No Robo-Recruiters Allowed

BBC has reported the Rise of Robo-Recruiters, artificially intelligent chatbots that can “evaluate resumes, schedule and conduct applicant screenings, and even congratulate you on your first day of work.” In online conversations, there is “no obvious indication” that Mya (her name) is not human, except for the word “bot” next to her name. Launched in 2016, the chatbot is already being used by three of the five largest U.S. recruiting firms.

Users of InfoSec Connect should be aware that Mya Bot and other bots are not allowed to post jobs or extract data from our system. Jobs posted on InfoSec Connect are real positions posted by real people. If you have any concerns or questions feel free to Contact Us – and you can connect with a real person. No robo-recruiters here!

Cybersecurity consciousness in the C-suite – Domini Clark to SC Magazine

InfoSec Connect founder Domini Clark contributed her thoughts on the rising awareness of cybersecurity in the C-suite to SC Magazine.

The article originally appeared here, and a copy is below.

***

Cybersecurity consciousness in the C-suite

Enterprises are better protected from repercussions of a breach with a board that’s knowledgeable about security and which makes sure a comprehensive set of security policies are in place, reports Greg Masters.

With cybercriminal risk at an all-time high across the globe, it’s inevitable that your company will be targeted, experts say. But, they add, the manner in which a company prepares for a cyberattack is what separates winners and losers. The biggest differentiator is engagement by the board in cybersecurity matters and the adoption of best practices in IT departments.

The good news is that the C-suite is, in fact, improving its posture in these vital matters, according to a Protiviti security survey, “Managing the Crown Jewels and Other Critical Data,” released in February. The study found that current board engagement levels are at 33 percent, compared to 28 percent in 2015. But, while boards are, in general, increasing their management of IT security implementations, there is still more work to be done. “While the increase in boards of directors’ and company management’s engagement with information security is a positive sign, it’s imperative that leadership keeps closer tabs on the state of their organizations’ cybersecurity programs,” says Scott Laliberte, a Protiviti managing director and leader of the firm’s global IT security and privacy practice. “Particularly as new technologies are introduced and new approaches to generating revenue are deployed, it’s increasingly important to reexamine existing data security and privacy processes on a regular basis – ensuring that the right systems and people are in place to keep pace with changes.”

OUR EXPERTS

Wils Bell, cybersecurity recruiter
Joyce Brocaglia, CEO, Alta Associates; founder, Executive Women’s Forum
Domini Clark, principal, Blackmere Consulting; director of strategy, InfoSec Connect
Gary Clayton, shareholder in the workplace privacy and data security practice, Littler Mendelson
Rajiv Gupta, CEO, Skyhigh Networks
Scott Laliberte, managing director and leader of global IT security and privacy practice, Protiviti
Michael Potters, CEO, Glenmont Group
Kimberly Verska, partner and chief information officer, Culhane Meadows

Kimberly Verska, partner and chief information officer at law firm Culhane Meadows, sees roles shifting in the C-suite, particularly in light of the hacks of corporations and their advisers. “Locking down data securely at every point of an enterprise’s operations is finally getting the attention it deserves,” says Verska, who concentrates her practice on corporate and technology transactions as well as regulatory issues, particularly in the arena of data privacy.

Data security has been a longtime focus in companies whose product is data, she explains. “It’s only now, as a result of several highly publicized corporate exposures and CEOs losing their jobs as a result, that the issue of data security is getting serious attention.”

No company or executive wants to be embarrassed on the front page of any news outlet for something like a data breach or hacked email or Twitter account, she says. “And when CEOs lose their jobs over these breaches, security tends to become a top C-suite priority. As a result, management is starting to recruit more ‘tech savvy-ness’ at every level of their organizations — from operation to the C-suite, even to board-level positions.”

Competition to get the right security professionals on board is fierce, says Verska, who speaks Russian, German and Spanish, and has authored and co-authored numerous articles on the laws of foreign jurisdictions relating to data privacy and e-commerce. But it’s more than simply hiring a well-known security expert or a CIO. “It’s not enough to hire a ‘compliance lion’ if no one is watching what the cubs are doing. The real shift in the C-suite is working to create a culture of compliance organization-wide.”

In the past, a company’s security functions fell to the CIO or CTO, whose top priorities are typically a mix of innovation and operations, and very few of the largest enterprises employed a CISO, says Domini Clark, a principal at Blackmere Consulting, an executive recruiter for the technical and cybersecurity industry. Even the U.S. government didn’t have a C-suite security-focused executive in the role before 2016, when the first federal CISO was hired, she points out. “But times are rapidly changing, and corporations are learning that security is no longer purely a technological issue, and can no longer be constrained solely to IT.”

Senior management is realizing that information security is really a risk issue, and risk is a business challenge that needs broader solutions, says Clark, also the director of strategy at InfoSec Connect. “This realization means we will continue to see growth in the CISO function across organizations of all sizes.”

Michael Potters, CEO of Glenmont Group, a Montclair, N.J.-based executive search firm, agrees that roles are shifting in the C-suite, but, he explains, the shift is taking two forms. The CISO position is now showing up at most Fortune 500 organizations, often reporting not to a CIO but to a CEO, he says. In addition, there is now a movement to establish chief information governance officers (CIGOs) as an accepted C-suite role, with infosec falling within that silo.

Also, the general counsel at Fortune 500 companies now has cyber issues dotted-lined to them, he says, as they are under pressure to make sure these issues are addressed properly, to prevent “break the bank,” large-scale litigation caused by failing to address cyber risk proactively.

Others also see more direct reporting to the C-suite and activities with the board. C-level executives and boards are seeking trusted advisers, says Gary Clayton, shareholder in the workplace privacy and data security practice of Littler Mendelson. There is a caveat, though, he points out: many who would potentially be great advisers are so concerned about personal and professional liabilities that they are reluctant to accept these positions.

Meanwhile, Laliberte at Protiviti, also sees some movement within the C-suite. “In some organizations, security is now reporting into risk management rather than IT,” he says. More C-level personnel are becoming involved in cyber and security issues, he says. “Organizations are realizing cyber is not just an IT issue, but needs involvement of the business as well.”

Joyce Brocaglia, CEO at security executive recruitment firm Alta Associates, says that as her firm seeks out CISOs, she is seeing that the role itself is being elevated in many companies. “We are conducting many searches where the C-suite realizes that what got them to here isn’t going to take them to the future, so they are hiring more strategic thinking CISOs with a broader set of responsibilities than just cybersecurity,” says Brocaglia, also the founder of the Executive Women’s Forum. “Some are now reporting to the CEO and no longer sit under a CIO in technology. Cybersecurity has become a board level imperative. The C-suite is interested in how cybersecurity can make the overall company more resilient.”

Today’s top cybersecurity personnel, particularly in the CISO position, are using more tools to help monitor the enterprise’s risk and planning ahead for what to do when they are breached, according to Wils Bell, a cybersecurity recruiter for 15-plus years. Bell says he’s seeing people who are more technical and have a good knowledge of enterprise risk as well as the overall business.

More tech speak in the corner office

Are boards enlisting more tech savvy personnel? Bell emphatically says “Yes.”

