approval: Samsung said Friday that its smartphones and tablets running its Knox security and management software have been cleared for use on the U.S. Department of Defense network. CIO, May 3, 2013

Got Malware? Three Signs Revealed In DNS Traffic: Companies focus much of their energy on hardening computer systems against threats and stopping attempts to breach their systems' security, and rightfully so. However, companies should always assume that the attackers have already successfully compromised systems and look for the telltale signs of such a breach. DarkReading, May 3, 2013

Cyber Security Management

La Vie En ROSI: With very few exceptions, there is really nothing in security that gives you a return on investment. Unless you're selling them, security technologies almost never make you any money - what they're there for is loss avoidance. Now, you may be able to achieve that loss avoidance by spending a lot of money, or by spending a little money; and if you manage the latter, then yes, you have parlayed a cost savings into another cost savings. But that's not the same as investing some money and watching it grow in value. DarkReading, May 3, 2013

The Art of Cyber War: Boardroom threat level rising: A closer look at how vulnerability in cyber space is redefining national security, enterprise risk, intellectual property, and oversight. NACD, May 3, 2013

The 7 elements of a successful security awareness program: CSO - When we were asked to keynote a recent CSO event, it was a pleasant surprise that the top concern of the CSOs was "security culture." From performing many security assessments and penetration tests, it is sadly obvious that even the best technical security efforts will fail if their company has a weak security culture. It is heartwarming that CSOs are now moving past straight technological solutions and moving towards instilling a strong security culture as well. [NB: Author Ira Winkler Delivers Luncheon Keynote at ISSA-LA 5th Annual Summit. May 21. Universal City.] NetworkWorld, May 1, 2013

LivingSocial Breach Scope Widens on Finding of 60% Sharing Logins: If having to reset 50 million passwords was not enough to worry about, Dashlane has found that about 60 percent of LivingSocial members reuse their passwords at other sites. CIO, May 1, 2013

National Cyber Security

US and UK to increase cybersecurity cooperation: As the militaries of the United States and Britain purchase more and more of the same networked hardware, most notably the F-35 Joint Strike Fighter (above), the two nations are increasing collaboration in cyber warfare, according to a Pentagon official. Foreign Policy, May 3, 2013

US military secrets leaked to Chinese hackers for three years: A US military contractor was allegedly hacked by those associated with the Chinese military. The company reportedly ignored signs of security breaches, allowing hackers to access military technology and classified documents for three years. RT.com, May 3, 2013

China's Cyberspies Outwit Model for Bond's Q: Among defense contractors, QinetiQ North America (QQ/) is known for spy-world connections and an eye- popping product line. Its contributions to national security include secret satellites, drones, and software used by U.S. special forces in Afghanistan and the Middle East. Bloomberg, May 1, 2013

Critical Infrastructure

ICS-CERT REVISES RECOMMENDATIONS TO AVOID SHAMOON INFECTIONS: Most publicly known malware attacks are disruptive in nature, for example causing the interruption of online banking services or taking websites temporarily offline. Few attacks cause actual physical damage to computers where hard drives are damaged and data lost or destroyed. ThreatPost, May 3, 2013

Dam! Sensitive Army database of U.S. dams compromised; Chinese hackers suspected: U.S. intelligence agencies traced a recent cyber intrusion into a sensitive infrastructure database to the Chinese government or military cyber warriors, according to U.S. officials. The Washington Times, May 1, 2013

Cyber Survey

PandaLabs Q1 Report: Trojans Account For 80% Of Malware Infections, Set New Record: In addition, China is the world's most infected country with more than 50 percent of all computers riddled with malware DarkReading, May 3, 2013

Cyber Misc

We rooted Wii U encryption and file system, says hacker group: The hacking group responsible for one of the first major modchips for the original Wii claims to have successfully reverse-engineered the pieces necessary to run copies of Wii U games from external USB hard drives. are technica, May 1, 2013

Developer Warns Of Google Glass Security Risks Following His Jailbreak Exploit: If the notion of an intruder hacking into your smartphone or PC seems disturbing, just imagine an even more personal sort of privacy breach-a hacker who gains full access to your sight. Forbes, April 30, 2013

Cyber Sunshine

Alleged SpyEye Seller Bx1 Extradited to U.S.: A 24-year-old Algerian man arrested in Thailand earlier this year on suspicion of co-developing and selling the infamous SpyEye banking trojan was extradited this week to the United States, where he faces criminal charges for allegedly hijacking bank accounts at more than 200 financial institutions. KrebsOnSecurity, May 3, 2013

Securing the Village - Events Calendar

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog 719.686.8810

Top Talent is attracted to Successful Companies: An HR Director’s Perspective

noreply@blogger.com (Jeff Snyder) — Fri, 03 May 2013 15:00:00 +0000

On Wednesday, I wrote “Hiring Top Talent? How Is Your Interview Process Structured?” because I’m becoming more and more passionate about helping my clients to win the battle for talent.

A former HR Director client of mine read my blog and sent me a note. Mike Salisbury form the Human Resource Alliance shared with me that although he appreciated my article, one perspective that was nagging him that I didn't cover was this:

“Often times, people with talent are attracted to organizations that are successful rather than becoming attracted to companies that they can make successful. “

Mike is one of those people in my life whom I deeply appreciate because he challenges my thinking and frequently comes up with perspectives I might not have thought of or I might not have considered. I like to be challenged in this way.

Just before speaking with Mike, I shared a call with the CEO of a professional services firm. In that call, I probed to find out what the CEO had in mind for an interview process. His ideas were loose so I added some ideas to the table that caused the CEO to want my help to tighten up his interview process. This CEO wants to win and he won't settle for anyone who doesn't already win. He is confident that a top 20% performer will want to be part of his vision. I suggested to the CEO that needs to be ready to articulate his vision. By doing so, he'll push his company ahead of his competition very quickly. He had no problem accepting my challenge.

This articulation will connect with someone I’ll eventually recruit who falls into the top 20% category.

I have to agree with Mike. Some people see challenge and opportunity in turning around or fixing organizations. Other people will only be attracted to organizations that are already running on all cylinders when they walk in the door.

The next time you interview for security jobs, know ahead of time whether or not you will enjoy fixing things or whether you prefer for the house to be in order before you arrive. Once you know this, you can do a better job of interviewing your prospective employer.

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog 719.686.8810

Jeff Snyder's Weekly Look Into What Makes a CISO / CSO Successful

noreply@blogger.com (Jeff Snyder) — Thu, 02 May 2013 19:23:00 +0000

A very busy Financial Services CISO shares his thoughts regarding what it takes to be a successful CISO.

1. A CISO must excel in negotiating skills. The ability to convince and negotiate a solution is a critical skill, especially in today's business environment where "getting it done, now, and cheaply" appears to rule business and risk decisions.

2. The ability to see beyond the technical issues to the couch presentations in tangible, quantifiable risks and rewards can be the difference between success and failure.

Care to Contribute?

If you are a CISO or CSO and you would like to contribute your thoughts, please call me so I can explain to you what I'd like to deliver to readers.

