[00:00] Chris Sienko: It’s celebration here in the studio, because the Cyber Work With Infosec podcast is a winner. Thanks to the Cybersecurity Excellence Awards for awarding us a Best Cybersecurity Podcast Gold Medal in our category. We’re celebrating, but we’re giving all of you the gift. We’re once again giving away a free month of our Infosec Skills platform, which features targeted learning modules, cloud-hosted cyber ranges, hands-on projects, certification practice exams and skills assessments.
To take advantage of this special offer for Cyber Work listeners, head over to infosecinstitute.com/skills or click the link in the description below. Sign up for an individual subscription as you normally would. Then in the coupon box, type the word cyberwork, c-y-b-e-r-w-o-r-k, no spaces, no capital letters, and just like magic, you can claim your free month. Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week.
Enough of that, let’s begin episode.
[01:04] CS: Welcome to this week’s episode of the Cyber Work With Infosec podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
Karl Sharman is vice president with BeecherMadden, a cybersecurity staffing and recruiting firm based out of London. We talk a lot about cybersecurity tips, career tips here. This is called Cyber Work, after all, but it’s not every day that we get to talk to someone who actually helps put people into cybersecurity positions.
We’re going to talk about ways that security departments can find the right people for their positions. How professionals can find places to work and how hiring and career movement is happening in the age of shelter-in-place.
Karl Sharman is a former head of recruitment in football, soccer, that assisted in selling 1 million pounds worth of talent for a variety of clubs. Since switching to cybersecurity recruitment in 2017, Karl is now the North American practice leader for prominent cybersecurity recruitment company, BeecherMadden. With 10 years of recruitment experience, he supports organizations in their help to identify, acquire and retain talent in the cybersecurity and risk management sector across North America. He consults the industry on career paths, salary benchmarking, talent pools and recruitment and retaining strategies. Karl was featured in the top 1% of search and staffing professionals globally by LinkedIn, and BeecherMadden won security recruitment company of the year for 2019.
Karl, thank you so much for joining us today on Cyber Work.
[02:35] Karl Sharman: No. Thank you for having me. It’s a real pleasure.
[02:37] CS: I want to talk about your background a little bit. That’s a great bio. You moved over to cybersecurity recruiting specifically around 2017, and before that you were involved with football, or soccer for us yanks. When did you first get interested in computers in tech? Was this something that you are interested in when you were younger or did this come later in life or just with this particular job change?
[03:04] KS: Yeah. It’s a really good question. I think when I was growing up, animals and sport, they were sort of my two things growing up. I did a lot of soccer. I’m based in America, so I have to say soccer now.
[03:22] CS: Sorry about that.
[03:23] KS: Yeah. I did a lot of like horseback riding and stuff growing up as well. There were like my two obsessions. My uncle introduced me to a computer. He’s an aircraft engineer and he was very technical in that respect and introduced me to computers at a very young age and got me into that sort of gaming world and a lot of different other areas. But it wasn’t really to why I came out of university where I did football and business study at university, and I only knew like computing like for the internet, Microsoft Word, Excel as a normal worker. But when I got into the soccer industry, it was very data-driven, database heavy, a lot of analysis from that respect. So I had to learn a lot of technology that I hadn’t. Because of my – Because I’ve been I suppose exposed to that, it allowed me to accelerate my career and allowed me to get up the ladder a log quicker, because when I entered the soccer industry, they were looking for people that had that type of skillset who are quick learners, adaptable with technology, because so much technology was entering the market. This was in sort of 2013, 2014, and we had all these statistical data-driven, like I said, technologies entering the market and a lot of the – No disrespect, but a lot of the older god who used a notepad to do scouting, suddenly had to adapt their methods but almost slower and stuff like that and it allowed me to accelerate. That was my real exposure into technology.
When you ask about cybersecurity, that’s very different. I think you’re aware of like generic terms, being a generic person, like hacking or phishing, them types of things, and you’re very aware of, I suppose, the word fraud or scam is a lot more common for a normal person. I think once you start to even read a little bit of the content, you suddenly start getting a little bit obsessed. It’s like the murder stories that you get on Netflix, and you watch one, and then you want to watch more. It became like that with cybersecurity. It became like another, “I won’t go as far as an obsession.” But there’s some great people that put some great content out there, whether it’s podcast, written content, a variety of different methods and I just started reading about it.
Then in 2017, I had a lot of some value, some deliberate choices, I suppose, in the soccer industry, and I opted to team up with a soccer agent who had started his own recruitment company and he started in technology and they were making a lot of their money through developers and placing developers, building architecture teams for companies, doing a lot of transformation work.
One area that he had touched was cybersecurity. I approached him and his other cofounders interviewed me to head up that space to them. That’s how it really started. I sort of used my recruitment and talent acquisition skills and just had been learning and reading about cybersecurity, and it was a huge learning curve talking to people like CISO, CIOs, about what they do.
[06:39] CS: Oh, sure. I’m here.
[06:43] KS: Yeah.
[06:43] CS: What we do. Yeah, I’m learning on the fly as well here right with you.
[06:47] KS: Yeah. Well, I mean, firstly, what you do is a great way of learning, be all I did was ask a lot of questions and listened. That was really my acceleration.
[06:55] CS: Exactly what I do too.
[06:56] KS: Yeah. But it works. It works, and that’s my recommendation to anyone who wants to get into the industry and learn, is just ask, ask, ask. Ask as many questions. People want to give you that time, especially in the US. The UK culture is slightly different, and that’s where I’ve come from. You will find people that want to learn, but everyone wants to give you that helping hand, and that’s just the British culture, unfortunately. But in the US, I found that once I entered this market in early 2018, it was just over 2-1/2 years ago now, it was totally different. Everyone wanted to have that conversation, and I have a number of mentors who are CISOs in the US now who if I need to understand about certain aspects of in this framework or certain aspects about this technology to help me better answer questions for my clients, I’m now able to do that because of the help I had. That was really what accelerated my knowledge in the market, was just asking questions.