Verska, though, says the answer depends on the industry and, in some cases, board members’ comfort with technology. Historically, among the Fortune 100, the shift to nominate tech-savvy members is slower, aside from the obvious positions of chief technology officer (CTO) or chief information officer (CIO), she says, adding that this slow adoption results in an interesting phenomenon: Vulnerability at the very top of the pyramid, when, for example, an otherwise savvy executive uses the word “password” or “12345678” as a password, or unwittingly falls victim to a spear-phishing attack.

Security Rx: An engaged board

Key findings from Protiviti’s security and privacy survey, “Managing the Crown Jewels and Other Critical Data,” include:

  • Having an engaged board and a comprehensive set of security policies makes a huge difference – In assessing the results for companies in which the board has a high level of engagement in information security, these organizations rate considerably higher than other companies in nearly all facets of information security best practices.
  • A concerning number of companies – nearly one in five – cannot confidently identify or locate their most valuable data assets. Protecting these “crown jewels” requires a data classification scheme and effective policies that are supported across the enterprise.
  • People, as well as policies, are key to an effective security program – Security policies are best supported with training programs and communications for employees, who are often responsible, unintentionally or otherwise, for enabling data and security breaches. Organizations should focus on promoting a culture of security policy compliance.
  • Vendor risk management must mature – As the use of cloud-based storage and external data-management vendors increases, the importance of vendor risk management grows. Notable gaps currently exist between top-performing organizations and other companies when it comes to overall knowledge of vendors’ data security management programs and procedures – areas that might stand between an organization’s crown jewels and cyber-attackers.

Familiarity with the risks and with technology is critical, Verska emphasizes. And as board membership evolves, more board members will have grown up with technology and have been thoroughly schooled to know better than to disclose passwords, account numbers or other critical data to the sender of an unexpected email, she says.

“The executives who joke that they ‘are helpless with all this new technology stuff,’ may end up being the weak link that creates a major hole in a company’s security systems,” says Verska. “Because no matter how effective or cutting-edge the security technology one implements, in the end, the best defense against cyberattack is an organization-wide culture of security.”

At the board level, she says, this means that every member must understand that, as part of their “duty of care,” neither they nor the company’s employees may engage in or overlook practices that pose risks like security breaches. “It’s a responsibility that board members increasingly know they must consider and to which they are beginning to respond,” she says.

Clark agrees, saying that technology in the workplace is growing at an explosive rate. “There is currently more technology in use enterprise-wide than there has ever been before,” she points out. “It is clear that security is influencing conversations at the highest executive levels and boards are becoming more and more savvy about technology and cyber risk.”

Brocaglia at Alta Associates, says her firm places many CISOs who must have the skills to directly present to the board. And, validating that requirement is new legislation recently introduced in the Senate that would require publicly traded companies to disclose to regulators whether any members of their boards of directors have cybersecurity expertise.

The Cybersecurity Disclosure Act of 2017, or S. 536, would not mandate that companies retain a cybersecurity expert on their boards. Rather, the proposed legislation would require companies to explain – in their filings with the Securities and Exchange Commission – whether such expertise, in fact, exists on their boards and, if not, why this expertise is redundant owing to other procedures put in place by the company.

Brocaglia says she expects that this legislation will raise the issue more frequently with board members and result in their evaluation of the executives they have in place driving their security and risk teams.

But, for Rajiv Gupta, CEO at Skyhigh Networks, boards have paid lip service to adding members with cybersecurity expertise. CISOs often take on the responsibility of educating the board, he says, making business-minded CISOs a hot commodity on the job market. “They say the CIO is the new COO, and the CISO is the new CIO. Technology is now a core function for companies reinventing themselves as digital businesses. The CIO leads digital transformation and the CISO is responsible for overcoming the principal technology barriers of cybersecurity and privacy.”

Other experts agree that there is a gap between the talent required and positions filled. Potters at Glenmont Group, says this is a huge problem. “The boards are still being populated by investor types (VCs and PEs) or old school leaders who are too far away from cyber issues to understand the importance of cybersecurity,” he says. “When I talk with board members it is scary to hear how detached they actually are on this issue.”

Meanwhile, Clayton at Littler Mendelson says that many boards try to recruit board members who have cyber knowledge, but the combination of skillset and personality required is relatively rare. “There’s too much techno-babble by most of those who are knowledgeable cybersecurity personnel,” he says.

Laliberte too says it is extremely difficult to find tech savvy board members. “Instead boards are enlisting external help of subject matter experts to assist them in understanding cyber risks.”

Data theft response

But, while companies do what they can to hire the appropriate security personnel, in the C-suite security is certainly rising up the ranks as a business enabler.

Bell says he sees companies realizing that there is no way to avoid a data compromise if they are singled out for a hack, but, he explains, they can avoid large financial losses and branding issues. “No one wants to be the next Target or Home Depot,” he says. The solution he favors is to reduce the damage. “I see some companies tie the CISO’s bonus or reduce it for breach activity or perhaps direct financial loss. Companies need to realize that there is just as brilliant a mind on the other side of the desk (hacker) as they have on staff.”

Breaches, he says, are inevitable for most firms, but how well they are mitigated or how the damage is contained makes the difference.

Potters says execs are finally looking at this issue proactively as opposed to reactively and are now willing to invest money (though not enough) to address the problems before they happen and not after they happen.

“…the best defense against cyberattack is an organization-wide culture of security.” 

– Kimberly Verska, partner and CIO, Culhane Meadows

Verska agrees that the C-suite folks are paying attention. “Episodes like the Target data breach, which resulted in the exit of that company’s CEO, certainly got the attention of industry,” she says. “We see increased emphasis on employee and executive training – including the C-suite and board level – particularly of those with a fiduciary responsibility of due care. Companies are spending millions of dollars on data security and training. This is a good thing if people take training seriously because sometimes it’s the little things that trip companies up.”

Security breaches are the quickest way for a company to get its name – the names of its executives, or the names of its board of directors – on the front page of the Wall Street Journal, she adds. “Worse is when it’s for neglecting to patch vulnerabilities that in hindsight look quite obvious, like permitting employees to transfer confidential customer data onto their unencrypted personal laptops so they can work at home.”

In the not-too-distant future, companies will be looking at blockchain and cutting-edge technology as the standard of due care evolves, Verska says. “But in the meantime, they can and should use the tools that exist. Have firewalls and monitoring software to check whether someone is trying to breach those firewalls,” she advises.

She also advises considering encryption. “It is the industry standard of care for many types of data, legally required in many cases.”

What’s shocking about encryption technology is how many companies don’t even do that, she says. “They may rely on third-party providers who may or may not have upgraded their own systems. We recommend that clients carefully consider the chain of operations and what happens when their data comes to rest in a third-party service provider — are they secure or are they leaky?”

Too often, she says, companies think their data is encrypted and protected as they move it from point A to point B, but it’s not. “Nor do I think a lot of companies realize how many ways there are for intruders to hop into the pipeline when they send sensitive data via ordinary emails.”

Companies are realizing that an ounce of prevention is worth a pound of cure, says Blackmere’s Clark. “Data theft is a risk from outside the organization from hackers and phishing attacks, but increasingly a risk from the inside – from both intentional employee theft and unintentional employee negligence,” she says. “Just like we’ve seen the emergence of the role of the CISO who is overseeing responsibility for corporate risk, we are also seeing the shift in mentality that data theft is not just an IT issue, but one that needs to be prevented through technology measures and continuous cybersecurity training geared toward the non-technical employee.”

Executive teams are beginning to understand that the responsibility for protecting their company’s data is truly a team effort, and that the responsibility for data loss risk management, while led by the CISO, truly belongs to the organization as a whole, Clark adds.

And what will it take to attract and retain the right people?

Corporations need to come to terms with the compensation needed to get these highly skilled and highly desirable cyber experts, says Potters. These workers can save your company, he explains. “Don’t try and squeeze someone with $200k skills into a $100k pay band,” he advises.

Also, he adds, hiring authorities need to understand that time is of the essence when looking at candidates. “If you think you have found someone that is worth bringing in on your team, move quickly,” Potters says. Streamline the interview process so it only takes a couple of weeks, and not a month or more. “You will lose out on that candidate as they start hearing about other opportunities – or, at the very least, you will have to give them more than the 15 percent recruiting bump that is typical.”

How GDPR Impacts The Cyber Security Talent Gap – Domini Clark to Cyber World

InfoSec Connect founder Domini Clark contributed an article to the special edition of Cyber World magazine, focused exclusively on the important issue of the upcoming EU General Data Protection Regulation (GDPR). The article in its original format can be seen here, and a reprint is below.

The General Data Protection Regulation (GDPR) will go into effect on 25 May 2018, and will have an important impact on business operations around the world. Data protection is at the heart of any business, encompassing everything from employment and emails to commercial contracts and corporate restructuring. Since this legislation will apply to most companies doing business with the EU, as we consider the impact these changes will have on business, the increased need for talent must be at the top of the list.

A recent study indicates that businesses will need to add at least 28,000 Data Protection Officers in the EU alone to support the GDPR. While this is an enormous amount of new talent to bring into the market, the real issue is brought into sharp focus through the current state of Cyber Security Workforce Trends and Challenges for 2017. ISACA, the International Information Systems Audit and Control Association, indicates that 55% of organisations take more than three months to fill their current open cyber positions. In addition, 30% of companies in the EU are completely unable to fill their open cyber security positions.

Although we are navigating through already troubled cyber talent waters, it is important to understand that many companies affected by the GDPR will be required to hire, appoint or contract a Data Protection Officer (DPO). Let’s get started with what a Data Protection Officer looks like. While there are differing opinions on the specifics of the position description, here are some general guidelines to follow when searching for yours:

  • Expertise in data protection regulations
  • Industry-specific knowledge in keeping with both the size of the data processor or controller and the sensitivity of the data being processed
  • The ability to inspect, consult, document and analyse log files
  • The ability to ensure that technical and operational groups comply with procedures

The Data Protection Officer will be responsible for raising awareness of data privacy as well as implementing, monitoring, documenting and applying policies and procedures, and verifying compliance. This will also be the person responsible for notifying data protection authorities in the event of a data breach. Essentially, this will be an expert in privacy and data protection with the ability to truly understand and balance the risks for data processing.

A very important factor to consider as you plan your GDPR programme is the protected status of an internal (employee) Data Protection Officer. In other words, the GDPR prevents dismissal for performance of related tasks, with the aim of ensuring there are no penalties for ‘whistle blowing’. While this protection will insulate against retaliatory terminations, it can also tie the hands of employers when navigating through a ‘bad hire’ situation. This caveat may ultimately create more opportunities for law firms or specialty consulting firms offering Data Protection Officer services.

Of course, the best approach to cyber security is to prevent hacks, attacks and breaches before they happen. Prevention requires a strong cyber security team, which will expand with the new regulations. The GDPR’s intent is to ensure compliance and raise awareness of data privacy and protection. We will very quickly need to determine HOW we are going to attract the right talent to our organisations. Here are a few tips to consider as you recruit for your Data Protection Officer (or any other cyber talent, for that matter):

A BREED APART

The best cyber security professionals think like the criminals they oppose. That enables them to anticipate what hackers might try, and to identify weak points in system defences. You likely won’t find their CV on CareerBuilder or LinkedIn, so you’ll need to leverage your best networking skills and hardcore power-searching techniques. Consider utilising industry specific job boards such as ISSA, SANS or InfoSec Connect. If your quarries think like a criminal, you have to think like Sherlock Holmes to track them down. Don’t email them a link to apply, as they will not click on a link from an unknown source (and neither should you). Send them a PDF with instructions for connecting with you.

IT’S NOT A POSTING, IT’S A PITCH

The demand for such professionals means they’re constantly hearing from recruiters. InformationWeek’s DarkReading.com cites new research by Enterprise Strategy Group and the Information Systems Security Association, indicating that about half of cyber security professionals are contacted by a recruiter at least once a week. If you post a standard HR job description of duties and requirements, it will wash out amongst all the other background noise.

In today’s market you have to court talent, and that is especially true of cyber security professionals. Don’t think of it as a job posting, think of it as a sales pitch. Resist the ingrained habit of listing what your company needs, and focus instead on what will engage the interest of your target audience.

APPEAL TO THE HOT BUTTONS

In general, cyber security professionals want to:

  • Take on intriguing work that is varied and unique. Let them use their devious creativity to your company’s advantage.
  • Stay current with the ever-evolving threat landscape. If you’ve got the coolest technology, executive buy-in and a penchant for innovation, your pitch should highlight those perks.
  • Do more than just scratch the surface – offer them opportunities not only to look under the hood, but also to take some deep dives into your systems. Give them the authority to make a true impact on your organisation.
  • Have the option to work remotely. Your organisation may cling to traditional models, but if virtual options give you an edge in the talent war, then it’s time to loosen up.

KEEP YOUR SOCIAL MEDIA BUZZ FRESH

This is good general recruiting advice, but definitely important for this group. The content doesn’t have to be about job openings (although you should push those out, too). Instead, think of social media as digital pheromones that make your company attractive. Blogs and tweets help establish your company as a thought leader, enhancing your brand. They also increase the likelihood that hard-to-find candidates will stumble across your company.

Share great insights and ideas your team has, and be sure some of your efforts target the cyber security community — it’s not ALL underground. Join cyber security forums and GDPR discussion groups, for example. Encourage your existing cyber security talent and ranking IT leaders to write blog posts and white papers on the topic.

HANG LOOSE

There are specific qualities to look for in cyber security candidates, but you can’t run an effective search if you focus only on screening people out. The pool’s just too small. Given that security threats are constantly evolving, a degree probably isn’t as important as current experience. Or consider recruiting recent graduates to work with your Data Protection Officer by offering the opportunity to gain valuable hands-on experience (an ounce of future planning never hurt!). Another tactic: instead of asking for five to seven years of experience, ask for three to five and highlight the opportunity for career growth.

You can try retraining existing IT staff, but keep in mind that success in cyber security takes a certain mindset. Ideally, you have a system administrator who can channel her inner cyber risk analyst and ask, “What would I do if I wanted to get past our own security measures?”

REACH OUT

Another strategy is to promote outreach programmes that engage new hires, women and minorities. According to the Wall Street Journal, big banks such as J.P. Morgan Chase and Citigroup are getting results through programmes targeting different groups. Some have even started ‘re-entry’ programmes to attract women who took a career break to care for dependants or others. Getting involved with organisations such as the Women in Security special interest group within ISSA International, or the International Consortium of Minority Cyber Security Professionals (ICMCP), will help you.

