
Don’t be a needle in a haystack

“A winner is someone who recognises his god-given talents, works his tail off to develop them into skills, and uses these skills to accomplish his goals.”

Famous words from Larry Bird, a former NBA basketball player who was forced to retire from the game at the age of 36.

He’d had a seminal career though; part of the 50-40-90 Club, which in short means having had a “pretty fly season across the board”, a member of the Dream Team – the winners of gold at the 1996 Olympic Games – and to top it off, the only NBA basketball player to have achieved Most Valued Player, Coach of the Year and Executive of the Year.

Now while the idea that some of us are destined to be great is debatable – born to do it so to speak – the suggestion that we are able to shape something we seem to be naturally good at is self-evident. We might find painting a work of art, kicking a football or quantum mathematics easy to do, but it is dedication to a discipline that really makes something out of nothing.

For security consultants, chief information security officers and the like, in the midst of looking for a new career challenge, there’s a question that needs to be asked: “What sets me apart from my contemporaries?”

It’s an important question and should not be mistaken for conceit. It simply is a short and simple way to analyse how far you’ve come, what knowledge and talents you’ve acquired and how this all plays into where you want to go.

In the IT industry, branches of which include information security and risk management, business continuity, ethical hacking and penetration testing, what matters most is leadership, a specialism, a flexible way of approaching projects and business in general, and a willingness to adapt.

With regards to a specialism, this speaks for itself. Businesses are looking for someone who has a command over a particular area, be it cyber security, sales and marketing or disaster recovery. What we’re talking about here is clout, unwavering technical knowledge. Though general knowledge is important, you can’t be a jack of all trades. To stand out, one requires a marker: “This is me; this is what I excel in.”

In reference to flexibility and adaptability, this is about being able to respond to change and possessing the ability to be reactive to new developments. The IT industry is currently undergoing transformation on a daily basis and constant change is almost the norm. You have to be willing and able to grow, to progress in a personal and professional capacity. Those who are happy to do the same old thing had better look somewhere else. Dynamic is what it is all about.

So take a leaf out of Larry Bird’s book and be the kind of person you want to be. This industry is growing all the time and as more and more people come into it, competition for positions, though plentiful, is going to be greater than it has ever been. Be a leader and step forward.


The funny thing about the bustling security industry

In this day and age, characterised by economic stagnation, dwindling spending power and limited opportunity – further compounded by the fact that it has seemingly poured cats and dogs since time immemorial – the idea that businesses might struggle to retain staff appears at first anomalous.

But it really isn’t. Even in the hardest of times, people still keep an eye on opportunities, be it for reasons that their current position isn’t just a means to an end; they’re looking for a promotion; or even a career change. Life’s an experience, after all.

Some industries buck the trend, like for example security, which, by the nature of its growing importance in society – it’s becoming an important facet of most people’s lives and of businesses – is expanding. Staff retention in this context takes on a different meaning.

Here’s a very apt example that has wider resonance. A new report from the Intelligence and Security Committee – a must read for CIOs, CISOs and the like – has observed that the UK’s Government Communications Headquarters (GCHQ) is at real risk of losing out on a generation of skilled professionals.

The reason is simple – they can’t keep hold of them (which we’ll come back to). The problem this results in, however, is very serious. Without this important, proficient and accomplished workforce, the UK’s ability to be at the top of their game and ensure that cyber crime is thwarted is at a real risk of crumbling. That’s not a pretty picture.

Iain Lobban, the director of the GCHQ, is very candid about the dilemma this reality poses. Because it’s a healthy industry and there is a growing demand for cyber security experts across the globe, professionals are simply doing what is normal – packing their bags and heading off.

When you’re presented with a great opportunity and a bump in pay, it’s logical. The government simply can’t match the salaries being offered. However, it isn’t all bad. For one, it paints a very good picture of the private sector in this field and, in general, of the industry as a whole.

If, for example, you log onto Acumin’s website – a leader in information security recruitment and risk management recruitment services – what hits you is both the number of jobs available and the variety. This is an industry that is on the precipice of serious activity.

So, while the picture for the government isn’t going to change in the interim, there is a business model that can work to a satisfactory level, Mr Lobban has explained.

“One of the things that I’m looking at is whether or not we can recruit people, train them and then employ them with the expectation … of losing them at the end of that period,” he said.

“And, as they move into industry, for them to be useful for us. If they’re working with some of those companies that we work very closely with, perhaps there is a benefit that we can get from them.”

It’s not perfect, but neither is the weather or the economic situation. So, we do what we do best and we adapt, always optimistic. That’s called character and Brits have plenty of it. And hey, even Carol Kirkwood, the BBC’s popular weather presenter, says that there is sunshine around the corner. Let the good times roll.