[07:56] CS: Okay. I guess we’re here today to talk about hiring strategies in the cybersecurity industry. So I’d like to start with a topic that’s been very curious to us here at Infosec. We’ve had some mixed messages regarding hiring practices in cybersecurity. Are you finding that organizations are emphasizing the need for traditional educational credentials, like a VA or a VS, when searching for candidates?
[08:23] KS: I feel like these questions come up a lot lately, like a lot from organizations, a lot in interviews. A lot of people have contacted me about this. What are we seeing? I must say, and I don’t have the official status on it, but I imagine looking for our job description since the start of the year. 95% was to include a bachelor’s degree and there’s a real issue in that, because as you know and as many people know that will be listening and watching this, not everyone has a degree.
Firstly, there’s a great group out there called Aspen Cybersecurity who are trying to change the initiative with this, like we are. We spend a lot of time, probably 60% to 70% of my time is spent educating clients on what they should look for. How a job description should be? Poor job descriptions are leading to this myth of a skills gap. We’re going to come on to that as well in a little while. But yeah, going back to your point about bachelor’s degree, so many companies ask for this, especially large organizations. Normally, it comes down to company policy. Normally, it’s done because the finance team has to have this or the sales team has to have this.
But in cybersecurity, we’re creating our own skills gap, which is only created by ourselves that is being generated by people making poor job descriptions. I think that’s what allows it to be exciting for us and we’re creating opportunity for us, because it creates that education path for organizations. I know it’s hard, because the security team in control of all these processes, aren’t in control whether needs to be a bachelor’s degree. But there are some companies that will get better talent by just opening this market up.
I think with that, I think we need to get over this bias. I think we have this old school bias that university degrees equal being intelligent, and I think that’s totally wrong, and I think a lot of people rely on that. A lot of the organizations rely on that as a safety buffer and to say, “If this person fails – Oh! He had all the credentials, had all the certifications. He must have just been the wrong fit,” and I think that’s a total wrong way of looking at it. I think we need to take more risk. I think we need to take more chances on people. My push to my clients is very much, “Why don’t we measure on culture fit? Why don’t we look at them avenues and start to look down them roots rather than focus so much on certifications and degrees?” Because certification and degrees, all they do is they’re a tick box exercise in certain cases. I want to talk, I’m currently on my master’s degree. So I’m not exactly living by the my own standards here.
[11:12] CS: You’re not anti-education anyway. Yeah, but it’s a specific sort of barrier to entry that might not be necessary there.
[11:21] KS: Exactly right, and I’ve had very, very excellent candidates that are rejected in the process because they don’t have a degree. There are even companies that will reject them if they don’t finish the degrees or the certifications before they can accept the job. I mean, it’s insane to me. It’s a barrier that we’re putting in place that we don’t need to. Like I said, I think it’s very much a bias. I think it’s very much to protect people. Cybersecurity, and this is sometimes the problem with HR generalists in certain cases, is they base cybersecurity on every other market in their organization. As we know, cybersecurity is very complex. It’s a very different market. Sometimes you need to breakdown them barriers of exactly the same salaries for audit as it is for cybersecurity or the exact same salaries for the finance team as it is for cybersecurity, but we also need to do the same with job descriptions. Degrees is a huge part of that.
Like I said, there are a number of groups that are trying to improve this. But me personally, I’d rather go to an organization that wasn’t making that and putting barriers in my place, because if that’s the type of red tape that they’re putting in place, that could be the red tape – That could be a sign of the red tape that could put in in other places when trying to maneuver.
[12:38] CS: Right. Yeah, I asked that question specifically because there’s a very interesting sort of friction going on right now. I talked to a lot of CISOs, CEOs, even CEOs of their companies and so forth, will say, “As long as you have the ability to prove your work, lack of degree doesn’t matter.” But we’re still hearing these stories, like you said, where people without degrees aren’t even getting sort of in the door.
There seems to be this sort of disconnect between HR or the hiring manager tailoring these job descriptions, looking for these unicorn candidates. But at the same time, on the other side of the barrier, there are people who would actually work with this person saying, “I don’t need any of that stuff.”
It’s not even just that we’re sort of like trying to turn the hearts and minds of these companies. It’s that we’re trying to get them to sort of even sort of connect together within their own company between the sort of what IT security departments need and what HR is trying to give them. What do we do about this friction?
[13:42] KS: That’s the hardest part. If you go into any organization, there are a number of riffs, friction, as you say, as a good way of describing it. I think, often, it is between HR and the hiring managers and sometimes we get involved in that, because we get stuck in the middle. We’re here trying to place a candidate, and that’s all our aim is. Our aim is to solve the CISOs pain. That’s the way we look at it.
We are 100% focused on that, and sometimes HR or other leaders get involved and love that, because they have their own agenda. For anything that we’re looking to do, the number one skill that we need is influence and the number one skill that CISO needs currently is influence. How much influence can you get over your board, over your C-suite, over your HR? We’re in exactly the same position. We’re trying to influence as many people to convince them that our candidate is the one they need for this position.
[14:42] CS: I imagining this is sort of thing that eventually people will get the point, but by then, it will be too late. Are there things that we can sort of be doing in the meantime to sort of, as you say, be swaying the C-suite and be swaying HR and stuff?
[14:57] KS: For me, it’s data. It’s being the evidence, data-led. What I mean is not just tracking data for the sake of tracking data. It’s actually quality, high-quality data. For me, that’s evidence. That’s the evidence. If it’s taking too long to fill a position, and what I mean like that, is anything over, I suppose, 8 to 12 weeks, is way too long to fill. Now, I get it. Companies might have really long processes, and we can come on to that, sure, about company processes.
[15:28] CS: Yeah. A whole other can of worms. Yeah.
[15:31] KS: Yeah. We might lose candidates for that process. I totally understand that, and that’s why companies sometimes partner with us to try and manage same candidates through the process. However, there are certain things we can do, and one of them is what we say to our clients, is what’s the three things you cannot live without on this job description? Eliminate the rest. What’re the three things you can’t live without? Because you start to make hiring managers and HR directors or whoever it is in the talent acquisition process. Really consider what’s a priority, and prioritizing is probably what the humans are worst at by far, because we just want to find this perfect person.
