Skills Gaps in Infosec Job SeekersRecruiter Highlights Candidates' Key Weaknesses
What are the skills most lacking in IT security job candidates today? U.K. recruiter Ruth Jacobs pinpoints the areas job seekers need to improve upon.
Jacobs, recruiter at Barclay Simpson, a corporate governance recruitment firm based in the U.K., says candidates often search for particular roles that don't match the skills they currently have, "and they might be suited to another area," she says in an interview with Information Security Media Group's Tom Field [transcript below].
And having just the technical knowledge around information security just isn't enough anymore, she acknowledges. "[Candidates] also need to have the client-facing skills, good communication skills and good presentation skills."
Those soft skills aren't needed just for the job itself, but also for the interview process. "They might fail at interviews [having to give] a presentation or not being able to come across well with how they communicate and building rapport," Jacobs says.
Candidates need to remember that information security isn't just an IT issue, Jacobs explains. "It's a business issue, so having that business understanding, particularly for someone who wants to move up [to] a more senior role, this will help them do that," she says.
In an interview about information security job trends and recruitment, Jacobs discusses:
- Today's toughest roles to fill;
- Skills most lacking in job candidates;
- Advice for individuals entering the information security profession.
Jacobs has been recruiting in the information security sector since 2000. She began her career in this area with a company called FTR, which was part of the recruiting giant Modis. She established their information security recruitment desk. In 2004, she joined Barclay Simpson and worked primarily with consultancies and system integrators to fill IT security roles ranging from security consultants, architects to security management positions. Before entering information security recruitment, she worked in the motor industry holding sales and marketing positions.
Information Security Recruitment
TOM FIELD: To get started, why don't you tell us a little bit about Barclay Simpson and your specific role there please?
RUTH JACOBS: Barclay Simpson was established first in 1989, originally focusing mainly on audits and then in 2001 the information security division was started and I joined in 2004 and I work with consultants. The types of roles that I work on are mainly new client-facing consultant roles and it's mixed with skills from security architecture and design to information assurance, security policies and standards and sometimes technical roles like penetration testers, security analysts and I've got colleagues here that work with any different industry sectors - banking, retail, media, pharmaceutical. We cover a whole variety of sectors.
FIELD: I know you moved into information security recruitment in the year 2000. What was it that motivated you to choose your career in this field?
JACOBS: It was quite a strange story actually because I joined a small recruitment firm at the time and I hadn't done recruitment before, and I was given a desk of testing QAs to cover that someone had already been doing and then they mentioned information security. They had one client and nine candidates on the database, and they said I could take that area if I wanted to build it up from scratch, and I just got interested in it. I picked up some jobs and just found it very interesting. I went to meet with a lot of the candidates and clients that I was working with. There weren't any other or very few other security recruitment consultants specializing in that area, so it was just really interesting to get in at the ground and pick people's brains to get a better understanding of the jobs and the type of industry and I really liked it. So I let go of the testing and QA area probably within a couple months or so and just focused on security.
Evolving Job Demands
FIELD: How would you say, in terms of recruitment, your job demands have evolved since you started in 2000?
JACOBS: It's really different now because back in 2000 if you found someone who had information security on their CV you could put them in nearly any information security job that you had, because there were just so few people doing it at the time and companies were willing to train for specific skills if someone had a bit of information security experience in one area. They could be trained across in another area if the job had different demands.
Now, it's completely different. There are so many people in the industry, there are so many people that want to get their first foot in the door in the industry as well that employers are far more selective when they're hiring. There are far more CVs for us to review for every role that we have in. Also, because there are so many people in the industry, it's really growing up and matured and it's professionalized - I think would be the word I would use - where there has been an introduction of lots of qualifications and numerous others and then the vendor certifications as well, and now the universities that offer a master's degree in information security too. The whole industry has really evolved.
UK Job Market
FIELD: And how would you assess the information security market today in the UK?
