Traditional Recruitment Methods in the Security Niche

About two weeks ago I got a call from a firm on the west coast.  This call came from the Director of Information Security and he was frustrated with the fact he had an open senior security position that he had been trying to fill for several months. He had seen very limited resumes thus far and the few he saw were not even close to being a match. I should mention that I get calls like this often from both hiring managers and Human Resource managers.

When I asked how the hiring manager was trying to identify potential talent he stated  the  internal staffing department had been running many adds on the job boards. They also had several recruiters working on the position, but those recruiters didn’t really have a grasp of security or the position itself. Needless to say the hiring manger was frustrated with the whole process and the time that has passed with no good candidate presentations.

Trying to use these traditional types of recruiting for security positions is a little like casting a wide net and see if you catch anything.  Sure, there are times you may get lucky, but many other times you don’t.

The world of recruiting has changed over the last 20 years. It has moved into the electronic world. There are 1,000’s of job boards and social networks like Facebook and LinkedIn. With all this technology you would think that hiring staff for your company is simple.

Well, judging from the comments and conversation I have with many employers that is not the case. Having all the electronic technology in the world does not help if it does not produce the required results.

I hear from Fortune 100 companies and down that identifying “good” talent that meets their security job requirements is getting harder and harder. As I mentioned earlier I get many calls from firms that had an open position for several months simply because the limited talent they see is not close to being a match.

Recruiting in the security niche must be targeted and direct.  Casting a wide net and hoping to catch a perfect candidate is a poor solution for recruitment.

This is where, in my opinion, so many employers are missing out. If the traditional resources you have utilized are NOT producing solid results then why not change those resources. You may very well find that a change is just what your open security positions needed.

Wils Bell

President

SecurityHeadhunter.com, Inc.

SecurityHeadhunter.com is always open to answering questions and discussing security recruitment with both employers and security talented professionals. Feel free to visit us at SecurityHeadhunter.com or call us at 407-365-2404. Let our extensive experience in the Security Search Firm industry work on your behalf.

Security Job: Manager; Security Breach Response

Security Job: Manager; Security Breach Response

Note: This is a great opportunity and the position is very detailed. Below is just a brief description to provide a general understanding of the basic responsibilities. For a full confidential discussion of this exciting opportunity, please call Wils Bell – 407-365-2404

Job Type: Full-time (not a consulting firm)

Job Location: Positions available in – New York City, Philadelphia or Chicago

Compensation: Base of up $140,000 (maybe higher) plus bonus

Telecommute: No

Education: 4 year degree is a must

Travel %: up to 40%

Relo Paid: Prefer local to either Chicago, New York City or Philadelphia

SecurityHeadhunter.com, a Security Search Firm, has been selected to conduct a search for a client interested in hiring a Manager of Information Security Breach Response. The chosen candidate will be responsible for working closing with the upper management and C level executives at organizations that have had a serious cyber breach to direct and coordinate a response and remediation efforts with internal resources and outside 3^rd parties as required. In addition to having a good understanding of Information Risk / Security, the successful candidate will probably have had positions working in a client facing role (Sales or Sr. Consultant), but not necessarily . A solid understanding of how Information Risk and business functions interact is a real plus.

Our client is an established organization with “excellent” benefits and a great career path.

Responsibilities:

• Ability to direct and coordinate the breach response activities at affected organizations.
• Direct internal resources and 3rd party service providers that are involved in the breach response and remediation. This could include but not limited to Forensics Consultants, Credit Bureaus, Lawyers, Law Enforcement and other services as needed.
• 3^rd party service provider relationships to include; selection, contract negotiation, and performance evaluation.
• For major breaches, ability to coordinate and direct response efforts onsite at affected organizations location.
• Provide onsite breach response assistance for clients as needed for significant breaches.
• Ability to educate organizations on the need for proper incident response and the liabilities of failure to do so.

Skills and Abilities

• You must have excellent written and verbal communication skills
• Ability to work with people during high pressure and crisis modes.

To be considered for this position, please contact Wils Bell directly OR email a confidential resume to : Bell@SecurityHeadhunter.com

Wils Bell
President
SecurityHeadHunter.com, Inc.
POB 620298 * Oviedo, FL 32762
Direct: 407-365-2404
Email: Bell@SecurityHeadhunter.com

Web: SecurityHeadhunter.com

Are you too perfect to be an effective security manager?

If you’re scratching your head about why users are ignoring security policy, maybe it’s time to review your mistakes – and share them with people

By Michael Santarcangelo

Ever spend time working on policies, solutions and messages only to be ignored or cast aside? Worse, after spending the time to build a solution, are people simply not responding?

Last month I shared the “pink sticky approach” and why it often backfires and complicates the situation. There is more to the story. I learned about the “pink sticky approach” after keynoting a conference. During an open panel, a woman stood up to ask for help improving compliance with the privacy policy. She described how she used the pink stickies and was confused why it led to less compliance instead of more.

To read the full article by Michael on CSO Online click: http://tinyurl.com/23naft3

BCBS of Tennessee provides update on breach involving stolen hard drives

Approximately one year after the theft of 57 hard drives containing member data  from a leased facility in Chattanooga,  BlueCross Blue Shield of Tennessee provided an update…….

FULL ARTICLE

A Funny Thing Happened During the Interview

A Unique Security Interview

During a conversation today I was reminded of a situation that in some regards was funny and on the other hand was actually rude. It does have a lesson to those employees of companies involved in the interview process.

Here’s what happened. I had a position here in Florida for a senior hands-on technical Security candidate. The client was a solid company with operations around the USA, Caribbean and Central and South America. Even though this company had many bilingual employees due to their different business locations, it was not required on this particular position.

Since the candidate (let’s call them Dave”) I recruited was available ASAP,  had recently relocated to Florida and was local, the employer scheduled an in-house interview for one afternoon. ( I’d known Dave for several years since I recruited him for another opportunity when he lived in the Carolina’s. Still has his Carolina accent.)

The day of the interview arrived and Dave was off to meet everyone. Dave called me on his drive home from the interview  to share his thoughts of the company, the position, the people, etc. He met with Human Resources and got all the HR information and was taken on a brief tour of the facility by another HR representative on the way to interview with the technical security staff  and manager. Dave was taken to a conference room where  the manager and 2 project managers were all waiting to conduct a group interview, even though the interview  itinerary was stated differently, but no big deal.

Here’s where it begin to get a little funny and rude at the same time.  All three employees of the client were asking Dave questions related to the job.  As usual, the questions started out relatively easy and progressed quickly to more difficult questions since Dave was able to answer correctly without any issues. He knew he were doing well. He knew he knew more than the project manager he would report too. He knew the manager thought he would not be challenged for long in the job. He knew he blew away all the other candidates  interviewed thus far, and many other insights.

Now you ask, why would these employees conducting the interview discuss these comments directly in front of Dave. Simple, they were speaking Spanish. Yes they were interviewing in English, but discussing amongst themselves their comments about the candidate. How rude was that, but the fact that Dave was able to understand about 75% of the Spanish was the funny part.

Yes, here’s someone with a Carolina accent that had a real good handle on understanding Spanish. He had worked for a firm in the past with many Latin American clients and  spent 5 years travelling south and picked up Spanish enough to understand people fairly well.

Dave thought it was a real insightful interview situation that most people would never experience, while also being rude.

One we jot to the actual job,  regardless of the rudeness factor, Dave stated that the client indeed had some real security  issues, as I had indicted. Once those issues were resolved over the next many months, the job would not be challenging.  Even though he was ready to go to work, this was not going to present a long-term opportunity. (The client still made him an offer, even though I said it was not necessary)

The overall  problem I saw was the client was discussing Dave and his answers and comments right in front of  him in a language they thought he did not understand. Whether he understood or not I felt and he felt it was rude. Would that have been the normal work environment and atmosphere. In fairness, I did share with the CIO that Dave turned down the position based on opportunity, but for future reference he night want to discuss with his managers their interview style.

I supposed the moral of the story would be never assume anything, like you are not being overheard or understood by those around you.

Have a great Wednesday.

A Cattle Call Approach to Recruitment

I Wish Employers Understood

A couple of months ago I heard about a company rebuilding their web presence and was in need of senior  Security Architect.  I called the CISO and left a voice mail  introducing myself and SecurityHeadhunter.com as a Security Search Firm. I indicated I would send my company Brochure and a link to the SecurityHeadhunter.com web site for their review. I was pleasantly surprised a few days later when I had a voice mail from the CISO (let’s call them John”) saying he would like to talk. When we spoke I had high hopes of picking up the search, which I hand already seen on their career page.

Well, I reach John and yes one of his managers was indeed still  looking for a security architect. They were frustrated in the fact this position had been open for over 7 weeks and the resumes from HR were not close to what was needed skills wise. I was sure my expertise could help identify quality talent, I told John. That’s when the shoe hit the ground. I was informed that all recruitment services must go through the HR department.  John had no control over that aspect of the process, but would  introduce me to the manager, which they connected me with while I was on the phone. Once John got off the call, the other shoe hit the ground. “I appreciate John introducing you, but we have a list of  approved vendors.  Please send your information and we’ll keep it on file” I was informed. I don’t go away that easy, so I let the HR manager know that I am not a general recruiter. I am president of SecurityHeadhunter.com and as the name implies we a  Security Search Firm. We have the ability and expertise to fill this job. Didn’t matter what I said. They had their vendors and they would let me know if I could help in the future. I let John know the outcome of the call.  He was also disappointed.

About 2 weeks ago I got a call from someone in HR (not the manager) asking if I could be available that afternoon for a conference call with the HR Manager and 2 Security managers to discuss the position since they were not getting the resumes they needed. Of course, I could and I was emailed the details to call for the CC.

At 2 pm I called in to enter the CC, but the code number to join the conference I was given was wrong.  I quickly reached the HR rep from earlier and was given the corrected code and called again. It was now 3 minutes after 2pm and when the automated system let me into the conference it announced to me “You are caller number 14  in the conference”.  You have to be kidding I thought. Am I just one of lots of recruiters on this call?  I must be part of a  “Recruiting Cattle Call”. What a waste of my time, but since I was already there I’ll listen.  The  HR Manager was already discussing  salary and other HR information before the  Security Managers detailed the job. It was good information, but nothing I didn’t already understand from a technical standpoint. The Security managers then asked for questions from those listening. I had a couple questions, but  I thought I would sit back and listen to what others asked. Like I suspected about 8 people (recruiters) asked question that made it so clear they had no idea what a security architect is and how to screen their skills.  At this, why would I want to spend valuable recruiting time on a search for an employer that utilizes the Cattle Call recruiting method. I did conduct a quick follow up call with the HR rep and was informed the others on the call were their approved vendors, the same ones that have not filled the job yet.

Time is money and the recruiting process is no different. Employers should try to fill their open jobs on their own if possible, but after 3 months of the efforts of the approved vendors with no success, perhaps it’s time to engage a “Security Headhunter” to fill the position.  In this case, it appears that the approved vendors just are not specialized in getting the correct talent  and I would not work on a search with 10 plus other firms. My time is to valuable to spend in a cattle call search process.

If you are not getting qualified resumes in your recruiting process, then you should change your process.

Moral of the story:  Make the decision to bring a “Security Search Firm” into your process at this point. You’ve given your other resources plenty of time with no success. Sometimes, as employers, you need to make an investment in your search with an exclusive search  that will actually results in a “search assignment” where candidates are recruited for your specific  job, not simply posting jobs to the Internet and see who replies.

I shared these thoughts with the HR manger and the CISO, but nothing yet. (the position is still open)  Perhaps next month the employer will decide to move forward on a real search assignment.

Have a great Monday!

Slow Feedback Is Bad PR For Your Company

Slow Interview Feedback

Last week I had 3 people interviewed in person at three different organizations for 3 different types of positions. Even though each position and organization is different, they all have one thing in common.

Virtually “NO” timely interview feedback.

The problem of getting client feedback in a timely manner is probably the biggest complaint I hear from candidates I represent on search assignments. I have spoken with other recruiters I know in other industries and I hear the same thing from them. It is happening, or rather not happening across all search types to even include Retained Search.