[16:12] CS: We want everything. Yeah.
[16:14] KS: Yeah, exactly. There isn’t that perfect person out there, and we rule out very, very good candidates because they haven’t got A to Z. While really, we just need A, B and C. That’s all we need. That’s all we need. The rest of it is culture fit. That should be 30%, should be the three things. 70% should be culture fit. Because if you’ve got someone who wants to learn, who’s ambitious, who’s driven, who’s going to do their absolute all for the loyalty or the person or the brand, depending on where their loyalty sits, and often it’s the person. Often it will be the CISO or their hiring manager. That goes a lot further than having certifications, a degree, 100 things that needs to be happening.
What we find, our data has always told us, when we’re looking at diversity recruitment, which is something that we spend a lot of time on. A lot of candidates don’t apply for that job, because the job description is too long. We find that neuro-diverse, and often women, pull themselves out when they get two things that they haven’t got, two or more things that they haven’t got on that job description, they rule their selves out. You could be ruling out 30% to 40% of your talent pool solely through making job descriptions too complex, too difficult to adhere to, or even too long, which can be quite boring for people.
If you look at our website or the way we do job descriptions, we have three things that you will be doing on your day job and three things that you need to be qualified for that position, and that’s how we qualify people. That’s what we try to tell our client. Unfortunately, like you said, there’s a friction there, because often it’s company policy. I think the CISO needs to be a little bit more open when applicants are coming through and actually bypass HR and go, “These are the three things I’m looking for,” and when candidates get sifted through from talent acquisition, or recruiter, or HR, she go, “Do they meet the three things?” If they do, that qualifies them for an interview.
Then we can start then putting into processes in place in order to actually make this a more successful hire for that hiring manager. That is the key steps that we are now taking with our clients to mitigate this friction with HR, talent acquisition or, like I said, the company policy, because its culture is free influences there. You’ve got culture. You’ve got leadership and then you’ve got the actual opinions of people, which is the hardest thing to please, because that can change on a daily basis.
[18:43] CS: Yeah. I mean, that lines up. We’ve had a number of women in the industry on the show in the past and we got a very consistent answer and statistics of people agreeing with this, that a lot of women or people of color, or you said, neuro-diverse people, will avoid if they’re not 100% qualified. They say, “Oh, I’m not going to do it.” Whereas a lot of other folks will – If they’re 40% qualified, they’re like, “Close enough.” But I really like this idea of like cutting it down to three you need, because I think it seems to me that a lot of the sort of issues we’re having here is this sort of templatization of job descriptions and also, like you said, that notion of like it’s like packing for a vacation. You got to pack everything. It’s like, “All right, we’re getting it all into this one little bag. We’re only going to be out of town for two days.” Figure it out.
I think is there a benefit I think to maybe just scrapping the sort of HR job template in the case of security and sort of custom writing these on case-by-case basis? Do you think that all sort of clear the clutter maybe?
[19:49] KS: Well, I mean, I don’t understand how we don’t do that. It should be per position, not as a standard. I say that’s a candidate. That candidates should provide a resume that fits that job, and that means they’ve taken the time to do it. Organizations should take care. This is their external marketing. This is how candidates perceive them in the market, and we are in the candidate-led market in cybersecurity. We are all trying to find the A players in the market. That’s what all organizations want. They want the best that is out there for the price they’re willing to pay.
If you’re market the wrong job description or just generic terms, you’re not going to appeal to the market that you probably want, which is the market that everyone is going after. If you want the best, you need to market it better. There are certain organizations that do it very well, and there are certain organization, especially large companies that don’t, because they just get generic HR people to often write their job descriptions.
The risk and security teams are often very busy people as they have a day job to fulfill and they will have a look at it and go, “Does it do what I basically need?” “Yes.” “Let’s sign up for that.” That’s commonly what we see as that issue, and I totally get that, because CISOs are very overworked in terms of their jobs. Many security folks will say that they are, and they don’t have the time to do recruiting. They don’t have the time to do job descriptions. They have HR partners for that reason.
That then means you’d go out to a non-specialist and you go out there and they are trying to search for people and often search wrong and waste time, or they come up with these generic job descriptions that don’t market the company appropriately, and marketing the storytelling is the two biggest skills I think companies need to realize when they are doing cybersecurity. Like I said, some companies are doing exceptional. Some companies have podcasts, marketing tools. They’re holding events to try and look candidates saying they’ve got really good internship programs. They are trying to do as much as they can to build a talent pool or to increase their talent depth for when someone leaves. They now have a number of names that they can go that they already know, and that is impressive, and that is talent strategy. That is talent marketing. That is where it needs to go. If you’re going to get ahead of the curve or the talent on war as we call it here. But you have to get ahead of the curve, and it means being creative, and it means being a marketer, and it means being a storyteller. That’s where leaders in cybersecurity need to convince their HR and talent acquisition to transition to in order to get ahead of the curve and actually decrease the time, which is what we all want. We want that pain to go away. We need to decrease that fill time, and that’s where we’re focused on, and that’s what we’re focused on doing.
[22:52] CS: Yeah. For as long as I can remember, going back to college, they would say when writing a resume, they said customize it to the job, but also like in the cover letter and in the resume, you need to tell the story of why you would be perfect for them and build the bridge to the employer. But we don’t see a lot of that in the other direction where they’re building the bridge to the person that they want, and I think what you’re saying here makes a lot of sense in terms of like we both need to be on either side. We need to be building the bridge to each other. You need to see why you could work here and why you’re not having to swim across the moat filled with alligators and to even get to our front door.
