A Cattle Call Approach to Recruitment

I Wish Employers Understood

A couple of months ago I heard about a company rebuilding their web presence that was in need of a senior Security Architect. I called the CISO and left a voice mail introducing myself and SecurityHeadhunter.com as a Security Search Firm. I indicated I would send my company brochure and a link to the SecurityHeadhunter.com web site for their review. I was pleasantly surprised a few days later when I had a voice mail from the CISO (let’s call him “John”) saying he would like to talk. When we spoke I had high hopes of picking up the search, which I had already seen on their career page.

Well, I reached John and yes, one of his managers was indeed still looking for a security architect. They were frustrated by the fact that this position had been open for over 7 weeks and the resumes from HR were not close to what was needed skills-wise. I was sure my expertise could help identify quality talent, I told John. That’s when the shoe hit the ground. I was informed that all recruitment services must go through the HR department. John had no control over that aspect of the process, but would introduce me to the manager, whom he connected me with while I was on the phone. Once John got off the call, the other shoe hit the ground. “I appreciate John introducing you, but we have a list of approved vendors. Please send your information and we’ll keep it on file,” I was informed. I don’t go away that easy, so I let the HR manager know that I am not a general recruiter. I am president of SecurityHeadhunter.com and, as the name implies, we are a Security Search Firm. We have the ability and expertise to fill this job. Didn’t matter what I said. They had their vendors and they would let me know if I could help in the future. I let John know the outcome of the call. He was also disappointed.

About 2 weeks ago I got a call from someone in HR (not the manager) asking if I could be available that afternoon for a conference call with the HR Manager and 2 Security managers to discuss the position, since they were not getting the resumes they needed. Of course I could, and I was emailed the details to call in for the conference call.

At 2 pm I called in to enter the conference call, but the code number I was given to join the conference was wrong. I quickly reached the HR rep from earlier, was given the corrected code and called again. It was now 3 minutes after 2 pm, and when the automated system let me into the conference it announced to me, “You are caller number 14 in the conference.” You have to be kidding, I thought. Am I just one of lots of recruiters on this call? I must be part of a “Recruiting Cattle Call.” What a waste of my time, but since I was already there I’d listen. The HR Manager was already discussing salary and other HR information before the Security Managers detailed the job. It was good information, but nothing I didn’t already understand from a technical standpoint. The Security managers then asked for questions from those listening. I had a couple of questions, but I thought I would sit back and listen to what others asked. As I suspected, about 8 people (recruiters) asked questions that made it so clear they had no idea what a security architect is or how to screen their skills. At this point, why would I want to spend valuable recruiting time on a search for an employer that utilizes the Cattle Call recruiting method? I did conduct a quick follow-up call with the HR rep and was informed the others on the call were their approved vendors, the same ones that have not filled the job yet.

Time is money, and the recruiting process is no different. Employers should try to fill their open jobs on their own if possible, but after 3 months of the efforts of the approved vendors with no success, perhaps it’s time to engage a “Security Headhunter” to fill the position. In this case, it appears that the approved vendors just are not specialized in getting the correct talent, and I would not work on a search with 10-plus other firms. My time is too valuable to spend in a cattle call search process.

If you are not getting qualified resumes in your recruiting process, then you should change your process.

Moral of the story: Make the decision to bring a “Security Search Firm” into your process at this point. You’ve given your other resources plenty of time with no success. Sometimes, as employers, you need to make an investment in your search with an exclusive search that will actually result in a “search assignment,” where candidates are recruited for your specific job, rather than simply posting jobs to the Internet and seeing who replies.

I shared these thoughts with the HR manager and the CISO, but nothing yet (the position is still open). Perhaps next month the employer will decide to move forward on a real search assignment.

Have a great Monday!

