Here are the questions we are most frequently asked by information security professionals looking to develop their careers, along with the general answers we give. If you have a question which is not answered below, please call Mark Ampleford ma@barclaysimpson.com, Ruth Jacobs rj@barclaysimpson.com or Hugo Brown hb@barclaysimpson.com on 020 7936 2601.
Questions
1. Should I get professionally qualified?
2. Should I choose CISSP or CISM?
3. Is it worth taking vendor certifications?
4. I am new to the UK. What should my first step be in getting an information security role?
5. I’ve just finished an MSc in security. I have no work experience. Where is the best place for me to get my first role?
6. I work in a technical security role. How can I move to a more policy-focused position?
7. How can I move from a security policy based role into a technical security role?
8. Can I make more money contracting?
9. Do I have to stay with an employer for at least 2 years?
10. Should I tell my existing employer that I am looking for a new position?
11. Should a CV never be longer than 2 pages?
12. Is lying on my CV a significant risk?
13. Is information security sexist?
14. Is information security racist?
15. Is information security ageist?
1. Should I get professionally qualified?
Historically, professional qualifications have not been particularly important in Information Security. The rapid growth in demand for staff meant that practical experience was a sufficient basis on which to employ someone. However, as in other areas, to differentiate between a larger number of people with experience, employers are now taking qualifications into account and, for those pursuing a career in information security, a professional qualification can be a real advantage.
If you are moving raw into the field of information security, you are likely to get most benefit from an academic qualification, such as an MSc in information security. If, however, you have several years' experience, it could be time to think about getting this experience and knowledge certified in some way. Some people shy away from this because they know more junior people who have passed the qualification. That is life. If you are going for a mid or senior level information security role and you are not qualified, you may well be overlooked. Is it worth the risk? The professional qualification is not just there to help your standing with other security professionals. It gives assurance to a number of people in the recruitment process (Head of Risk, Head of IT, HR etc.) who will not know the junior people you know who have got the qualification.
2. Should I choose CISSP or CISM?
CISSP is now the best-known security qualification. ISACA launched CISM a couple of years ago to provide a management qualification for security managers who did not need the vast array of skills required by CISSP but needed very strong policy and security management skills that weren’t necessarily tested by CISSP. These aims, as with many in life, have led to a different reality. Most job specifications do not differentiate between the two qualifications or express a preference. Consequently, we would advise you to get whichever you feel will teach you the most or be the easiest for you to get. If you are already CISA qualified then CISM has the advantage that you will only have to pay one annual professional affiliation fee.
3. Is it worth taking vendor certifications?
In general it is advantageous to hold vendor certifications, but to what degree depends on which vendors they are from and whether they are relevant to the areas of information security in which you currently specialise or plan to specialise.
If you hold certifications from the market leading vendors in the areas of security in which you operate, they are likely to improve your chances of securing a new role. Equally, holding vendor certifications for other products you have spent time working with, even if they are not as commonly used, demonstrates to a new employer that you have the capacity to become an expert in the technologies that you work with. The only word of warning would be to avoid paying for certifications from obscure or poorly regarded vendors.
Holding vendor certifications is sometimes a prerequisite for technical security roles, the most frequently required being the Check Point CCSA and CCSE. As Check Point has such a high market share, there are a high number of security professionals with experience of their products, and holding the relevant certifications is a way employers can select candidates to interview. Similarly, Cisco are dominant in the networking arena, so many employers recruiting network security staff prefer candidates to have the CCNA and CCNP certifications, and, if they also utilise Cisco security solutions, the CCSP and CCIE Security are sought-after certifications to possess.