WELCOME EVERYONE

Take a long, hard look at your organisation. Even if there is no active discrimination, lack of diversity can make cyber security departments look like good ol’ boys’ clubs, further discouraging members of under-represented groups from pursuing careers in this space.

Keep in mind that of the employed population, the National Cyber Security Institute reports that women make up only about 20 per cent of that profession, while African-Americans, Hispanics and Asian-Americans combined make up only 12 per cent. While this data is pulled from the US, the preliminary numbers out of the EU do not appear to be any more promising.

Since the best approach is to prevent the hacks, attacks and breaches from occurring in the first place, talent leadership needs to be a big part of your GDPR programme. However, as you are aware, talented cyber security professionals are in serious short supply. They’re a bit of a unique beast, so you’ll need a recruitment approach for engaging cyber security talent that’s different from the ones you’re using with other positions — even other IT positions.

About the Author:

Domini Clark is the founder of InfoSec Connect, the industry’s first hassle-free recruitment communication platform exclusively serving the information security community. She is also Managing Principal at Blackmere Talent Acquisition & Consulting, a specialty Talent Acquisition Firm with a focus on the information security sector. Domini has been involved in professional recruiting for over fifteen years working in both technical and operational recruiting for Fortune 10 organizations, small and medium sized businesses and federal government contractors. She sits on the Board of Directors for ISSA (Information Systems Security Association) Utah and recently received the Luminary award from the International ISSA Women In Security Group.

Analysts: Cybersecurity staffing shortages negatively affect national security – Domini Clark to Stars & Stripes

InfoSec Connect founder Domini Clark’s insights on cybersecurity staffing shortages were used for a recent article in Stars & Stripes. The article appeared here.

The nation’s colleges and universities are scrambling to add courses to prepare students to fill the huge number of cybersecurity jobs that have arisen due to exponential growth in hacking worldwide.

The extent of the problem isn’t clear; analysts say the number of job vacancies ranges from 100,000 to 350,000, with as many as 45,000 positions in California.

Ashton Mozano, a cybersecurity professor at the University of San Diego, says there are thousands of $80,000 entry-level jobs available to applicants who have nothing more than an undergraduate degree in computer science or computer engineering.

Analysts are trying to nail down the actual number of openings.

“The cybersecurity industry does not have the best track record when it comes to quantification,” said Stephen Cobb, a senior researcher in the San Diego office of ESET, a digital security company.

But the shortfall is real.

And a lot of the blame has been placed on academia for failing to train large numbers of students with targeted skills. Industry and government officials also are being criticized for failing to define their needs more clearly — a key component for helping colleges solve the labor shortage.

Academia is trying to fix the problem, especially in San Diego County, where hackers routinely assault the region’s huge military, defense and science communities, as well as the assets of consumers.

National University, the University of San Diego, San Diego State University, UC San Diego Extension and Palomar College now teach courses that weren’t available 5 to 10 years ago.

USD also closely works with Circadence Corp., a company in Kearny Mesa that specializes in the “gamification” of cybersecurity training. Students are exposed to high-resolution videos and graphics that give them a sense of what a real “hack attack” is like. They also use the immersive software to learn how to spot and prevent digital assaults.

The company is led by Mozano, who is also part of USD’s growing cyber program.

He’s trying to change the way students are taught in hopes of drawing larger numbers of people into the field quickly.

“Unfortunately, presenting technical training in an aesthetically pleasant way does not seem to be a high priority among course material developers,” Mozano said.

“Certain academic fields in mathematics and engineering are infamous for presenting material in drab, monotonic, esoteric, non-interactive manners.”

Analysts said that compounds the problem because cybersecurity already suffers from an image problem.

The field pays well, but many computer-science students would rather create new products and technologies for Apple and Google than design and operate systems that spot, resist and mitigate a widening variety of attacks.

“Computer science is sexy. Cyber isn’t,” said P.K. Agarwal, regional dean of Northeastern University’s Silicon Valley campuses, which teach cybersecurity.

“Cybersecurity can be a high-stress job where you can get fired if things go wrong, and no one pats you on the back if there were no problems overnight,” he added.

Analysts said the industry needs to jazz things up and highlight job opportunities.

“The chances are excellent for graduates of homeland security and cyber security degree programs to enter the job market directly out of college,” said Lance Larson, assistant director of the Graduate Program in Homeland Security at SDSU.

“The reality for recent graduates is that they need a degree, experience, and certification; this is really the perfect trifecta for graduates to have a powerful job seeker portfolio.

“At San Diego State University’s Graduate Program we are requiring students to intern, starting with our 2018 graduate class, to allow students to gain practical experience required for the job market.”

San Diego-based National University also is emphasizing practicality.

“One thing we do to improve students’ skills and make them more marketable is provide opportunities to work with local small businesses and nonprofits to conduct free security assessments as part of their final Capstone project,” said Chris Simpson, director of National’s Center for Cybersecurity.

“Students who gain experience from this applied learning and who have the opportunity to network within the tech community have shared with us how well-prepared they are for the job market.”

The staffing shortage is serious enough that, “The president should … train 100,000 new cybersecurity practitioners by 2020,” the Commission on Enhancing National Cybersecurity said on Dec. 1.

The shortage also means “you’ll see more things like the Tesco attack, which targeted bank accounts (in England), and a greater risk to health-care records and everyday devices like your phone,” said John Callahan, director of cybersecurity programs at the University of San Diego.

“In the digital age, this is potentially the greatest period of risk that consumers have ever faced.”

There’s special concern about ransomware, a type of malicious software that hackers can use to remotely take control of computers, including those in automobiles. In most cases, victims have paid money — from hundreds to tens of thousands of dollars — to regain control. For example, hackers carried out such an attack against Hollywood Presbyterian Medical Center in February, forcing the hospital to pay $17,000 in ransom.

The U.S. Justice Department estimates there are about 4,000 attempted ransomware attacks each day against individuals, companies and the government, and that many of them are successful.

“Based on FBI statistics, bank robbery in the U.S. is a $40 million a year problem, whereas cyber criminals using ransomware are making over $200 million per quarter,” said Cobb at ESET.

“And while a handful of bank robbers are shot dead every year, there are no reports of cyber criminals ever being killed in the commission of a crime,” he added.

The federal government and the military began to significantly ramp up their efforts to fight cyber attacks about a decade ago. Security firms and a wide range of companies did the same.

The results have been mixed.

Analysts said most cyber attacks, including some pretty sophisticated ones, are blocked or minimized. But hackers have quickly adapted to every method used to stop them, leading to damaging and embarrassing breaches amid an ongoing game of cat and mouse.

Earlier this year, hackers stole digital spying tools thought to belong to the super-secret National Security Agency. Hackers also stole data from the Democratic National Committee and Hillary Clinton’s campaign in an apparent attempt to influence the presidential election.

In late November, a hacker disabled the fare system for the San Francisco Municipal Transportation Agency, forcing it to give commuters free rides until proper operations were restored.

Experts said these kinds of intrusions underscore the need to develop a huge professional class of cyber professionals — and to market the field as a noble and dynamic domain where well-regarded, highly valued specialists defend precious assets and protect the public’s safety.

