Make Yourself a Dream Security Job Candidate

Although security pros still find new jobs through personal networks, recruiters also hold the keys to many executive-level positions. The best recruiters know the job market better than anyone, and they know which candidates have the skills and talents that are most in demand. To help CSOs (and would-be CSOs) gauge how well they stack up, we asked four top recruiters—some with an expertise in information security and some with a corporate security bent—to describe the signs that indicate they’ve got a dream candidate on their hands. They told us the skills and capabilities that make a job seeker easy to place.

Joyce Brocaglia, founder and CEO of Alta Associates in Flemington, N.J.

We look for what I call a triathlete: someone who has strong technology skills and who has a lot of business acumen and understands risk. On top of that, the ­overriding thing CSO candidates need to have is leadership.

The best way to differentiate themselves is to be able to describe a situation, the action they took and the results that were accomplished in a way that displays an overall ­understanding of risk. If they just rolled out two-­factor authentication, I want to hear how they socialized the organization, how they worked with business lines in getting them to understand risks and benefits, how they managed the project and the team, and ultimately what the results were. I don’t care about how many nodes and this and that. Did they display an understanding of the problems or risks before they implemented a solution? Did they tailor the solution to meet the risk appetite of the business?

CEOs are looking for somebody who has a holistic approach to risk and the ability to convey ideas that add value to the business. Candidates need a broad understanding of areas like business resilience, privacy, governance and compliance. Information security alone isn’t enough.

Jeff Snyder, president of Human Capital Solutions in Woodland Park, Colo.

I can tell in 10 minutes if someone is a great candidate. It starts with the way their résumé is written; it starts with the way they correspond by e-mail. You have people who shoot out four or five words, who don’t spell check or know what a ­complete sentence is. And you have some who write more formally. When I do get to the phone, the people who can very specifically articulate their accomplishments separate themselves from the pack very fast.

Generally speaking, this caliber of person is not without a job. From a recruiting perspective. I’m not looking for someone who’s unhappy. I’d rather find a person who loves his job, but the job opportunity I have available represents another career step. That’s the best placement you can possibly put together. The time to make [job change] decisions ideally is before you have to. I prefer people who haven’t put together their résumé in a couple years. Clients prefer someone who’s not looking for a job.

If you’re that rare candidate who has the whole package, you’re going to have an awful lot of opportunities. But if you’re a person who excels on the technical side but is lacking the people skills, there is going to be a ceiling. Does that sound harsh? It’s reality. If I were talking about CFOs, it would be the same. The people who ascend to the top of the company are the people who have outstanding communication skills. Yes, they have to understand their subject matter. But if they don’t have outstanding communication skills, there’s going to be a limit to what they can accomplish.

Pete Metzger, vice chairman and head of the global security practice at Christian & Timbers in Washington, D.C.

It’s not what my dream candidate is; it’s what the clients want. The first thing a client will say is, I have to have someone who can lead this organization, someone who can influence people and events. The other thing is threat analysis. Our enterprise is threatened by man-made disasters, by natural disasters, by radical reformist groups and by state-sponsored terrorists. How do I prepare my enterprise to deal with these threats? That generally requires a forward-thinking person who is also able to network with national-level sources in law enforcement and intelligence. The CSO also has to have experience in designing, practicing and implementing disaster recovery plans, and have the executive presence to knock on the door [of the CEO] when necessary and say, here’s something you need to know about.

Then the client needs someone who understands business. An MBA is an important advantage for a CSO candidate.

Vincent Sorrentino, president of J & S Resources & Associates in New York City

I’m looking for a solid work background, not a candidate who takes a new job every two years. I’m not looking for someone from a ho-hum school. I’m looking for someone who has moved from one good firm to another good firm. We advise candidates to trade up, and when we say trade up, that’s not only in terms of compensation. You don’t want to go from a Merrill Lynch to a firm that’s not recognizable. You don’t want to go to a startup just because there’s an opportunity to make millions of dollars. If you trade down, it’s gotta be a minimal trade down.

The other thing is personality. You’re talking about somebody who’s going to come into a new corporate environment, and he has to know how to win over his peers to get the job done—especially from a security perspective, because you don’t come in and just lay down mandates. You don’t want to come in like a bull in a china shop. You have to be able to negotiate. You have to get people to buy in to your program.

Senior Editor Sarah D. Scalet can be reached at sscalet@cxo.com.