[23:32] KS: Absolutely. Absolutely. I say to every candidate that interviews for us. When I’m preparing them for their interview, I always, “Look, utilize this as a two-way interview. It has to be like that.” We’re no longer in that bureaucratic society where it’s a one-way interview. It has to be two ways. Organizations need to be aware of that, that they are interviewing and the person is interviewing them. Because, often, we know that candidates will have 5, 6, processes if they’re actively looking. Even if they’re not actively looking, they will guarantee, have other options, or at least have two or three other options. You can sort of guarantee that in the recruitment market that you know you’re fighting for that talent. You need to be able to put the right solution in place, and that is from that job description. That job description is the first thing that people often see going into the process. If you’re talking about a talent identification and talent acquisition process, the first point of call is often that. The second point of call is often a talent acquisition person or a recruiter. You have to screen them. You have to make sure that they are saying the right things. They are marketing the organization and the appropriate ways and able to answer the questions that the candidate might give them. Then it’s all about the process from there. How they get into the process? Who’s interviewing? How well are they interviewing? Is that aligned with everyone else in the process? Are we all saying the same sort of vocabulary? It’s them little details that give you their marginal gains, extra 1% that we’re incredibly focused on here that allows us and allows organizations to win. That’s what we care about, is our clients winning. That’s all we care about, and it’s them little 1% through that process. As you said, it starts with that detailed, but very concise and very specific job description.
[25:20] CS: There you go. Do you want to talk at all about the sort of – We talked about the skill’s half-life, where even if you’re not doing education thing, but you’re just learning the industry. So much information is worthless after 6 months, or outdated, or whatever. Do you feel that the speed of technological development is preventing potential cybersecurity pros from keeping up with these innovations?
[25:46] KS: It depends on the individual. I honestly think that we are very fortunate in cybersecurity. People are aware of that. I think if you’re not, you’re in the wrong industry. I think if you don’t want to learn, innovate, change, you are in the wrong industry. You can’t stand still in cybersecurity. But there is – We can’t. We can’t stand still. If we stand still for a month or two, we no longer exist in doing what we do, because our competitors take us over or we don’t keep up with the latest trend. There are certain growth areas, such as incidence response, application, security, cloud security and product security that are them four areas are high-growth. There’re a lot of different areas going into them without going into the technology side of containers or the account providers. You can start going in and going very complex with that. It is all about keeping ahead of the trend to make sure that you have a job in 5 to 10 years’ time, and that’s where you’ve got to keep asking what’s your why and where do you see yourself in 5 to 10 years’ time? Where do you see the market?
That’s why I’m always saying, “Ask. Ask.” Ask us what we’re in trends. Where do we seen them going? Ask the CISO what are they seeing? You have to keep asking questions to make sure that you are maintaining with the trend, with the curve. Yes, okay, you want to keep ahead of the curve, but that is incredibly difficult to do in ensuring the knowhow and got that exposure. If you want to stay with the curve and make sure that you keep current and don’t fall out of the employment circle, which can happen to many industries as they have done previously, you got to keep learning and keep educating.
What’s been great the last 2, 3 years is seeing many of the providers like the Infosec Institute and some of the other companies that were in the space actually providing education tools, the chance to actually use some of these technologies, whether it’s on the forensic side or the real like tool side of the same tools, etc., but actually getting that hands-on experience as well as not just listening to a speaker or what it could be. I think that’s where organizations are now looking who’s actually got hands-on experience that can actually bring that in and actually provide, utilize that in-house, and them learning tools are allowing people to keep advanced and keep ahead of that to actually empower and enable some of the organization’s problems.
[28:16] CS: Let’s turn this around a little bit to the other side of the equation in terms of people looking for jobs. Hopefully we’ve removed some of the barriers to entry here. We’ve eliminated the education requirements and we’ve sort of paired it down to the things that the company really wants. If you are someone who is just kind of getting started in the industry and maybe you don’t have a lot of hands-on experience. What are some of the things that you can do with your resume in your cover letter that will sort of make you standout and come to the attention of the companies that you want to work?
[28:49] KS: I think it’s a really good question, and I’ve been asked that a lot by candidates obviously with the current climate. I think it sort of makes you think, because it’s not just what we look at. We’re trying to put ourselves in the shoes of the hiring manager and what they’re looking for, and that’s very difficult, because it’s the individual, and that’s where it’s slightly complex. But the generic things that we say is very much around keep it short. Try and keep it two pages or less. No one really cares about what you did 10 years ago, even 5 years ago. Everyone’s about now in the present.
As you just said, cybersecurity is ever-changing. You won’t have been doing the same technology. We don’t be maybe using the same technology 10 years ago as you are now. It’s adapted. It’s changed. People care about the near and the present. That’s the first thing. Keep your previous jobs very small. You can keep the jobs in there, I think that’s really important, so they don’t think you got gaps in there.
[29:51] CS: Or just highlight the one thing that you did 10 years ago that still relates to what you do now, or whatever. Yeah.
[29:55] KS: Exactly right. Exactly right. Then achievements, numbers and tools. Any, as we said, data is king these days. It provides evidence. If you can show a 50% reduction in threats because of something you did, that’s great.
[30:13] CS: Keep those numbers on the job too, like while you’re doing the job. Make sure if your boss says, “We’ve brought the number down.” Make a note somewhere, man.
[30:23] KS: Absolutely. People can see that. People can feel that, and that’s what I’m talking about, about being a marketer, being a storyteller. You have to be able to tell your own story. No one cares that you turned up to and worked 40 hours a week. People care about your actual achievement, your actual experience within that position. That’s what crucial. That’s what people would look at. Okay, there’ve been a – Biggest retailer in the world, but what did they actually do? What did they actually achieve? Were they actually hands-on? Were they actually dealing with this at all? Were they using this same tool or were they part of the sock, or whatever it can be for that position. That’s really crucial.
The third part is the most critical, right? If I look at jobs on LinkedIn, and we can all do this. We can all go in LinkedIn, put in our favorite job, put in CISO. So many applicants inside. I guarantee it’s at 300, 400 applicants, maybe more. Then they probably either got a – They got an internal team on that. They got internal referrals. They got external referrals, and they’ve got recruiters on there. You’re talking about 5, 6, avenues. That’s about going to job boards. That’s about going to like brand and conversation, job people that they’ve had previously. There are so many different ways of getting to people, which is all the ways we used, by the way, as well. If we’re recruiting, you’re talking about 10, to 20, to 30, to 40 different avenues by the time you start getting some recruiters for that organization to sort from and you expect your resume to get to them, get to the hiring manager on the desk and actually be seen and looked at. The chance of that is – Okay. It’s not the same as what Richard Dawkins says about us being born. But it’s a real hard chance.