JACOBS: It's a strange market at the moment. It's buoyant in that there are lots of roles that are open and companies are recruiting, and due to the recession and due to budget constraints and some loose structuring as well within the organizations, recruitment processes have been really slow. So although it looks like there's lots of hiring and there are interviews taking place, underneath that it's much slower, roles are being pulled so after interview processes are going on then the candidates find out actually that role has been canceled or the company decides to take an internal candidate instead to save on the cost of a new hire and maybe use someone who wasn't being utilized to the best of their ability or was in a pool of candidates as employees are about to made redundant. There's quite a lot of slowness in the processes which is quite frustrating for candidates looking for new roles.
Tough Roles to Fill
FIELD: What do you find to be the toughest roles to fill today?
JACOBS: The hardest roles I've always found are the one that are in the middle of nowhere, and because the UK isn't a very small place compared to most other countries there are some places that are really remote - particularly Scotland - and some areas of the Midlands as well. There are not information security professionals that actually live in that area, so they need to find people who are willing to relocate. That's one part.
Another area that has always been hard to find good candidates is penetration testing. There are just not that many penetration testers out there. I think it requires a really high level of intelligence and skill, and there are just not that many people that do it, and when you do find someone who's really good, the company that employees them has put in place strategies to keep them - employee retention strategies. It's hard to get people in that area to move. And there are also sometimes roles that are hard to fill when a new technology becomes quite popular or a particular company's consultancy is working with a vendor on a particular technology where there are not that many people in the UK with those skills, but companies are trying to recruit them.
FIELD: You've talked about the challenge of locating people in some of the most remote regions. What do you find to be other unique challenges to recruiting specifically for information security in the UK?
JACOBS: I think the challenges that we face in the UK are probably not that unique. I mean, maybe other countries have other challenges as well, but I think the challenges that we have here are probably replicated across other countries as well. One thing that's apparent at the moment is we've got this issue here with immigration where we've closed down our tier 1 visa scheme and the government has done that, and it means that I often find that the people with great skills are actually in other countries and they need a visa to work here, and although we've got a lot of unemployment here, we haven't got the people with the right skills for some jobs and we really need to bring them in from other countries. And due to the legalities of sponsoring work permits, there are a lot of companies that just aren't able to do that, but most of my clients aren't able to sponsor work permits. So roles can remain open because we don't have the right skills here, but the skills do exist elsewhere in other countries. We just can't bring those people over. Actually we've opened up recently offices in the Middle East and Asia Pacific and we're able to place some UK candidates into roles in those regions. It's just a shame it can't work the other way around as often in bringing people over from other countries to work here in the UK.
Skills Most Lacking
FIELD: What skills do you find are most lacking in the candidates that you're seeing today?
JACOBS: Sometimes you find that candidates just don't have the right information security experience for a particular role, and they might be suited to another area. What I do particularly is with consultancies and system integrators and the majority of my roles are client facing, so the candidates having really strong knowledge and experience in that particularly area of information security, which it could be architecture, it could be policy or standards, they also need to have the client facing skills, good communication skills and good presentation skills. And sometimes I find that I get a candidate who's really good in terms of what they know, but they haven't got the soft skills so they might fail at interviews [having to give] a presentation or not being able to come across well with how they communicate and building a rapport and if they can't build a rapport with an interviewer, the interviewer might feel they're not going to build a rapport with the clients and so they fall down in that area.
FIELD: There's a great detail of emphasis today on screening candidates properly. What are some of the methods that you use as a recruiter to screen candidates before you recommend them to somebody?