Jeff Snyder's SecurityRecruiter.com Security Recruiter Blog 719.686.8810

Security Jobs: Information Security Operations Analyst, University Environment, Somerville, MA

noreply@blogger.com (Jeff Snyder) — Thu, 02 May 2013 02:14:00 +0000

Information Security Operations Analyst

Somerville, MA

The university-wide service organization is dedicated to the strategic planning, implementation, and support of technology systems and services that anticipate and meet the academic, research, and business needs of the university community. Our team offers technical leadership and services to our customers with a focus on providing innovative solutions, delivering exceptional customer service, and creating a reliable infrastructure that demonstrates value to the students, faculty, staff, and alumni. Our team works in partnership with schools, business units, and other academic support organizations to provide campus-wide services in the areas of academic and research technology, enterprise application systems and services, networking and telecommunications, information security, data center operations, and user support, training and outreach.

Reporting directly to the Chief Information Security Officer, the Information Security Operations Analyst works closely with the security team, partners with clients to prevent, detect, respond and recover from security incidents and drives good stewardship over institutional information resources. Primary responsibilities include centrally developing and maintaining a distributed suite of operational support services including infrastructure and application security vulnerability assessment and reporting, security event collection, monitoring and correlation, intrusion prevention and providing architectural and other security oriented consulting services to the community. Additional responsibilities include developing and maintaining cost-effective software automation tools and business processes to manage operational workflow, prototyping new IT security products and services, transferring operations to other groups within the team. The position also provides direct incident response and digital forensic services as may be required.

Basic Requirements:

Bachelor's degree
Three to five (3-5) years in a technical role with security monitoring, analysis, software development or support experience within a team environment
Highly advanced PC / Mac / Unix and related application experience, including the ability to effectively use Office, Visio and Project, and demonstrable experience with scripting tools to automate procedures or software development.
Excellent written and verbal command of the English language, strong interpersonal communications, motivational and team building skills, the ability to relay technical concepts to non-technical audiences in a business context, the ability to work effectively both independently and in team environments, and the ability to effectively respond to urgent service requests.
An employee in this position must complete all appropriate background checks at the time of hire, promotion, or transfer.

Preferred Qualifications:

Previous security consulting
Experience with HP Arcsight
Experience with intrusion prevention, distributed differential vulnerability assessment and ongoing report generation
Certifications (CISSP, GIAC, etc.)
Familiarity with non-profit or academic environments, including related compliance issues and enterprise applications (Oracle, PeopleSoft, etc.)

Special Work Schedule Requirements:

Occasional work on weekends and after hours is required as needed.

Apply for this position directly with the employer on he Security Jobs page of SecurityRecruiter.com: http://misjobs.com/cgi-bin/securityrecruiter/showjob.cgi?actiontotake=ShowRecord&JobID=200158

Hiring Top Talent? How Is Your Interview Process Structured?

noreply@blogger.com (Jeff Snyder) — Wed, 01 May 2013 21:54:00 +0000

If you’re building a team of average performers and those average performers will report to an average manager, having an average interview process in place might work out just fine. If this is the case, this body of thought won’t be worthy of reading.

However, when you’re looking for performers who perform at the top of the Bell Curve, your interview process needs to be much more carefully developed and adapted to the mindset of a top performer.

Birds of a Feather Do Flock Together

For example, when you’re recruiting at a level where you expect desirable candidates to have vision and you’re expecting desirable candidates to have futuristic ideas, you can’t align these candidates with average performers on your staff during the opening rounds of an interview or on the job when they join your team.

Just as candidates make a first impression when they step into an interview, top performers are evaluating the person or the team of people who are interviewing them and they form their own first impression. Top performers have options. Top performers want to be led by a top performer and they want to be surrounded by top performers just like great high school athletes will decide where to play a college sport based on the quality of talent they perceive they'll be joining on a team.

Hiring a Director

If you are a CISO or CSO and your hiring target is a Director, the candidates your company is recruiting will want to know who they’ll be working for and they’ll need to know how working for a particular boss is going to benefit their career. In other words, what’s in it for them to come to work for YOU? Security Jobs are plentiful in today's market.

The Job Description

Chances are very high that the job description your company put on the street to attract Director candidates did a great job of describing what your company wants, need and expects in a candidate. However, the same job description very likely did little to nothing to explain what’s in it for a top performer to come to work in your organization and for the particular boss they’ll come to work for.

Don't Be Too Busy For Top Performers

Because the CISO or CSO is very busy, there may be a temptation to have a Director level candidate interview with Director level peers. This seems like the natural thing to do. If the Director level candidate who walks in the door is a top performer and the Director level peers involved in the interview process are average performers, the candidate’s first impression will be an average impression even if a dynamite CISO is sitting somewhere down the hall. Your interview process just died a sudden death.

Try This Approach

If you’re a CISO or CSO and you are performing at the top of your game, you are a greater asset to your interview process than your company’s name, brand and reputation. In fact, you're your biggest strategic advantage when it comes to attracting and acquiring talent. As busy as you are, you need to carve out time to invest 20-30 minutes with a Director level candidate to determine if there is first impression mutual chemistry.

This Really Does Work

I’ve recently had a top-shelf CISO reluctantly carve out 30 minutes of his time to interview the top-shelf candidates I’m directly recruiting for him. This CISO is smart, seasoned, warm and engaging and so far, every candidate I’ve put on the phone with this CISO has come back to me with glowing feedback. One candidate even told me that his impression of the CISO was stronger than the preparation I gave him before he met the CISO. The candidates who've encountered this CISO can’t wait for the next step.

How Are You Arranging Your Playing Field?

Are you setting your company up to acquire average talent or top talent? There’s more to it than simply writing a job description and posting it to a job board.

SecurityRecruiter.com clients are introduced to the industry’s top security, risk management, compliance and privacy talent every day. How? We primarily reach talent through direct recruiting.

Direct recruiting puts us in touch with the 80% of the talent pool that is not actively looking for a new security job at the time of our call. From the 80% of security professionals who are not looking, we’re able to get to the 20% who make up the top talent on the Bell Curve.

Don’t take my word for it:

“I reached out to Jeff through a recommendation of a fellow security professional. We were hiring three positions at the time including my new boss who would be the CISO of our organization. Jeff took the time to understand me and set up dedicated calls with key personnel in our organization to include our CIO and the Head of Recruiting. Through his hard work, Jeff filled all three of our positions, providing us a wonderful diversity of backgrounds to support our organization. The best part was the people. CyberSecurity is a tough role in any organization, but my colleagues and I have a wonderful foundation of trust and experience I am looking forward to building upon.”

As much as I appreciate this reference, what it didn't say is that a total of 5 candidates were sent from SecruityRecruiter.com to this client to fill the 3 jobs mentioned in the reference. There was an intelligent process in place that was built to attract, catch and reel in top performers.

How can SecurityRecruiter.com help you?

Jeff Snyder’s Security Recruiter Blog 719.686.8810

Hiring In-Demand Professionals? If You Snooze, You Could Lose

noreply@blogger.com (Jeff Snyder) — Tue, 30 Apr 2013 18:00:00 +0000

When I started recruiting IT professionals back in 1990, my boss at the time pulled me into his office one day and explained how “Time Kills All Deals”. I was a brand new recruiter in 1990 so the timing of Brad’s message in my ears didn't mean much. As a seasoned security recruiter, I now know more about what Brad tried to explain to me 24 years ago than I ever wanted to know.

Time Kills All Deals

I’ll soon start my 24^th year of recruiting later this month. I could now write a book on the meaning of “Time Kills All Deals” when it comes to acquiring top talent. I live through this horror story far too often.

The book would be full of sad stories and would be one in which I would write about real stories describing employers who had good intentions but who frequently failed to hire the talent they wanted because they either had no process built around the action of hiring or their process was long and drawn-out. Long and drawn-out enough for even a passive candidate who wasn’t looking for a job when I first called them to become an active candidate who finds other interesting companies that have moved faster than my clients.

