Landing a CSO Job

Why recruiters are your friends (and other secrets to landing a new CSO job)

OK, boys and girls, this month we're going to talk about the moving gamethat is, the process of finding a new job. But first, I'd like to begin with a list of the top 10 ways you know it's time to start looking:

10. You arrive at work and Eliot Spitzer is in the lobby as an unannounced guest.

9. When you log in, your computer begins playing Blue Oyster Cult, and you have a personalized greeting from "Hacker Boy."

8. The company CFO has just taken indefinite emergency leave to visit a sick relative in South America.

7. A recruiter friend calls to ask why your job is being advertised on the street.

6. The CEO, to whom you've been reporting for the past three years, gets on the elevator with you, smiles and asks whom in the company you're here to visit.

5. The police show up at work to inform you that your warehouse guard force has been arrested in a sting operation. They would like you to come down to the station to answer a few questions.

4. The new buzzphrase around the company is "working hard to achieve shareholder value."

3. Corporate relations issues a press release saying that there are no plans to sell the company or to lay off employees.

2. After the press release, the CEO calls a special "all hands" meeting to discuss plans for the future of the company.

1. The head of HR requests an impromptu meeting with you and, by the way, can you bring your hat and coat?

In case you haven't figured it out yet, I've been job-hunting. The wheres and whys aren't important here. (For a hint, though, go back and read my February columnyou know, the one that began: "My CEO is a psychopath.") What matters is that it was time for me to get rid of any quaint notion I might have had that my company or mentor or even rich daddy (if I had one) was going to take care of me. It was time to move on.

The same might go for you. Hard as it may be to admit sometimes, you and only you are the person responsible for your career and getting the job that you really want. So what's the secret? I'm still working that out. But here's a little of what I've remembered, and come to understand, along the road to my next job.

Welcome to the World of Recruiters

While it's nice to think that you might find your next job in the Sunday classifieds, that's not how the world works. Typically a company looking for a new executive will either promote a promising up-and-comer within the organization, or use an executive search agency to find someone outside the company. In the first scenario, there isn't a whole lot you can do, so as New Yawkers say, "Fuhgetaboutit!" However, if jobs are being filled by an executive search firm (affectionately known as a headhunter), then it helps to know how the business works.

There are two basic types of recruiters: those who work on contingency and those who are retained. Working on contingency means that the search agency is competing with other agencies to fill a position. They are essentially bounty hunters who get paid only if they find the person whom the company hires. A retained search, on the other hand, means that the recruiter has an exclusive contract to fill the position. Typically, retained search firms guarantee that they will find three to five qualified candidates within a certain amount of time, usually three months. The recruiter gets paid whether or not the company hires one of these candidates.

Knowing all this, how do you get on the radar screen of top recruiters? Let's play a mental sleuth game by tailing a hypothetical recruiter who has been given the assignment of finding a CSO for a Fortune 500 company.

Companies looking for a new CSO usually want someone with experience in their vertical industry. The recruiter will begin by calling some of the CSOs within that industrytypically, CSOs at the largest and most respected companies in the business. The recruiter will describe the position and possible compensation and ask if the CSO is interested in exploring the opportunity further. If not, the recruiter will ask that CSO if there is anyone he would recommend. Clue number one: If you know any CSOs in your industry, it helps if they know that you are interested in finding a new job. You can get to know other CSOs by attending professional meetings and conferences.

The next thing our hypothetical recruiter will do is see who has been invited to speak at major security conferences. The assumption here is that these folks are well-respected and well-connected, regardless of their industry. If recruiters see a name that crops up time and again, then they'll call that person. Clue number two: Try to get invited as a speaker at security conferences. You'll also find that public speaking has a way of sharpening your mind and the message you want to convey.

Finally, our recruiter will scan newspapers and security periodicals to see who is writing about security or involved in security news. Clue number three: Try to write or be interviewed about the security topics of the day. Of course, it doesn't particularly help you if you write anonymously. (D'oh!)

Handle with Care

Once you make contact with some recruiters, it's important to work with themnot against them. In other words, take special care that you don't piss them off. First, never try to circumvent the recruiter by talking directly to the company. Recruiters get paid by demonstrating that they are the one who found the candidate. If you talk directly to the company, then that puts their commission in jeopardy. Also, the retained recruiter gets paid to be a buffer between you and the company. If you begin speaking directly to the companyespecially during hiring and compensation discussionsthen you're stepping on the recruiter's toes.

Second, never try to play one recruiter against another. Remember, when a recruiter works on contingency, he has to demonstrate that he was the one who brought you to the table. If you begin talking to another recruiter about the same position, you risk starting a war between the recruiters over who "found" you for the position. As entertaining as that may sound, CSOs who do this risk being blacklisted by both recruiters. I've known recruiters who refuse to work with certain people because this happened.

Finally, never embarrass the recruiter by not being completely candid about your background. The company will do background checks prior to making an offer. For instance, the human resources department at your current or previous employer will typically give out dates of employment, job title and salary information. Make sure that what you say on your résumé and in your interview jibes with what HR will report.

If you violate any of these commandments, I guarantee you'll have a red-faced recruiter screaming in your face. But, on the other hand, you'll never have to worry about working with that recruiting agency again.

One side note: While you're looking for a new place to work, be sure to watch your back. I once had a colleague who was fired after it was discovered he was planning to interview with a competitor. I suggest that you never use company e-mail or fax to correspond with a recruiter. Speaking on the phone should be all right provided your conversations are short and can't be overheard.

Sizing Up Your New Company

Africans have a saying: "Before you get married, have both eyes open; after you get married, close one eye." If you're serious about changing jobs, you want to make absolutely sure that you will be improving your work situation. Extensively research your new company to see if it will be a good fit. True, the grass may look greener on the other side, but that may just be because the employees put up with a lot more fertilizer.

Start with traditional methods such as reviewing the company's website and its quarterly and annual reports. Those sources are always good for basic facts such as the company's size, locations, history and financial health. However, as we all know, there is a big difference between what marketing advertises and how the actual product performs. So try to find out the "straight skinny" from someone who already works inside the company. One way is to browse websites such as Vault (www.thevault.com), which provides insights into a company's work culture. The site has a message board where you can read what current and former employees have to say about a company. You can also ask questions about the company's culture and compensation and find out whether current employees are happy.

An even better source is your network of contacts. If you've been participating in industry conferences and organizations, then chances are good that you already know someone who works in the company. If not, make a few calls to see if any of your friends know anyone who works in the company. Heck, if it's true that we're only six degrees of separation away from Kevin Bacon, then I'm sure a couple of phone calls should get you to a person within the companyor at least Mr. Bacon's agent.

This research should be done before your first interview, which will be a vetting interview with the recruiter. In my experience, this is typically the toughest interview. This surprises a lot of people because they assume that their potential employer would be tougher. Not so. Recruiters want to ensure that potentially embarrassing or unqualified candidates are weeded out. If the recruiter is satisfied with you after the vetting interview, then and only then will she begin scheduling interviews with the employer.

If you make it that far, then you're probably in the final three to five candidates. I can't improve on the vast amount of literature that has already been written about how to shine during a job interview, so I won't even attempt it.

As for moi, I found a new position. The recruiter who helped me land it was someone I had worked with in the past and kept in touch with over the years. So yes, it pays to be kind to recruiters. Other than that, you have to work hard, do your homework and play by the rules. Good luck on the other side!

This column is written anonymously by a real CSO.

Copyright © 2005 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022