


Dream Jobs Are Hard to Find

Jun 01, 2006, 11 mins
Careers, CSO and CISO

It takes perseverance, a willingness to compromise and some sleuthing to find companies that want the leadership and business skills you have to offer.

Some time ago, when he was looking for an executive-level opportunity in security, Ken Stephens started to notice certain job postings that never seemed to go away. Some CSO and CISO positions continually showed up on the job boards, requesting a pretty standard skill set and level of experience. Stephens made a habit of printing them off and stashing them away in a folder.

"There were at least a couple of dozen that you just started to notice never got filled," says Stephens, now the CISO of Fair Isaac. One job, for an insurer, was listed for about three years. "How does a company that defines it has a need for a CSO or CISO decide they'll look and not fill it for three years?"

An entire magazine issue about dream jobs might insinuate that such jobs are waiting to be had. But are they so plentiful? Stephens' folder of long-vacant positions suggests that some companies are looking for the wrong people, or asking for the wrong things.

In fact, Stephens isn't so sure that the unique skills that CSOs offer are understood by HR departments. And he's not alone. Jon Wunderlich, who just landed a job as CISO of McKesson, was actively looking for opportunities recently. He says, "What surprises me is that everybody keeps saying there are all these opportunities for leadership in this space, but the jobs weren't really there." Meanwhile, Kenneth Newman moved from New York to Hawaii to take an executive-level security position, after finding other positions he examined weren't as high-level or strategic as advertised. As Newman notes of his job in Hawaii, "It was one of the few opportunities I found which put me in a place of influence."

Job seekers interviewed for this story acknowledge that all job searches include some lemons, and that it can take sacrifice, be it the location of the work or the lower-than-desired starting level of responsibility. But while they acknowledge these points, the larger point remains valid: The job market, as represented by the descriptions that hiring companies typically post, is not seeking out security professionals who are capable business strategists. When it comes to CSOs and CISOs, many businesses may try to get them, but few still get what they can do.

Here, with Stephens, Wunderlich and Newman, three C-level security executives who recently landed great new jobs, we explore three of the disconnects that they say keep more jobs from being dream jobs, and what it will take for companies to create opportunities that maximize the contribution of CSOs and CISOs.

It's All About the Benjamins

More than any other factor, Stephens links the disconnect between security professionals and their potential employers to money. He says, "They have no clue what the market bears, and, worse, they don't have the flexibility to adapt."

Stephens believes there's as much as a 10 percent to 15 percent gap in what many large companies are willing to pay for six-figure, executive-level security jobs and what he expects, based on experience and the increasing importance and complexities of the job. In one case, Stephens found himself and an employer 10 percent apart, which led him to reject what otherwise was a great offer.

Just why this disconnect exists can be attributed to several factors. For one, says Newman, the CSO of American Savings Bank in Honolulu, much of the disparity about salary expectations can be traced to the fact that many information security jobs grew out of IT jobs. "You see it on the IT side especially," Newman says, "because someone midlevel who had security experience and made midlevel IT professional money was plucked out of the pack to lead a security effort." "I hope as more security roles move out of and beyond IT, the salaries follow," says Newman.

Another contributing factor is a lack of common responsibilities for security positions and, as important, a lack of common nomenclature for the jobs being offered, Stephens says. It might sound facile, but a job's pay often matches up to its title, and titles in security right now are hardly consistent. Some companies post jobs that amount to executive-level security under titles like information security manager (jobs that are paid like managers' jobs). It goes the other way too. Many companies have appropriated the high-level titles like CISO with job descriptions that sound like something farther down the corporate hierarchy.

This might sound like nitpicking, but Stephens sees it as the exact opposite. After all, he says, the job of security officer has gotten much harder in recent years, and his ilk have also proven they can be strategic business leaders. If he's going to contribute to the bottom line, he will demand compensation for that.

"We're trying to close a $400 million contract at my last job, and the client wouldn't close it because of a couple of worms that had them scared," says Stephens, launching into a story to illustrate his point. "The CISO on the other side was a roadblock. No one could close the deal. So I invite the CISO and others from the client up for all-day presentations. I showed them how we did metrics on security, and the security built into our network operations center.

"By the end of the day the CISO says basically two things. One, he wants our metrics. I said, 'Done.' And two, how do we get everyone together to sign the contract. Security is now a forefront issue with sales. If we're not in the loop, deals don't get made for months. It's a key business driver. It sells products and services."

So, he argues, show CSOs the money.

Stabled Thoroughbreds

The way Newman sees it, he just traded one island for another, Manhattan for Oahu, when he became CSO of American Savings Bank in the 50th state. "Not a bad trade, huh?" he chuckles. Then more seriously he says, "Look, one of the reasons I came here was because this job was one of the few opportunities I found to combine physical and information security."

Newman says his job search became increasingly frustrating as he interviewed for positions and found that most of them lacked two key things: One, they lacked a view to the upper levels of the organization, and two, they didn't include duties that Newman feels are fundamental, like strategic planning and even contributing to the bottom line through the security function.

"No matter how they tried to position them or sell them, the jobs ended up buried in tech somewhere," he says. "We're supposed to be business managers and risk managers, but rarely did I find a position that was even planned for a place of influence."

At American Savings Bank, Newman has taken a central role and, he adds, "I've got business continuity and since I started, I took over records management. I report to the head of operations. I have management interaction and board interaction. That's the reason I've come all this way."

Yet, in order to find such influence, Newman not only had to travel 5,000 miles but he also had to move to a smaller company. And even at this company that gets it, as Newman says, it took a long time for his employer to decide they needed such a position. "I started networking here years ago," he says. The challenge at any company is for HR to understand the executive security position, then how to look for it and finally, how to screen those who come asking for it. On all three counts, Newman says, his job hunt experiences suggest that many companies are lacking.

He was echoed by Wunderlich, director of information security at McKesson, who says of HR departments, "They don't know what they don't know. In all three jobs that I've had, I've submitted up front what I thought the role should be. Here, they have a VP of enterprise security, and they've brought in a CSO for physical security and executive protection. They get it." In his previous jobs, Wunderlich says the descriptions didn't match the actual jobs, which amounted to managing infrastructure. "You were a compliance check mark. You're a thoroughbred, and you were stabled."

To Newman, it's a sad irony that there are so many talented people who want to help companies run more securely and efficiently, but that the companies don't seem to want them. "There are a lot of good, frustrated people out there who could do things," Newman says. "But the influential opportunities are few and far between."

Fear of the Cop

Wunderlich says the gap between what security professionals have to offer and what's being offered to them was illustrated perfectly at a meeting held the day before he discussed job searches with CSO. "I was talking about availability, and the principal finally says to me, 'Why do you keep talking about availability? That's not your job.' So I just say, 'Well, what if a worm takes out your SAP environment?' and there was this collective, 'Ooooooh, now we get it.'"

This is how the first month had gone on the job at McKesson, a pharmaceutical company where Wunderlich says executives get it, but where biases against security still must be overcome with the rank and file at the business unit level. Before that meeting about availability, at a meeting with another business unit, attendees expecting Wunderlich to talk about firewalls were first shocked, then refreshed, to hear him focus instead on risk and workflow.

And if this happens at McKesson, what's happening at companies looking for a CSO, or drawing up job descriptions?

Wunderlich thinks this disconnect leads to an environment where potential jobs are skewed toward security officers as compliance monitors. The dilemma companies face is that they at once want someone for compliance enforcement but they also fear they're hiring a cop type who will walk in and create restrictions everywhere. This leads to poorly defined jobs. Both he and the others say job descriptions that are vague but specifically mention certain regulations can mean a security professional will be pinned to compliance duty and prevented from doing much else.

"I think CSO, CISO, security, some of these words have connotations of a badge," Wunderlich says. "All of a sudden they forget that you have 20, 25 years of experience. They forget you were an innovator and thought leader before this. Suddenly I was interviewing for jobs where I'm just a check mark. I think that's a shortcoming."

Conquer from Within

The question is, what happens to Stephens' folder, where he kept long-unfilled security jobs? Will it become more or less full? Will more companies make the mistakes that these three executives found on their way to landing dream jobs? Will top security jobs garner the attention, respect and money they deserve?

Stephens, Wunderlich and Newman say the situation will improve, albeit slowly.

Scott Hamrick, the CISO of GE Healthcare, is more upbeat and wants security executives to work toward change. He says waiting for companies to see the light or adapt to the candidate won't work. Hamrick's first high-level security job came when he impressed a company enough to choose him over someone with 20 years' experience, because, he says, he adapted his security plan to their low-margin business while the other candidate came in with a budget much higher than the company was willing to spend. Mind you, Hamrick brought in a plan he thought could work, while the experienced candidate seemed to say, "It can only work my way."

Once Hamrick had the job, he started increasing his influence. And now he says that same conquer-from-within strategy should apply today. "When I post jobs, I have an idea of what I'm looking for, but after I hire someone, they change it. I hired someone last year and this year I reviewed the job posting for them, and I kind of laughed because what the person brings now is a whole lot more, a whole lot different than what we were looking for. It's sort of up to the employee to get in there and, once in the role, take it from what the company wants it to be and make it their own."

E-mail Senior Editor Scott Berinato at