Security Job: Web Application Security Engineer

Job Type: Full-time salaried position
Job Locations: If you are open to any of the following areas we should talk: Illinois, North Carolina, Nebraska, Pennsylvania, Indiana, and Connecticut
Compensation: $90,000 to $110,000 salary, maybe more
Telecommute: No
Education: BS strongly preferred, but not required.
Travel %: minimal
Relo Paid: Possible assistance available on a case-by-case basis
Certifications Preferred: CISA, CISSP

SecurityHeadhunter.com is conducting a search for Web Application Security Engineers. Our client, a Fortune 500 organization, has engaged us to identify, recruit and prescreen candidates who have a passion for web security. These are full-time positions working on site for the organization. The client is not a consulting firm.

Our client really wants to see candidates who have at least 3-5 years of software/application development and/or web development skills in a Java or .NET environment and who have moved over to the security side for at least the last 2-3 years.

Having a software or Web Development background prior to Web Application Security is NOT a must have, but is a big plus for the positions.

The selected candidate(s) will be working on new web application security as well as legacy systems from time to time. Selected candidate(s) must be very knowledgeable of OWASP TOP 10.

RESPONSIBILITIES & DUTIES

  • Conducting web application security assessments on both new and existing web applications.
  • These assessments involve manual testing and analysis as well as the use of automated web application vulnerability scanning and testing tools, including but not limited to Fortify, IBM AppScan, HP WebInspect and Hailstorm testing tools.
  • Preparing formal security assessment reports for each application using the company standard reporting format.
  • Participating in, and leading when necessary, conference calls with internal business customers to review security assessment results.
  • Consulting with these internal business customers on remediation options and the retesting of security vulnerabilities that have been fixed, and republishing your report to indicate the results.
  • Participating in, and leading when necessary, conference calls with potential internal business customers to review newly requested security assessments and estimate the amount of time required to complete the assessment.
  • Ability to assist in the deployment and/or support of web application firewalls.
  • Experience working with static code analysis tools
  • Ability to communicate complex security subjects in easy-to-understand terms.
  • Desire to stay current with emerging technologies and industry trends.
  • Solid understanding of OWASP along with the ability to apply those security concepts to applications.
  • Thorough understanding of both TCP/IP and HTTP.
  • Ability to work in a fast-paced, challenging and sometimes stressful environment while keeping a cool head.
  • Ability to look at the big picture and help in finding acceptable solutions and remedies.
  • Strong focus on, and ability to deal with, internal users and customers.
  • Solid written and verbal communication skills.

For information on this or other Security related positions, please contact:

Wils Bell
President
SecurityHeadHunter.com, Inc.
POB 620298 * Oviedo, FL 32762
Direct: 407-365-2404
Bell@SecurityHeadhunter.com * SecurityHeadhunter.com * www.Linkedin.com/in/wilsbell

Security Breaches – A Short List

Security Breaches

Here is a basic sampling of Security Breaches that have been gathered from across the Internet. Who’s really winning this cyber war?

Hackers bait Zeus botnet trap with dead celeb tales

UPDATE: Idaho Power says Mercer breach affected over 375,000

UK insurer hit with biggest ever data loss fine

Judge approves Countrywide Financial ID theft settlement

Laptop stolen from U Kentucky had info on newborns and mothers

UConn notifies 10,174 applicants of laptop theft

Bank of America settles Countrywide data theft suits

College students slowest to respond to ID theft

Look for a weekly list from this point forward.

Wils Bell
President
SecurityHeadHunter.com, Inc.
POB 620298 * Oviedo, FL 32762
Direct: 407-365-2404

Security Job: Compliance Manager

Position Summary for

Compliance Manager

Job Type: Full Time
Job Location: New York / Manhattan
Compensation: $120,000 plus bonus
Telecommute: No
Education: BS Required, Masters a plus
Certifications:
Travel %: Minimal
Relo Paid: No

