Tuesday, September 25, 2012

Confidentiality in IT Risk Management Recruiting and Security Recruiting

Confidential Searches

The topic of IT Risk Management is heating up in my recruiting world.  Over the past few years, the CISO jobs and CSO jobs I’ve been fortunate to fill have all had some level of responsibility for creating Risk Management programs where they never have existed before.

Recently, I filled a Manager of Security Governance and IT Risk Management role.  This position was a newly created position in a $20B global company.  The person who won this position is currently writing policies and procedures and he is building the foundation of an Enterprise IT Risk Management framework for the entire global organization.

A position on my desk today is a Security Governance, IT Risk Management Analyst.  This role will serve as the right hand to the Manager of Security Governance and IT Risk Management mentioned above. This too is a newly created position.

In my pipeline is a VP of IT Risk Management and Compliance for a $75B global company.  This too is a newly created position reporting to a global CISO.  This position is being created because of government regulatory compliance pressure.  I'm waiting for a contract with this company but when this search starts, it will be confidential in the sense that I'll rely on direct recruiting rather than positioning the job on a billboard.

I don’t take on a search unless I have open communication with key stakeholder executives.  Examples of key stakeholders include a CIO, CTO, CFO, COO, Controller, Chief Risk Officer, Chief Legal Officer, General Counsel, etc.  

Sometimes the roles I take on are highly confidential.  This means that if someone sends me a message, as someone did last week on LinkedIn, and asks me to publicly discuss details of a search on my desk on LinkedIn or in any other public forum, I will not.

Recruiting After a Breach

Sometimes, I’m called in to recruit security talent after a company has experienced a breach or a series of breaches.  It is not always appropriate for me to openly discuss details around this type of search.

In the specific case of the LinkedIn message, I quickly got back to the person who asked for more information and offered him my direct dial phone number as well as my email address.  This person has never followed through with a call or an email so he didn’t get what he wanted.

Posting Open Security Jobs

For a long time now, I’ve wondered how much it does or doesn’t make sense for companies to openly post security jobs.  I’ll share these thoughts in another securityrecruiter blog.  For now, please understand that there are searches that I can openly discuss in a public forum and there are searches that I’ll never discuss in a public forum. 

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog
