We can blame it all on this dastardly economy, but even in good periods, qualified individuals find it difficult to land a job as an executive.
Just recently, I applied for a job as a director of information security. The position reported directly to the company's hiring manager (CIO). It was widely advertised at the company so many of my friends and colleagues knew who the hiring manager was. I had already contacted the CIO directly -- and had subsequently been introduced to him and recommended by other CIOs who knew him well, so the hiring manager immediately e-mailed me to say to contact the HR director for an initial phone interview and to call him later that same day.
Both interviews went extremely well, with conversations lasting well over an hour. We covered their challenges that I could address and gravitated to small talk on our past experiences. We clicked and had long, enjoyable conversations. The CIO said he would bring me in for a face-to-face meeting the following week once he had a chance to interview other candidates.
Deep down I was overly cautious, having been burned in the past, as I explained to another candidate who had applied. I said, "It would appear to you I'm a natural shoe-in or on the CIO's short list by knowing so many people and from the work I do. But it is getting to the point that it no longer matters who and what you know, not even if you're a close friend of the hiring manager."
Being well-known in the industry and the local IT community, I knew who these other candidates were, and we shared much information. It is a small world.
In the weeks that passed, I sent the CIO two follow-up e-mails, I also e-mailed the HR director in California. All three were met with silence. I also left the CIO two voice mail messages -- one on his office line, the other on his personal cell phone -- and neither was returned. After three weeks, I received a phone call from the HR director telling me the CIO was unsure about the position. He was contemplating diminishing the role to a lesser grade and I was, of course, overqualified, and so were the other candidates.
The HR person did offer to help me network. He was just as puzzled as I was, and I explained what many information security executives go through. Through subsequent conversations with the other candidates, I learned that the CIO hired someone in an engineering role.
I was not surprised. This has happened to me on countless occasions, as it has with many others across the country.
Here are some of the problems we job seekers are up against.
Corporate Russian roulette
Is it the current economy that forces companies to ask employees to do more for less? Is it the misconception that companies don't really know or understand the enormous value that the CISO/CSO can bring to the table? I have notes recorded in a vast database where I keep track and document every detail of every job. It is an aggregator of executive-level jobs posted across the country that I and others have applied for. It includes the job descriptions, contact information, conversations, e-mail correspondence and communications with other candidates who applied. Interesting enough, a pattern is emerging where a director's job or even that of a CISO/CSO is diminished abruptly to that of an analyst/engineer role, or the job is placed on indefinite hold.
This characteristic pattern is directly responsible for the myriad security breaches happening at many organizations.
I embarked on trying to find out why this is happening, why so many qualified individuals struggle to find employment as an executive in information security, only to experience the same frustrations I've experienced.
Knowing many CIOs and other executives -- many of them good friends -- I have asked them for insights about my recent experience. They responded that CIOs are under heavy pressure to do more with less and get twice as much done. Moreover, businesses are also under a lot of pressure these days, and directors' roles may have been diminished for political or other reasons.
Then why is it that when a serious breach occurs, the executives panic and find the budget to spend extraordinary amounts of money to remediate the breach? Why is it that they seem to degrade a vital component in any business -- the security of their data? Don't they know that one serious breach can jeopardize the existence of their business and perhaps lead to criminal investigations? Why is it that many organizations just have one security executive with no staff and hardly any budget to work with as just a figurehead in the organization? Several states and the federal government, have enacted or are now enacting tough laws, some of which carry severe penalties should a serious breach occur, including requirements of complete public disclosure to all the victims associated with the breach.
Never mind the mountains of lawsuits that can put a company out of business. This is what's going on -- many companies are revolting, but the laws are being enacted, and ignorance is not bliss. Doing more for less is not the answer. It is not good business to put an organization's assets at risk -- particularly in this economy where security staffs are depleted and not valued. This is not an area where businesses should be doing more with less. They should be doing the opposite to ensure their survival.
At the federal level, top information security specialists have been saying for years that our current infrastructure is at grave risk. Serious breaches have since occurred, and the government is now scrambling. Most of the agencies have been mobilized, and at least four of the national laboratories are in an all-out effort to combat breaches and prevent future ones. Billions of dollars were budgeted to upgrade and secure the nation's infrastructure, and why was this? Because the same pattern keeps repeating itself. Security is ignored or pushed lower in priority until a crisis erupts and then there is a scramble to correct the problem.
The federal government is now hiring information security specialists, but mostly in engineering or analytical roles. Few, if any, management roles are being developed -- a serious oversight, because experienced leadership is needed badly.
Another problem the federal government has is the requirement that job candidates have an active security clearance necessary to even be considered for opportunities. This is the case at many of the primary contractor and subcontractor vendors, and they often hesitate to sponsor qualified individuals who can obtain clearance.
Clearances don't just appear out of thin air. The federal government must instruct the vendors to sponsor employees to apply for clearance. Understandably, the process of getting a clearance is time-consuming and heavily intrudes upon an individual's privacy, and not everyone is clearable. It is expensive, yet this investment must be made to bring qualified individuals on board to secure the infrastructure of our nation.
The problem of relocation
The current economic climate makes it difficult for information security executives to find work and difficult for them to relocate when many companies are not offering assistance. It is also difficult for many companies to find qualified candidates, since everyone seems trapped even if they are offered relocation assistance. In an informal roundtable discussion in Silicon Valley I was invited to, several interesting discussions took place with some of the companies in attendance. What was evident was the inability of top candidates to relocate to where the demand for the jobs are. The fundamental reason is economics: People are trapped because relocation assistance might not be available or because it's not enough to cover the costs of relocation.
People are having difficulty selling their homes, the cost of living is high and carrying two mortgages can be unrealistic. Housing is problematic and is preventing companies from attracting top talent from other parts of the country. The pressure is on for companies to come up with innovative ways to accommodate this hardship -- subsidizing an apartment for up to a year to give people time to sell their homes, or paying commuting expenses until they can purchase their homes would be a start. But very few companies do the latter, and they only offer relocation assistance for certain strategic positions or key employees. The expense is understandably substantial if they cannot find local talent to fill strategic positions.
Conclusion
These are tough times never seen before by any of us. Some of the executives I've spoken to shared stories of desperation, some of them have lost what they had worked most of their lives to achieve or had their roles seriously diminished.
Yet I do see a vision of the security executive playing an integral part in supporting the business and adding tremendous value to organizations of all sizes. These mindset changes have occurred in a number of organizations. They've discovered that security executives bring in enormous value and business leadership.
The author is a Chicago-based IT security practitioner looking for employment.
