A Cattle Call Approach to Recruitment

I Wish Employers Understood

A couple of months ago I heard about a company rebuilding their web presence that was in need of a senior Security Architect. I called the CISO and left a voice mail introducing myself and SecurityHeadhunter.com as a Security Search Firm. I indicated I would send my company brochure and a link to the SecurityHeadhunter.com web site for their review. I was pleasantly surprised a few days later when I had a voice mail from the CISO (let’s call him “John”) saying he would like to talk. When we spoke I had high hopes of picking up the search, which I had already seen on their career page.

Well, I reached John, and yes, one of his managers was indeed still looking for a security architect. They were frustrated by the fact that this position had been open for over 7 weeks and the resumes from HR were not close to what was needed skills-wise. I was sure my expertise could help identify quality talent, I told John. That’s when the shoe hit the ground. I was informed that all recruitment services must go through the HR department. John had no control over that aspect of the process, but would introduce me to the manager, whom they connected me with while I was on the phone. Once John got off the call, the other shoe hit the ground. “I appreciate John introducing you, but we have a list of approved vendors. Please send your information and we’ll keep it on file,” I was informed. I don’t go away that easy, so I let the HR manager know that I am not a general recruiter. I am president of SecurityHeadhunter.com and, as the name implies, we are a Security Search Firm. We have the ability and expertise to fill this job. It didn’t matter what I said. They had their vendors and they would let me know if I could help in the future. I let John know the outcome of the call. He was also disappointed.

About 2 weeks ago I got a call from someone in HR (not the manager) asking if I could be available that afternoon for a conference call with the HR Manager and 2 Security managers to discuss the position, since they were not getting the resumes they needed. Of course I could, and I was emailed the details to call in for the conference call.

At 2 pm I called in to enter the conference call, but the code number I had been given to join the conference was wrong. I quickly reached the HR rep from earlier, was given the corrected code, and called again. It was now 3 minutes after 2 pm, and when the automated system let me into the conference it announced to me, “You are caller number 14 in the conference.” You have to be kidding, I thought. Am I just one of lots of recruiters on this call? I must be part of a “Recruiting Cattle Call”. What a waste of my time, but since I was already there I would listen. The HR Manager was already discussing salary and other HR information before the Security Managers detailed the job. It was good information, but nothing I didn’t already understand from a technical standpoint. The Security managers then asked for questions from those listening. I had a couple of questions, but I thought I would sit back and listen to what others asked. As I suspected, about 8 people (recruiters) asked questions that made it very clear they had no idea what a security architect is or how to screen their skills. At this point, why would I want to spend valuable recruiting time on a search for an employer that utilizes the Cattle Call recruiting method? I did conduct a quick follow-up call with the HR rep and was informed the others on the call were their approved vendors, the same ones that have not filled the job yet.

Time is money, and the recruiting process is no different. Employers should try to fill their open jobs on their own if possible, but after 3 months of the efforts of the approved vendors with no success, perhaps it’s time to engage a “Security Headhunter” to fill the position. In this case, it appears that the approved vendors just are not specialized in getting the correct talent, and I would not work on a search with 10 plus other firms. My time is too valuable to spend in a cattle call search process.

If you are not getting qualified resumes in your recruiting process, then you should change your process.

Moral of the story: Make the decision to bring a “Security Search Firm” into your process at this point. You’ve given your other resources plenty of time with no success. Sometimes, as employers, you need to make an investment in your search with an exclusive search that will actually result in a “search assignment” where candidates are recruited for your specific job, not simply posting jobs to the Internet and seeing who replies.

I shared these thoughts with the HR manager and the CISO, but nothing yet. (The position is still open.) Perhaps next month the employer will decide to move forward on a real search assignment.

Have a great Monday!

Security Breaches – A Short List

Security Breaches

Here is a basic sampling of Security Breaches that have been gathered from across the Internet. Who’s really winning this cyber war?

Hackers bait Zeus botnet trap with dead celeb tales

UPDATE: Idaho Power says Mercer breach affected over 375,000

UK insurer hit with biggest ever data loss fine

Judge approves Countrywide Financial ID theft settlement

Laptop stolen from U Kentucky had info on newborns and mothers

UConn notifies 10,174 applicants of laptop theft

Bank of America settles Countrywide data theft suits

College students slowest to respond to ID theft

Look for a weekly list from this point forward.