I don't think this book would sell very well.

What If Hiring Managers Were On The Clock?

Last week I caught a few minutes of the NFL 2013 draft. For a moment, I thought about what it would be like if the companies I recruit for were on the clock just like the coaches and owners of my beloved Pittsburgh Steelers were on the clock to make draft decisions.

That will never happen but for a moment, I caught myself daydreaming about how much more fun recruiting could be if my clients were all on the draft clock. If you snooze on NFL draft day, you definitely lose out on the picks you wanted to make.

Job Candidates Are Like Bananas

Instead of writing a book about what goes wrong in the hiring process, I’d rather put my energy into writing a book that gives play-by-play examples of companies I’ve been fortunate to work with that don’t snooze and lose. There’s an idea!

As recently as Friday, I explained to an overwhelmed CISO client how the lifespan of a recruited candidate’s interest in a new job lasts about as long as the lifespan of a banana when you bring it home from the grocery story. This CISO is really smart. By simply bringing up the idea that candidates are like bananas, I shifted his paradigm of thinking from his busy schedule to a discussion in which he could laugh at me and himself.

I like to eat bananas before and after hockey games. I play hockey 2-3 times per week so I consume a lot of bananas. When I buy bananas, I like to buy them when they’re still mostly green. I’m picky about my bananas since I eat so many of them. It takes only 24-48 hours before a bunch of mostly green bananas turn yellow. For my taste preference, just when the banana is starting to turn yellow is when I like to consume them. My wife of course disagrees. She prefers bananas that are bright yellow and even likes them when the spots start to appear.

When the brown spots show up, the banana starts to soften. Approximately 48 to 72 hours later, the lightly spotted banana is so soft and spot covered that I no longer enjoy the taste. This all happens in a week’s time.

I sat here one day trying to come up with an analogy that everybody could understand to explain the lifespan of a job candidate’s interest level when they’ve gotten excited about the potential of a new job. As goofy as it is, the lifespan of a banana when it leaves the store and lands on my kitchen counter is very similar to the psychological lifespan of a candidate who is excited about a job opportunity.

It only takes a week with no communication to a job candidate before their interest in a newly presented job starts to diminish. If you’re a hiring manager, think of the lifespan of a banana when you’re interviewing job candidates. Put yourself in the shoes of the job candidate and I’ll bet that after a week of silence, your candidates will start to wonder if your company is the right company for them. This happens in my world all the time and it is a very simple mistake to fix that will cost nothing in the sort-run but pays dividends in the long-run.

A Process Wrapped Around Talent Acquisition

Does your company want top talent? If so, you need a well-defined talent acquisition process. Without a well-defined process, you’ll frequently be asking yourself what just happened when a company that values talent acquisition more strategically than yours does keeps beating you to the industry’s best talent.

Jeff Snyder’s SecurityRecuiter.com Security Recruiter Blog 719.686.8810

Security Jobs: Regional Secuirty Manager, Sao Paulo, Brazil

noreply@blogger.com (Jeff Snyder) — Tue, 30 Apr 2013 03:43:00 +0000

Regional Security Manager, Sao Paulo, Brazil

Company: Client of SecurityRecruiter.com

Location: Sao Palo, Brazil

Type: Full Time

SecurityRecruiter.com has been engaged by a long-standing client to identify a Regional Security Lead in Sao Palo, Brazil. This person will support a region that is comprised of 2,500 employees working at over 35 sites.

The chosen candidate will be responsible for the management of systems and programs designed to protect employees and corporate assets. The responsibilities of the Security Lead include: Protecting People, Conducting Investigations, and Protecting Assets, Intelligence issues and Program Management and Intellectual Property protection.

The current team includes two Security Specialists and outside contract security staff. This position requires bi-lingual speaking and writing abilities in English and Portuguese.

The successful candidate will be responsible for:

• The physical security for all facilities and personnel located in the Brazil region

• Establishing policies and procedures related to this regional area of responsibility
• Implementing Brazil regional brand protection strategies to prevent or minimize product counterfeiting of company brands
• Implementing Brazil supply chain protection strategies to prevent or minimize product theft of company brands
• Conducting security vulnerability assessments of facilities and operations
• Conducting and managing investigations in conjunction with other business units and law enforcement authorities worldwide
• Preparing well documented investigative and security assessment reports
• Overseeing the budget and expenditures of the above areas of responsibility
• Providing global response to crises or other matters of importance to the company or the department
• Establishing and maintaining liaison with the law enforcement and military community
• Establishing training and security programs for employees
• Maintaining liaison with and providing professional consultation to the corporate leadership of the region
• Collecting and disseminating intelligence related to activists, criminal exploits, or other matters relating to the security and well-being of the company and employees
• Providing direct involvement with executive protection movements as a responsible representative of the Global Security department participating in the advance preparations, protection responsibilities in proximity to the designated company officer, or other functions as necessary.

Requires:

This role requires an individual who has a broad range of skills and knowledge in the security field.

The successful candidate will have a Bachelor’s degree. A Masters or other advanced degree would be beneficial.

Verbal and written proficiency in English as well as Portuguese is required. This position will require extensive domestic and international travel and international experience is highly preferred.

A minimum of ten years of prior experience is required as a corporate security professional and / or as a law enforcement agent with a state, federal or international law enforcement organization.

The successful candidate will demonstrate proven experience as a team leader, as he/she will be expected to retain and develop the team in Brazil, currently comprised of two Security Specialists.

The successful candidate must have excellent interpersonal and communication skills, and be able to prepare documentation for submission to corporate leadership or governmental agencies without supervision.

The successful candidate must demonstrate:

• Extensive experience in evaluating and implementing physical asset protection

• Extensive experience in conducting and managing complex criminal and civil investigations
• Specialized experience in Intellectual Property, Supply Chain and Brand Protection matters
• Experience in conducting witness, victim and suspect interviews
• Extensive experience in conducting vulnerability assessments
• The ability to prepare clear and succinct written communications
• People management experience
• Experience in conflict resolution, workplace violence, negotiations, threat analysis and developing risk analysis of human behavior
• The ability to work under pressure in stressful, high profile, sensitive, and life threatening situations
• The ability to physically handle the tasks of: physical arrests, physical protection, field surveys and protection response by being in exceptional physical condition
• Experience in executive protection including protection surveys and advance preparations is desirable.

Successful completion of a post offer fitness test is required for employment in this position.

