
Want to be a CISO? Career Advice from David Garcia

Image Credit - Pexels

As in any other field, many people in information security are looking for career advice. Recently we had a conversation with David Garcia, who specializes in executive recruiting in the field of information security. He typically works with CISOs and VPs of Sales to fill their staffing needs. David's firm, Garcia and Associates, made placements in thirteen states and two countries over the past year. David shared his insights into what it means to be a security leader, which skill sets are in demand, and how to make progress in your career. Following is the question and answer session with David.

CISOcast:

How are you helping security leaders find talented security professionals? What challenges do you face in doing so? The intent of the question is to find out what problems they are facing in finding candidates and how you help them solve these problems.

David Garcia:

I primarily rely on direct contact with likely qualified candidates using my existing network, and then phone, email, and social media. The greatest challenge is high demand when finding individual contributors such as pre-sales engineers, security architects, and security engineers. It is important to find differentiators within an opportunity—and that can mean support for the security program within an enterprise, it can mean a program is being built, and of course the income potential.

CISOcast:

What skillsets are hard to find and why?

David Garcia:

It comes down to supply and demand, and the fact that some skills cannot be “grown” overnight.  Enterprise security architects, anything touching application security, and new roles that blend security and big data analytics.

CISOcast:

Do security certifications matter? If yes, which one has the most value in the entry, mid level, and leadership roles (may be different at different levels)?

David Garcia:

Yes, they do—in certain companies.  On the vendor side there is generally an expectation that a senior consultant will have a CISSP and/or an ISACA and SANS cert as it applies to the type of work.  We all know that certifications don’t guarantee proficiency, but they do serve as a benchmark when measuring the competition and they are expected.  On the enterprise side, I tend to find that certifications can be waived in lieu of experience.  There are exceptions.  I am currently retained by a major hospital system and have candidates interviewing for CISO.

CISSP required—no exceptions.

CISOcast:

What is your advice for a recent graduate with an engineering or computer science degree who wants to get into the information security field?

David Garcia:

Find a mentor and join a professional association such as ISSA. Security is so broad these days, it may be unlikely that a new graduate really knows what portion of the field they desire to pursue.  The job market is in their favor, and internships are becoming more abundant to tap into the market and identify future employees prior to graduation.  This is absolutely critical given the deficit of practitioners.

CISOcast:

How are new technologies like IoT, Software Defined Networking, Cloud, etc. changing the requirements for security professionals?

David Garcia:

It certainly increases the overall knowledge level, at least from a familiarity perspective.  I believe it simply increases the number of sub-specialties for practitioners, as we have seen with cloud over the past few years.  I query practitioners regularly, “Does your enterprise have an IoT strategy?”  The answer is rarely yes, typically due to a lack of resources.  I fear that IoT will be yet another wave of technology where security practitioners will be pushed on the front side of the wave as opposed to being behind it or at least riding atop.

CISOcast:

What is the most unusual thing you have found out about hiring people? Something that was unexpected for you.

David Garcia:

The amount of anxiety that many people have over the creation of a resume came as a surprise. I don’t get hung up on format, as long as I can follow the story being told succinctly and rapidly. And that’s the trick—tell a compelling story in a short amount of white space that quantifies and qualifies (successful) experience and shows that you will make the company money. While never embellishing, you know you need to have the “right” technology terms present. If you are in management you know you need to demonstrate that your work as a security practitioner/leader is an actual business enabler. And I suppose as a side note I am surprised at how many successful people rely on spell check vice proofreading prior to sending a resume to me or a prospective employer. Bad move.

CISOcast:

What is your advice for aspiring CISOs? What should they focus on? Do they need help from executive recruiters?

David Garcia:

If applicable, find out how your CISO briefs the board of directors and the details of that two-way interaction. In my mind that is the clearest and most pure example of a security leader communicating to the business. Some version of that conversation, communicated properly and backed up by action with your peers, non-IT shareholders, and within your own team will clearly show that you understand security’s role as an advisor and strong supporter of the business. Security enhances patient care. Security supports efficient manufacturing processes. Our security program helps us sell more insurance. If you and your team take that approach you will also find yourself saying “No” less, and “Yes, but…” more frequently, and you will be seated at the table in more meetings. You’ll find a way to make it happen and mitigate risk appropriately.

Always know what your go/no-go criteria are regarding ethics, and how well your profile matches up with leadership. If your no-go criteria are breached, you better have a silver bullet in your pocket or be ready to walk. It’s a tough job; most CISOs are only in place about three years. In a large enterprise that’s about the time that it takes to gain trust, sell ideas, implement major projects, and begin to see results.

Other advice would include interacting with and presenting to your peers, and being the thought leader.

Pursue applicable certifications and stay current with technology changes and threats.  Network extensively.  Learn as much as you can about other security programs, particularly those of competitors.  The latter is beneficial both from a business and career perspective.

If you have a relationship with a good executive recruiter, you should be able to get insights into the company and opportunity that are not readily available to the public.  It’s also a good way to keep up with trends on requirements and salaries.  If I’m taking the time to interview someone then I am already fairly certain that their background and experience is a good fit for the position I am representing.  Knowing my client, I only begin to get excited when I realize that the personalities will be a good fit.  That is invaluable insight.  If that last piece is not in place, you are not going to get the job or worse…things won’t end well in the long run.