Wils Bell
President
SecurityHeadHunter.com, Inc.
POB 620298 * Oviedo, FL 32762
Direct: 407-365-2404

Top 10 Cyber Crime Jobs

The  Cyber Crime Organization

This morning, while reading my daily dose of security breaches to post to my Twitter account, I came across a great article from an FBI study that discusses the makeup of a Cyber Crime organization. The Top 10 Positions, if you will.

It really made me think back to the days when hackers were young kids, bored, sitting at a computer seeing what mischief they could cause. Oh, how things have changed.

As I talk to clients daily and discuss the issues of Cyber security, it makes me really wonder how many firms really think about hackers being in a “Cyber Crime Organization”. Clients have their internal IT and Security departments with a variety of talent: those who create applications and those who protect the applications, data, networks and so forth. Well, so do Cyber Criminals.

As I tell my clients, Cyber Criminals are very smart and sophisticated. You need to be smarter and more sophisticated. These criminal enterprises are run like a business. They are staffed with top talent who are dedicated to the job, yes, their criminal job! By having these enterprises set up and running, they can and do strike within hours of an opportunity making itself available.

Here is a look at the “Top 10” positions within a Cyber Criminal Organization, according to the FBI.

1. Coders/programmers, who write the exploits and malware used by the criminal enterprise.

2. Distributors, who trade and sell stolen data and act as vouchers for the goods provided by other specialists.

3. Tech experts, who maintain the criminal enterprise’s IT infrastructure, including servers, encryption technologies, databases, and the like.

4. Hackers, who search for and exploit applications, systems and network vulnerabilities.

5. Fraudsters, who create and deploy various social engineering schemes, such as phishing and spam.

6. Hosted systems providers, who offer safe hosting of illicit content servers and sites.

7. Cashiers, who control drop accounts and provide names and accounts to other criminals for a fee.

8. Money mules, who complete wire transfers between bank accounts. The money mules may use student and work visas to travel to the U.S. to open bank accounts.

9. Tellers, who are charged with transferring and laundering illicitly gained proceeds through digital currency services and different world currencies.

10. Organization Leaders, often “people persons” without technical skills. The leaders assemble the team and choose the targets.

As I said earlier, this is no longer a bored teenager looking for mischief.

Wils Bell

Information Security Recruiter
SecurityHeadhunter.com, Inc.
POB 620298
Oviedo, FL 32762
Desk: 407-365-2404

Security Breaches on the iPhone – By Trevor Hawthorn

A friend of mine recently spoke at the ShmooCon conference in Washington on the New World of Smartphone Security.

I thank him for allowing us to share the article. You may reach him at:

Trevor Hawthorn, CISSP

Managing Principal

Stratum Security, Inc.

Trevor has thirteen years of information security experience in various roles.  Trevor specializes in risk management, application and infrastructure vulnerability assessment, penetration testing, wireless security and incident response.  He is also a regular instructor of the Certified Ethical Hacker (CEH) training course.  Previously he was a Senior Security Consultant with Cybertrust (Formerly TruSecure) where he performed information security assessments.

Click Here to Read Article:

http://www.stratumsec.net/sites/default/files/Stratum%20Security-The%20New%20World%20of%20Smartphone%20Security-Shmoocon%202010.pdf

Wils Bell
Information Security Recruiter
SecurityHeadhunter.com, Inc.
POB 620298
Oviedo, FL 32762
Desk: 407-365-2404
Cell: 407-718-7764
Twitter: security_REC

Why I Don’t Share Client Name

Why I Don’t Share the Name of Client on First Recruiting Call

When I am recruiting for an open Security Job that is not a retained search, I usually do not share the name of my client with a cold-called candidate, for several reasons, until we have talked in detail.

First, I interview many candidates daily, and unfortunately I must tell several that they are not a match for “this job”. Perhaps future jobs, but not this one. It does not mean they are not a good security candidate, just not a good match for this job. Sometimes they, on the other hand, feel that they are a great fit and want to proceed with the interview process. When I explain that the client wants and expects me to pre-screen heavily so as to present only dead-on matches, they get upset. I have had these people try to go directly to the client themselves or call other recruiters and ask them to present them. If the company name has not been discussed, it protects me.