As most of my clients know, when they engage SecurityHeadhunter.com to perform a search assignment for a senior level position, critical hire or hard to fill position, we don’t run out and post jobs to a bunch of job boards. We actually recruit candidates that are generally working and happy in their current job. They are top candidates that will only make a move that is right for their family and career goals.  They ARE NOT actively looking for a job, rather they are interested in hearing about the employer opportunity and once again determining if this new opportunity AND company are a fit for them.

During the interview employers are looking at the candidate for a match, but remember that the candidate is also looking very hard at the employer. What kind of first impression does the employer make on the candidate.

We all know the old saying “There is never a second chance to make a first impression” and when employers wait 4-5 days or a week or longer to provide feedback, this leaves candidates with less than a great impression of that employer.

I understand that everyone is busy.  Just staying up with emails and all the other electronic media can be overwhelming, however when an employer has an open position the goal is to fill that position. To fill the position, interviews must take place and to get candidates to want to work for your company and accept your offer employers must sell the candidates on their company. Dropping the ball on feedback is no way to sell your company to a prospective hire.

All I am trying to say here is that if an employer decides to interview a candidate and go through the time and expense it takes for the interview , then get feedback about the interview out ASAP. Not only will that make my job easier, but the candidates will realize that you are not only serious about filling this position, but you are professional in how your company deals with candidates.

Security Job: Web Application Security Engineer

Job Type: Full-time salaried position
Job Locations: If you are open to any of the following areas we should talk:  Illinois, North Carolina, Nebraska, Pennsylvania, Indiana, and Connecticut
Compensation: $90,000 to $110,000 salary, maybe more
Telecommute: No
Education: BS strongly preferred, but not required.
Travel %: minimal
Relo Paid:  Possible assistance available on a case by case basis
Certifications Preferred: CISA, CISSP

SecurityHeadhunter.com is conducting a search for Web Application Security Engineers. Our client, a Fortune 500 organization, has engaged us to identify, recruit and prescreen candidates that have a passion for web security. These are full time positions working on site for the organization. The client is not a consulting firm.

Our client really wants to see candidates that have at least 3-5 years of software / application development and /or web development skills in Java OR .NET environment and has moved over to the Security side for at least the last 2-3 years.

Having a software or Web Development background prior to Web Application Security is NOT a must have, but is a big plus for the positions.

The selected candidate(s) will be working on new web application security as well as legacy systems from time to time. Selected candidate(s) must be very knowledgeable of OWASP TOP 10.

RESPONSIBILITIES & DUTIES

• Conducting web application security assessments on both new and existing web applications.
• These assessments involve manual testing and analysis as well as the use of automated web application vulnerability scanning and testing tools to include but not limited to Fortify, IBM App Scan, HP Web Inspector, Hail Storm testing tools.
• Utilizing company standard reporting format to prepare formal security assessment reports for each application, using our standard reporting format.
• Participate and lead when necessary conference calls with internal business customers to review security assessment results.
• Consult with these internal business customers on remediation options and the retesting of security vulnerabilities that have been fixed and republishing your report to indicate the results.
• Participate and lead when necessary conference calls with potential internal business customers to review newly requested security assessments and estimate the amount of time required to complete the assessment.
• Ability to assist in the deployment and/or support of web application firewalls.
• Experience working with static code analysis tools
• Ability to communicate complex security subjects in easy-to-understand terms.
• Desire to stay current with emerging technologies and industry trends.
• Solid understanding of OWASP along with the ability to apply the application those security concepts.
• Thorough understanding of both TCP/IP and HTTP.
• Ability to work in a fast paced, challenging and sometimes stressful environment while keeping a cool head.
• Ability to look at the big picture and help in finding acceptable solutions and remedies.
• Strong focus and ability to dealing with internal users and customers
• Solid written and verbal communication skills.

For information on this or other Security related positions, please contact:

Wils Bell
President
SecurityHeadHunter.com, Inc.
POB 620298 * Oviedo, FL 32762
Direct: 407-365-2404
Bell@SecurityHeadhunter.com *  SecurityHeadhunter.com * www.Linkedin.com/in/wilsbell

Security Job: Chief Software Security Architect

Job Type: Full-time
Job Location: New York or Pennsylvania
Compensation: Base – starts at $200,000K and will go up from there DOE —
Bonus Estimate: $75 -$100,000
Telecommute: No
Education: BS Degree Preferred, but client will consider total experience
Relo Paid: Yes
Other: GSSP Certification a plus

SecurityHeadhunter.com is actively recruiting a senior level candidate for the position of Chief  “Software” Security Architect for a major New York client. You can choose to work in New York or work in their Pennsylvania location.  (FOR FULL DETAILS CONTACT US TODAY!)

This is a new and very key role. You will be responsible for all software / application security architecture for the corporation.  You must posses a technical background from the Software Security side. Any experience as a structure hacker would be a benefit.

You’ll also need a good understanding of network, host, and physical aspects of the security infrastructure. Any experience dealing with offshore systems development would be a plus but not required. You’ll need the same communication and interpersonal skills as a senior principal / partner of a large security and information protection agency.

Responsibilities will include
• Provide solutions and guidance in the form of design, development, and deployment on all aspects of software & application security to the development teams on a national and international basis.
• Implementation of:
o Software Security Services
o Security Architecture Analysis and Design Reviews
o Security Code review
o Recommendations of procedural and technological compensating controls
o Secure Coding best practices implementation and training
o Application Threat modeling and Mitigation Services.
• Strengthen the Risk Assessment process with pertinent technical criteria to better assess the risk ratings of client applications.
• Strengthen client Vulnerability Management process which includes bugs, patches, configuration management advice.
• Comprehensive and holistic level perspective required for implementing security methodologies and best practices across all lines of business of the organization; including Technology.
• Must apply structured thinking, methodology and disciplines to a complex environment of business and technical requirements.

Qualifications
• Core security, vulnerability scanning & pen testing tools
• Core security analysis
• Understanding of secure HTTP, application security, web security, SHH, SFTP, SSL and additionally application vulnerabilities.
• An understanding of application security over OS’s (Linux, Sun, Windows, Novell, etc.)
• Must have a minimum experience 10 years developing scalable, distributed applications with a thorough understanding of platforms like Enterprise Java, .NET with security aspects of Java, C#, C++ languages. 5 years in the Application Security space; including information (storage, transmission, etc.), application (design & development), deployment, run-time (access), operation/support.