[32:09] CS: It’s overwhelming to some people.
[32:11] KS: Absolutely. I’m sure, you’ve gone, like if you go and look at a new job and you see 400 people have already gone from LinkedIn. I’m like, “Well, I’m not going to apply for that.”
[32:21] CS: I’m not the one. Yeah.
[32:23] KS: Yeah. If my profile doesn’t line up exactly, I’m not going to stand out. What do I do? Well, I apply and then I follow up and I keep following till at least someone answers my call or someone answers my email and I keep doing it. I deep trying to get referred in. I use a recruiter and I call the recruiter till they’re fed up of me. I never ever – By the way, other recruiters might be different. But I never ever get fed up by a candidate that keeps ringing my phone about an opportunity.
I want to understand not that they’re hungry or passionate, but I need to understand about their profile. I need to be able to tell their story. I can’t tell it off a resume. There’re only certain amounts of information that a resume can hold. If I see a 12-page, 15-page resume, I’m already bored by the first page, and that’s no disrespect to the person, but we get through so many resumes, so many applications. I don’t have time. But if someone’s got a two-minute pitch to me about their candidacy for a position, I can either tell them that they’re right for the role or they’re wrong for the role, but at least I get an idea if they are right for the role from my perspective, and then I can present them to my client. That is the key. It’s all in the follow-up, and people forget this. People get so held-up. I don’t even read cover letters anymore, because it doesn’t tell me enough. Often, cover letters tell me exactly what they just told me in the job description – Sorry. The resume. Sorry. The resume tells me exactly what’s on their LinkedIn quite often. I could have just searched for them on LinkedIn and found that. What are you telling me differently, make me standout and make me go sit up and go, “Okay. They are the ones I need to call back. There are the ones I need to get in for an interview.” That’s the difference. It’s all in the follow-up. The resume is just not enough anymore.
[34:17] CS: Now, that sort of brought up another thought that I just had, but I think we’ve all had it before. We’ve applied to what we thought was a job we would have been 100% perfect for. It absolutely lines up with our experience and don’t even get a call. What are some – Without being a nuisance or whatever, but like what are your some suggestions for sort of like making your case even when you think you’re perfect and you’re not and they don’t think you’re perfect or they didn’t see you or they got bored after five resumes or whatever. Do you have any other tips on that?
[34:49] KS: Yeah. Again, it’s incredibly complex, because you don’t know who else is involved in the process. That’s the key thing. I think always have more discussions. Talk to more people in the company than you need to if you’re going directly. If you’re going for the recruiter, ask them what will make you stand out as a candidate for this position. What was the hiring manager or the HR director said to them about what they key parts of this position? Ask them more questions, and that’s where ask, ask, ask comes into it, because it’s such an important way.
If you’re trying to go direct, get referred in. Get in referred in by someone else in the team. Do you know someone? Security is a small market. I know like on our database we probably have anywhere between 6,000 to 10,000 people, which sounds a lot. But it’s not once you really know the moving parts.
[35:43] CS: Yeah. Like all the way across the country. Yeah.
[35:45] KS: Exactly. I would probably know at least one or two people in majority of the security operations across the United States. That’s not because I’m good at my job. It’s just because I get referred into different people. I go and ask people and I go, “Oh, can you refer me into here or can you push into here?” Over two and a half years, I’ve been able to grow my network. That’s the key for people, especially like younger people, is network, network, network. You have to keep doing it, and it’s tiring. It is tiring. We don’t all have the time to sit on LinkedIn and do it. That’s part of my job. I have to sit on LinkedIn. It’s where a lot of my happens. It’s where a lot of my conversations happen as well as the phone, and that’s my job. So I get to network as my job for 24 – What feels 24/7. Anyway, but it’s a huge part of the job and that’s crucial, but it’s the same for people that are looking for their next opportunity or even not looking to keep networking, because it’s a way of learning. It’s a way of having a better network. But if things do go wrong or you need to change, they are the first person you go to like the recruiters to go and get your next position.
I think like the power is in the question. The power is in the network and the power is in the follow-up, and they are the three things that I can say, is how you qualify if this is right for you. Because even if it looks good on paper, what the opinion of the hiring manager might be slightly different to what’s wrote on the paper, because people’s opinion change and it can be a timing thing.
We have that with a couple of clients where they’ve gone – We’ve been searching for three weeks and they’ve gone, “Actually, the CISO’s changed his mind, and we’re going to revisit it next week. We’re going to have a lot of discussions about what he’s actually looking for, because 10 candidates had been rejected. They are perfect on the job description, but are not meeting his needs.”
Then we need to understand that and we always push back on our clients going, “This isn’t working. We can’t keep working like this. This isn’t helping your reputation in the market because you’re mocking around candidates. But secondly, these candidates are going to be candidates that you’re going to want in 2 to 5 years’ time. If they have a bad experience now, they’re not going to want to come back and work for this manager or this company again, and that’s the pressure and the risk that you have when you market or get that opportunity wrong, and that’s the hard thing for candidates, is trying to match the individuals’ opinions or expectations.
[38:09] CS: Obviously, the past few months have probably completely changed the employment landscape yet again with an employment meeting what it is and a lot of people’s job being furloughed and people looking for new work. Can you talk a little bit about what the job market is right now in the age of COVID-19? Are there companies looking for candidates? If so, where? Who’s hiring? Have the processes changed for being noticed or getting an interview or is it all just – Since it’s all online anyways, is it pretty much the same?
[38:40] KS: It’s an interesting question. Firstly, it’s such a strange time to be a part of, right? There’s a lot of moving parts. There are a lot of things trying to understand, and we work globally. I’m very fortunate that I only focus on North America, but our company focuses globally. So we see different things in different areas. If we’re just talking about North America and our main focus is US and Canada where we’re at with that. If we look at them two markets, it’s slow. Every process is slow. Every candidate would tell you slow. Every hiring manager would tell you it’s frustrating right now to do what they want to do. There’s been a lot of cutback. We’re seeing lots of clients and a lot of companies that we deal with pullback and just go, “Let’s wait. The market is a little bit unsteady.” Let’s see what the president does. Let’s see what the markets do and let’s make this plan from there.