“Some people think of cyber as the I.T. guy, which is wrong,” said Callahan at the University of San Diego.

While the staffing estimates vary, analysts agree on the huge need for qualified workers in the cyber industry.

Northeastern University’s Agarwal estimates there are 100,000 of these unfilled jobs nationwide. Peninsula Press, a journalism program at Stanford University, puts the figure at 209,000. Cyber Seek, an industry-government coalition, said the number could be about 350,000 when including positions that require at least some cyber abilities.

The job descriptions range from security analysts to network engineers to software developers to risk managers. Some lower-level positions pay as much as $70,000 per year, and management positions can hit $235,000 or higher.

Experts are eager to see the applicant pool widen, and they’re looking for specific types of candidates.

“The best cybersecurity professionals think like criminals,” said Domini Clark, an Idaho-based recruiter at the recruiting company Decision Toolbox. “The joke in the industry is that superstars have an ‘evil bit’ in the code of their personalities. They know better than to have a high-profile online presence. ‘Paranoid’ is too strong a word, but they tend to be hyper-cautious and some take pride in operating in ‘stealth mode.’”

Those people tend to be coveted, so low-ball employment offers just don’t work.

“(Some) companies are doing lip service, not willing to fund the important roles that are necessary for the growing security issues,” said Kirsten Bay, chief executive of the firm Cyber adAPT in Half Moon Bay. “There is a desperate need for technologists who can speak at both the engineering and board levels, candidates who can understand technology and yet speak to the business case for security.”

Clark at Decision Toolbox agrees, noting: “About half of cybersecurity professionals are contacted by a recruiter at least once a week. If you post a standard H.R. job description of duties and requirements, it will wash out among all the other background noise … (Candidates) want to do intriguing work that is varied and unique. Let them use their devious creativity to your company’s advantage.”

niche job boards value

SHRM Examines The Value of Niche Job Boards

This article originally appeared on SHRM here.

Niche Job Sites Still Valuable as Legacy Boards Fade

By Roy Maurer

Smaller, atypical job boards segmented by industry and region help target relevant talent but require more proactive work from recruiters to be truly effective.

Staffing firm Randstad’s 2016 acquisition of an ailing Monster—one of the original behemoth online job boards—and indications that the sole remaining mega-board CareerBuilder is also for sale have reignited discussions on the recruiting blogosphere about the decline of the model.

“The big job boards are not exactly the darlings of the recruitment industry these days,” said Chris Russell, a recruiting technology and job board consultant with RecTech Media, based in Trumbull, Conn. Russell curates a free database of more than 1,100 job boards.

“Recruiters are balking at their high prices and the many unqualified candidates that they generate.”

But savvy talent acquisition professionals know that not all job boards are waning, and in fact, smaller niche boards that cater to specific regions, membership associations, specialized industries and types of contracts are a valuable tool for recruiters. Examples of niche boards include AllRetailJobs, CollegeRecruiter, JobsInLogistics, Medzilla, GitHub and Minnesotajobs.

“Niche job boards are particularly useful for cutting through the clutter and finding talent for hard-to-fill roles, specialized positions, specific industries—or to tap into unique candidate audiences, such as military veterans,” said Susan Vitale, chief marketing officer at Matawan, N.J.-based recruitment software provider iCIMS.

“Niche boards will always play a part in recruitment advertising,” Russell agreed. “By posting jobs or searching resumes on these sites, the employer has access to a targeted pool of candidates on demand.”


But recruiters might be wasting their time if they treat these sites as they would Monster or CareerBuilder. “If you are going to a niche board and throwing up a generic job ad and expecting big results, you’re probably going to be disappointed,” said Jessica Nettleton, recruitment media strategist at end-to-end recruitment services firm Decision Toolbox.

“If recruiters actively source from niche boards and proactively engage with potential candidates, then [the boards] can be a huge value,” she continued. “It’s not a ‘post-and-pray’ situation. You won’t reach the numbers that you would by using a bigger job board, but you will probably reach the right candidates. If recruiters do the work, they will see a ROI [return on investment].”

Quality over Quantity

Recruiters are often frustrated with having to sift through a massive amount of unqualified applicants to find suitable candidates. Niche boards don’t boast the traffic of sites like CareerBuilder and Monster but are more likely to attract candidates with specialized skills and relevant experience, leading to lower cost-to-fill and higher quality-of-hire, according to experts.

Amber Hyatt, SHRM-SCP, director of product marketing for SilkRoad, a talent management system, noted that niche job boards may be a particularly effective way for organizations to snag candidates in high-demand industries, or to help ensure that companies meet their compliance goals regarding diverse candidates and veterans.

A recent survey conducted by iCIMS revealed that military veteran job boards are one of the top sources veterans use when searching for a new position. “Employers should make it a priority to showcase their brand on these types of niche job boards to find and attract best-fit talent,” Vitale said. iCIMS partners with job-distributing engines like JobTarget and eQuest to enable employers to post their jobs on many boards, including niche sites.

“The targeted aspect is the main benefit, whether we are talking about an industry-specific candidate or one where location is a big factor,” Russell said. He added that in his experience, niche sites are more approachable and do more to engage their clients. “One of the big ways they contrast with bigger sites is customer service. When I ran my boards in the 2000s, I knew a lot of my customers by first name and I also met many of them in person.”

Cybersecurity Professionals

Staffing Industry Analysts Credits Domini Clark with Quote of the Week about the Best Cybersecurity Professionals

InfoSec Connect founder Domini Clark was credited with the Quote of the Week from Staffing Industry Analysts (SIA).

BEST CYBERSECURITY PROS ‘THINK LIKE CRIMINALS’ — STAFFING QUOTE OF THE WEEK

“The best cybersecurity professionals think like criminals,” Domini Clark, an Idaho-based recruiter at the recruiting company Decision Toolbox, told The San Diego Union-Tribune in a story about unfilled cybersecurity jobs. “The joke in the industry is that superstars have an ‘evil bit’ in the code of their personalities. They know better than to have a high-profile online presence. ‘Paranoid’ is too strong a word, but they tend to be hyper-cautious and some take pride in operating in ‘stealth mode.’”

SANS CyberTalent Fair

Virtual career fair hosted by the SANS Institute June 7

Need a job in cybersecurity? You should consider attending the next SANS CyberTalent Fair (SCTF), an online career fair hosted by the SANS Institute coming up on Wednesday, June 7, 2017. You can register now at http://bit.ly/2p19EHA

This daylong virtual career fair event will provide employers and jobseekers in cybersecurity with the opportunity to engage one another in a unique online setting. The event uses a dynamic, innovative online platform in which jobseekers and employers can chat, share resumes and job vacancies, and more! All registrants also have the opportunity to take the SANS CyberTalent Test at no cost.

Past participating employers include Verizon, General Dynamics (IT), U.S. Department of Homeland Security, Leidos Cyber, Cisco, Juniper Networks, NTT Security, Stroz Friedberg, EY, the 780th Military Intelligence Cyber Brigade, Deloitte, and many others! It’s the seventh event in the series, with over 9,000 jobseekers and 55+ employers having participated to date.

The SANS CyberTalent Fair is open to interested jobseekers at no cost. Please visit http://bit.ly/2p19EHA for more information.

cybersecurity jobs SC Magazine

Cybersecurity jobs are there for the taking. Are you ready? Domini Clark to SC Magazine

InfoSec Connect founder Domini Clark contributed her thoughts on the increasing number of cybersecurity jobs to SC Magazine.