Apply to this job on SecurityRecruiter.com at: https://www.securityrecruiter.com/submit_resume_and_profile.php

Jeff Snyder's SecurityRecruiter.com Security Recruiter Blog 719.686.8810

Regional Security Manager, Brazil

Compensation: Mid $100s USD

Relocation: Yes

Education: BA/BS, Masters Preferred

Cyber Security News for the Week of April 29, 2013

noreply@blogger.com (Jeff Snyder) — Mon, 29 Apr 2013 17:21:00 +0000

Cyber Security News of the Week

From our friends at Citadel Information Group

Cyber Crime

Cyberattackers hack into LivingSocial, 50 million customers impacted: LivingSocial, the daily deals site owned in part by Amazon, has suffered a massive cyberattack on its computer systems, according to officials at the company. USA Today, April 26, 2013

Sources: Tea Leaves Say Breach at Teavana: Multiple sources in law enforcement and the financial community are warning about a possible credit and debit card breach at Teavana, a nationwide tea products retailer. Seattle-based coffee giant Starbucks, which acquired Teavana late last year, declined to confirm a breach at Teavana, saying only that the company is currently responding to inquiries from card-issuing banks and credit card brands. KrebsOnSecurity, April 22, 2013

Cyber Attack

Hackers compromise AP Twitter account: Hackers compromised Twitter accounts of The Associated Press on Tuesday, sending out a false tweet about an attack at the White House. CBS News, April 23, 2013

Syria's pro-Assad hackers are hijacking high-profile Twitter feeds: The Syrian Electronic Army, an informal network of hackers who wage cyberwar in support of the Syrian government and President Bashar al-Assad, have found yet another way to harass Western Web users. Hackers identifying as part of the Syrian Electronic Army have hijacked a series of Twitter feeds over the last few weeks. The targeted feeds tend to be associated with Western organizations, particularly ones that somehow cover Syria. The Washington Post, April 22, 2013

Cyber Underworld

BRAZEN CRIMEWARE MARKETING BRANCHES OUT TO SOCIAL NETWORKS: The secrecy of underground forums where financial malware and crimeware kits are traded is well guarded, to the point that few are able to penetrate them without some kind of internal sponsor. Here, criminals value their privacy as much as those from whom they steal. ThreatPost, April 26, 2013

MALWARE C&C SERVERS FOUND IN 184 COUNTRIES: In an attempt to better evade detection, cybercriminals are increasingly configuring their command and control infrastructure in such a way that initial malware callbacks communicate with a server located in the same country as the newly infected machines. ThreatPost, April 23, 2013

Cyber Warning

Hackers increasingly target shared Web hosting servers for use in mass phishing attacks: Cybercriminals increasingly hack into shared Web hosting servers in order to use the domains hosted on them in large phishing campaigns, according to a report from the Anti-Phishing Working Group (APWG). ThreatPost, April 26, 2013

VULNERABILITY IN VIBER FOR ANDROID ENABLES LOCK SCREEN BYPASS: Another day, another smartphone lock screen bypass vulnerability. ThreatPost, April 25, 2013

Fireeye Finds Gh0stRAT Cyberespionage Campaigns Continue: Many advanced persistent threat attacks use the malware, believed to have been developed in China CIO, April 24, 2013

Researcher's Serial Port Scans Find More Than 100,000 Hackable Devices, Including Traffic Lights And Fuel Pumps: You probably remember serial ports as the ancient nine-pin plugs you once used to hook up your mouse or joystick to your computer in the pre-USB dark ages. But tracking down devices that still use serial port connections isn't so hard, it seems. In fact, according to H.D. Moore, any hacker can find-and tamper with-more than 100,000 of them over the Internet, including critical systems ranging from traffic lights to fuel pumps to building heating and cooling systems to retail point-of-sale devices. Forbes, April 23, 2013

JAVA SANDBOX BYPASS DISCOVERED THAT BREAKS LATEST UPDATE: Optimism and praise followed last week's Java critical patch update. Oracle not only patched 42 vulnerabilities in the Java browser plug-in, but also added new code-signing restrictions and new prompts warning users when applets are potentially malicious. It took less than a week, however, to deflate any good will toward Java that resulted. ThreatPost, April 23, 2013

New Malware Hijacks Twitter Accounts for Financial Fraud: Cyber criminals are always looking for new ways to avoid detection, escape cyber sleuths, and carry out their cyber crimes. So it shouldn't be surprising that malicious hackers are now taking advantage of social media. A newly discovered malware, designed to gain access to users' banking credentials, uses Twitter to spread itself and reach more victims. Mashable, April 22, 2013

Cyber Threat

Businesses Face Growing Threat From Hackers: With government scrambling to fight cyber threats, the private sector sees a growing need to protect itself. US News and World Report, April 26, 2013

New Research Shows Remote Users Expose Companies To Cybercrime: BROOMFIELD, Colo., April 23, 2013 /PRNewswire/ - Results of new remote access security research show half of companies with a remote workforce had their websites compromised in 2012, over a third had passwords hacked, and twice as many companies with remote users were victims of SQL injection attacks. DarkReading, April 23, 2013

Hacktivists Change Tactics From Data Breaches to Disruption: Verizon: The amount of data hacktivists stole plunged in 2012 as politically motivated hackers focused more on DDoS, but state-sponsored attackers and cyber-crooks picked up the slack. eWeek, April 23, 2013

Cybercrime's easiest prey: Small businesses: A data breach investigations report from Verizon (VZ, Fortune 500), released Tuesday, showed that small businesses continue to be the most victimized of all companies. CNN, April 23, 2013

Report: DDoS Attacks Getting Bigger, Faster Than Ever: Distributed denial-of-service (DDoS) attacks are steadily increasing in size and speed, creating new problems for enterprise defenses, according to a study published today. DarkReading, April 22, 2013

Online Bank Fraud

Lawsuits Bring Clarity To SMBs In Corporate Account Takeovers: Small businesses have had millions of dollars stolen from their accounts by online thieves; court cases have started creating a clear picture of responsibilities. DarkReading, April 22 2013

Cyber Security Management - Cyber Defense

Tech Insight: Time To Set Up That Honeypot:Many companies are simply doing security wrong. While they might have perimeter security nailed down, they are probably failing at securing their workstations from insider abuse or have no true visibility as to what's going on within their internal networks. DarkReading, Apri 26, 2013

Social engineering in penetration tests: 6 tips for ethical (and legal) use: Social engineering techniques are often crucial to executing penetration tests. But which methods cross the ethical line - or even venture into the dangerous territory of illegal? CSO, April 23, 2013

Cyber Security Management

Many Hacked Businesses Remain Unprepared For The Next Breach: New Ponemon report finds three-fourths of hacked organizations either have had or expect to have a breach that loses them customers and business partners DarkReading, April 24, 2013

Cyber Privacy

It's privacy versus cybersecurity as CISPA bill arrives in Senate: Cybersecurity and online privacy are two critical interests that seem destined never to get along. Sure, you want malicious hackers, spammers, and other Internet lowlifes brought to justice-but you also want to protect your online data. PC World, April 25, 2013

IN FOCUS: The Directive: In this Q&A, Timothy Toohey, CIPP/US, CIPP/E, of Snell & Wilmer, discusses the tensions and controversies within the proposed EU data protection regulation. IAAP, April 22, 2013

Securing The Village

GOOGLE JOINS FIDO ALLIANCE EFFORT TO MOVE BEYOND PASSWORDS: Google, which gradually has been moving its users away from using passwords as their main form of authentication for Web services, has joined a young organization whose goal is to phase out passwords and replace them with various forms of strong authentication. The FIDO Alliance, formed last year, is working to make two-factor authentication the default mechanism for authentication through the establishment of an open standard for strong authentication. ThreatPost, Aprul 26, 2013

National Cyber Security

EXECUTIVE ORDER EXPANDS WARRANTLESS NETWORK MONITORING TO INCLUDE CRITICAL INFRASTRUCTURE: A little-known policy through which the Departments of Justice, Defense, and Homeland Security offered prosecutorial immunity to companies that helped the U.S. military monitor Internet traffic on the private networks of defense contractors has reportedly been expanded by Executive Order to include a score of other "critical infrastructure" industries, according to information obtained as part of a Freedom of Information Act lawsuit filed by the Electronic Privacy Information Center (EPIC). ThreatPost, April 25, 2013