4. I am new to the UK. What should my first step be in getting an information security role?
The first step has to be to make sure you have permission to work in the UK. It is hard to arrange for companies to sponsor work permits. Instead, investigate available visas such as the Highly Skilled Migrant Visa. For further details look at www.homeoffice.gov.uk. Once you have a visa in place, job hunting will be a lot easier. Bear in mind that the UK style of CV is very different to that of other countries. Americans should add a date of birth or age. South Africans should throw their old CV away and concentrate on one that is much shorter and more focused on work experience, merely listing academic qualifications rather than which sports team you represented at school etc. Central Europeans should write more about the current role they are in.
5. I’ve just finished an MSc in security. I have no work experience. Where is the best place for me to get my first role?
Most candidates automatically push to get into the information security departments in the City financials. It seems the obvious choice if you want eventually to be Head of Information Security at a bank later in your career. However, some such candidates can get stuck in junior analyst or administrator roles for quite some time. Consultancies, whether small or large, are always going to be motivated to get you into a position where they can charge a significant daily rate for your expertise, and this can only benefit you in terms of knowledge and experience. It is unlikely that a recruitment agency will be able to help you at this stage in your career, so you should apply directly via the consultancies' and practices' websites.
6. I work in a technical security role. How can I move to a more policy-focused position?
If your current employer does not have any positions, then how can you make yourself appeal to the recruitment market as a whole? First you must draw on what policy-focused experience you do have. What standards do you know and what risk analysis methodologies do you understand? What awareness work have you been involved in? Push this experience on your CV. Do not go into too much depth with the technical experience you have. What you leave off your CV is as important as what you include when you are changing direction. It is important to come across as knowledgeable without being overly excited by the technical aspects. Shy away from long, in-depth lists of technologies you can use. It will and should still be obvious that you are in a technical security role, and we would not recommend changing your job title. Your technical abilities will still add value, so do not try to deny them. Proving that you can hold your own in the policy arena can be addressed through the addition of a professional qualification.
7. How can I move from a security policy based role into a technical security role?
This is not an easy move to make, and one which gets increasingly difficult the more years' experience you have in security; however, it can be done. The best first step is to take a professional qualification that covers a wide range of areas of information security. We would suggest an MSc in Information Security or the CISSP. This will give you a good theoretical grounding in other areas of information security that you may not have practical experience of, and demonstrate this to potential employers. The smoothest way to make the transition is to find out if your current employer is willing and able to offer you a wider remit. This way you can split your time between a mix of hands-off and hands-on security tasks and gradually make the move without taking a drop in salary or status. If you cannot or do not wish to remain with your current employer, you can check the market for a role that will offer a mix of technical and non-technical security work, which is more likely to be successful if you are taking a professional qualification. If you want to go straight into a technical role you will probably need to consider accepting a drop in salary, as the new employer will be investing in you and there will be a learning curve involved. Although you may have climbed up the ladder previously in a non-technical environment, you will be moving a few rungs down, as well as sideways.
8. Can I make more money contracting?
When assessed on daily rate, it is likely that almost anyone who describes themselves as an information security professional could command more money contracting if they land in the right place at the right time. However, permanent positions do provide a number of very useful side benefits, including a greater likelihood of promotion, holiday pay and flexibility, and the fact that most employers will pay for professional memberships, course fees and exam fees. Essentially, in the short term, if you can get a contract you will make money. Longer term, it is unlikely that you will experience the same progression that your permanent colleagues will, so the benefits will fade.
9. Do I have to stay with an employer for at least 2 years?
There seems to be a common misapprehension that if you stay less than 2 years with an employer it will reflect badly on you in a future selection process. Arbitrary time limits should not be applied to any decision as to when to look for another position. If, after 3 months, you are totally convinced you have made the wrong move and you have legitimate justification, then it is unlikely that a future employer will discriminate against you. Everyone is entitled to make a mistake. What is important is that your CV does not reflect a pattern of only staying with employers for a short period of time; you need to be able to demonstrate commitment. A pattern of frequent moves will begin to affect your credibility in the recruitment market. You can make one but not three mistakes.
