Security University In the News

Title: SC Magazine November 2000 - Special Feature
The Rancor of InfoSecurity Recruitment
By Illena Armstrong

Signing up those professionals with prowess in the information technology arena has always been a wearisome task, as a general rule. Adding to this dilemma, there is the need for companies to find those well-versed in securing and maintaining computer environments primarily being used for e-business. As has been true for quite some time, the demand for knowledgeable information security specialists far outweighs the too-small pool of talent.

Even the U.S. Army is looking for a few good men and women to become one of "the nation's new 21st century information warriors," states a recent press release from the Army's public affairs office. Both the Department of Defense and the Army are asking the Army Reserve (USAR) to offer up their high-tech best to fill newly formed units and posts with the Information Operations division.

Since one of the roles of the USAR is already to defend information systems, "ensuring their availability, integrity, authenticity, confidentiality and non-repudiation," the government is trying to recruit savvy Army Reservists to help in maintaining systems in times of peace or war. Still, the powers that be are having trouble finding those with the right stuff.

"Recruiting for these new information operations units is challenging. Army Reserve soldiers who hold civilian-acquired skills in information technology will play a leading role in establishing this new capability. ... One of the greatest resources in the USAR is the skills soldiers have developed in their civilian training and occupations," the release explains. "The information operation units hope to tap into these skills and continue to meet the challenges of warfare in the 21st century."

The problem is, however, that even executives in civilian organizations responsible for hiring infosecurity experts to help safeguard intellectual property are colliding with their fair share of recruitment roadblocks.

"Fewer than one in twenty security professionals has the core competence and the foundation knowledge to take a system all the way from a completely unknown state of security through mapping, vulnerability testing, password cracking, modem testing, vulnerability patching, firewall tuning, instrumentation, virus detection at multiple entry points, and even through back-ups and configuration management," Stephen Northcutt, author and former information warfare officer at the Ballistic Missile Defense Organization, explains in a recent SANS Security Alert Newsletter.

No matter the marketplace or the country, the problem is still the same. Universally, corporations, governmental entities and businesses of all sizes are struggling to locate, hire and hang onto those infosecurity professionals with the proper skill set to keep their e-commerce practices safe, up and running.

Anybody Out There?

"There are lots of people out there who purport to do a number of things," says Andrew Palmer, recruitment services manager for U.K.-based Insight Consulting. "It's finding the people with the depth and breadth of expertise. Those are few and far between."

According to research conducted by the SANS Institute in Maryland, chief information officers are quite concerned about the shortage of infosecurity talent. SANS' findings showed that 56 federal executives and administrators agreed that the first of the top three barriers they have difficulty overcoming is the lack of security skills among most system and network administrators.

"Every single month, nearly two million new computers are registered as Internet hosts," adds Northcutt. "The people deploying these systems cannot find skilled security staff because the few skilled people are busy maintaining security on existing systems. The newcomers are forced to hire more and more junior people. So, on average, computers are being less well protected. And there's another force working against security. The problem isn't static. An increasing number of attackers are developing and launching new types of attacks at an increasing rate."

A survey conducted by SC Magazine and U.K.-based Content Technologies also found that many of the security concerns companies must now face are not fully understood by pivotal staff members. Of the 750 businesses in the U.K. queried for the survey, 60 percent of the managers had undergone no training in computer security issues. Additionally, despite increasing risks faced by companies doing business online, about a third of the corporations surveyed had no manager in place responsible for information security.

Pete Hillard, vice president of human resources for California-based SiteSmith, Inc., a managed service provider offering an Internet site security service, says that the problem of recruitment is causing companies to feel the pain globally, but specific government regulations are also driving specific needs.

"There is a good amount of low level security out there, including things people can do to tighten their security to an acceptable degree. If more than that is needed, there are not many organizations that can ramp up to support a large, comprehensive and integrated security model," he explains. "Each country is likely different because of the government's security requirements. These people have to comply with different regulations depending on where they are."