To share your confidential resume please email a resume “directly” to: careers@securityHeadhunter.com or contact:

Wils Bell
President
SecurityHeadHunter.com, Inc.
POB 620298 * Oviedo, FL 32762
Direct: 407-365-2404
Bell@SecurityHeadhunter.com *  SecurityHeadhunter.com * www.Linkedin.com/in/wilsbell

“A Security Search Firm”
P Go Green – print only if necessary

Security Breaches – A Short List

Security Breaches

Here are a basic sampling of Security Breaches that have been gathered from across the Internet. Who’s really winning this cyber war?

* Hackers bait Zeus botnet trap with dead celeb tales

* UPDATE: Idaho Power says Mercer breach affected over 375,000

* UK insurer hit with biggest ever data loss fine

* Judge approves Countrywide Financial ID theft settlement

* Laptop stolen from U Kentucky had info on newborns and mothers

* UConn notifies 10,174 applicants of laptop theft

* Bank of America settles Countrywide data theft suits

* College students slowest to respond to ID theft

Look for a weekly list from this point forward.

Wils Bell

President

SecurityHeadHunter.com, Inc.

POB 620298 * Oviedo, FL 32762

Direct: 407-365-2404

Bell@SecurityHeadhunter.com * SecurityHeadhunter.com * www.Linkedin.com/in/wilsbell

Contact Information on Your Resume

I love getting resumes from Security Professionals, but…

I am very fortunate in that my security search firm receives many resumes  every week that are unsolicited.  Unfortunately, I /we can’t call everyone that sends a resume. There simply is not enough time.

We do however save 95% of all resumes sent  because the first place I go when I have a new search is our company database. The software we use is great since all we have to do is

save the resume file and the resume is parsed into the database right from the email.  All the information such as contact, skills, employers, etc. is pulled and entered to certain fields which I can then search upon.

Here is minor problem that we encounter many times a month.

Many people send resumes with incomplete contact information. Here are basic examples from last week:

John J. Smith
john.j.smith @currentemployer.com

OR

John Smith
555.555.5555

OR

John Smith
Atlanta, GA

Why is full contact important? It goes to what I mentioned earlier. We can’t call everyone that sends a resume today, but that doesn’t mean we’ll not try contacting you in a week, month, or year from now regarding a new opportunity that comes across our desks.  Knowing this fact means your resume can’t be entered until all the correct  contact data has been included. A new position/ search may happen at any time and full contact allows us to search by variables, including location. Many clients only want local based candidates or candidates within a certain mileage of their location. The more contact we have the better chance we can reach you quickly or at all.

Also, another good tip for you is don’t use your current employers email (yes some people do) because when you leave that employer your email becomes invalid. Simply keep a Gmail or Yahoo type for use with your resume and career development. I call people every day from 3-4 year old resumes.

Don’t get me wrong. We love getting all the resumes that are sent to us, but please include all your contact information, not just for today but for years from now.

John Smith
1000 Main Street
Orlando, FL 32805
407-555-1212
john.j.smith@gmail.com

Not to worry, we will reach out to you and ask for full contact, but it’s much quicker if you  included full contact on your resume to begin with.

Keep those resumes coming, but preferably with full contact information included.

As usual, thanks for visiting my blog.

Regards,

Wils Bell

President

SecurityHeadHunter.com, Inc.

POB 620298 * Oviedo, FL 32762

Direct: 407-365-2404

Bell@SecurityHeadhunter.com * SecurityHeadhunter.com * www.Linkedin.com/in/wilsbell

Security Job: Application Security Architect

Application Security Architect

Job Type: Full-time

Job Location: State of Washington

Compensation: “Very Competitive Package” –You won’t be disappointed!!!

Telecommute: No

Education: BS & MS is strongly preferred, however experience may be considered in lieu of degree.

Travel %: none

Relo Paid:  Yes –excellent package!!!!

Other:

SecurityHeadhunter.com is currently recruiting for a client in the state of Washington.  This is NOT an entry level position, but rather the successful candidate will need to have an in-depth and solid understanding of software / application security. Our client is looking for the best of the best and is open to paying for those excellent application security skills, within reason of course.

As an individual, you will need to be a good communicator since you will be working in a team environment with many different people and with software developers within the company.

If you truly love being part of the software development process to ensure that new and existing applications, website, etc, are build with the most cutting edge security functionality, then this position is for you!

Our client is a well funded organization with a solid and growing security department. Although a 4 year degree or MS is some cases would be preferred, client will look at candidates that have solid work experience to over-ride the degree. As a successful candidate you will need to have good references and be able to get through a standard criminal background check with no major problems. Minor blemishes may not be a problem and will be reviewed on a case by case basis.

Duties may include but not limited to:

• Review and evaluate new and exciting security products

• Assist in Security policy and procedure development

• You should have good understanding of Security Compliance issues

• Act a SME to other technical people and have the ability to train others

• As a SME you’ll need to be able to sell others on the security process

• Be responsible for risk assessments from outside vendors

What you need to be considered for this opportunity:

• Excellent and current experience within Application Security

• Solid software development skills in various software, i.e. C++, Java, C, etc.

• Knowledge of Networking, Network Security, Systems Security, Security Protocols, Scripting, Security Remedy, Authentication, Security Vulnerabilities, Threat Modeling.

As you have seen, this is a very general description on the position, but will give you a basic idea of what I am recruiting for with this client and others. If you currently are working as a Software / Application Security expert for your firm, I would like to talk with you in more detail on a completely confidential basis.

For information on this or other Security positions, please contact:

Wils Bell

President

SecurityHeadHunter.com, Inc.