JACOBS: Most of the candidates that I work with - the majority of them having been in the industry for 12 years now - I already know and I have dealt with them in the past as a client or they may have been a candidate in the past or a mixture of both. If I have not met someone before, it depends. If I'm in London to meet them, that's great. I will do a face-to-face interview or a colleague might meet them if I'm not because I work remotely but I will spend time with them on the telephone. I think what's really important when you're screening a candidate in my personal opinion is to understand exactly what they're looking for, exactly what they require in terms of the role that they want to do, the type of company that they want to join, the culture of the company, and what they want to achieve in a new job, what they expect from the employer and what their long-term goals are. I think when you screen a candidate you need to really understand what they want as well as what they can do, and then when you place them you make sure that they get what they want so they're going to stay in that role as a long-term employee, and I think that's really important. I think it works as well to understand what the client wants and then you find a good match if you really understand what it is that they're after. In terms of other kinds of screening, technical screenings, because I'm not technical myself I can't ask questions off the cuff to test someone's technical knowledge. We do have clients that will give us specific technical questions to ask candidates and then I'll have the answers so that I can tell if they really do know their stuff.
FIELD: Now with so much awareness about the insider threat and insider fraud, do you do an element of background screening as well for your clients?
JACOBS: That's something normally our clients will complete themselves and because I work with large blue-chip clients, mainly that's something that their HR departments would get involved with at the time of an offer.
Evolution of Recruiting
FIELD: Now you've been in your role for a number of years now. How do you see this role of information security recruiting evolving as the technology evolves and as the jobs evolve?
JACOBS: Well, I think the crux of recruitment will always remain the same and I think that's what I was saying earlier about fully understanding and appreciating a need for the candidate and the needs of the client, and then delivering by using what both parties are looking for. I think some aspects of the roles have changed with the introduction of social media. About four years into recruitment in about 2004, I joined LinkedIn and that was really useful for networking and keeping in contact with my connections in the industry and then Twitter came along and I used Twitter for a while, but I didn't really find that effective for recruiting in security. It was a good source of information to find out about news and what was happening in the industry but not actually for making contact or finding the right candidate for the role.
I think as far as social media goes, it's great for networking but as a recruitment tool you really need that personal touch. You need those personal relationships and you need to understand what people are looking for and quite often that can't be done over a tweet or LinkedIn. You need that real talking, real interaction and a candidate might see a role advertised on LinkedIn or Twitter but with what someone can put across in an advertisement, it might not tell them enough about the company, the career development opportunities that are available or maybe something else like gaining a specific new skill that the candidate wants to pick up, or they might want to move to a company that they can stay with but maybe in a year or two relocate to another part of the world, and that might not come across on the advertisement or the tweet so the candidate thinks that definitely discounts it where as, as a recruiter, I would understand what the client can offer and what the candidate needs. Then if we have to discount something that actually might meet their need or equally there might be something that's hidden about a particular role - maybe that there's traveling involved - that doesn't come across in an advertisement or a tweet or something and they spend time going to an interview and then find out there's a lot of travel but that's not something that they can do because they may have a young family for example. I think that social media is not going to take away from the job of a recruitment consultant. I think when a company wants to recruit the right people, they know that there are lots of benefits to using someone who is well connected and knows the industry well.
Advice for Job Seekers
FIELD: For people that are looking to enter the information security field today, what advice do you give them?
JACOBS: If someone is brand new and they want to get into information security, they need to know that there are lots of people who are doing exactly the same thing as them, so it's going to be absolutely essential for them to stand out from anybody else or from as many people as they can because there are so many people who want to work in this field at the moment. Having a master's degree in information security is the best qualification that you can have. It's the most highly regarded and it won't guarantee you a job in information security, but certainly when you're applying for roles it will put you ahead of anyone else who hasn't got one.
I think as a general rule, having commercial acumen as well as the information security skills helps people to succeed further in their careers, and that's really important because information security isn't just an IT issue. It's a business issue, so having that business understanding particularly for someone who wants to move up a more senior role, this will help them do that.
I think also when someone's entering information security, it's good to have an idea of the type of career path that they want to follow, whether that's technical or management for example, or if they want to work internally, an end user, or if they want to do consulting, and then giving their job applications to the right type of companies and for the right kind of roles, and sometimes we see someone who really wants a more business-focused information security role but they're stuck as a security analyst working in a security operation center and then find it hard to move out from there. Making sure you're looking at applying for the right kind of roles that are going to fulfill the long-term career goal is really important.