The article originally appeared here, and a copy is below.

***

It takes more than technical know-how to be an essential part of an IT security team, reports Greg Masters.

One might think that a net increase of 13,000 information technology jobs in February is a sign of healthy growth in the field, but a comparison to previous employment numbers from the Bureau of Labor Statistics (BLS) paints a more complex picture.

While the numbers prove conclusively that February was the best month since last September in terms of job growth for IT professionals, there is something a bit unsettling about performance over the last three months of the year, David Foote, CEO and chief research officer at Foote Partners, a Vero Beach, Fla.-based IT analyst firm and research organization, said in a report.

“Only 7,533 jobs were added on average in this period compared to 11,533 jobs per month in the first nine months,” he wrote. While he pointed out that a three-month span is insufficient for a true analysis of labor numbers, still, the February results indicated “volatility and uncertainty in the marketplace for U.S. tech jobs.”

Foote’s conclusion was that companies are cautious about hiring on full-time staff for technology-enabled solutions they are experimenting with. Rather, the call is going out to consultants and contingency workers to fill roles. This way, enterprises can remain flexible as they develop their security implementations.

To stay competitive, enterprises must scale quickly, Foote said. This means positions are being added in areas that prove effective – such as cloud, Big Data, mobile or digital technology – because the outlook shows these professionals having an impact for a long time.

“What will drive new job creation in 2017 will be hiring in niche areas – such as Big Data and advanced analytics, cybersecurity and certain areas of applications development and software engineering, like DevOps and digital product development,” he said.

Other experts point to the growth of the cloud as a determining factor in opening a wide berth between jobs to fill and candidates skilled enough to fill them. The move to the cloud and evolving threats have transformed the skill requirements for IT departments, exacerbating the skill shortage, says Rajiv Gupta, CEO, Skyhigh Networks, a global cloud access security broker with U.S. headquarters in Campbell, Calif. “With the prevalence of cloud services, IT professionals are more valuable if they can understand user need, educate employees on risk and balance the needs of security with business,” he says.

Many customers his firm works with have set aggressive timelines to eliminate most or all of their datacenters, he explains. “A CISO empowering an efficient, secure company-wide cloud migration can have a significant effect on their organization’s business.”

As companies build out their software development programs, IT security will move to a front-office role and work directly with application teams to deploy solutions more efficiently and without compromising sensitive data, says Gupta, adding that more than two-thirds of IT professionals believe communication with non-IT departments and executives will become more or much more important in the next five years.

Gone are the days that companies are searching for CISOs based on their technical competencies alone, says Joyce Brocaglia, CEO of Alta Associates, a Flemington, N.J.-based boutique executive search firm specializing in cybersecurity, IT risk management and privacy. “The CISO role is now valued as a bridge for business enablement, so these leaders need to demonstrate collaboration and influencing skills with business stakeholders, be able to effectively and succinctly present to the board, interact with regulators and have the capability for the development of an overall risk strategy for their companies.”

As if that’s not enough, she adds, those in this role need to have a combination of true leadership skills, the gravitas and capabilities to build consensus, influence culture and be an evangelist for their programs internally and externally.

Considering that by 2020 there are expected to be 1.5 million unfilled cybersecurity positions, Brocaglia – also the founder of the Executive Women’s Forum – says the gap will never be closed by ignoring half of the population, women. She points to “The Women in Cybersecurity Study,” co-authored by the Executive Women’s Forum on Information Security Risk Management & Privacy and (ISC)2, which was released in March. “It is an eye-opening report on the stagnation and underrepresentation of women in cybersecurity,” she says.

Highlights of the report show:

  • Women are underrepresented in the cybersecurity profession at 11 percent, a number that has been stagnant since reported in 2013.
  • Women have higher levels of education than men, with 51 percent holding a master’s degree or higher, compared to 45 percent of men, yet hold fewer positions in management.
  • Globally, men are four times more likely to hold C- and executive-level positions, and nine times more likely to hold managerial positions, than women.
  • 51 percent of women report various forms of discrimination in the cybersecurity workforce, compared to 15 percent reported by men. Women report higher levels of discrimination as they rise in an organization, with 67 percent of C-level women reporting discrimination.
  • In 2016, women in cybersecurity earned less than men at every level.
  • Women who feel valued in the workplace have also benefited from leadership development programs in greater numbers than women who feel undervalued.
  • Women who receive sponsorship and mentorship are more likely to be successful.

Since 2002, the Executive Women’s Forum on Information Security Risk Management & Privacy (EWF) has been committed to addressing the issues highlighted in this report by delivering programs and events that help women to succeed, says Brocaglia. “So I’m not surprised to see that this study reflects what women have been telling us for the past 15 years: That they are most successful and feel most valued when they are given access to thought leaders, mentorship and leadership development programs and provided a safe and trusted environment to interact.”

The point, says Brocaglia, is that corporations need to take meaningful actions in attracting, developing and retaining women in cybersecurity. And, she emphasizes, that directive needs to come from the top and hiring managers need to make the diversity of their teams a priority. She is proud of the fact that her firm filled 60 percent of its searches in 2016 with minority candidates and 40 percent were filled with qualified women executives. “This proves that building diverse cybersecurity teams is, in fact, an obtainable goal, given the right partner and right commitment to diversity hires.”

Domini Clark, a principal at Blackmere Consulting, an executive recruiter for the technical and cybersecurity industry, agrees that cybersecurity professionals of all types are growing in demand, and the reason, she says, is well-founded.

“It can be easy to think of cyberattacks as something that only happens to other companies. Unfortunately, a more realistic view is not whether it will happen, but when it will happen to your organization.”

The fact is that cyberattacks are on the rise, she explains, pointing to PwC’s “Global State of Information Security Survey 2016,” which stated that, across all industries, there were 38 percent more security incidents in 2015 than in 2014. “It doesn’t just happen to giant corporations like Yahoo!, Sony and T-Mobile,” says Clark, also a director of strategy at IT security recruiter, InfoSec Connect. “SmallBizTrends.com claims that 43 percent of attacks on businesses target small business. Large or small, it can cost you plenty.”

The average total cost of a single data breach was $7 million – up from $5.4 million in 2013 – according to the 2016 Ponemon Cost of Data Breach Study. More than half of these costs are related to lost business due to customer churn related to reputation concerns following a breach.

“The best approach to cybersecurity is to prevent the hacks, attacks and breaches, and you need a strong cybersecurity team to do that for you,” says Clark, adding that the specific titles of roles that are growing in demand include: CISO, application security engineer, application security architect, cyberthreat intelligence analyst, information security architect, and incident response manager. However, she adds, “this is hardly an exhaustive list.”

Scott Laliberte, managing director and leader of global IT security and privacy practice at Protiviti, a global consulting firm with more than 70 offices in over 20 countries, agrees that all cyber-related skills are in demand right now due to the significant increase in the threat and awareness of cyber risk. These skills range from cyber governance and related soft skills to technical skills, such as penetration testing, hardware/IoT security, industrial control system security, secure development and code review, network security, identity and access management, etc., he says.

