Wanted: Security Superman

Finding the right person to oversee an organization's information security efforts can take extra time, money and salesmanship.

What really attracts Dale Bachman to a company are "cool toys and great projects." Pete van de Gohm looks for work that offers him "brand-new opportunities in brand-new markets." What draws Dan Doherty to a new job is the opportunity for growth and an energized work environment. For Howard Schmidt, the main attractor is support that's "more than lip service" from the top echelons of the corporation.

These employees hold titles such as chief security officer, national security practice manager, corporate security officer and director of information asset protection.

1pixclear.gif
1pixclear.gif
1pixclear.gif

Next Candidate, Please!

Publix Network Corp., an Internet service provider in Hamden, Conn., is preparing to go public in the next six months. But until now, the company's security oversight has been handled by Chief Operating Officer Peter Zackowski, who hired a part-time security consultant on an as-needed basis.

Like all start-ups, Publix isn't flush with money. About all it can offer a new security director is stock. Zackowski says he decided to bypass human resources and go through a headhunter. The headhunter saw the salary range and then sent candidates accordingly.

"The first candidate shows up in the largest pair of Fabu [elephant-leg] jeans that really showed his plumber's side and props his feet up on a chair. After I introduce myself, he says, 'When do I start?' " Zackowski says. "The next candidate believed that an unwashed body was a spiritual statement. He reeked. During the interview, he lifted his arm and sniffed, like he was smelling a delicate flora."

Even if Zackowski could get beyond these behaviors - and, he says, he considered it - he couldn't hire either candidate, because neither possessed the skills he claimed to have.

The message here: Woe to the small company that can't justify, afford or attract senior-level security professionals.

"We changed our request for a more managerial type on Aug. 7, but so far no one's walked through the door," says Zackowski. "The headhunter said he's sending three people, but I haven't even seen a resume."
1pixclear.gif

There aren't many such people to go around. One reason is that senior-level security positions like these call for certifications. The de facto security management certification is the Certified Information System Security Professional (CISSP). Only 3,000 have been issued, according to Jim Duffy, president of International Information Systems Security Certifications Consortium Inc. (ISC2) in Framingham, Mass. ISC2 is the CISSP certifying body.

In such a tight information technology labor market, it's no small feat to attract and retain information security executives, according to Tracy Lenzner, president of The Lenzner Group, a Las Vegas recruiting firm that specializes in security. According to a Computerworld survey conducted last month that polled 164 IT professionals on their hiring practices, it takes companies an average of three to five months to find and hire senior-level security managers.

And consider this from a recent survey by RHI Consulting Inc., a Menlo Park, Calif.-based IT temporary job placement agency: 58% of 1,400 CIOs polled said they increased their security resources, including personnel, in the past six months.

Companies attracting candidates from this relatively small pool are doing so by giving them what they want. And what they want isn't so much big bucks - although senior-level security professionals can pretty much name their salaries.

For example, when he interviewed Doherty, a retired deputy inspector brigadier general for the U.S. Army, Nick Tanzi, president and chief operating officer at Metromedia Fiber Network Inc. (MFN) in White Plains, N.Y., said he knew from Doherty's questions that Doherty was looking for growth, challenge and commitment to security objectives.

"In the interview, I was able to demonstrate to [Doherty] that security absolutely meant the difference between success and failure," Tanzi explains. "The other thing Dan focused on was how broad his role would be. I explained to him that security is more than locks on doors, that we knew we needed someone to come in and get our house in order, identify our challenges and address highest priorities first."

Tanzi's honesty about MFN's security issues and needs, along with the opportunity to work in a fast-paced, growing company, are ultimately what reeled Doherty in as chief security officer for the $75.2 million optical IP backbone company in June.

Such "soft" incentives continue to be the biggest attractors for information security managers, directors and executives, according to the Computerworld survey. Respondents listed the biggest attractors as a flexible work environment; growth potential; a progressive, security-conscious environment; and guaranteed support for security from corporate officers.

"The factors I've noticed that matter to senior-level candidates include workplace diversity, exciting technological problems to solve and the connection of their work to the customer," says Doug Merrill, senior vice president of information security at Charles Schwab & Co. in San Francisco.

Who's Interviewing Whom?

Even before senior-level candidates walk through the doors of a potential employer, they're screening for signs of those factors.

For example, when van de Gohm was leaving the U.S. Air Force security police at the end of 1998, he studied technical crime associations and vertical industries so he could better match his strengths with those industries' particular needs.

So, van de Gohm says, when he interviewed for a security management position at a chip maker in the Southwest, he knew the company's biggest security threat would be chip theft. Since he had a strong background in physical security, he agreed to an interview. But a few days later, he was more intrigued by Houston-based Enron Energy Services Inc.

"This was a brand-new company entering a brand-new market, tied to a brand-new thing [deregulation]. The similarities between the environment here and the environment when I first went to join the Air Force Strike Fighter program were incredible," van de Gohm says. In November 1998, he accepted the job of director of information asset protection at Enron.

Likewise, Doherty's skills in physical and IT security led him to consider the job at MFN after he had been recommended by an employee of MFN's chairman. His research led him to a similar conclusion.

Having recently acquired AboveNet Communications Inc., a Vienna, Va.-based Internet connectivity company, MFN was setting up deals with Dulles, Va.-based America Online Inc. and San Francisco-based Webvan Group Inc. and was laying fiber-optic cable all over the country.

"I knew there was an opportunity for growth here," says Doherty.

Explains Tanzi, "We're building fiber-optic networks in 67 cities between North America and Europe. The first thing we're concerned with is best practices in physical security, because if someone were to tamper with one of our fiber backbone cables, we'd lose customers and revenue. We also needed someone to be our advocate to legislative and governmental bodies to really understand the new world that we live in and the risks of data theft."

While Tanzi was scoping out Doherty for these qualities, Doherty was checking out the company, especially the employees he saw casually in the hallways and in their cubicles. The employees seemed genuinely excited about their work, he says, which was enough to finally sway him to take the job at MFN, instead of a post at one of the two defense contractors that were also interviewing him.

Schmidt, corporate security officer at Microsoft Corp., says he likes to interview the interviewer. When he interviewed at Microsoft, he says, he was particularly interested in support from above.

"I asked [the CIO and the security team]: 'Who does this position report to? What executive sponsorship exists? What's the escalation procedure if things don't get done? What's the potential for hiring?' " says Schmidt, who was recruited out of the Air Force's Office of Special Investigations, where he directed the computer crime and information warfare training programs, among others.

Top-Down Buy-In

Schmidt says that after a few reorganizational bumps in his first year, his unit now gets the top-down support he needs, which is why he's stayed put for three years. While not every security objective is realized - security and business must give and take to work together - the most telling sign of support was when Microsoft's CIO merged physical and data security into one department last month.

This top-down support is also what has drawn a veteran security manager, who asked to not be identified, to security management jobs. He has worked in security management positions for the private sector and the federal government. In hiring interviews, he says, it's difficult to pick up on the true level of support for security.

1pixclear.gif
1pixclear.gif
1pixclear.gif

Security Can Pay - Handsomely

Information security officers can draw $110,000 to $250,000 in annual salary based on the following factors: company size, company type, location, amount of travel, expertise (e-commerce and business development pay more) and level of ability to lead a security practice.
1pixclear.gif

"If you know somebody inside the organization already, they might be able to give you indicators," he says. "You need to talk to the network administrators, for example, and check their level of cooperation."

Inversely, the hiring company also benefits when candidates know someone on the inside. In fact, employee referral was among the top three methods employers use to find information security candidates, according to the Computerworld survey. Doherty has already pulled in someone he knew from the Army's Criminal Investigative Command's computer investigative unit, which Tanzi says makes him even more happy to have hired Doherty.

But even more companies are cultivating security leadership from within, according to the survey. One such company is Sprint Enterprise Network Services (ENS), an IT consulting firm in Houston. Sprint ENS recently promoted Bachman to help develop and manage a newly spun-out security practice group at the national level.

A year ago, Bachman, a former crypto breaker at the National Security Agency, wanted to live closer to his family. So he posted his resume on the Web and interviewed with three companies. Bachman, who has a doctorate in mathematics, took the consulting job at Sprint mostly because of the training and educational opportunities.

Meanwhile, Sprint was looking at him, especially with his advanced degree, as someone to put on a fast track to management. "We're always looking for someone to groom for security management positions for our global projects," says Bob Robinson, practice principal at Sprint ENS.

You can't expect people with senior-level security management skills to fall into your lap, Robinson says, so career development is crucial. Sprint starts by hiring people with the basic certifications - Cisco Network Administrators, Certified Cisco Internetworking Engineers or even a Check-Point FireWall engineer. Those with management potential like Bachman are identified, trained and mentored.

Not only do training programs help solve the problem of where to get security professionals, but they also help keep them. Because of such programs, Schwab's attrition rate for its IT staff was less than 10% last year.

"We focus on retaining talent through internal growth. We're constantly asking our employees, 'What do you want? What do you need to refocus our value proposition so you can get what you want out of your job?' " Merrill says. "It's really expensive to find people, so it's better to retain them."

Bachman is currently developing a security management curriculum for Sprint. He says his goal is to grow his own crop of security project managers to support his new organizational and service objectives.

And, he says, as long as he can create, build, design and work hands-on, he'll stay around awhile. "Call it geek pride," Bachman says. "I think a geek feels as much pride in his creation as an artist does with his painting."

Copyright © 2000 IDG Communications, Inc.

  
Shop Tech Products at Amazon