“A Security Search Firm”

POB 620298 * Oviedo, FL 32762

Desk: 407-365-2404

Bell@SecurityHeadhunter.com

SecurityHeadhunter.com

Security Job: Chief Security Architect

CHIEF SECURITY ARCHITECT

Job Type: Full-time
Job Location: New York
Compensation: Base – $200,000K (maybe more)   Bonus Estimate: $75 -$100,000
Telecommute: No
Education: BS Degree Preferred, but client will consider total experience
Relo Paid:  Possibly some assistance on a case by case basis.
Other: GSSP Certification a plus

SecurityHeadhunter.com is actively recruiting a senior level candidate for the position of Chief Security Architect for a major New York client. This position will have very broad enterprise impact.  You’ll be setting strategies which will translate into tactical decision making, influencing technology implementations and business operations processes. You must have implemented an enterprise scale threat mitigation and assurance strategy for software development.  You’ll also need a good understanding of network, host, and physical aspects of security the infrastructure.  Any experience dealing with offshore systems development would be a plus but not required.

You’ll need the same communication and interpersonal skills as a senior principal / partner of a large security and information protection agency.

Responsibilities will include

• Provide solutions and guidance in the form of design, development, and deployment on all aspects of software & application security to the development teams on a national and international basis.
• Implementation of:
  • Software Security Services
  • Security Architecture Analysis and Design Reviews
  • Security Code review
  • Recommendations of procedural and technological compensating controls
  • Secure Coding best practices implementation and training
  • Application Threat modeling and Mitigation Services.
• Strengthen the Risk Assessment process with pertinent technical criteria to better assess the risk ratings of client applications.
• Strengthen client Vulnerability Management process which includes bugs, patches, configuration management advice.
• Comprehensive and holistic level perspective required for implementing security methodologies and best practices across all lines of business of the organization; including Technology.
• Must apply structured thinking, methodology and disciplines to a complex environment of business and technical requirements.

Qualifications

• Core security, vulnerability scanning & pen testing tools
• Core security analysis
• Understanding of secure HTTP, application security, web security, SHH, SFTP, SSL and additionally application vulnerabilities.
• An understanding of application security over OS’s (Linux, Sun, Windows, Novell, etc.)
• Must have a minimum experience 10 years developing scalable, distributed applications with a thorough understanding of platforms like Enterprise Java, .NET with security aspects of Java, C#, C++ languages.  5 years in the Application Security space; including information (storage, transmission, etc.), application (design & development), deployment, run-time (access), operation/support.

To forward a confidential version  of your resume, please email directly to: Bell@SecurityHeadhunter.com
or contact:

Wils Bell
President
SecurityHeadHunter.com, Inc.
POB 620298 * Oviedo, FL 32762
Direct: 407-365-2404

Bell@SecurityHeadhunter.com *  SecurityHeadhunter.com * www.Linkedin.com/in/wilsbell

“A Security Search Firm”

Phone Interviews are “Very Important”

Phone Interview are a Key Part of the Interviewing Process

As you can imagine, I speak with many security candidates every day in the process of doing my job for client companies.  Over the years, these 1,000’s of phone interviews have allowed me to become somewhat of an authority on phone interviewing and I wanted to share  some tips, observations and stories that may help you during this aspect of the  interviewing  process. These tips are for both talking with a recruiter or an employer. Hope they help.

1) Keep your scheduled appointment or contact ASAP

Yes, I know that we are all really busy, but if we have a scheduled time to speak please try to keep it. Many times this is the first impression I have of you. I understand that your schedule can change at the last second due to problems at work, but please try reaching me thru email, text, or phone just to give me a heads up. We can reschedule,  just let me know. Also, there’s no worse feeling than having you scheduled to speak to a client of mine at say 1 pm and I see the client’s # come up my caller ID at 1:05 only to hear them say you were not at your phone when they called.

2) Cell phone charged, conference room available, Etc.

Yes this happens more times that I like to admit. I’ll be talking on a scheduled call and the candidate says that their cell is going dead. Ouch.  I also have people chased out of conferences rooms since they failed to check the availability. Also, when talking on a cell if you go outside the building, please be aware that many times traffic and / or wind noise can be a real issue to the person on  the other end. Try sitting in your car. That generally works well as long as you have a good signal.

3) Never ever eat while interviewing!

Yes this does happen. I’ll be interviewing a potential candidate and they are eating.  Not only does this sound bad on the phone, it really give a bad impression to me or an interviewer.

4) Give the interviewer your full attention.

Many times I speak to candidates while they are home or in the car driving.  I understand that you may need to ask me to hold on while attending to children or other issues, but doing it several times is not good.

5) Interrupting the interviewer is never good.

Let’s face it, we all interrupt each other from time to time. It must be human nature, but constantly interrupting an interviewer is one of the worst things you can do. It happens to me on many occasions. I can barely get a sentence out before someone starts talking again. They don’t listen to my entire question before trying to answer and many times I have to ask the question again. This is incredibly annoying.

As I stated above, I have done 1000’s of telephone interviews over my career. Probably over 25,000, so I can speak on the subject with authority.

Remember, there are several candidates to interview for an open position. Several are interviewed by phone to determine who will get a second interview and / or in house interview. When you look at it this way, it’s obvious to see that a phone interview by me or an employer is a method of eliminating candidates for a particular job. That’s why so much is based on the conversation.

Whether the call is for 15 minutes or a full blown hour or two call, I learn a great deal about you and how you conduct yourself, how you share your skills, and how you will represent yourself to a client of mine if I get you an interview.

Wils Bell

Information Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Email: Bell@SecurityHeadhunter.com

LinkedIn Profile:

Web: SecurityHeadhunter.com

Blog: SecurityHeadhunter.wordpress.com

Twitter: security_REC

Top 10 Cyber Crime Jobs

The  Cyber Crime Organization

This morning while reading my daily dose of security breaches to post to my Twitter account I came across a great article from an FBI study that discusses the make up of a Cyber Crime organization. The Top 10 Positions, if you will.

It really made me think back to the days that hackers where young kids, bored, sitting at a computer seeing what mischief they could cause. Oh, how things have changed.

As I talk to clients daily and discuss the issues of Cyber security it makes me really wonder how many firms really think about hackers being in a “Cyber Crime Organization”. Clients have their internal IT and Security departments with a variety of talent who create applications and those that protect the applications, and data and networks and so forth. Well, so do Cyber Criminals.

As I tell my clients, Cyber Criminals are very smart and sophisticated. You need to be smarter and more sophisticated. These criminal enterprises are run like a business. They are staffed with top talent that are dedicated to the job, yes their criminal job! By having these enterprises setup and running, they can and do strike within hours of an opportunity making itself available.

Here is a look at how the” Top 10″ positions within a Cyber Criminal Organizations according to the FBI.

1. Coders/programmers, who write the exploits and malware used by the criminal enterprise.

2. Distributors, who trade and sell stolen data and act as vouchers for the goods provided by other specialists.

3. Tech experts, who maintain the criminal enterprise’s IT infrastructure, including servers, encryption technologies, databases, and the like.

4. Hackers, who search for and exploit applications, systems and network vulnerabilities.

5. Fraudsters, who create and deploy various social engineering schemes, such as phishing and spam.

6. Hosted systems providers, who offer safe hosting of illicit content servers and sites.

7. Cashiers, who control drop accounts and provide names and accounts to other criminals for a fee.

8. Money mules, who complete wire transfers between bank accounts. The money mules may use student and work visas to travel to the U.S. to open bank accounts.

9. Tellers, who are charged with transferring and laundering illicitly gained proceeds through digital currency services and different world currencies.

10. Organization Leaders, often “people persons” without technical skills. The leaders assemble the team and choose the targets.

As I said earlier, this is no longer a bored teenager looking for mischief.

Wils Bell

Information Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Email: Bell@SecurityHeadhunter.com

Security Job: Compliance Manager

Position Summary for

Compliance Manager

Job Type:	Full Time
Job Location:	New York / Manhattan
Compensation:	$120,000 plus bonus
Telecommute:	No
Education:	BS Required, Masters a plus
Certifications:
Travel %:	Minimal
Relo Paid:	No

Responsibilities

• Manage and lead an array of Compliance Programs to include but not limited to Sarbanes-Oxley (SOX), Continuous & Ad hoc internal audit  programs, Technology Audits, Controlled Access to Production Systems (CAPS) exercises, Internal Audit Issues, and others
• Work with fellow team members, Technologists and Vendors to ensure that all the program deliverables are responded to the Enterprise-level Program teams in a timely fashion.
• Ensure that the most efficient governance process in place for the Compliance Programs
• Interface with Senior management including C-level Technology Executives  (by providing them continuous status updates on all Compliance Programs), as well as the technology managers and their team members to ensure that the program goals and objectives are addressed and executed on a day-to-day basis to achieve the overall goals
• Interface with the Central Operation Risk Management team of Global Markets Technology, infrastructure groups, and the Global Auditors (internal and external) for the department
• Stay abreast of the upcoming audit schedule and  requirements for the GRCT team and track any open audit items across the department to remediation and closure

Required: Required for being successful

• Seven (7+) years experience in either a Program Management Office (PMO) or Business Management Office (BMO) in a compliance-based role
• Excellent inter-personal, negotiation and influencing skills
• Strong problem solving and analytical skills
• Excellent organizational, planning, writing and communication skills
• Self-starter with a proven track record of taking initiative
• Persistency, poise and perseverance to get things accomplished under pressure and within the set timelines
• Interest and track record of ensuring accuracy, clarity and quality of work with attention to detail
• Past experience of working with senior management
• Excellent MS-Office skills (including PowerPoint (for presentations) and Excel ( for manipulating large amounts of data)

Preferred:  Not mandatory but preferred –

• Project Management Certification  – PMI or PRINCE 2, etc.

For additional information on this or other Security Jobs, please contact:

Wils Bell

Information Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Cell: 407-718-7764

Email: Bell@SecurityHeadhunter.com

Security Job: Web Application Security Consultant

Position Summary for

Web Application Security Consultant w/ Java

“70% Telecommute Opportunity”

Job Type:	Consultant
Job Location:	Telecommute from home 70%+ of time
Compensation:	$70 – $80 per hour; maybe more
Telecommute:	Yes
Education:	Degree a plus, but not required
Certifications:	See Below
Travel %:	20-30%
Relo Paid:	N/A

Our Client has developed a very strong track record of delivering web application security services on a consulting basis to their financial and banking industry clients.

This strong record of exceptional service has results in additional long-term assignments and the need for additional team members.

SecurityHeadhunter.com is seeking Web Application Security consultants to lead and participate in web application security consulting assignments. The current team is made up of seasoned software engineering professionals who have 20+ years of total experience. That experience includes building large Java enterprise applications.

As stated above, our client’s solid delivery and track record has created a situation where their clients invite them back for additional projects.

In this role, a consultant will perform application security assessments through both on-site and off-site project assignments. Successful consultant will lead small review teams and will consult on threats and mitigation approaches.

Majority of work will be done in a telecommute fashion whereby you can work from your home office. Expected travel will only be in the 20-30% range on weekdays only. You’ll be home on weekends.

Possible travel sites: NC, MN, PA, CA

Required Background:

• A BS in math, computer science or engineering discipline is preferred.
• Education at the Masters level is appreciated.
• Certifications to include the CISSP, CSSLP, EC-Council E|CSP and/or SANS, GIAC Secure Software Programmer – Java (GSSP-JAVA) are highly appreciated.

A consultant must demonstrate the following:

• A very solid and deep knowledge & understanding of web application security threats, risk models and tools.

• Static analysis experience with Fortify (preferred) or IBM Ounce Labs tools.

• Architectural review, manual source code review, dynamic analysis.

• Solid technical background that includes Java enterprise application technology.

• Ability to interact with customers presentation and communication purposes.

• Ability to manage small technical teams and projects.

• Must be experienced on helping clients to build security into their software development processes.

The successful candidate must be able to read and understand Java code, APIs and architecture (JSP, Servlet, EJB, Hibernate, Struts, Ant, etc.). A prior Java programming background is strongly preferred.

Desired Skills

A background that includes Microsoft application technology is appreciated (.NET, classic VB and ASP). Technical project management / team leadership experience is required.

To learn more about this situation or others, please contact:

Wils Bell

Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Cell: 407-718-7764

Email: Bell@SecurityHeadhunter.com

LinkedIn Profile: http://www.linkedin.com/in/wilsbell

Web: SecurityHeadhunter.com

Blog: SecurityHeadhunter.wordpress.com

Twitter: security_REC

“I’m a great believer in luck, and I find the harder I work, the more I have of it.” — Thomas Jefferson

P Go Green – print only if necessary

Most Organizations Now Suffer Cyber Attacks

A recently released study by Symantec states that most organizations now suffer Cyber attacks!

