General security

Interview: CEO Mark Aiello of The Revolution Group

Ian Palmer
January 10, 2013 by
Ian Palmer

[caption id="attachment_14278" align="alignleft" width="169"]Mark Aiello Mark Aiello[/caption]

secureRevGroup, a Wakefield, Massachusetts-based information security professional services firm, started in 2009 as a division of The Revolution Group. InfoSec Institute recently spoke to Mark P. Aiello, CEO of president of the company, to get his take on various issues related to the information security industry.

What positions are currently in demand?

What's interesting in infosec still is that there are all kinds of titles that different companies use, and you have to really get to the nuts and bolts of what they need people to do. There may be five or six generally accepted and used titles that all do the same thing… Security architects – that's a huge demand right now. But it means different things to different people because, from an architecture standpoint, you have application architects, you have people who are knowledgeable on the development side, and you have people on the network side as well.

Most of our clients, when they say they need security architects, they're really looking for somebody that can help them bake security into every nook and cranny they have – be it the applications, be it the network and even in some of the training applications they have for their users or their stakeholders to help with training. 'What is the right way that we're going to teach people how important security is to us, how everything needs to work, how all of this needs to be tied together and not developed in a small, little vacuum?'

The other area where we see huge demand is hands-on security engineers and hands-on security analysts that have the CISSP certification and that have a background in end-point security, firewalls. They're really security people, not network people who do some security.

For which positions, if any, are you seeing dying demand?

Dying is a strong term, but the ones that are on the downside are those general network admin-type roles where people want the old Windows NT or whatever Microsoft's latest certification might be. We're seeing those kind of disappear and being replaced with people that are much more specialized.

An example is a Check Point certified person. Check Point is so big that it's so important to an enterprise that they really need people who really know Check Point and everything there is to do with it.

What hard and soft skills are in demand?

The hard skills are kind of a general knowledge of the current technologies that a corporation or enterprise will utilize to address what's the most effective solution today to their current problems. Then with that, if they have the right people doing it, they have information security people – not just IT people – who are involved, and people who have certifications who are serious about a career in information security.

Those would include CISSP, which is the gold standard from our standpoint; CISA; CISM;. And they might drill down a little bit deeper and become a certified ethical hacker.. The hard skills are that real, good solid knowledge of the industry so they can bring the right solutions to bear.

As for soft skills, they include the people who are able to articulate to the stakeholders or the users or senior management what are the real cyber risks that we're seeing and that we're likely to see. They are also capable of being part of a real discussion about what's the right solution to try to mitigate, if not eliminate, those risks.

What technologies are in demand?

There's a huge demand for mobile security, and it's such a broad area. But it's basically everything that we take with us and to make sure that the bad guys that are snooping on us can't get in . And then we're seeing things like specific technologies. Check Point is really hot and big. Juniper is big on the firewall side.

And then we're seeing that other area of risk assessment and compliance – not just throwing these technology tools at a problem, but understanding what are the risks associated with this, what's the compliance obligation.

What technologies are seeing dying demand?

I'm reluctant to say what some of those might be because I'm not sure that I want to offend some of those companies using such technologies. But it's more of those older and traditionally more complicated-to-implement technologies. There are some companies out there with hardware and software solutions that are just so large and complicated to implement that those are kind of dying.

Mobile phones, iPads, mobile devices, tablets and apps have really changed a lot for people where they shouldn't have to go to a six-week class to learn how to use it. They should be able to have a clue of how to use it when they take it out of the box.

Who was the last security person you hired and what set that candidate apart from the pack?

The last one that we hired that really separated herself from the pack was a director of information security that we hired for one of our clients. And what really made her different was her ability to blend her hand-on technical background with her ability to analyze problems.

She had a very hands-on technical background and at some point branched out, as people may do, and sort of left the technical world. But that really was her sweet spot. She wasn't a director. This is a promotion for her. This is a company that's more progressive than some that was able to identify that diamond in the rough and say, 'Here's somebody who didn't come to us as a director.

But she's come to us with such a great background that she'll clearly be successful in this role and will hold onto it for a longer period of time.'

How has your department grown or changed and how do you expect it to change in the future?

We previously were an IT staffing firm for the most part. The parent company is The Revolution Group. We were named in 2004 the fastest growing IT staffing firm in the United States.

In around the middle of 2009, we shifted our focus. The senior management team and the board of directors got together and took on a proposal to focus on the information security space. We recognized that we had a competency in information security.

So we really drove a stake in the ground and said, 'We are going to build our company on information security. We're getting away from the IT.' In fact, we're well over the 50% mark in terms of our information security business and that's growing… We'll probably double our internal staff [in 2013], from about 15 at present, with sales people and recruiters to meet the demand that we're seeing from our customers.