Wils Bell, a cybersecurity recruiter at SecurityHeadhunter.com, agrees that all skills appear to be in demand, depending on where a company is with its cybersecurity platform. There are two particular attributes that he looks for in a good candidate. “One being an understanding of business, if you will, and the other someone who can think outside the box.”

Michael Potters, the CEO of Glenmont Group, a Montclair, N.J.-based executive search firm, points to a number of skills currently in demand for IT security professionals. The requirements obviously change position to position, he points out, but he offers some of the common skills listed on a few of his firm’s job descriptions, including: monitoring and responding to security events escalated by Level 1 security analysts; using endpoint products (various) to identify malicious activity; providing technical expertise on security tool deployment and implementation; the ability to work at speed, under pressure, and to make decisions in real time with reliable accuracy; being able to work in a global environment and drive change; security certifications (CISSP, CISM, GIAC certs); and working knowledge of much of the cyber software used in the space.

Not just tech know-how

But, Potters says that it’s not just technical know-how that is required. He looks for candidates who have the ability to speak and understand terminology, especially those related to cybersecurity assurance, the ability to validate effectiveness of current controls and identify potential gaps, and those with good attention to detail, strong analytical, quantitative and investigative problem-solving abilities. Additionally, he likes to see a prospective hire who exhibits qualities like tenacity and who provides mentoring to other members up and down the organization.

Laliberte too says it takes more than technical know-how to be an effective member of the team. “Besides technical knowledge, a love of learning and thirst for new challenges are key attributes of successful candidates,” says Laliberte. Typically, candidates who enjoy puzzles and brain-teaser-type games do well in this field, he says.

But, perhaps even more attractive to hiring personnel are candidates with the ability to communicate issues in non-technical terms that business people can understand. “This is a key attribute in attaining leadership positions in this field,” says Laliberte. “Finding a candidate that has a balance of strong technical skills, business acumen and communication aptitude is extremely rare, but those candidates will go very far.”

However, he explains, not every candidate exhibits potential leadership skills – and that’s ok. “We also need team members with strong technical skills in multiple areas.” Also extremely important, he says, are a strong work ethic, a love of learning and the ability to work in teams.

Blackmere’s Clark agrees with much of this assessment, but offers an additional asset to look for. “The best cybersecurity professionals have two primary skills outside of technical knowledge: communication/social skills and the ability to think like the criminals they oppose.”

Without question, the ability to communicate and influence change in an organization is key to the success of both the individual as well as the entity they support, she says. “The ability to think like a ‘bad guy’ enables security professionals to anticipate what hackers might try, and to identify weak points in system defenses. This ability is sometimes lovingly referred to as the ‘evil bit’ (as in bits and bytes) which seems to be coded into the personalities of many industry superstars.”

Potters says the best candidates are both “the smartest person in the room” and “someone who knows that they are never smart enough.”

What he means by this, he says, is that these job seekers have to have the knowledge and skill sets to lead change in an organization, and the confidence in their knowledge to go toe to toe with the stakeholders in an organization who do not particularly want to hear, or be told to do, what needs to be done to protect the organization.

“The not-smart-enough bit is because there has to be an insatiable drive to learn in an industry that changes daily as very few areas are this dynamic,” Potters says. “Those that continue to learn and stay in front of the knowledge curve are always valuable to their organization and the industry.”

Bell, who has been a cybersecurity recruiter for 15-plus years, considers the perfect applicant to be someone who is very flexible.

The ideal candidate is passionate about their work, says Blackmere’s Clark. “Technology isn’t just something they do for work, it is also a hobby and they are constantly staying in touch with what’s new in the industry.” Regardless of which facet of security they work in, from application security to the NOC to sales, security drives them and it’s clear in everything they do, Clark points out. “The trick is that many of our ideal security candidates do not approach life in the shadows online,” she says. “You won’t find their résumé on CareerBuilder or LinkedIn, so you’ll need to leverage your best networking skills and hardcore power-searching techniques.”

If your quarry thinks like a criminal, she says you have to think like Sherlock Holmes to track them down. “Don’t email them a link to apply – they won’t click on a link from an unknown source (and neither should you). Send them a PDF with instructions for connecting with you.”

A good team member

And, being a good team member is an essential part of the mix as well. That means, Bell says, someone who can work well with others and is not a prima donna. “Someone who is open to mentoring others,” is another attribute he looks for in potential hires.

As far as what he considers to be the attributes that best define a good team member, Potters says, “One thing that is often brought up is ‘we need someone that has the ability to park their ego at the door.’ Most companies want someone who they are comfortable sitting around the table with for the next five years. Try to show that in your interview,” he advises.

“Also let them know that you love to mentor and to be mentored,” he says, adding that that’s the equivalent to getting a trainer along with the other skill sets that you are being considered for.

In addition to having the technical skills to perform the job, the very best team members approach their work differently, and they have a unique set of expectations, says Blackmere’s Clark. “They want to do intriguing work that is varied and unique – let them use their devious creativity to your company’s advantage,” she says. These candidates want to try new tools and techniques to keep up with the ever-evolving threat landscape. “If you’ve got the coolest technology, you should highlight that,” she advises.

Further, these potential hires want to do more than just scratch the surface, Clark says, so she advises offering these people opportunities to not only look under the hood, but also to take some deep dives into the systems and code of your organization.

Another asset of the job these candidates seek is the ability to work remotely. “Your organization may cling to traditional models, but if virtual options give you an edge in the talent war, it’s time to loosen up,” she says.

Finally, Clark says these players want to know that the organization appreciates and values their contribution – like other employees in your company. “If you don’t have a proactive recognition and rewards program in place, now’s the time,” she says.

When pressed to define what makes a good team member, Laliberte says good team members have no ego. “This field changes so rapidly that no one can know it all,” he says. “Recognizing that you do not have all the answers and can learn from everyone else around you is important. One or two egos in a group changes the entire dynamic and stifles a culture of innovation.”

If you’re recruiting and want to be successful at attracting qualified and talented cybersecurity team members, be prepared to approach the salary negotiation process differently, says Clark. Cybersecurity professionals know what they’re worth, and it’s pretty high in the IT pay bands, she says.

The gap between supply and demand is daunting, she adds, pointing to a recent Cisco report showing between 500,000 to one million unfilled cybersecurity positions in the U.S. “And that gap is expected to grow,” she says. “You may be reluctant to pay market value, but if your competitors will pony up, you’ll be stuck on the wrong side of the firewall.”

Further, while the purse strings are loose, be sure to include professional development opportunities, such as ongoing training and conference attendance, Clark advises. “Not only will it give you an edge in the talent market, but it also will ensure your cybersecurity staff stays current. Threats are constantly evolving and what your people learned last year is already outdated. No one can afford to leave their company assets vulnerable.”


2017 Best Cities for Cybersecurity Professionals

It’s a good time to be working in cybersecurity. As hackers continue their onslaught, stealing information in sectors ranging from health care to retail sales, businesses will need experts in digital security to fight back.

Hacks in 2016

In the first half of 2016, more than 554 million records were breached – a 31% increase over the previous six months.

Analysts expect significant growth in the industry: More jobs will come, and companies will spend more money to shore up security.

Spending

Cybersecurity Ventures projects companies and consumers will spend $1 trillion globally over the next five years on cybersecurity. That’s a projected growth of 12-15% from 2017 to 2021.