As someone who understands business and runs this strategy here, I totally understand that. We’ve done exactly the same from the hiring process. Internally, we’ve put things on hold and focused. However, the risk doesn’t go away and as what we’ve seen, the risk has accelerated from cyber threats or fraud attempts and a lot of other threats industry-specific and state-specific from that.
When you’re looking at what has accelerated, what we’re seeing is a lot of fortune 500 companies that are big targets have kept up hiring or haven’t let anyone go. Those are two strategies that we often see. Because they’re high targets. If you want a major bank, you go after the top ten banks. You want your big payday. You want the exposure if you’re a state entity, or you’re group that’s trying to get attention. They’re still at risk and they’re regulated from a breach response standpoint and they’ve also got a lot of shareholders to please. They don’t want to lose that money. So they have to make sure that that risk and that PR crisis doesn’t occur for them.
The other areas are cash-rich companies, like Amazon, etc. They are doing very well at the pandemic. They are seeing new areas that are coming out, new threats or new ways of working where they’re having to adapt their security staff and breach stuff and having to meet that need. In the other area, which has been great, is being really exciting to see, is critical infrastructure and governments, because they’re having to keep running. They can’t stop running and they can’t let their guard down for any reason. The government entities, I live in Virginia, right now are a lot of the government entities. We are seeing constant hiring, constant growth. There are a lot of new roles being opened up, and that’s the same in the critical infrastructure space.
Don’t get me wrong, there’re exceptions. There are exceptions in healthcare, pharmaceutical obviously are doing very well right now at this crisis. But they’re the sort of free that we see quite often is your fortune 500 cash-rich companies. Like I said, your real critical infrastructure entities that are seeing more exposure of risk and having to deal with it. They are the ones that are really hiring right now and really accelerating in funding from that respect.
Unfortunately, if we flip the coin, you’re seeing retail furlough and get rid of entire security teams. You’re seeing hospitality exactly the same. Obviously, your whole tourism market, like the airlines and stuff like that has been hit, oil and gas companies massive hit. You’ve got the reverse, and that’s where we’re seeing a lot of good talent opening up for the other companies to take advantage of, and that’s the message to our clients right now, is take advantage of this time while there are a lot of candidates. Not necessarily cheaper rates, but you’re going to get them a lot easier and a lot quicker than you could have done previously.
[42:46] CS: Let’s talk a little bit about salary then. It’s this common conception that cybersecurity is this high-paying profession. I mean, obviously it can be at the CISO level, but what are salaries like for people entering the profession and what can you expect to move towards as you reach higher titles in the industry? Obviously, like you said, it’s a little maybe depressed at the moment, but just so we can be realistic with people.
[43:09] KS: Yeah, and we’re trying to analyze that. Like I said, we’re incredibly data-driven. One of our services is salary benchmarking for our clients. We constantly reach out to other companies and say, “Look, this is what we’re currently seeing.” We don’t really know what the fallout is from a salary basis. We all hearing of companies potentially going to fire people, then rehire them on a lower salary, which is obviously a fear of the market right now. I would suggest in cyber that you don’t need to do that. I think you can wait for that right opportunity. But your circumstance might not allow that. You might have to go back to work and earn money for your family.
That’s a risk, and I them organizations will be found out from a branding perspective. I think Marc Cuban summed up previously earlier in the pandemic saying that brands is make and break time for these brands that are not going to look after their people. I think the cyber teams are going to find that as well. Don’t look after your people and they won’t stay or they won’t come back. That’s what’s it’s going to be, and they’re going to tell their friends and that’s going to work out to the bigger market. That’s the first thing on salaries, is I don’t think people should go back to their pervious jobs unless obviously circumstances say otherwise.
In terms of salary banding, what we see for 2020 and going into 2021 as well if people are starting to financially plan for that, sort of your entry rows are anywhere between your 50,000 to 90,000 depending on the skillset and depending on where they sit. What I mean by that is how big the organization is, your exposure, and whether you got any sort of previous experience as well.
Once you start going sort of 2 to 5 years of experience, you start looking between the 90 to 130 banding, what we call sort of an analyst, a consultant or associate banding. That’s how we class it. Usually, experience is so opinionated again, because you came from an IT background of 10 to 15 years. There’s not one path, and I love talking about career paths all day in cyber, because I love it. It’s fascinating.
[45:20] CS: It is fascinating. Yeah.
[45:21] KS: When you get into sport, you go into an academy, you go straight way up. You go into the first team. That’s it. There is normally one route in, unless you get some exceptions. But them exceptions or anomalies. In cyber, when we’ve done a lot of pointing, we go, “Okay. There’s a dot there. There’s a dot there. There’s a dot there. There’s a dot there. There’s not one path, like there are so many ways in.
When we say years of experience, it’s years in the workplace and years of experience of cyber either a cyber –
[45:51] CS: Not necessarily five years being a threat responder, but five years being something of security. Yeah.
[45:55] KS: Exactly right. Exactly right, because that is just as important. That is just as important, because you can navigate that and you can tell a story about how that relates to that job and how that relates, and that’s where storytelling comes in.
A manager, often, we see that banding around people that normally got 4 to 8 years’ experience, normally sitting in a manager sort of position. A manager can be a sort of SME type or a manager of a team. It could be like a SOC manager. It could be an IR manager, whatever it could be. Often that job title is anywhere between 120 to 200. The reason because of that gap, and that’s quite a large gap and we’re going to talk about the CISO position in a minute where the gap becomes huge. But the reason because of that is because every organization values it differently. Some cyber managers would be a cyber director in a larger firm. They could be a deputy CISO in that respect. They could have more responsibility than a manager who’s just overseeing a small team of threat intelligence people. It depends on the responsibility. It depends on the size of organization and it depends on the location. The last thing it depends on is whether you’re regulated or not. I could touch base on a little bit of that in terms of how that’s now working out in the industries.
The next one is director, so what we call directory can be – Obviously, director can be broken into sort of your VPs, your SVPs, your SMDs, your different titles that the banks love and the insurance companies love to throw in now, and it seems like healthcare and pharmaceuticals are now following suit with that. But you’re sort of looking to 7 to 12 years, maybe a little bit more depending on the appetite of the person and whether the pathway to the next step up is there. That’s anywhere between 150 to 250 we’re often seeing.
[47:46] CS: Okay.
[47:47] KS: Again, a bigger gap. As you go up the pyramid, it gets a bigger gap, but then jobs becomes less and less. They start filtering out once you get, obviously as you know, to the CISO position where isn’t that many positions and you’re fighting out with hundreds of other people for that position.
[48:02] CS: It might only be in certain parts of the country too. Like you, there might not be a ton of CISO positions in some place that doesn’t have a huge tech center.
[48:11] KS: Yeah, absolutely. We do that a lot for our clients. We could go and we can talk about talent strategies and how we find them for our clients if you like, but like we start off local for our clients and then we start mapping it out, because like we know that there’s not always the best talent in certain aspects of Kentucky. You might have to have someone who’s remote or might have to pay a lot more to relocate them because of that talent is not there. I’m not picking on Kentucky such. That’s just an example.
But when you start getting to that more rural areas, or like you said, less tech hubs, you start having to fight with other companies that are all fighting for the same talent. What certain organization, is there’s a big financial services found here in Virginia who just started to try and pay premiums on people to get them away from other companies. That has a very short-term effect. We know money only drives people for a certain amount of time. That’s human psychology, Maslow’s hierarchy of needs, if you believe that, suggest that.
[49:12] CS: Yeah, of course.
[49:13] KS: But once you start thinking about, “Okay, what’s the wider picture of this? Okay. Here’s your salary band, but this is the other benefits. We’re going to provide you of an education. We’re going to provide you with access to this, access to that. Here’s your 401 (k) to provide your future. Here’s your healthcare. We’re going to provide you with a healthcare for your family.” You start providing bigger benefits. You don’t have to pay as much as just trying to compete. At the end of the day, cybersecurity, unless you’re a consultancy or a vendor as a call center, and we have to be more critical in terms of what we are paying. That’s where our clients tend to come to us and go, “Am I paying appropriately to get the right level return that I want?” That’s where you can push back on your job description and your talent searches and talent pools. Often, people don’t like that, especially candidates, because I can take jobs out in New York and put them in Dallas a lot cheaper, but also the talent could be better there. That’s where companies have to be awake to that, is like, “Okay, I can go to Kentucky and pay $50,000 less maybe than San Francisco or New York. But is that actually realistic? Is the talent there?” Then you just got to start looking at, “Okay. How long am I going to be able to keep this talent? What have I got to invest in this talent to keep them there? What about relocation fees? Does it actually make sense for me to put that position there?” That’s where it become a whole data play from a talent strategy perspective in terms of that is that worth putting there?
It’s a little bit more than just when we say salary bands. For a candidate, this is great. But for a client, there’s a lot more external and internal factors that they have to consider as to whether they’re going to base this position here or whether they’re going to pay that salary banding. That sort of brings me on to the last point, CISOs. CISOs are great for this, because it does depend on the size company. It does depend on whether you regulate it and it does depend on the risk factors that we tend to see for that organization, i.e. what is their reporting line? Are they having to report to the board because they value security so highly because the risk is so high? That’s going to push your salary banding up a lot more towards the C-suite level.
If you’re two or three down, which still blows my mind, but still happens, and I’m sure a lot of CISOs listening to this, it hurts them because I am having to now be a career coach to CISOs to try and help them improve their reporting line, which I never imagined doing by the way.
[51:34] CS: No. No.
[51:36] KS: But there are some CISOs that I speak to are 150, 180. I’m like, “You are overseeing a security program. Firstly, how are you hiring people that are below your salary? Secondly, how can you convince me as a candidate that they’re taking security seriously when you’re not being paid well enough? You’re not being valued at your job.” That’s the key thing.
What I’m not trying to convince CISOs is to try and be, “Okay. You’ve exhausted all options. You’ve led with data. You’ve gone to that board and said, “I’m going to leave or I want to do this, and this is where the market values me.” Whatever you need to do to get that conversation going, and we provide a lot of suggestions on that.
[52:18] CS: I just have kind of one or two more questions for you in here anyway. But apart from – I’m sure we do have CISOs listening, but what we get a lot of is people who are just not only at the bottom rung of the security ladder, but who are just thinking about even just entering the industry. As someone who helps cybersecurity professionals at all levels, do you have any tips for new comers who might feel intimated about where, how to start their job searches or what of their skills to sort of emphasize in that respect?
[52:48] KS: Yeah, absolutely. I think it’s obviously a focus point with the myth of the skills gap. Our key messages is we don’t really believe there’s a skills gap. We just believe that people need to change their behaviors and beliefs in terms of what that looks like and how that works, and we’ve touched in job descriptions. We’ve touched on salaries. They are key things to create the skills gap.
But the second thing is the amount of young people we’re now producing for cybersecurity, and our fear and the fear that we’re – Fear is the wrong word. But our sort of exposure to the market allows us to see into the job, the job economy as such. I’m very fortunate to deal with some of the best universities in the United States and actually talk to them about this. I’m trying to teach some of the professors saying like, “We are creating fascinating, exciting, degrees that are very cyber specific. We’re developing security architecture and engineering specific degrees. We are teaching more assurance degrees now, more instance response and digital forensic degrees.” There’re a couple of brilliant digital forensic degrees that we are able to recruit for our consultancies directly from them universities.”
However, when we talk about the pyramid with the CISO at the top, what we’ve currently seen is there’s a pyramid at the bottom. So it’d become a diamond.
[54:21] CS: Interesting.
[54:22] KS: Three level jobs of very, very small write up, and we’ve turned this industry into a lot of midlevel people that are finding it hard to get up and we found that there’s a lot of entry-level people that just can’t enter the diamond.
[54:37] CS: Right, and a lot of people feel that, I think.