Also, I have had some very well-intentioned people who knew my client name simply mention to a friend or co-worker that I called and discussed a great opportunity with them at XYZ company, and the friend or co-worker simply goes directly to the company without thinking about me. They did not mean to cut me out; they just did not realize they should call me to present them. After all, I am dealing directly with the hiring authority and can make things happen.

Please be aware that I do share the client name as soon as we (you and I) determine that it is a good match and worth proceeding forward with the process.

Since this is how I earn a living for me and my family please don’t be insulted by the process and my guarding my client name until we agree it’s a match.


Happy Holidays,


Wils Bell – Security Recruiter

Bell (at) SecurityHeadhunter.com

SecurityHeadhunter.com, Inc.

SecurityHeadHunter.com


Desk: 407-365-2404

Another Satisfied Client

I recently completed a search for a new client.

It was a situation I have come to see very often lately.

Here’s the scenario.

The client was a previous candidate of mine who had recently gotten a CIO job with a mid-size company. Unfortunately, I had not placed him in his job. He found it on his own, but he liked the efforts I had made on his behalf.

They had a Security Manager position that was about to become open due to someone relocating to follow a spouse. The current Security Manager had given 3 months’ notice of his relocation and two months had already passed. They had tried advertising on 2 of the major job boards and received lots of resumes, but not a single one that was worth calling.

They had used a couple of recruiters that were on the “Approved Vendor” list, but simply got many of the same resumes they got from the job boards themselves.

When the CEO told my contact (the CIO) to fill the position any way he could, I got the call. I went in and met with the CIO and the current Security Manager to get a full job spec, as I always do.

Since time was critical in locating local talent, I also told them that I would only work the job as an exclusive search under exclusive search terms. They agreed!

Within 1 week I had direct cold-call recruited several candidates and was able to present 3 candidates that were all on target, followed by 2 more a couple of days later. The client listened to me and spoke to all 5 candidates by phone and decided to interview 3 in person. Of those 3 he brought 2 back (the 3rd he felt was too heavy – not unqualified) for final interviews.

He decided on one, with the second candidate being his backup. The offer was made and accepted by the candidate.

What makes this a nice placement is hearing the client say over and over during the process how pleased they were, and that they should have called me first and not gone through the aggravation of the previous search efforts.

Once again, job boards and e-cruiting did not get results. There is a whole world of untapped candidates waiting to be found that most employers never know exists, because they are not answering ads and posting resumes online.

Direct Recruiting fills jobs with top talent.

Also, guess who’s the preferred vendor now.

PCI Standards Not Doing Enough


Visa, Inc. has begun testing new security measures with retailers and banks that go beyond the current standards set by PCI. This PCI (Payment Card Industry) standard has been the private sector’s attempt to regulate itself, but it is no longer thought of as strong IT Security. Way too much debit and credit card information is being breached by “so called” certified PCI compliant organizations.

According to Rep. Yvette Clarke (D-NY), the PCI Compliance Standard is not worthless, but is not currently sufficient to protect company data. She stated: “I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure.”

As an example, last February a third party certified a major grocery store chain (Hannaford Bros.) PCI Compliant one day AFTER it was informed of the system intrusions that had begun two months earlier. Hannaford Bros. later indicated that they would be spending “millions” of dollars upgrading security after the breach of 4 million plus credit and debit accounts.

As most of you know, these breaches are happening more and more. Remember Heartland, the card processor?

The cost to companies of data breaches, as I wrote about in an earlier blog, can be staggering, not to mention the loss of your brand name.

What about the multiple lawsuits that follow these types of breaches? They could put these companies out of business.

How many employees could lose their jobs for something they had no control over?

PCI Standards need to be updated, and compliance and technology followed 24/7, 365 days a year.

By:  Wils Bell, President

LinkedIn Profile: http://www.linkedin.com/in/wilsbell
SecurityHeadhunter.com, Inc.

Security & Risk Recruitment Since 1990
Phone: 407-365-2404
eFax: 407-956-4976

Email: Bell@SecurityHeadhunter.com

Web: SecurityHeadhunter.com