The study revealed that 75 % of organizations experienced cyber attacks and 42 % of organizations rate security as their top issue.  They rate rate it higher than natural disasters, terrorism, and traditional crime combined.

Cyber attacks, which are often very effective,  cost enterprise businesses an average of $2 million per year, according to the report. The study was based on 2100 CIO’s, CISO’s and IT Managers in 27 counties and was done in January 2010.

The study also indicated that all organizations, small to large  are concerned. This is a change from the past.

I  hope this last statement is accurate since so many small to mid size firms I deal with many times don’t seem to realize they are at risk. They have the “It always seems to happen to the other guy mentality”.

Wils Bell

Information Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Cell: 407-718-7764

Email: Bell@SecurityHeadhunter.com

LinkedIn Profile:

Web: SecurityHeadhunter.com

Blog: SecurityHeadhunter.wordpress.com

Twitter: security_REC

IT Auditor w/SOX skills

Senior IT Auditor

Job Type:	Full Time
Job Location:	NJ
Compensation:	100,000 -$120,000 plus bonus
Telecommute:	No
Education:	Degree a plus BUT not required
Certifications:	CISA is a must!!!
Travel %:	minimal
Relo Paid:	No relo offered

Position Summary

Successful candidate will have 5 – 10 years of IT internal audit and/or related work experience in the financial or securities industry.

Successful candidate must have a CISA –no exceptions.

Experience Needed

Strong knowledge of IT systems configuration and operations to include;

• operating systems – Windows, Linux
• databases – Sybase, Oracle, SQL Server
• security & access configuration – infrastructure & application level
• business applications  – general ledger, trading & clearing, risk management, etc.
• programming experience a plus  – SQL, Java, C
• Strong knowledge of securities trading & back office activities – equities & fixed income: order routing & execution, settlement & clearing

Position Responsibilities:

• Assess the IT control environment for audits assigned, develop audit scoping and test document (RAM) and effectively execute audit fieldwork.
• Identify and communicate audit issues and develop practical recommendations to assist departments to better control businesses and processes.
• Draft audit reports, identifying audit scope, findings, and conclusion.
• Meet with Senior Management to discuss audit coverage and the status of audit issue follow up.
• Appropriately update and execute the Sarbanes Oxley IT Program and identify control design and operational deficiencies.
• Maintain current in relevant technology trends, standards, requirements, and best practices.
• Assist in preparing presentations for management and the Finance & Audit Committee.
• Keep IT Audit Director and IA Managing Director updated on work in process.
• Execute special projects as required.

For full details please contact:

Wils Bell

Information Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Cell: 407-718-7764

Email: Bell@SecurityHeadhunter.com

Why I Earn My Placement Fee!

Employers – I Earn My Placement Fee

I am currently working on a search with a new client.  It’s a great company that is stable with lots of growth potential.

During my initial conversation with the manager, I explained that I am not an e-cruiter who uses job boards to troll for resumes that can then be quickly emailed to you for “your screening.  That’s simply the “Throw something against the wall AND hope it sticks” method use by most recruiters.

I explained that once I begin the search it will be several days before I present candidates since I want to identify, recruit and screen several candidates before selecting the top candidates for presentation and discussion. He likes this approach, he says. I let him know that my screening process takes at least 2-3 calls with candidates before submitting and that many of the candidates that I speak with will need to dust off their resume since they won’t have resumes all over the job boards. This also takes a few days.

So here’s were we are. I called and set up a time to speak with the manager about 3 candidates that should be phone interviewed. I have talked with SEVERAL candidates thus far and these three are the best matches. They have been interviewed and spoken with for at least an hour. I know their skills, their career goals, and their personal situations that can be factors in a job change and so forth. These candidates are no longer simply resumes, but an actual people with qualified skills.

In other words I know a great deal about these candidates.

I send the resumes to the client ahead of time so they can be reviewed prior to our phone conference.

Well…, when I call the manager the first thing he says is “I don’t have interest in candidates 1 and 3. I don’t see what I’m looking for on the resumes or in your brief notes.” Ok, but that’s why we are going to “discuss” the candidates, I say.

Long story made short. After discussing “ALL” three candidates the manger wants to talk by phone with all three. After interviewing all 3 over the phone he ranks them. The 2 resumes he wanted to pass on are his #1 and #2 choice to move forward.

Moral of the Story: Candidates can’t be screened by looking at a resume only.  A resume is a one dimensional piece of paper. Most people’s skills can’t be shared on a 2 page resume if they have 15 years experience or more. If you’re going to use me to recruit top security talent for your firm let me do a thorough upfront screening. That’s my job!! I’m here to save you time and take those recruiting frustrations away. That’s why you pay me a placement fee!  You shouldn’t pay a placement fee to someone for just emailing you resumes.  What are you paying for?

Stay tuned for more details.

Wils Bell
Information Security Recruiter
SecurityHeadhunter.com, Inc.
POB 620298
Oviedo, FL 32762
Desk: 407-365-2404
Email: Bell@SecurityHeadhunter.com

LinkedIn Profile: http://www.linkedin.com/in/wilsbell
Web: SecurityHeadhunter.com
Twitter: security_REC

“I’m a great believer in luck, and I find the harder I work, the more I have of it.” — Thomas Jefferson

Security Breaches on the iPhone – By Trevor Hawthorn

A friend of mine recently spoke at the Schmoocon conference in Washington on the New World of Smartphone Security.

I thank him for allowing us share the article. You may reach him

Trevor Hawthorn, CISSP

Managing Principal

Stratum Security, Inc.

Trevor has thirteen years of information security experience in various roles.  Trevor specializes in risk management, application and infrastructure vulnerability assessment, penetration testing, wireless security and incident response.  He is also a regular instructor of the Certified Ethical Hacker (CEH) training course.  Previously he was a Senior Security Consultant with Cybertrust (Formerly TruSecure) where he performed information security assessments.

Click Here to Read Article:

http://www.stratumsec.net/sites/default/files/Stratum%20Security-The%20New%20World%20of%20Smartphone%20Security-Shmoocon%202010.pdf

Wils Bell

Information Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Cell: 407-718-7764

Email: Bell@SecurityHeadhunter.com

LinkedIn Profile: http://www.linkedin.com/in/wilsbell

Web: SecurityHeadhunter.com

Blog: SecurityHeadhunter.wordpress.com

Twitter: security_REC

Millions of MA Residents Exposed to Cyber Breaches

Todays Cyber Breach

From the Boston Globe:

http://www.boston.com/news/local/massachusetts/articles/2010/01/03/data_breaches_affect_million_state_residents/?rss_id=Boston.com+–+Massachusetts+news

Wils Bell

Information Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Cell: 407-718-7764

Email: Bell@SecurityHeadhunter.com

LinkedIn Profile: http://www.linkedin.com/in/wilsbell

Web: SecurityHeadhunter.com

Blog: SecurityHeadhunter.wordpress.com

Twitter: security_REC

Personal Finance Predications for 2010: ID Theft

Information Security Breach

Personal Finance Predications for 2010: ID Theft

http://www.foxbusiness.com/story/personal-finance/personal-finance-predictions–id-theft/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+foxbusiness/latest+(Text+-+Latest+News)

Wils Bell

Information Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Cell: 407-718-7764

Email: Bell@SecurityHeadhunter.com

LinkedIn Profile:

Web: SecurityHeadhunter.com

Blog: SecurityHeadhunter.wordpress.com

Twitter: security_REC

Penn State notifies 30,000 of computer security breach

Cyber Security Breach

Penn State notifies 30,000 of computer security breach

http://www.post-gazette.com/pg/09364/1024438-454.stm?cmpid=news.xml

Wils Bell

Information Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Cell: 407-718-7764

Email: Bell@SecurityHeadhunter.com

LinkedIn Profile: http://www.linkedin.com/in/wilsbell

Web: SecurityHeadhunter.com

Blog: SecurityHeadhunter.wordpress.com

Twitter: security_REC

Security Job: Cyber Counterintelligence Instructor

Security Job:

Cyber Counterintelligence Instructor

SecurityHeadhunter.com has been tasked with identify and recruiting a senior level candidate to work as an Instructor for Cyber Counterintelligence.

Please note that the education and security clearance requirements are FIRM, BUT the client will have some flexibly on other requirements SO please read this entire spec closely!!

Job Type:	Full Time
Job Location:	Maryland
Compensation:	to $100,000 and above –Depending on Experience
Telecommute:	No
Education:	4 Year degree as a minimum
Clearance:	Must have current Top Secret & ability to obtain a SCI is a must!
Travel %:	None
Prior Instructor Exp:	No
Relo Paid:	Yes, case by case basis.

JOB SUMMARY

The real key to this position is Counterintelligence experience even though you must have Cyber Security experience also. The students to be taught are already trained in Counterintelligence, but need to be brought up to speed on Cyber Counterintelligence.

As an Instructor, the courses are to be fairly basic and will principally be for familiarizing the counterintelligence agents / students with cyber threats and the capability to deter and exploit. Under this premise, the Cyber Security experience level can be 3-5 years as long as the overall counterintelligence experience is solid and credentialed. What is needed is a candidate that can “walk the walk & talk the talk” relating to “counterintelligence” and has worked with / has experience in cyber security applications. What the client does not need is a pure computer forensics / security type individual with no counterintelligence.  Again, (some – see below) previous counterintelligence experience is a must.

Client would like someone who has conducted (or closely supported) investigations of cyber threats and approaches and/or has exploited any such approach (operations).  They also would be interested in anyone with a strong (3-5 years) cyber analysis background…having looked at the threats, capabilities, and patterns.

Counterintelligence experience through Military or Federal (FBI, etc,) service is great, but client will also look at civilians that have been /are accredited / certified in CI.

The ideal candidate will have 10-15 years of counterintelligence with 3-5 years cyber investigations, operations, or analytic experience. ENCASE trained.

The client will possibly consider  5-7 years in the military or a civilian with a technical (computer forensics / security) background who can at least claim they are experienced in Counterintelligence and is also ENCASE trained.

Specific expertise in the area of CI Force Protection, CI Investigations, CI/CE Operations and/or CI analysis is desired.

INSTRUCTOR DUTIES:

As a Cyber Counterintelligence (hereinafter CI) Instructor, you will be responsible for:

• The development and delivery of training courses for Cyber CI and Information Operations.
• Maintaining a working knowledge of the subject matter, the class dates, and any and all problems associated with delivery of training materials.
• Coordinating with the Joint CI Training Academy (JCITA) and the military Board of Governors (BoG) and their field units to identify training requirements.
• Ensuring course materials are maintained, updated / improved to meet current training requirements of the DOD and the Defense Counterintelligence and Human Intelligence Center (DCHC) under the supervision of the Defense Intelligence Agency DIA.
• Routinely providing timely responses to queries and support requests from DCHC staff and military services.
• Providing sound & accurate advice, guidance and counsel on any issues dealing with training.
• Appropriately handling and safeguarding classified / sensitive information in accordance with applicable security directives and where needed, incorporate policy changes into the course curriculum.
• Maintaining liaison contacts with appropriate national agencies and their officials to ensure timely exchange of training related material and information.
• Ensuring remote learning packages/computer based training (CBT) on information operations meet the needs of field personnel.
• Developing, preparing, and presenting briefings/lessons to students and senior level community officials. Briefings need to be clear, concise, well researched, and well organized in a logical and easy to understand fashion. Briefings and lectures need to be up-to-date, timely, adequately address the subject matter, and meet the expected level of information by the intended audience.For consideration on this or other Security positions, please contact:

Wils Bell

Information Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Cell: 407-718-7764

Email: Bell@SecurityHeadhunter.com

LinkedIn Profile: http://www.linkedin.com/in/wilsbell

Web: SecurityHeadhunter.com

Blog: SecurityHeadhunter.wordpress.com

Twitter: security_REC

“I’m a great believer in luck, and I find the harder I work, the more I have of it.” — Thomas Jefferson

P Go Green – print only if necessary