And we intend to pick certain geographies within the country and begin to really penetrate some other areas besides the ones we're already in.

Without naming specifics, what are the biggest security threats that your clients are facing?

The first one would be our clients' own employees that are just lazy or lax. You can't say that people are not informed. Even my mother is not clicking away at every email attachment that she gets.

You can't say that people working right now are not aware of these types of issues, but yet people still do it and they're fooled every single day. I think the number one security threat is the people who are just not paying attention… I think we're going to see more foreign state-sponsored hacking.

It's a big issue and perhaps becoming an even bigger issue. I look at some of the requests that our own firewall receives every day, and I'm amazed at how many of them come from outside the United States. And I say, 'How do we become a target? Why us? What do we have?'

So I know that if it's happening to us at the scale that it is, it's happening to everyone. And then I think the whole mobile device management, BYOD [bring your own device] area also presents security threats. There's so much of it, and there will be so much more of it.

It can be really easy for somebody to think that, if they have the device on them, it's safe. They don't recognize what the risks are of not simply password-protecting their screen – just simple precautions that they can take.

What is the hardest part of your job?

Most of our client companies are really risk-adverse in hiring. It doesn't mean that their turnover is any less; it just means that they want to make the safe choice – not necessarily the best choice.

Too often the difficulty is to convince our clients that these individuals are not commodities. They're individuals and they're unique. They view too often the skill sets as a commodity and that transfers over onto the individuals themselves. And they figure that, if they just wait long enough, they'll find the perfect person. Too often the individuals' soft skills or growth potential are less important than their hard skills.

What is the most enjoyable part of your job?

I don't think in the history of commerce that there's ever been an individual who takes a new job because they think their life is going to be made more miserable. In the history of the world everyone accepts a new job because they believe it's going to make their life better in some capacity. It might be a better commute, more money, the work, the people, People never say, 'Yes', to a new opportunity without thinking it's going to make their life better. And that's the enjoyable part for us.

Which, if any, certifications and degrees do you see as important for hiring and career advancement?

For us the CISSP is still the gold standard. It's the gold standard among our client companies. It's broad enough that it gives somebody really good exposure to what information security is all about. Beyond that, they might decide that they're going to pick and specialize in areas. It demonstrates that this individual is serious about information security.

The other ones like the CISA, the CISM – they're also in that same category where they show the client companies that this person is serious about getting involved in this aspect of information security.

What will get a candidates resume thrown in the trash?

It's kind of rare that resumes get tossed into the trash because 95% of all resumes are electronic. Probably 98% of all searches start with an electronic search. Rare are the days where someone goes to file folders on their desk filled with resumes to thumb through the papers to see who they may have spoken with recently.

Most of us have some sort of applicant-tracking system or database of all the candidates. Then are many different resources such as LinkedIn, Twitter or any of the job boards. It's always a keyword search.

My advice is keep your resume short and simple. You should customize it, not embellish or fabricate it, for the job opportunity. Read the job description well and make sure that your resume says what that job description needs it to say, if you believe that you're the right person for the job.

Use the right buzz words, the right key words. The trash for the resume of the job seeker is having your resume not getting flagged. If no one looks at it, then it's essentially trashed. We tell people, keep your resume two or three pages.

What would you tell a high school student interested in studying information security in college?

If information security is where you want to be, be serious about it. Don't just dabble in it. Make sure that you attain the certifications. Make sure you do lots of networking.

There are lots of meet-up opportunities for infosec groups once a month that you can go to. They're free or some of them are very, very low cost. Listen to the various speakers that they might have at these types of things.

Also, make sure you do a fair amount of research of what's happening in the industry. Right now I think information security is one of the fastest growing and one of the least serviced markets.

What security sites you visit?

Of course there's the InfoSec Institute's resource page. CSO Online is another one. I look at that weekly. SANS Institute has some really good stuff. One that's kind of off of the beaten path from most of them Treadstone 71.

What is the last security book that you read?

The last security book that I read was CISSP for Dummies. It's light reading in terms of what the subject matter is, and it's a really good brush up, overview, refresher. I don't know that it's going to enable anyone to pass the CISSP exam, but it's a pretty good refresher if you need it. We have a couple of copies here at the office as resources.

Who is you favorite fictional hacker?

It's a tie between Marcus Drummond who's in the Mitch Rapp novels or Chloe O'Brian from the TV series 24. Those are my two favorites.

Ian Palmer
Ian Palmer

A Canadian currently based in Ontario, Canada, Ian is a researcher for InfoSec Institute. Over the years, he has written for a number of IT-related sites such as Linux.com, ITManagersJournal.com and ITBusiness.ca.