Responsibilities

  • Manage and lead an array of Compliance Programs, including but not limited to Sarbanes-Oxley (SOX), continuous and ad hoc internal audit programs, Technology Audits, Controlled Access to Production Systems (CAPS) exercises, Internal Audit Issues, and others
  • Work with fellow team members, Technologists and Vendors to ensure that all the program deliverables are returned to the Enterprise-level Program teams in a timely fashion.
  • Ensure that the most efficient governance process is in place for the Compliance Programs
  • Interface with Senior management, including C-level Technology Executives (by providing them continuous status updates on all Compliance Programs), as well as the technology managers and their team members, to ensure that the program goals and objectives are addressed and executed on a day-to-day basis to achieve the overall goals
  • Interface with the Central Operation Risk Management team of Global Markets Technology, infrastructure groups, and the Global Auditors (internal and external) for the department
  • Stay abreast of the upcoming audit schedule and requirements for the GRCT team and track any open audit items across the department to remediation and closure

Required for being successful:

  • Seven-plus (7+) years’ experience in either a Program Management Office (PMO) or Business Management Office (BMO) in a compliance-based role
  • Excellent interpersonal, negotiation and influencing skills
  • Strong problem solving and analytical skills
  • Excellent organizational, planning, writing and communication skills
  • Self-starter with a proven track record of taking initiative
  • Persistence, poise and perseverance to get things accomplished under pressure and within the set timelines
  • Interest in and track record of ensuring accuracy, clarity and quality of work, with attention to detail
  • Past experience of working with senior management
  • Excellent MS-Office skills (including PowerPoint for presentations and Excel for manipulating large amounts of data)

Preferred (not mandatory but preferred):

  • Project Management Certification – PMI or PRINCE 2, etc.

For additional information on this or other Security Jobs, please contact:

Wils Bell

Information Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Cell: 407-718-7764

Email: Bell@SecurityHeadhunter.com

Security Job: Web Application Security Consultant

Position Summary for

Web Application Security Consultant w/ Java

“70% Telecommute Opportunity”

Job Type: Consultant
Job Location: Telecommute from home 70%+ of time
Compensation: $70 – $80 per hour; maybe more
Telecommute: Yes
Education: Degree a plus, but not required
Certifications: See Below
Travel %: 20-30%
Relo Paid: N/A

Our Client has developed a very strong track record of delivering web application security services on a consulting basis to their financial and banking industry clients.

This strong record of exceptional service has resulted in additional long-term assignments and the need for additional team members.

SecurityHeadhunter.com is seeking Web Application Security consultants to lead and participate in web application security consulting assignments. The current team is made up of seasoned software engineering professionals who have 20+ years of total experience. That experience includes building large Java enterprise applications.

As stated above, our client’s solid delivery and track record has created a situation where their clients invite them back for additional projects.

In this role, a consultant will perform application security assessments through both on-site and off-site project assignments. The successful consultant will lead small review teams and will consult on threats and mitigation approaches.

The majority of the work will be done in a telecommute fashion, whereby you can work from your home office. Expected travel will only be in the 20-30% range, on weekdays only. You’ll be home on weekends.

Possible travel sites: NC, MN, PA, CA

Required Background:

  • A BS in math, computer science or engineering discipline is preferred.
  • Education at the Masters level is appreciated.
  • Certifications including the CISSP, CSSLP, EC-Council E|CSP and/or SANS/GIAC Secure Software Programmer – Java (GSSP-JAVA) are highly appreciated.

A consultant must demonstrate the following:

  • A very solid and deep knowledge and understanding of web application security threats, risk models and tools.
  • Static analysis experience with Fortify (preferred) or IBM Ounce Labs tools.
  • Architectural review, manual source code review, dynamic analysis.
  • Solid technical background that includes Java enterprise application technology.
  • Ability to interact with customers for presentation and communication purposes.
  • Ability to manage small technical teams and projects.
  • Must be experienced in helping clients build security into their software development processes.

The successful candidate must be able to read and understand Java code, APIs and architecture (JSP, Servlet, EJB, Hibernate, Struts, Ant, etc.). A prior Java programming background is strongly preferred.

