For the past few years, I've been short-staffed. As a result, I've had to do a lot of the security work myself. For example, I've created my own security awareness program, performed SOX functions on my own, gotten internal buy-in for patching and vulnerability management, and even read through firewall logs, among other things. In fact, I so rarely am able to delegate work to other people on my team that this column might be called One-Man Security Department's Journal rather than Security Manager's Journal. But all that is about to change.
I've gotten approval to hire three new people. Evidently, the dam that was built against new hires when the economy was at its most dismal has been breached. I had an intuition that would be the case, so during the fall budget season, I pitched several new staff positions. I'm thrilled to report that they were all approved! With those positions filled, I'll be able to get a lot more security work done. That's good for me and the company.
But I've been quite surprised to find that there aren't very many experienced security professionals looking for work in the areas I'm trying to fill. I had thought that after so many years of a rough economy, people would be lining up at my door when I was finally ready to hire. But that hasn't been the case. Did the dam burst at other companies well ahead of mine?
Optimally, I would like to hire people whose abilities I already have confidence in. With that in mind, I started out by approaching people I've worked with before or otherwise know to be highly competent. But most of my friends and colleagues weren't even open to the idea of changing jobs. Of the few who were willing to talk, none did anything more than talk, and after a few conversations, things went nowhere. That taught me that my friends and colleagues are doing just fine. I was surprised, because in the past, people had been a lot more dissatisfied with their jobs and more willing to consider grabbing a new opportunity.
Next, I asked my contacts whom they knew that might be interested in my jobs. A second-level recommendation is not as reliable as knowing somebody personally, of course, but there's still some value in having a trusted colleague vouch for somebody. But I was surprised again -- nobody I know has any friends or colleagues who are looking for work. That's a lot of people not looking for work.
That left me no choice but to go to the street. I engaged a few headhunters I know (they have gotten me jobs in the past). Unfortunately, recruiters often don't really know the people they bring for interviews. They find resumes on job boards and pre-screen the candidates, but they can't vouch for them. I have to rely on references and background checks. A reference from an unknown third party is never going to be as frank as one from a friend, but it's the best I can do right now.
Across the nation, overall unemployment remains high, but this experience has me thinking that those of us who practice information security are living in our own bubble of prosperity. On that note, I wish you and yours all the best in the new year.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, go to blogs.computerworld.com/security.