With the onset of opportunities that use of the Internet poses, Joyce Brocaglia, CPA and principal of Alta Associates in New Jersey, says many technology professionals, especially those possessing the basic set of skills required of a typical network administrator, are moving into the information security marketplace. The U.S., she adds, is in a much better position than the U.K., and now countries in Asia Pacific are boasting a few professionals who are looking for work in their native countries, as well as Western ones.

Despite this migration of professionals, companies are still left vying for the same candidates. "It's recruit or die. It's very important right now for companies to do what they say and say what they mean," she warns. "There are always offers out there."

To Jump Ship or Not

Besides recruiting from the outside, some enterprises train those employees they already have on staff in security, says Insight's Palmer. Part of the reason more companies are doing this is because of the cost savings.

"There are good people out there, but they need information security training. Companies must accept 60 to 70 percent of the skills, then train them into well-rounded infosecurity people," he explains.

While many companies are realizing they have employees of this caliber already on payroll, SiteSmith, the California MSP, sought the help of their staffers in a different manner.

"Finding talented people is tough, no doubt about it. Every company in the Valley has come up with creative incentives and internal promotion to drive candidate flow," says Hillard. "Fortunately, at SiteSmith, we made recruiting a top priority for all. We immediately adopted a culture that established all employees as recruiters, talent scouts really, and every time we hired a new employee, we hired a new talent scout. Not only did we offer a cash bonus and a trip to Hawaii to the person [who] referred the most candidates ... we also made recruiting 50 percent of all managers' first and second quarter bonus objectives."

He estimates that out of the 380 people currently employed at the company, about 65 percent of them came through referrals. The organization was able to fill posts quickly with talented people. Once they got desired professionals on board, they then turned to concerns of ensuring that staffers did not abandon ship.

"People stay motivated when they feel a sense of accomplishment and pride in what they do. Communicating company success is key to retaining people," he contends. "Fostering an environment where people can interact with one another to share successes throughout the organization is very important."

As a recruiter for the security industry, Brocaglia warns that job-hopping is the name of the game now. The days of company loyalty, when employees would remain at an institution for 10 years, aren't likely to happen anymore. Because the job market is so strong, talented individuals know they can quit on a Friday and find a job the next Monday, she says.

One of the most frequent reasons for resigning she hears from professionals is that they were not being rewarded for their efforts - and this does not only mean in monetary compensation. Managers should consider, in addition to offering superior salaries, showing their appreciation, in some fashion, for a job well done. Traditional benefits are fine, but managers can get creative perhaps, making a health club membership part of the package, providing extra days off or providing investment opportunities.

"You're not going to stop everyone from leaving," says Insight's Palmer. "It's an inevitability. People are going to move on." However, he does have a few pointers for keeping good employees in the company. He suggests that superiors:

  • Remain competitive in salary scales;
  • Stay flexible and maintain ongoing training programs;
  • Schedule meetings, both formal and informal, to maintain morale.

Also, he says management should remember that the reason most people have jobs is to also have a life. So, if occasional telecommuting makes employees happy or if they would like to have flexible hours when they come in early and leave early, then supervisors should be open to such schemes.

Sondra Schneider, a partner with Security University in Connecticut, says that while money will be an issue to some information security professionals, the bigger concern is quality of life. Because these professionals work hard, companies need to extend generous recreation or vacation time to them. The flexibility managers adopt will ensure that their employees stay around that much longer.

Addressing the Shortage

The supply of talent is being pummeled by demand. Schneider maintains that training programs, both internal programs created by corporations and those organized by various professional and educational institutions, must be bettered.

Training and educational programs are always desirable, says Matt Tomlinson, business development director with MIS Corporate Defence Solutions in the U.K., but when it comes to the establishment of programs at universities, problems can arise.

"The issue is that the security arena moves so quickly that the majority of training is out of date in three to six months once it has been carried out," he says. "How can universities offer a stable course when they have to re-write it every six months?"

The real point to this line of thinking, he adds, is that "to understand IT security, you have to live it every day in an environment where a further 10, 20 or 30 colleagues live it every day."

As the need for more experienced and formally trained information security professionals rises, however, says Brocaglia, universities and the like will start to recognize the need to found security programs.