[54:40] KS: Absolutely. We can’t hide that. That exists. That exists. What we’re trying to communicate is that the market, we now need to start considering, isn’t an entry-level market for people that are coming into the industry because of trust. Do you trust a graduate to come in and take an exposure of risk? Do we actually want that? We all seem to put on job descriptions. Obviously, I don’t design the job descriptions, but what we see is minimum two years’ experience. Do we just not want that?
The third thing is are we able to get them internships or any type of experience to get them on the road and get them some real-life experience? Be we always hear that famous term, “What real-life experience do you have?” If you don’t give the people the opportunity, they can’t get the real-life experience. We all know that. We’ve all had that for the last 20 to 30 years. It was exactly the same when I came out of university as it would be to anyone else’s generation that came out the university.
That comes back to our why don’t we just abolish degrees as a need? Because then people that don’t have the degrees and normally got the real-life experience, and that’s where that sort of half a dozen and one, half a dozen of another, is that catch 22 scenario. What we need to make candidates aware is that we need men to go and get IT experience or risk experience. Look at different areas where you can touch cyber. You might go into an incident management role or an IT help desk role or a IT support role or risk analyst. Something that they don’t see as a – Something they see as an avenue into cybersecurity, and they’re some of the areas, and that can get you a real-life one-year, two-year experience and they will allow you to work on tools like Burp Suite or FTK in forensics or whatever it is. That’s the way of learning, and that’s the way of getting that experience.
In terms of internships, there are some great ones out there. Unfortunately, companies still don’t value this as real-life experience, and that’s the thing that we get. I’ll go, “Well, they’ve just been at Aeon and completed a three-month internship or been at Walmart or been at Facebook or Google and some of these large organizations that provide excellent internships.”
I’ve witnessed a lot of them. I’ve been inside them to be able tell my clients, this is what’s going on. But many of them don’t value that because of the company policy, a bit like the degree that value that as real-life experience. Now I still say, “Go and get that experience, because the network that you get from them experiences is by far more valuable than what you actually might learn on them experiences.” But be open if you’re entering this market. Be open to cyber jobs, be open to IT jobs, be open to risk jobs, and certainly don’t take the first no, because you’re going to get a lot of nos in your career that if you stop now, you’re never going to be successful in cyber security.
[57:57] CS: Okay. So as we wrap up today, I want to talk a little about BeecherMadden. I want to get a sense of what types of services do you provide for your clients and what sort of people who are going to be listening to this might want to use you and so forth?
[58:14] KS: Yeah. We have the traditional recruitment services. We do permanent and contracting. We’ve been there. We’ve been in the cybersecurity and risk sector for a number of organizations. We have well over hundred clients that’s just in the US alone that we’re very fortunate to work for. From a candidate perspective, to provide a better education, the organization is the one that pays us. They contract us to find these people for them.
The candidates are always willing to approach us and see what opportunities we have. On the client side, we provide that model as well as the executive search for the CISOs, CIOs and similar positions. Then away from that, for the client perspective, as I was going to say, is around data analytics. We provide a lot of talent pools. We can tell you where best provide it, where best to put that skillset. We do skills audit for our clients. We do a lot of consultancy where we would go onsite for a number of days for our clients to actually work out like, “Okay, what do they need?” How better can we improve their processes? How better can we actually make them more attractive for candidates to hopefully decrease that field time and actually decrease their risk, because people are risk and recruitment is a risk to the business? We help them better understand that and better help CISOs educate HR and talent acquisition on that as well because obviously there’s a lot of generalist that don’t understand what they’re looking for or how best to speak to the market as well.
The last bit is salary benchmarking. That’s where we’re probably really utilized in the marketplace right now, is we do a lot of salary benchmarking for our clients, and we do that globally, which allows CISOs to get their board and say, “This is how much it’s going to cost. I think I can get this person for this. Can I get signed off to go and do that?” We can do that a lot quicker. Evidence-based is exactly how CISOs and heads of security are going to win in this market and keep ahead of their competition, but also keep their board happy, which is ultimately the CISO should be – Their CISOs goal is to keep the C-suite and board happy, because that makes them have an easy and stress free in somewhat a life I suppose, in somewhat way. I don’t know. When some of these CISOs are telling me they’re burning out, but I think keeping them off their back is – Hopefully it will make their job easier.
[01:00:55] CS: If our listeners want to know more about Karl Sharman or BeecherMadden, where they can go online?
[01:01:00] KS: Yeah, of course. Yeah, we have beechermadden.com and then –
[01:01:05] CS: B-E-E-C-H-E-Rmadden.
[01:01:08] KS: M-A-D-D-E-N, yeah, .com. Not short at all. Yeah, ultimately, fine me on my LinkedIn. Reach out. I’m always willing to have conversations with people. Most people find my number. Most people find my email very easily as well. That’s the problem with media these days, especially when I leave it on my LinkedIn half the time as well.
Yeah, obviously, I’m absolutely happy to have conversations with anyone and see how it can benefit their career or benefit the issues there have in their organization from a starting perspective. Yeah, happy to keep educating and learning myself as well.
[01:01:46] CS: That’s awesome. Karl, thank you so much for your time and insights today. I really appreciate your time.
[01:01:50] KS: No. I appreciate yours, and it was great being a part of this.
[01:01:53] CS: Good. Well, we’re happy to have you. I’d like to thank you all as usual for listening and watching. If you enjoyed today’s video, you can find many more no our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars.
If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcast. Just search Cyber Work With Infosec in your podcast catcher of choice. If you wouldn’t mind, leave us a five-star rating and review. It really does help people to find us.
For a free month of the Infosec Skills platform discussed in today’s show, just go to infosec.com/skills, sign up for an account, and in the coupon line, type cyberwork, all one word, all small letters, no spaces, to get your free month. You can also use our free election security training resource to educate poll workers and volunteers on the cybersecurity threats they might face during the election season. For more information about how to download your training packet, visit infosecinstitute.com/iq/election-security-training or click the link in the description.
Thank you once again to Karl Sharman and BeecherMadden and thank you all for watching and listening. We will speak to you next week.