U.S. and China Put Focus on Cybersecurity: BEIJING - The United States and China held their highest-level military talks in nearly two years on Monday, with a senior Chinese general pledging to work with the United States on cybersecurity because the consequences of a major cyberattack "may be as serious as a nuclear bomb." The New York Times, April 22, 2013

Stuxnet and the Dawn of Algorithmic Warfare: Though autonomous, destructive robots are a long-time, hackneyed science fiction plot, for some time, this new kind of warfare has been shifting from yesterday's movie to today's reality. But unforeseen by the imaginations of both headline and science fiction writers, it was not a missile-laden drone or humanoid Terminator that introduced this new kind of combat, but a piece of software. Stuxnet, part of the "Olympic Games" covert assault by the United States and Israel on Iranian nuclear capability, appears to be the first autonomous weapon with an algorithm, not a human hand, pulling the trigger. While the technology behind Stuxnet or other autonomous weapons is impressive, there has been little or no ethical debate on how (or indeed whether) such weapons should be used. ACUS, April 17, 2013

Cyber Law

Finding Common Threads in Privacy and Information Security Laws: The sheer number and variety of laws and regulations that can apply to even small businesses handling sensitive information can be daunting, if not overwhelming. In some instances, it may be almost impossible for even a large, sophisticated organization to identify all applicable laws, reconcile inconsistencies, and then implement a compliance program. In this discussion, the goal is not to discuss any specific laws or regulations, but to identify three common threads that run through many of them. By understanding those common threads, businesses can more easily understand their baseline compliance obligations. CSO, April 26, 2013

Cyber Survey

VERIZON DBIR TAKES FIRST DEEP DIVE INTO CYBERESPIONAGE: Targeted cyberespionage attacks have dominated discussions within the security community and outside of it from the mainstream media to the halls of the executive and legislative branches of government. But until now, discussions about attacks stemming from China that target intellectual property from engineering, manufacturing and military interests in the United States, have been anecdotal and one-off analyses of specific breaches. ThreatPost, April 22, 2013

No 'One Size Fits All' In Data Breaches, New Verizon Report Finds: Verizon Data Breach Investigations Report 2013 says financial cybercrime accounting for three-fourths of real-world breaches, followed by cyberespionage in one-fifth of breaches. DarkReading, April 22, 2013

One in five data breaches are the result of cyberespionage, Verizon says: IDG News Service - Even though the majority of data breaches continue to be the result of financially motivated cybercriminal attacks, cyberespionage activities are also responsible for a significant number of data theft incidents, according to a report that will be released Tuesday by Verizon. CIO, April 22, 2013

Cyber Sunshine

Dutchman Arrested in Spamhaus DDoS: A 35-year-old Dutchman thought to be responsible for launching what's been called "the largest publicly announced online attack in the history of the Internet" was arrested in Barcelona on Thursday by Spanish authorities. The man, identified by Dutch prosecutors only as "SK," was being held after a European warrant was issued for his arrest in connection with a series of massive online attacks last month against Spamhaus, an anti-spam organization. KrebsOnSecurity, April 26, 2013

Leadership

Is It Okay to Show Vulnerability?: Leaders should show a sense of vulnerability. Forbes, April 23, 2013

Securing the Village - Events Calendar

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk - It Takes the Village to Secure the Village ^SM - Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user's computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog 719.686.8810

Jeff Snyder's Weekly Look Into What Makes a CISO / CSO Successful

noreply@blogger.com (Jeff Snyder) — Thu, 25 Apr 2013 18:27:00 +0000

What Makes a CISO / CSO Successful?

I don't know how many more of these CISO / CSO success blogs I'll be able to produce. Coming up with willing volunteers to contribute advice has been a bit more challenging than I thought. While I'm enjoying reading the feedback that has come in for me to pass along, I'm not collecting this information for my own benefit.

My vision when I came up with this idea was to provide information for up-and-coming security leaders to learn from. While I don't know every CISO or CSO on the planet, I know more than the average person does.

What I've discovered through this effort is that many of the CISOs and CSOs that I think most highly of are the ones who've been willing to contribute to this project.

Today's thoughts come from a CSO in the Financial Services and Insurance industry

I've known this person for approximately 7 years when I first recruited him for a Bank CISO Job I was working on in New York.

I hope you enjoy today's contribution.

"The leadership of your business desperately wants to be successful. They've read how security problems can undermine their dream, but they don’t really know how to find the right balance between spending money to drive growth and spending money to protect their business. So if you want to become a CSO, you’ll need to help them figure how to find that balance, and then be able to drive the changes for them to achieve that balance.

Not everyone is going to thank you for focusing on the ugly problems that the business has learned over the years to ignore. But a good CSO will lead the changes needed to fix the problems standing between security risks that are appropriately managed and those that are not. It takes more courage to do that than most people imagine. You’ll receive as much criticism as praise when you step up to untangle expensive and deeply entangled problems. Being a good CSO is less about being in charge than it is about being willing to bet your badge to do the right thing, often without the praise or even acknowledgement of the people in the business with the most at stake. Don’t misunderstand. I’m not talking about being dogmatic or sacrificing business for the sake of security. I’m talking about implementing reasonable controls that business leaders publicly claim to encourage and uphold.

I deliberately did not talk about things that lead to public perception of success in the CSO role. There are plenty of CSO’s who finish their stint with all of the business’s messy, difficult problems still intact. Those CSO’s aren't necessarily viewed as failures. But in my book, if you want the CSO role, you need to take personal risk to reduce business risk and if you’re not willing to do that, you shouldn't aspire to be a CSO."

Care to Contribute?

If you are a CISO or CSO and you would like to contribute your thoughts, please call me so I can explain to you what I'd like to deliver to readers.

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog 719.686.8810

What is a resume and what does a resume do?

noreply@blogger.com (Jeff Snyder) — Wed, 24 Apr 2013 21:43:00 +0000

A topic that I deal with and discuss on nearly a daily basis is the topic of security resumes and security resume writing. In my role as a 3^rd party or outside recruiter, a recruiter who sits between security professionals who want a job and numerous corporations that have security jobs to fill, I sit in a unique position. This position enables me to understand the hiring needs of major companies and stakeholder hiring decision makers while simultaneously positioning me as the recipient of security professional’s resumes on a daily basis.

Over the past few weeks, I’ve been working on two Security Director Jobs in Las Vegas. Most of my effort has been devoted to direct recruiting to get to the most talented information security leaders in the industry. In addition to resumes coming my way from my direct recruiting efforts, some of the resumes that are coming my way are coming from security professionals who have found these director searches on the Security Jobs page of SecurityRecruiter.com.

In My Client's Shoes

My recent daily review of resumes I’ve never seen before has caused me to put myself mentally in the shoes of my clients. I’ve been looking at fresh resumes from the perspective that I believe my client’s look at resumes from and I have to say that when I think back on the past 20-30 fresh resumes I’ve reviewed, I’ve seldom been compelled to pick up the phone to immediately call the resume’s owner. That comment comes from someone who wants to fill jobs and from someone who wants to figure out how to help individuals to advance their careers.

More often than not, your security resume is likely landing in front of a recipient who isn't thinking about your well-being and your career advancement.

The fact that I’m not compelled to immediately pick up the phone to call people who own the resumes I’m receiving is a problem. I’ve given significant thought to this problem because I like to solve problems and because I'll soon be speaking to the Los Angeles ISSA about career development. Addressing this resume issue will be one of the topics I'll cover with the ISSA group.

What Is a Resume?

There are many opinions about what resumes are and how they should be written. Here are some bottom line conclusions I've come to when thinking about what a resume is or isn't and what it can or can't do.

A resume is a personal marketing document. How are you marketing yourself?
A resume is a key that opens an interview door. Are doors opening when you share your resume with recruiters or prospective employers?
If poorly written, a resume is a key that won’t unlock an interview door. Is your resume landing in the "black hole" where resumes go to die?
A resume is a communication tool that makes a first impression. What kind of first impression are you making with recruiters or prospective employers?

If a resume is written in a clear, concise and logical way, a resume can have a positive impact on one’s job search and it can serve to market the owner in a way that causes one person's resume to float to the top while others float to the bottom of the pile.

Ideally, a great resume can compel the resume recipient to pick up the phone to engage in a conversation to learn more about the resume owner. This is really the ultimately objective behind sharing a resume. To open up a dialogue.

On the other hand, if a resume is not written in a manner that makes it crystal clear to the reader what the resume owner does and does well, the phone may never ring.

The Deep Dark Black Hole Where Resumes go to Die

I often hear people talk about their dissatisfaction with the process of responding to job postings. I’ve been told by many people that they’ve sent out resumes only to have their resume fall into a “black hole”. Others have used the word “Abyss” to describe the place where they believe their resume traveled to.

There is no doubt in my mind that the black hole for resumes does exist. I won’t address that side of the equation today because that side belongs to corporations and recruiters and the magnitude of the problem is overwhelming.

What I can address is the side of the job search equation that belongs to a resume owner. That side is the side where the resume owner has 100% control over the way they package and market themselves.

If I used all of the examples that are spinning in my head right now, this blog would turn into a book. Hey, there's an idea I'm already working on!

Director of Security Awareness and Training, Policies and Procedures

I’ll focus on just one recent challenge I’ve faced. One of my searches is a Director of Security Awareness and Training, Policies and Procedures. This is a $150,000 job opportunity with bonus and stock. Its a chance for someone to make a difference in a global company and to build upon security awareness program development work they've done in the past. For someone, this is the opportunity they've been waiting for.

I’ve been receiving resumes for nearly 3 weeks now from individuals who are interested in this position. Each person is sure that they’re a fit for the job. I want them to be a fit but sadly, they're usually not.

When I open up a resume, I give the resume a 5-15 second visual scan. If I don’t immediately see terms I’m looking for such as Security Awareness and/or Security Policies and Security Procedures, I go to the top of the resume and enter the word “Awareness” in the search box.

Time and time again, the word “Awareness” fails to show up in a resume that belongs to someone who wants to be the Director of Security Awareness for a Fortune 350 company with a price tag of $150,000 plus bonus and stock and they're sure that they fit the job like a glove.

If this happened once in a while, I wouldn't be writing this blog. This happens every day.

Time to Shift the Burden

To potentially avoid the resume “Abyss”, consider taking the burden of discovery and critical thinking off of the recipient of your resume. Stop making the recipient of your resume have to hunt and peck and read every word on your resume in order to form a conclusion about what you’re great at delivering professionally.

What you're great at delivering professionally should be so clearly evident to the recipient of your resume that they could simply read the "Cliff Notes" version of your resume and they'd still be compelled to talk to you. I rarely see a resume that draws me in like this.

A Different Approach

Instead, invest the time and energy into your resume to make the resume’s message crystal clear. This means that a resume must be clean, clear and logical in its format. A resume must clearly tell the reader what you’re professionally great at delivering and the reader should be able to come to that conclusion in 5-15 seconds. Does your resume communicate in this manner?

If you’re responding to a Director of Security Awareness, Training, Policies and Procedures opening in a Fortune 350 global company, send a resume that clearly explains what you’ve done in the past around the Security Awareness topic.

For example, if you’ve worked for a Fortune 100 company that has 50,000 global employees and your Security Awareness program was directed to all 50,000 employees, say so. If you’ve built a Security Awareness program from the ground up, provide details that qualify and quantify the projects you've worked on. Write about the quantifiable level of risk reduction that occurred after your security awareness programs were developed and delivered.

Don’t make the reader of your resume assume that you may or may not have done certain work. The recipient of your resume is busy. They’re likely data-overwhelmed. What I mean by data-overwhelmed is that you're sending your resume to someone who has an overflowing Inbox. They're bombarded with Text messages, InMail messages on LinkedIn, etc. They're phone rings off the hook and every time they get off of a call, a voice mail is waiting for them.

Some recipients are so busy that they won’t stop to apply critical thinking skills to your resume. Other recipients don’t possess the required critical thinking skills to evaluate your skills in the first place. Their job is simply to check boxes.

How difficult have you made it for the check box person to check boxes when reviewing your resume?
In 5-15 seconds, can someone who has never reviewed your resume before determine what makes you great as a security professional?
Can the recipient of your resume instantly determine what kinds of problems you are capable of solving?
Can the recipient of your resume determine how you might add to their company's bottom line or how you might save their company money based on work you've done in your past.
Can the recipient of your resume easily tell that you are capable of communicating and presenting to business leaders?
Are you chasing after a highly strategic security career opportunity with a tactically written resume?
Does your resume describe what you were previously hired to do but fails to describe your accomplishments, contributions and created value?

As the owner of a security resume, you cannot eliminate the resume black hole. The black hole frequently exists and I’m convinced that many security resumes land in the black hole because the resume owner placed the burden of critical thinking on the recipient of their resume.

Jeff Snyder’s SecruityRecruiter.com Security Recruiter Blog, 719.686.8810

Jeff Snyder's Weekly Look Into What Makes a CISO / CSO Successful

noreply@blogger.com (Jeff Snyder) — Thu, 18 Apr 2013 15:00:00 +0000

I’m always looking for new ways in which I can use my position to bring value to the security profession. When I refer to my position, I’m simply referring to the position I occupy sitting between security, risk, compliance and privacy professionals and those who hire security, risk, compliance and privacy professionals. I constantly learn from the individuals I’m fortunate to work with every day so I've been thinking about how I can pass on some of what I learn for the benefit of others.

A few weeks ago I came up with the idea to leverage my position for the good of those who one day aspire to become a CISOs or CSO. For that matter, current CISOs or CSOs who are struggling might benefit from the advice of their successful peers.

The idea is pretty simple. I’ve begun reaching out to CISOs and CSOs to find out what they think the secret to their professional success is so I can share their secrets with those who wish to one day be a successful CISO or a CSO.

I hope you find this information to be helpful. I’ll try to post a new success secret every week as these points of view are shared with me.

How a CISO in the Publishing Industry views success

Becoming a successful CISO is not an easy task. It is not something that happens without considerable effort. But developing a few key skills will help to put you on the right path as you climb the security ladder. As a relatively newly minted CISO, these skills have helped pave the way for growth in my career.

Be Tenacious

Work hard and don't give up. My philosophy has always been "be the best in whatever job you are in and doors will open". I always strive to be the best and provide the most value for my employers.

Communicate well and often

Communicate with stakeholders in the business. Repeat. It is important to show the value of the security program to the business. By continuously doing so, you will gain credibility. It is important to communicate with all levels of the business, from the boardroom to the mailroom. I regularly post security bulletins and host security seminars for all employees. By demonstrating how why security is important in their personal lives, they case how the same applies for the business.

Build Relationships

Relationships are very important and are essential for a successful career. In the publishing industry, we don't have the "Big stick" of regulatory compliance requirements. Instead, I rely on my relationships to persuade my peers to adhere to our security standards.

Be the "solution guy"

Avoid being seen as a roadblock. Sometimes the answer is "no". When it is, be sure to follow it with ".. but let’s see if we can come up with an workable solution". It is important to collaborate with the business to come up with an acceptable solution. Don't get in the way of the business or hamper their ability to get work done. You want to be seen as an enabler, not an obstacle.

Make a difference

It is difficult to illustrate the bad things that your security program has prevented. I recommend maintaining a comprehensive security metrics program. This will help to illustrate the value you are adding to the organization.

Mastering these skills should put you on the path to becoming a CISO and ensure that you succeed once you do.

Care to Contribute?

If you are a CISO or CSO and you would like to contribute your thoughts, please call me so I can explain to you what I'd like to deliver to readers.

Thanks,
Jeff

Jeff Snyder’sSecurityRecruiter.com Security Recruiter Blog719.686.8810

Chris landed a new job! Thanks to Chris for sharing

noreply@blogger.com (Jeff Snyder) — Wed, 17 Apr 2013 17:30:00 +0000

If you’ve read my blog for any length of time, you’ve probably read something about the late Zig Ziglar. When I graduated from college and was looking for my first position in sales, I consumed large amounts of training material from speakers / trainers such as Zig Ziglar, Tom Peters, Brian Tracy, Anthony Robbins and more.

While each person I just mentioned has brought some level of value to my career, the person whose words have remained most true over my 23 years of recruiting is Zig ZIglar. I read many Zig Ziglar books years ago and learned a lot. However, the one concept that Zig Ziglar taught that stuck in my mind more than anything else is that if I would help others to reach their goals, I’d soon reach my goals.

These words (paraphrased of course) were true over 20 years ago and I think they’re even more true today. Yesterday a really cool message came to me from a friend through LinkedIn. Today, another unexpected message arrived from a security resume writing and security job coaching client. He wrote:

LinkedInChris has sent you a message.
Date: 4/17/2013
Subject: Got a great new job
Jeff,

It has been some time since we last spoke. But I wanted to thank you and tell you that my time on the phone with you, and my resume building investment was well spent. I have left XXXXX as the Operations Manager and landed the Corporate Security Director position with XXXXXXXX. I am doing some pretty interesting stuff and it definitely matched my key talents and minimized my weaknesses.

Just thought I would share.

Chris

The report in Chris’ message both encourages me and reminds me why I do what I do. I am passionate about helping my clients to reach their professional goals. That is the case whether I’m working with an individual who needs resume writing help, job coaching help or executive coaching assistance or I’m working with a corporate client that needs to reach the industry’s top security talent.

How may I be helpful to you today?

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog 719.686.8810

There is at least 1 fan in my SecurityRecruiter.com Fan Club! Thank You Lance

noreply@blogger.com (Jeff Snyder) — Tue, 16 Apr 2013 20:18:00 +0000

No, I'm not going to start offering computer advice. I know how to use them and I know how to break them. I definitely don't know how to fix them. It was tough to find a picture to demonstrate friendship, support and encouragement. This one will have to do.

Some days are so intensely busy that there isn't room in my brain for the idea of writing a blog. This is one of those days. I’m busy recruiting to build a CISO’s entire security, risk, compliance, privacy, business continuity, disaster recovery and QA team and I don't have any time to spare.

I’m also busy living up to commitments I've made to security resume writing clients who have entrusted me with their resume writing projects. My resume writing clients and my executive coaching client’s success in the marketplace is of paramount importance to me. If they don't succeed, I feel as if I haven't succeeded either.

I don’t know if you have any professional or personal fans in your life who provide support and encouragement to you when you need it but I’m fortunate to have a couple. These people expect nothing in return. They just seem to show up at just the right time. Sometimes the right time isn't even a time when I was hoping for some fan support.

Perhaps the biggest fan in my professional and personal life is someone I've yet to meet face-to-face. I recruited this information security professional back in 2001. Over the past decade plus, we've developed a close bond of friendship, support and communication.

It seems that sometimes just when I need a boost of 3^rd party confidence, my friend Lance comes out of nowhere and provides just what I need. Today, Lance stopped by my LinkedIn profile and clicked some endorsement buttons. I sent Lance a thank you note expressing my appreciation for his effort and then my day got just a little better when Lance's note landed in my LinkedIn Inbox.

Lance has sent you a message.

Date: 4/16/2013

Subject: You are the Best!

Jeff,
I am always pulling for you. YOU are the BEST in my mind and I have years of experience working with you to be able to make that statement with authority.

Keep Charging Forward.

Respectfully,
Lance

Life is tough. Life can be fun. Life can be rewarding. Life can be draining. Lance has been there for many of my professional wins and risk taking failures. He has been around for the birth of my children and the death of my parents and the start of my adult hockey career that continues on tonight!

Despite the fact that we've never met and we've never been able to shake hands, this guy has proven the worth of his character over and over and over. I've challenged Lance to come to Colorado this summer so we can head up to Idaho for some world-class fly fishing. Not that we need to seal the deal of friendship but a summer fly fishing trip with Lance would be the icing on the cake for me.

Thank you Lance, your friendship and professional support is sincerely appreciated!

If you've read this blog today, whose day can you positively impact today with a few kind words?

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog 719.686.8810

Jeff Snyder's Weekly Look Into What Makes a CISO / CSO Successful

noreply@blogger.com (Jeff Snyder) — Thu, 11 Apr 2013 15:00:00 +0000

The idea is pretty simple. I've been reaching out to CISOs and CSOs to find out what they think the secret to their professional success is so I can share their secrets with those who wish to one day be a successful CISO or a CSO.

I hope you find this information to be helpful. I’ll try to post a new success secret every Thursday as these points of view are shared with me.

How a CSO in global manufacturing views success

To be successful as a CSO one must be successful in a waterfall of balancing engagements. He / She must be:

· Executive in balancing change and risk.

· Public speaker with an approach which balances communication with business executives and technology professionals.

· Arbitrator of customer demands and capabilities of staff and technologies.

· Able to balance opportunity with regulatory compliance.

· A CSO who excels is one who ensures both sides of the scale are favored in each engagement.

Care to Contribute?

If you are a CISO or CSO and you would like to contribute your thoughts, please call me so I can explain to you what I'd like to deliver to readers.

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog 719.686.8810

Cyber Security News for the Week of April 8, 2013

noreply@blogger.com (Jeff Snyder) — Mon, 08 Apr 2013 15:00:00 +0000

Cyber Security News of the Week

From our friends at Citadel Information Group

ISSA-LA - Securing the Village

Ira Winkler to Speak at ISSA-LA Fifth Annual Information Security Summit on Cybercrime in May: Ira Winkler, president of the Information Systems Security Association to be a featured speaker at the LA Chapter of the Information Systems Security Association Fifth Annual Information Security Summit on Wednesday, May 21, 2013, in Los Angeles. For more information and to register, visit ISSA-LA.