"In order to enable e-commerce, security is a necessary piece," she explains. "The demand is always going to be there. I don't see it slowing down."

For certain, threats to information are growing more quickly than the knowledge to thwart them, says MIS' Tomlinson. It is just a matter of having enough experts in this area on hand to fill the wide void, adds SiteSmith's Hillard. Until information security is recognized as a need to move forward into this century's Internet-connected, globally based age, executives will still be scrambling to find good help.

"There needs to be enough emphasis placed on security to generate the demand for these services," Hillard says, "then preparing for these demands will be easier."


Tips for Keeping IT Help Loyal and Happy
by John Winn

Company loyalty is a lost virtue. Just retaining solid IT security staff for longer than a millisecond is a daunting feat these days.
In truth, many high-tech employees actually place a stigma on remaining with a company longer than three years. IT pros feel this makes them appear lacking in ambition and thus, "unplaceable."
Another issue with which managers must grapple is this labor-squeezed market. IT employees know they can quit their jobs on Friday and have another position by Monday, no sweat.

"IT professionals often increase their salary between 15 and 20 percent during a typical career move," says Mike Kappel, president of Top Echelon, the nation's leading network of recruiters. "When company loyalty goes head-to-head with a hefty salary increase, the cash often comes out on top."

None of this bodes well for managers and HR personnel, who know losing a skilled employee puts a significant dent in productivity. Hiring, training, and assimilating a new techie into a workplace means time and money. Bottom line: Lose a good IT employee, and you could find yourself in hot water with your manager.

What's the solution to this shortage of high-tech help? Keep your employees in the first place. With that in mind, here are five tips for keeping good workers:

  1. Soften up. Why is "paid leave" such a hot political topic? Because employers are a step behind public sentiment on this issue. People work to live, not vice-versa. Your top IT person wants to knock off two hours early to catch his son's soccer game? Let him go. Ever consider implementing "flex" hours - allowing employees to work any eight-hour shift between 7 a.m. and 7 p.m.? As long as your employees do their jobs well, help them put their families first.
  2. Pay up. Make sure you are paying competitive salaries to your IT staff. This requires almost quarterly monitoring, because demand for talent in this technology sector is greatly outstripping supply. If you find that certain key employees are underpaid for their skills and you're over budget, turn your attention toward soft benefits. If you can't put up the cash, you'd better make sure your work environment is a pleasant place to be. Come clean with your staff on salary issues. A promised raise that falls through will sting you every time. Implement a fair, regular review system, budget for it, and stick to it.
  3. Square up. Be square with your employees. Foster a work environment that encourages the open exchange of information. Simple employee communications programs, such as newsletters and regular staff meetings, do wonders for keeping employees in the loop. Explain the rationale behind your decisions. Clue them in on what the CIO or CEO is thinking. Understanding the "why" behind a decision and feeling like part of a team does wonders for employee loyalty and morale.
  4. Train up. Establish a formal mentoring process that enables new employees to feel at home and quickly get up to speed. Saying, "Here's your cubicle, I'll check on you in six hours," is a poor way to kick off a working relationship. Make training an ongoing process. Everyone benefits from training - it's a motivating force that rekindles drive and enthusiasm in even the most jaded staffer.
  5. Promote up. Instead of looking outside to fill that senior level position, look hard within your organization to find a match. An outside search could take months, not to mention assimilation and training time. Chances are you have a current employee who can fill that position and hit the ground running in a month's time. Internal promotion will do wonders for your staff's morale. The implied message: performance is rewarded with advancement. This, in turn, fosters productivity and that elusive, all-important company loyalty.

In short, listen to the needs of your employees. If your corporate culture is stagnant, uptight and stifles communication, brace yourself. You'll be tackling the employment enigma for years to come.

John Winn is founder, executive recruiter and president of the Anchor Group. He spent two decades in the information technology sector before starting the executive recruiting firm, which specializes in filling high-tech and executive positions. A Preferred Member of Top Echelon, Winn can be reached at (901) 757-2620, or visit