Desired Skills

A background that includes Microsoft application technology is appreciated (.NET, classic VB and ASP). Technical project management / team leadership experience is required.

To learn more about this situation or others, please contact:

Wils Bell

Security Recruiter

SecurityHeadhunter.com, Inc.

POB 620298

Oviedo, FL 32762

Desk: 407-365-2404

Cell: 407-718-7764

Email: Bell@SecurityHeadhunter.com

LinkedIn Profile: http://www.linkedin.com/in/wilsbell

Web: SecurityHeadhunter.com

Blog: SecurityHeadhunter.wordpress.com

Twitter: security_REC

“I’m a great believer in luck, and I find the harder I work, the more I have of it.” — Thomas Jefferson

Security Breaches on the iPhone – By Trevor Hawthorn

A friend of mine recently spoke at the ShmooCon conference in Washington on the New World of Smartphone Security.

I thank him for allowing us to share the article. You may reach him at:

Trevor Hawthorn, CISSP

Managing Principal

Stratum Security, Inc.

Trevor has thirteen years of information security experience in various roles. Trevor specializes in risk management, application and infrastructure vulnerability assessment, penetration testing, wireless security and incident response. He is also a regular instructor of the Certified Ethical Hacker (CEH) training course. Previously he was a Senior Security Consultant with Cybertrust (formerly TruSecure), where he performed information security assessments.

Click Here to Read Article:

http://www.stratumsec.net/sites/default/files/Stratum%20Security-The%20New%20World%20of%20Smartphone%20Security-Shmoocon%202010.pdf

Wils Bell
Information Security Recruiter
SecurityHeadhunter.com, Inc.
POB 620298
Oviedo, FL 32762
Desk: 407-365-2404
Cell: 407-718-7764
Twitter: security_REC

Security Breach Compromises Information

Security Recruiter – Daily Security Breach Report from the Web

Security breach compromises information on 1,400 District 86 grads

December 4, 2009
By SANDY ILLIAN BOSCH sbosch@pioneerlocal.com

A security breach discovered last month at the University of Nebraska involved the names, addresses and Social Security numbers of 1,400 Hinsdale High School District 86 graduates.

The breach involved a computer in the College of Education and Human Sciences at the Lincoln campus. The university’s investigation revealed the computer had not been adequately secured, allowing unauthorized external access to the computer and its information.

Associate Dean Deb Mullen said the information about students who graduated between 2002 and 2005 was used in a study intended to analyze the practices of school districts and what could be done to improve test performance.

“The district was doing it for school improvement,” Mullen said.

The information was provided to the university by the ACT organization, with permission from District 86, according to Mullen. She said it is not uncommon for researchers to obtain student information from school districts. The difference, she said, is that these days the students are identified by randomly assigned student identification numbers.

“Back in those days Social Security numbers were used as ID numbers,” she said.

Letters were sent to all 4,000 students whose information was made accessible through the security breach. Although no one has reported the misuse of information involved in the security breach, Mullen said she has fielded many calls from former students who did not understand how the University of Nebraska had their information. She said many people involved also have accepted the university’s offer to pay for a year of LifeLock identity protection.

Also included among the 4,000 names involved in the security breach were students from Glenbard District 87 and students from schools in South Sioux City, Neb. Mullen said all of the information has been purged from the university’s records.

Representatives from District 86 could not immediately be reached for comment Friday.

Source: http://www.pioneerlocal.com/clarendonhills/news/1921349,hi-d86security-120409-s1.article

Presented by:

Wils Bell – Security Recruiter

SecurityHeadhunter.com

407-365-2404

Bell (at) SecurityHeadhunter.com

Web: SecurityHeadhunter.com

LinkedIn Profile: http://www.linkedin.com/in/wilsbell

“Why work with a generalized recruiter when you could work with a specialized Security Recruiter!!”