Cyber Security Management - Awareness Training

Hacking The User Security Awareness And Training Debate: Bruce Schneier says training end users on security is a waste of time. But security awareness experts argue there's a whole new generation and approach emerging that better schools users on security behaviors. Dark Reading, April 4, 2013

Cyber Security Management - Cyber Defense

A Different Approach To Foiling Hackers? Let Them In, Then Lie To Them: Most systems administrators describe the task of network security as something like defending a castle. Kristin Heckman talks about fighting hackers in terms that sound more like a job as a Walmart greeter.Forbes, April 5, 2013

Google Uses Reputation To Detect Malicious Downloads: Using data about Web sites, IP addresses and domains, researchers find that they can detect 99 percent of malicious executables downloaded by users, outperforming antivirus and URL-reputation services. DarkReading, April 5, 2013

Cyber Security Management - Cyber Warning

Shylock Trojan Going Global with New Features, Resilient Infrastructure: The prolific, credential-stealing Shylock banking Trojan is growing increasingly sophisticated as its creators continue adding new modules and functionalities to the man-in-the-browser malware, according to a Symantec report. ThreatPost, April 5, 2013

Skype Malware Stealing Victims' Processing Power to Mine Bitcoins: Bitcoin may still be a virtual unknown quantity for most people, but the digital currency has not escaped the notice of attackers, many of whom are turning their attention to finding ways to use the system for their own gains. ... now there is a piece of malware in circulation that is using Skype as a spreading mechanism and then using infected machines' processing power to mine Bitcoins. ThreatPost, April 5, 2013

DHS Warns of 'TDos' Extortion Attacks on Public Emergency Networks: As if emergency responders weren't already overloaded: Increasingly, extortionists are launching debilitating attacks designed to overwhelm the telephone networks of emergency communications centers and personnel, according to a confidential alert jointly issued by the Department of Homeland Security and the FBI.KrebsOnSecurity, April 1, 2013

Cyber Crime

AMI Firmware Source Code, Private Key Leaked: Source code and a private signing key for firmware manufactured by a popular PC hardware maker American Megatrends Inc. (AMI) have been found on an open FTP server hosted in Taiwan. ThreatPost, April 5, 2013

Cyber Attacks

Anonymous hackers take control of North Korean propaganda accounts: A Twitter and Flickr account associated with a North Korean news agency has been taken over by hackers claiming to be from the hacktivist collective Anonymous. Instead of pro-North Korea propaganda, the accounts are now criticizing North Korea and its leader Kim Jong-un for building nuclear weapons. The hackers controlling the Twitter account also claimed to have hacked the news agency's website and other North Korean websites, which appear to be offline. Ars Technica, April 4, 2013

CyberUnderworld

Who Wrote the Flashback OS X Worm?: A year ago today, Apple released a software update to halt the spread of the Flashback worm, a malware strain that infected more than 650,000 Mac OS X systems using a vulnerability in Apple's version of Java. This somewhat dismal anniversary is probably as good a time as any to publish some clues I've gathered over the past year that point to the real-life identity of the Flashback worm's creator.KrebsOnSecurity, April 3, 2013

Cyber Privacy

Google Fights U.S. National Security Probe Data Demand: Google Inc operator of the world's largest search engine, is challenging a demand by the U.S. government for private user information in a national security probe, according to a court filing. Bloomberg, April 4, 2013

Apple's iMessage encryption trips up feds' surveillance: Encryption used in Apple's iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects' conversations, an internal government document reveals. CNET, April 4, 2013

Cyber Career

How valuable are security certifications today?: Will investing your time in earning security-industry certifications ultimately mean more money in your paycheck? Which certifications are vital in today's job market?. CSO Leadership, April 1. 2013

National Cyber Security

Chinese Hackers May Gain Advantage From U.S. Attempt to Block Chinese Hackers: Congress has for years tried to block China's major telecommunications companies from entering the U.S. market, fearing they may help Chinese hackers snoop on American companies and government agencies. Huffington Post, April 5, 2013

NIST Outlines Next Steps in Drafting Cybersecurity Framework: The first of three in-depth workshops on the drafting of a cybersecurity framework will take place at Carnegie Mellon University in Pittsburgh, Pa., May 29-31, allowing time for the National Institute for Standards and Technology (NIST) to coalesce feedback from industry into a guiding document, the agency announced Thursday. HSToday, April 4, 2013

Securing the Village - Events Calendar

ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visit ISSA-LA.

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk - It Takes the Village to Secure the Village ^SM - Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user's computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog 719.686.8810

Do You Want More Attention When You Respond to an Open Security Job?

noreply@blogger.com (Jeff Snyder) — Fri, 05 Apr 2013 20:36:00 +0000

I sent my resume. Pay attention to me!

In my position, I’m the recipient of unsolicited resumes every day. No, I’m not complaining about receiving unsolicited resumes, I’m simply stating a fact. I've been in this position for 23 years now so I've seen more resumes than most people will see in their entire lifetime. There is no reward for that. Just stating another fact.

I've recently been working to fill several director level searches. Here are two of the the titles in order for the rest of this blog to make sense:

Director of Business Intelligence
Director of Cyber Security Awareness and Training, Policies and Procedures

The point in sharing these titles is to point out that I've received numerous resumes for each position. For the Business Intelligence role for example, I received an abundance of resumes that didn't even carry the words “Business Intelligence”. Yet, the resume owner stated in a cover letter that he or she was a “perfect fit”.

More recently, I've reviewed resumes for the Security Awareness position. This is a role in which the selected candidate will build a global security awareness and training program for a Fortune 350 company.

In order to qualify for this role, a candidate needs to demonstrate that they've previously built security awareness programs. Yet, I've received resumes that don’t carry the term “security awareness" anywhere in the document.

Please help me to help you! I sincerely want to help you.

The Goal of a Security Recruiter

Every day of my life, when I come to my desk in the morning, my goal is to get closer than I was the day before to filling my client’s open positions. This is how I put food on the table for my family.

In fact, I live for the days when I get to deliver a job offer to an excited candidate. There is never a day when I come to my desk hoping to see a resume that someone thinks is a “perfect fit” for one of my client’s openings when the resume doesn't even address my client’s needs.

Security Resume Writing

In a recent article I contributed to CSO Magazine called “15tips for landing - and acing - a job interview”, the first point I made dealt with resumes. I suggested that one needs to write a great resume to open the door. I'm sticking with this point as my first point out of 15.

When sharing your resume with a security recruiter or a corporation that might hire you, may I suggest that you should make it as easy as possible for the recipient of your resume to quickly understand who you are, where you are, how you’re educated, how you’re certified, where you’ve worked and what accomplishments, contributions and value you’ve brought to past employers.

If you’re responding to a Director of Security Awareness job opportunity, be sure that your resume clearly tells success stories around the past security awareness projects you’ve led.

If you want to be the brand new Director of Business Intelligence for a Fortune 50 company, it should take the recipient of your resume a matter of seconds to determine that you have an extensive background in data warehousing and business intelligence. It should be crystal clear to the reader that you've previously built business intelligence programs on a global basis.

The burden of proof shouldn't be placed on the resume reader’s shoulders to determine that you are or are not a fit. Make it simple for the recipient of your resume to determine that you fit the job you're responding to.

Conclusion

I read negative comments all the time that suggest employers and recruiters don’t acknowledge receiving a job candidate’s resume. I have no doubt that this is the case.

If you want to receive more acknowledgement for your skills and accomplishments, one way to get more attention is to send a resume that clearly and logically entices the resume recipient to not only read but to take action.

Are you sending a tactically written resume to employers and recruiters when you’re responding to a job that will have a strategic impact on the organization? I receive this kind of resume all the time. There is a solution.

Either invest the appropriate amount of time and energy to develop a strategic business-focused resume on your own or hire a security resume writer whose proven resume writing methodology gets results.

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog 719.686.8810