Big Four Information Consultancy roles for the taking

Defining a manager is a difficult thing. The Oxford English Dictionary describes it as being a “person responsible for controlling or administering an organisation and/or group of staff”. We wouldn’t disagree with that description, but it perhaps doesn’t tell the whole story.

We particularly like the quote from Frederick W Smith, founder, chairman, and chief executive officer of FedEx, who said: “A manager is not a person who can do the work better than his men; he is a person who can get his men to do the work better than he can.”

Not bad eh? Responsibility, of course, is inherent in this position, as is leadership. A manager is much more than just a chief; s/he is an integral cog that keeps things steady while simultaneously charging ahead into the unknown. Hard work and management go hand in hand but so too does success and a feeling of ownership.

There are a couple of management jobs that have popped up on our radar that we thought we would direct your way. They are both in risk assurance, one of the most dynamic and versatile industries going.

Both require a sound grasp of risk management and the ability to adapt it to fit particular client briefs. As such, strategies that identify, assess, prioritise and solve risk problems are bespoke. Good managers know that no one solution fits every box.

As ever, these management positions demand a depth of skill and expertise to be able to take charge when hitting the ground running. Take the Risk Assurance Senior Manager position: the employer is looking for a candidate who not only has financial services experience, but is also capable of delivering complex engagements.

For the other role as a Risk Assurance Manager, what is desired is someone who can help identify clients who need help in developing their risk assessment plans, which involves establishing what these risks are, how to evaluate their level of threat, how to design controls to minimise their threat and how to put in place monitoring systems to ensure they do their job.

Even though he was speaking in the 19th century, Samuel Wilson, a US meat-packer whose name inspired the national personification of the country’s government – Uncle Sam – made a very astute comment.

“As population susceptibilities are better understood, we will be in a better position than we are in today to make informed decisions about risk management,” he said.

Many years on, a job in risk management is one of the most exciting around, with a body of knowledge to boot. Be part of the generation that takes it forward. Be a manager that matters.

The attraction of contract working: Part One

Contract work is, these days, a growing phenomenon. More people than ever before, especially in the Information Security industry, are considering shifting to this unique style of working. And it appeals to both individuals and organisations, principally because it is a flexible, easy and productive way of working.

So just what is contract work? Although there is no fixed, universal definition, it can perhaps be best described as being an agreement between an organisation and individual to hire that said person for a finite amount of time – variable to the specifics of the contract of course. It’s that basic. It can either be long-term or short-term. In the context of our field of work, it is understandably a popular way of working.

The best way in to this kind of work is to sign up with an established agency that has a history of success in this field. The benefits are palpable. As specialists with knowledge and experience of our business, agencies have the knack, the resources and contacts to make highly-focused contract work a reality.

For example, let’s say you are a CLAS consultant with current DV Clearance. An agency can, on talking with you and going through your CV – which, by virtue, implies detailing your skills and work history – filter out irrelevant contractors and narrow down potential clients that might appeal to you. Moreover, in having developed relationships with such organisations, they will be able to best assess whether your appointment will be a productive one for both you and the contractor. The end result is to produce a harmonious working relationship that leaves everyone smiling.

The development in contract work can be seen as a natural by-product of a globalised world and how, every day, it is impacting on the ways in which human beings organise themselves with regards to work. It’s all post-industrialisation, chiefly post-World War Two.

Whereas 9-5 has long held the post as the most natural and sensible way of working, the more connected nations became with one another, in terms of trade and communications, the more it began to impact on how various organisations, companies and buildings came to work with one another. 9-5 began to feel too rigid, when, for example, your customer operated in India. India is five and a half hours ahead.

Consequently, habits and longstanding ideas, once deeply entrenched, began to transform. Hours changed, flexi-time was introduced, and people worked and finished earlier (8-4) or worked later (1-4). Others realised that some jobs were superfluous to their operations and staff rosters were streamlined. It wasn’t all fun: it meant making difficult decisions and it meant people were made redundant. To be blunt, it was collateral. Contract working and indeed flexible working – the big buzz of the moment – emerged.

Making it along the security highway

How does one succeed in anything, let alone in the information security & risk management industry?

Through CAD?

CAD, as we understand it, is an acronym for computer aided design, which security professionals might agree makes no sense in the context of progressing in their respective careers.

However, here it stands for something altogether different. Simon Hember, Managing Director of Acumin Consulting, recently presented at a well-known conference on the Development of the Information Security Professional, in which he described CAD as:

Clarity – how clear is it in your own mind what it is you want to achieve?

Awareness – is your currency as a professional valuable?

Direction – are you positive that you are heading in the right direction?