The U.S. Bureau of Labor Statistics predicted 18% job growth from 2014 to 2024.

A recent report showed that several states have a high need for cybersecurity professionals.

Given the bullish nature of the industry, GoodCall® analysts crunched the numbers to determine the Best Cities for Cyber Security Professionals.

They looked at data from 221 cities, including average salary for cybersecurity professionals compared with the average overall salary, the number of jobs available per capita, affordability, and amenities per capita. These factors highlight cities that are both great places to find a job in the industry and great places to live.

The top 10 best cities for cybersecurity professionals are:

  1. Columbia, MD

Columbia stood out for its high number of available jobs per capita. It’s also a fairly affordable area that pays cybersecurity professionals well.

  2. Sioux Falls, SD

The average salary for cybersecurity professionals in Sioux Falls is more than double the city’s overall average. And rent there accounts for just 26% of annual household income.

  3. Jersey City, NJ

Talented workers have a good chance at landing a job in Jersey City, which has the fourth-highest number of jobs available per capita. Salary is competitive, too: the average of $115,000 is 1.9 times the city’s overall average.

  4. Newport Beach, CA

Newport Beach has it all. It’s fairly affordable, pays well for cybersecurity pros, and the abundance of amenities makes it a fun place to live.

  5. Cary, NC

Cary is the fourth most affordable place on the GoodCall list, and it ranks in the top 50 cities for jobs available per capita.

  6. Orlando, FL

Cybersecurity jobs pay well in Orlando – nearly 2.2 times the overall average salary. And companies are hiring; Orlando ranks 20th in jobs available per capita. And, of course, the area’s amenities are abundant.

  7. Irving, TX

Companies are shoring up security in Irving, which has the 14th-highest number of available cybersecurity jobs per capita. The area is also an affordable place to live: rent accounts for just 25.3% of annual household income.

  8. Chattanooga, TN

Security jobs pay well in Chattanooga, where the average salary for the industry is 2.2 times the overall average. The abundance of amenities makes it a great place to live, too.

  9. Troy, MI

Aside from its fairly high number of available jobs per capita, Troy stands out for its incredibly affordable rent, which accounts for 24.7% of household income.

  10. Plano, TX

When analysts last checked, there were at least 21 cybersecurity jobs posted in Plano, placing it among the top 10% of cities in available jobs per capita. The fact that it’s affordable is just a bonus.


Here’s a look at the top 50:

View the full rankings here.

Some cities didn’t make the highest ranks on the GoodCall list but were still notable in specific statistical areas:

Methodology

GoodCall analysts included data from 221 cities in the U.S. to generate rankings based on a score. That score was determined by:

Available Jobs: The number of full-time jobs in each city posted on Indeed.com under the title “cybersecurity” or “information security.” This was analyzed per 1,000 residents and accounted for 30% of the score.

Salary Potential: The average salary for Information Security Analysts from the U.S. Bureau of Labor Statistics, compared to the average overall salary from the area, also from the BLS in 2015. This made up 30% of the score.

Affordability: The median gross rent as a percentage of household income, taken from the American Community Survey 2015 1-year estimates. This accounted for 30% of the GoodCall score.

Amenities: The number of accommodation and food services as well as arts, entertainment and recreation venues, as reported in the 2012 Geographic Area Series from the Census Bureau, and adjusted per 1,000 residents. County data was used when city data wasn’t available. This accounted for 10% of the GoodCall score.


This blog originally appeared on GoodCall here and was republished with permission.


Studies are nice, but women in security say it’s time for the next step: Domini Clark to Naked Security

InfoSec Connect founder Domini Clark weighed in on the current state of women in security and how to improve the status quo. The article originally appeared on Naked Security by Sophos here.

***

Studies are nice, but women in security say it’s time for the next step

There’s been no shortage of studies over the years about the fairness gap between men and women in security, not to mention every other industry.

Now comes one from the Center for Cyber Safety and Education and the Executive Women’s Forum showing that women make up only 11% of the cyber security workforce.

These studies are well intentioned. But according to several women in the industry who spoke with Naked Security, it’s time to move beyond the studies and focus on actually changing the culture. One of them is Magen Wu, a security consultant with Rapid7.

She said the latest survey is a great example of awareness on an issue that has been long debated in the industry. But the data reads a lot like a phishing report.

It’s good to have the numbers on who opened the email versus who clicked the link or filled out the form. But unless we do something with that information, it serves little purpose other than to generate awareness that we have a problem.

The latest study

For this latest study, the Center for Cyber Safety and Education and the Executive Women’s Forum surveyed more than 19,000 participants from around the world. It painted the following picture:

  • Women are globally underrepresented in the cybersecurity profession at 11%, much lower than the representation of women in the overall global workforce.
  • Globally, men are four times more likely to hold C- and executive-level positions, and nine times more likely to hold managerial positions, than women.
  • 51% of women report various forms of discrimination in the cybersecurity workforce.
  • Women who feel valued in the workplace have also benefited from leadership development programs in greater numbers than women who feel undervalued.
  • In 2016, women in cybersecurity earned less than men at every level.

Indeed, those statistics resonate for some of the women we interviewed. One San Francisco-based infosec professional, who asked that her name not be used because of potential repercussions at work, explained how she was encouraged to apply for a position within her company on an all-male team only to be told later that those who encouraged her didn’t really think she’d fit in. She pressed them for examples of why she wouldn’t work out and got no answer. She believes the real issue was gender.

A call to action

Those interviewed said it’s time to move beyond studies and surveys that merely illustrate an already understood problem and start focusing on some action items that’ll lead to meaningful progress.

Wu would like to see reports and articles that are more a call to action on what can be done at the individual, corporate, and community level to positively impact the numbers:

For example, do the women who are in the industry today get into it because of a mentor? If so, we should try and be more proactive about reaching out to people about mentorships or establishing mentorship programs at conferences and work. We are asking some of the right questions, but it may be time to shift focus from why there are so few women to why the women who are here stay.

As the industry grows, so does female representation

Some say surveys like this are flawed for a variety of reasons. The questions don’t dig deep enough into respondents’ skills or match up with the actual roles they have in their companies. The surveys also don’t paint a full picture of areas where progress has been made.

Allison Miller has seen the good and bad in the industry over her career, which includes technical and leadership roles in several industries and now product strategy for Google Security. With a seat on the (ISC)2 board of directors and on selection committees for popular security industry events, she has an even broader view. She said:

As the industry overall has expanded, the representation of women has kept up and in some sectors even grown.


Domini Clark, a recruitment partner at Decision Toolbox, said she has seen the challenges over the course of steering people toward jobs in the industry. But things are improving:

There is far greater awareness than there was when I was going to school, but the tide has not shifted completely.
Women often face other issues that men traditionally have not faced, like family care and being stretched too thin on all sides, personally and professionally. Culturally, I think that is changing some as well.

The way forward

Miller said she has worked across the spectrum, in “amazing, inclusive cultures” and places that were not. Women should research the culture at the places they’re looking at. They should learn all they can about the management. Above all, they should play to win.

My strategy for women in any industry is, compete and win. Really go for greatness. What we need is people who want to be here [in cybersecurity] and are really willing to work hard, set the bar higher. Only by being competitive can we get a seat at the table.