10. Should I tell my existing employer that I am looking for a new position?
Generally, the fewer people who know you are looking for another job the better. Whilst telling your existing employer that you are looking for a new position may make it easier to take time off to attend interviews, there are a number of disadvantages.
First, you will most likely be excluded from any future career progression. For example, whilst you are looking there may be developments within your existing department that would otherwise have been advantageous to you.
Secondly, you do not know how long it is going to take to find another position. Having made your announcement, it will be rather embarrassing if you have still not found a position 6 months later. The danger is that you will feel pressurised into accepting a position that you would otherwise not have considered.
Finally, you may start to feel isolated. If your manager believes that you will be leaving shortly, there is probably little incentive to keep you as an integral part of the team.
11. Should a CV never be longer than 2 pages?
People often seem to think that a CV should never be longer than 2 pages. However, a CV should be whatever length it needs to be to efficiently and effectively describe your life and career to date. The older and more experienced you are, the more there is to tell. As a general rule a CV should not be longer than 3 pages, and anyone reading your CV should be able, within 2 or 3 minutes, to have a clear idea of your background and experience. Nobody wants to read anything longer. In fact, providing a CV that is either too long, or one that is too short and fails to address obvious issues, will result in a question mark about your judgement.
It is also inappropriate to include with your CV copies of certificates, staff appraisals, job specifications and references from previous employers. These only add to the amount of paper and can distract the person reading your CV. Guidance on CV preparation is available at Creating a strong CV in the career advantage section.
12. Is lying on my CV a significant risk?
There are essentially two types of lies that are contained in CVs. First are matters of verifiable fact: your age, qualifications, the periods of time you spent working for previous employers and your job titles. Outside of taking up references from your previous employers, very little other formal verification is made of your CV. However, if your employer discovers that you obtained a position on the basis of a CV that contains a material misrepresentation of a verifiable matter of fact, you will almost certainly be summarily dismissed and possibly prosecuted. It is a risk and cannot be encouraged.
The second type of lie, and by far the more common, is the embellishment and exaggeration of professional experience. Such representations are intangible and therefore less risky to make. Formally you may not have been a manager. On your CV, this does not stop you describing all kinds of responsibilities and achievements that belie a rather more modest job title. As a candidate in a selection interview you may embarrass yourself or, more problematically, be offered and accept a position that is beyond your capabilities. The former is quite common, the latter quite rare. A Chief Information Security Officer, on discovering that a Security Consultant did not quite have the experience they were led to believe, would probably allow them a short period to become proficient.
Many companies are now relying less on assertions made on CVs and far more on their own objective-based selection processes. These involve applicants demonstrating the skills and experience they describe on their CVs, and make any misrepresentations rather more problematic.
13. Is information security sexist?
The evidence we have seen is that this is not the case. Although the majority of people in the industry are men and, in line with this, the majority of department heads are male, this seems simply to be a result of the work appealing more to men as, according to our records, female applicants have generally fared better than their male counterparts when securing roles. Indeed, there might even be a positive influence in favour of women in an attempt to redress the balance.
14. Is information security racist?
Whilst there is a bias towards candidates who speak good English and have experience of UK practices, UK culture and the scale of UK operations, this can't be classified as racism. Hence, although people often find it hard to secure their first role in the UK for this reason, it is not a racially motivated bias. "Hitting the ground running" is a term regularly used by recruiting managers, and for this reason they look for those who have UK experience or experience in a very similar environment. We have not noticed any bias against ethnic minority candidates, either UK born or immigrants with experience of work in the UK.
15. Is information security ageist?
This is a complicated issue. The way most departments are set up inevitably means that there are many more jobs for those with 1-10 years' experience than for those with 10+ years' experience. However, because information security professionals tend to stay in their chosen career for a long time, those with many years' experience often perceive the market as ageist. Whilst this can be true of some employers, we would argue that it is not as bad as many believe. Perhaps this perception has not been helped by the fact that in recent years there has been a trend for security to answer to risk management, a department that is often led by someone less than 40 years old.