Who would have thought that three simple words, backed by three relatively straightforward questions, could be used to weigh up what it is you do in life.

In an age of uncertainty – general economic malaise and the so-called crisis of capitalism – these words take on an ever greater significance.

As security professionals, whether it is working in forensics, cyber security or ethical hacking to name but a few, the choices you make now can have a real lasting impact…for good and for bad.

One of the biggest realisations for such individuals is the pace of change affecting our industry. The choices you make – and indeed, the choices you can make – are affected by what is going on.

In the space of 30 years, we have gone from the introduction of ARPAnet (1969) to the creation of the first computer worm (1979) to the first computer virus (1983) to the invention of the web (1989) to 51 million people globally banking online (2008).

What this highlights is the continuous and in some cases unpredictable changes that affect the industry but also the dualistic quality of things. With every bit of progress – ARPAnet and the web – there’s always an underbelly of wickedness – computer worm and virus respectively. That hasn’t changed – it never will.

As such, you as a professional, well, you’ve never been so in demand. Sure, job opportunities will increase, but so too will the competitiveness of securing high-quality, career-defining jobs. The kind of work you can look back on when you retire with fondness. “I did some good,” you’ll say reflectively.

Consequently, CAD becomes a part of your philosophy that ensures you know what you’re doing and that you stand out. It’s getting tougher.

“Back in the late 90s when we started recruiting in information security you folks were a scarce commodity,” said Mr Hember.

“You only had to have the word security on your CV and employers were queuing up to hire you. As times have changed, this is not so special anymore.”

Which is not to say pack up your bags and exit the building – it’s a wake-up call to take control of your career. Of your destiny if you want hyperbole. In our next blog we discuss how you can start to do this, but for now, a quote to meditate on, from the classic sci-fi movie Terminator 2: Judgement Day.

“The future is not set. There is no fate but what we make for ourselves.”

Be the muscle for the digital age

Neelie Kroes, European commissioner for digital agenda, said in a speech recently to the European Parliament Committee on Industry, Research and Energy that her ambition is to “reinforce” the European Network and Information Security Agency (Enisa) as the world moves to even greater connectivity. Globalisation in a trade sense of the word was step one of two of making the world a smaller place. The digital age is step two. To add a bit of magniloquence to the blog, the revolution to bring humanity together is on the precipice of being achieved. World peace will be the final chapter to that story.

Anyways, that’s a digression. Ms Kroes outlined two ways in which this can be achieved.

“First, ENISA must be able to attract and to retain the very best IT security experts in Europe. Second, ENISA staff and stakeholders must have the best conditions for networking. This is essential for the Agency to carry out its mission successfully,” she told colleagues in Brussels.

What her comments highlight is the simple fact that this is an important age for professionals operating in governance & compliance and the information security & risk management industries and all affiliated sectors. What she wants is for robust defence mechanisms to be in place by 2015, which experts like yourself can help make a reality. The European Commission wants digital security to be more “muscular”, language which suggests a move towards being more proactive – swift and thorough reactive approaches are brilliant, but preventative is always preferable to damage limitation.

Interestingly, in her speech Ms Kroes suggested that powerful countries like those in the eurozone, China and, of course, the United States would benefit from working with, cooperating and up-skilling so-called “third” countries – by which we deduce she meant third world/emerging countries.

The truth is, in order to minimise their chances of being caught, punished and reprimanded by the authorities, cyber criminals attempt to lose themselves in a digital and physical maze within these respective countries. Cross-collaboration, the sharing of information and a genuine multi-disciplinary approach have positive outcomes for all stakeholders.

This has already been touched upon in the idea of Pefias – a pan-European framework for electronic information, identification, authentication and signature. Can you contribute to this? What ideas do you have? One place to share your thoughts and ideas is at our monthly RANT event. Be part of the conversation. Be the change Ms Kroes is looking for.

Get Tweeting for Recruitment

It seems like there was never a time when Twitter wasn’t around, such is its ubiquity in contemporary society. From the general public posting ramblings to celebrities waxing lyrical about their lifestyles to the government keeping the public updated about its various endeavours (many of which no doubt centre on the economy!), this social media site has grown exponentially in the last few years.

Twitter has, in short, transformed the way we interact with one another, how we communicate news and information in general and how businesses and organisations conduct their operations. Its success is owed to its simplicity and unmediated real-time nature, USPs that manage to appeal to a wide demographic of people.

The IT security market is no stranger to this medium, which is ideally suited to recruitment. Whether it’s used to source or post job vacancies in, for example, the information security, technical risk or IT forensics professions, or as a means of networking with industry specialists, Twitter is the perfect tool for businesses and prospective employees to connect.

When using Twitter as a recruitment service, helpful tips might include utilising hashtags so that tech-savvy professionals looking for work can easily find a job in their given field. For example, let’s say someone is looking for positions in information security – Acumin would post the following “#infosecjobs” in a tweet with an appropriate link to a specific job. This creates an easily searchable trend, which simply cuts out all the clutter and connects agencies to professionals in a simple and efficient way.

Organisations wanting to headhunt professionals in their sector can take advantage of the many Twitter offshoots, which offer unique ways of engaging with the medium. Take for example, a user-generated Twitter directory which like the service itself, operates on a simple interface.

Equally, there are ample aggregators out there specifically aimed at bringing together jobs in the information security and risk management sector, which can be discovered by conducting a simple search. Check out, as just one example of this.

Professionals and agencies working in any given sector can keep a real-time conversation going through their own tweets, @ replies, and retweets. It can be a great tool for keeping abreast of industry developments by following businesses and specialists within the sector. There is a lot of following on Twitter and features such as suggested follows and browsing others’ connections make targeting appropriate sources easier. To this effect, a budding IRM professional might demonstrate gravitas and expertise through posting comments and links about relevant developments in their sector, content an employer might chance upon which also enhances the poster’s own brand.

It’s about the two-way conversation – are you tweeting today?

Follow us on Twitter: @Acumin

How easy is it for us to find your CV?

Search for advice on writing a CV and one of the first things you will read is that it should be no more than two pages long. The last thing a hiring manager wants to do is read through reams of paper detailing your every project and anything else you’ve ever done or thought about doing in your life; brevity is encouraged, and you must engage your reader to keep their attention.

Much of this advice is good. CVs should be succinct, on-topic, and objective. Follow the old mantras about CV writing down to the line though and you are left with a document that will look pretty uploaded on your favourite job boards, but will often see you overlooked for roles for which you are perfectly suitable. A CV is no longer a record of your most worthwhile achievements; it is now a digital resource, a way of indexing your experience.

Ask most jobseekers what they do with their CV once they have finished writing it, and I doubt many will tell you that they print it off, read the advertising section of the newspaper, and then start sending out copies in the post. Typically you will upload it to your favourite job board or send it across to a trusted recruiter. That’s the hard part done, you’ve ‘got yourself out there’, now it’s just a waiting game until the right role comes along, right?

Wrong. Too many candidates fail to consider how life is on the other side of the fence, how we engage with their CVs. This is particularly true when recruiting information security and risk management professionals, who can have very niche skills and responsibilities. So here it is…

Whether it be sat on or a recruitment database, it is important to consider how it is accessed. I can tell you that if I know you as an information security candidate, I might search for you by name, but otherwise your suitability for the roles I am working on depends completely on your CV’s ability to match my search. Any recruiter with a little training will understand Boolean search strings, and now in order to ensure you are considered for the most relevant jobs, candidates must too.

CV writing should now be seen as SEO. Consider the meta keywords that will bring you up in the searches for the roles you’re interested in and consider the search hits that will display your profile above your competition. It’s also important to understand the value of your skills; too often I learn about a candidate’s experience with an in-demand technology only when I have invested the time to speak to them. All recruiters know those calls when a candidate will phone in and enquire as to why they haven’t been contacted about a role for which they believe they are perfect; considering the above, the reason for this becomes quickly apparent.

CVs aren’t telling us enough. For example, a candidate might simply mention ‘security monitoring’ in one of their roles, when actually they have good knowledge of IDS, IPS, and SIEM systems – which are highly sought at the moment as they tick a few of the required boxes for PCI compliance. Or what about the information risk hot topic of the day, application security? Expertise in this area can see some candidates command impressive increases in their salary. Whilst ‘application security expert A’ gets his pay rise, ‘expert B’ is failing to get interviews. I bet you know by now which candidate has written their CV with search terms in mind, who has discussed their experience in a way that makes it clear what they have been doing, and who details their specialisation most effectively.

Ultimately, your hiring manager or recruiter only knows what you tell them, and your CV is your primary form of communication. Your job search may end up a success but think about the exciting opportunities you might have missed out on due to an inability to consider what happens to your CV once it leaves your hard drive. Whilst a strong understanding of the market is going to help, overcoming this is relatively easy – technical skill profiles or project overviews are certainly one way to progress yourself up the search results, particularly in product heavy roles such as IT security engineering. For some, particularly technical security contractors, you might consider writing a version of your CV that is considerably longer than you would normally like, with a simple disclaimer that it is a keyword-optimised document. Another useful measure to take when uploading your CV to a job board is to utilise ‘personal summary’ or ‘about me’ sections to search optimise your profile.

It’s time to stop thinking about how your CV looks, but rather how people will find it.

– Ryan Farmer