Tuesday, January 15, 2013

If a Job can go 1.5 Years Without being Filled, I Contend the Job is not Necessary

The title of today’s Security Recruiter Blog is not one I came up with on my own. This title is actually a statement made by one of my LinkedIn connections after we knocked the ping pong ball back and forth, so to speak, on several topics last night by way of our mutual connection on LinkedIn.

What prompted this dialogue was a topic around whether or not there really are jobs out there to be filled. 
I prompted the dialogue accidentally when I posted an update to LinkedIn suggesting that I had delivered 2 resumes to a client that turned into 2 interviews. I also let my LinkedIn connections know that I had just completed 2 preparation processes with the candidates for these interviews, which happen today.
Our back and forth comments covered a lot of ground late last night.  Where the dialogue rested was on the point that serves as the title to this blog. 

An Open Position 1.5 Years
I made reference yesterday to having had a candidate start yesterday on a position my client had sitting open for 1.5 years.  Here is exactly what I wrote in the LinkedIn dialogue.

To address another one of your points, I see many security requirements that describe several people in one job description. Sometimes multiple areas of competency can be found in one candidate but frequently these requirement-heavy jobs go unfilled for months or even longer. I had a candidate who started on one of these requirement-heavy jobs today. My client told me they'd been searching for 1.5 years to fill this position. It made my day to learn that I was able to help solve a problem of this magnitude. In the end, it was an outstanding candidate who prepared for the future who earned the new role. I simply got to open the door.

The person on the other end responded with this comment:

That lack of technical skills stems from our education system has not changed in over 50 years and the world has changed a little. You see candidate after candidate need to work but lack the experience, certifications, and knowledge. How does anyone in this Industry get experience? How can Info Sec college graduates be graduating without 1 Networking or Firewall Certification? Would that person be qualified for any job that you recruit? If a job can go 1.5 years without being filled I contend the job is not necessary. How did the company make it that long without the mission critical role being filled?

A Niche within the Security Recruiting Business

There are several topics in the last paragraph that are worthy of addressing but for today, I’ll address the last sentence.  I didn’t set out to make this my niche but over the past 5 years or so, I’ve filled many security jobs that had been open for 6 to 18 months.  I prefer to work on brand new positions so I can help my clients architect the position description in the first place but frequently I'm called in to clean up a mess.
All of these security jobs I refer to have been mission-critical positions to fill, thus the reason that each company was so deliberate in their approach to filling each job and the reason they were willing to finally pay a search fee. 

Back to the point the writer on my LinkedIn update made, I would argue that each position I’m about to profile was necessary for each company.  The reason each company made it as long as they did without finding a solution is that they simply got lucky.  Nobody in the hacker community thought to go after these particular companies when they were missing critical talent.

Here are a few examples to give you a flavor of the complexity of positions that go open for so long.

Application Security Architect
Open for 1.5 years

I just filled a brand new Application Security Architect role that my client tells me was open for 18 months. The company made it without this person simply because in the past 18 months, they had nobody playing offense against the defense they did not have in place with regard to application security. From this point forward, my client is now in a position to fortify their application security defense.
What was missing in 18 months’ worth of interviews? Recruiters serving my client did not understand the complexities of a secure software development / application security skillset and/or previous candidates possessed technical skills but little to no ability to address my client’s business issues at an enterprise architecture level. The company’s job description in this case didn’t do a very good job of identifying the company’s need for an application security skilled professional.

Chief Information Security Officer
Open for 9 months

After a newly created CISO role had been open for 9 months and numerous CISO candidates had walked through the interview process, this client brought me in and granted me an hour of time with their global CIO. In this hour, I asked the CIO questions he had never been asked about his desire to hire the company’s first CISO. By the end of our call, I was able to identify precisely what the CIO wanted and needed in a CISO candidate and I learned what the gap was between what the CIO wanted and needed and what he was actually receiving from his HR staff.
In a few weeks’ time, I delivered one candidate who possessed the laundry list of skills, experiences and traits my CIO client requested. A couple of weeks later, this position became a filled position.

Head of Security and Risk Management for North America
Open for 18 months

This position with a global telecom company had been open for 18 months before I was engaged to solve the problem. I worked with a senior HR leader and was granted access to both the CFO and the Controller for North America. These individuals were significant stakeholder decision makers connected to this search. The call lasted 43 minutes. I listened for 38 minutes. In 38 minutes I discovered the gap between what the CFO and Controller wanted and what they were getting from the 18-month-long search process that I was not involved in.
The job description in this case was not written in a way that lined up with the CFO and Controller’s wants, needs and desires in a CISO. I rewrote the position description and implemented a process of direct recruiting, an approach my client had not used before I came along. I delivered one candidate 3 weeks into the search. Approximately 4.5 weeks into my search process, this 18-month problem turned into an opportunity because the right candidate walked through the door and the position was filled.

Director of Corporate Security, Anti-Bribery and Corruption Compliance Officer
Open for 9 months

I received the call to assist with this position after a global $650M company had worked on their own and they had worked with one of my competitors for 9 months. After investing an hour or so on the phone with the Chief Compliance Officer, I discovered that they were interviewing federal law enforcement agents because a consultant with a DHS background advised them to hire a law enforcement professional.

As I probed and asked the Chief Compliance Officer about the needs of his business, it became crystal clear to me and to my client that what he really needed was a corporate security professional who had sound business experience, enterprise risk management experience and global experience working across many different cultures.

I re-wrote the original job description and aligned it with the conversation I shared with the Chief Compliance Officer and came up with the right candidate a few weeks later.

The reason this Chief Compliance Officer wasn't happy with 9 months of interviewed candidates was that they hit a target that was not his target. Once the Chief Compliance Officer's target was clearly defined, the search process could then be clearly defined.

Where is the Gap
The gap that keeps positions from being filled has many components.  I’ll address two components to keep it simple. 

Frequently, companies that have open positions do a less than stellar job of putting together a job description that actually aligns with the position they have to fill. 
On the other side of the coin, security professionals all too often present resumes that are task oriented when employers are holding out for strategic, big-picture hires. 

The disconnect starts with a poorly written description of a strategic, mission-critical job, and the problem is further compounded by security resumes that are written in a tactical, non-strategic, non-big-picture format.

My personal experience dictates that there most definitely are mission-critical positions that remain unfilled for 6, 12, 18 months that are in fact critical to the organization.  The fact that an organization doesn’t suffer a breach of any kind while such a position remains open is frequently attributable to pure luck.
Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog
