I embarked on trying to find out why this is happening, why so many qualified individuals struggle to find employment as an executive in information security, only to experience the same frustrations I've experienced.
Knowing many CIOs and other executives, many of them good friends, I have asked them for insights about my recent experience. They responded that CIOs are under heavy pressure to do more with less and get twice as much done. Moreover, businesses are also under a lot of pressure these days, and directors' roles may have been diminished for political or other reasons.
Then why is it that when a serious breach occurs, the executives panic and find the budget to spend extraordinary amounts of money to remedy the breach? Why is it that they seem to degrade a vital component in any business, the security of their data? Don't they know that one serious breach can jeopardise the existence of their business, and perhaps lead to criminal investigations? Why is it that many organisations just have one security executive with no staff and hardly any budget to work with as just a figurehead in the organisation? Several states, and the federal government, have enacted or are now enacting tough laws, some of which carry severe penalties should a serious breach occur, including requirements of complete public disclosure to all the victims associated with the breach.
Never mind the mountains of lawsuits that can put a company out of business. This is what's going on. Many companies are revolting, but the laws are being enacted, and ignorance is not bliss. Doing more for less is not the answer. It is not good business to put an organisation's assets at risk, particularly in this economy where security staff are being depleted and undervalued. This is not an area where businesses should be doing more with less. They should be doing the opposite to ensure their survival.
At the federal level, top information security specialists have been saying for years that our current infrastructure is at grave risk. Serious breaches have since occurred, and the government is now scrambling. Most of the agencies have been mobilised, and at least four of the national laboratories, are in an all out effort to combat breaches and prevent future ones. Billions of dollars were budgeted to upgrade and secure the nation's infrastructure, and why was this? Because the same pattern keeps repeating itself. Security is ignored or pushed lower in priority until a crisis erupts and then there is a scramble to correct the problem.
The federal government is now hiring information security specialists, but mostly in engineering or analytical roles. Few, if any, management roles are being developed, a serious oversight, because experienced leadership is needed badly.
Another problem the federal government has is the requirement that job candidates have an active security clearance to even be considered for opportunities. This is the case at many of the primary contractor and subcontractor vendors, and they often hesitate to sponsor qualified individuals who can obtain clearance.
Clearances don't just appear out of thin air. The federal government must instruct the vendors to sponsor employees to apply for clearance. Understandably, the process of getting a clearance is time consuming and heavily intrudes upon an individual's privacy, and not everyone is clearable. It is expensive, yet this investment must be made to bring qualified individuals on board to secure the infrastructure of our nation.
The problem of relocation
The current economic climate makes it difficult for information security executives to find work and difficult for them to relocate when many companies are not offering assistance. It is also difficult for many companies to find qualified candidates, since everyone seems trapped even if they are offered relocation assistance. In an informal roundtable discussion in Silicon Valley I was invited to, several interesting discussions took place with some of the companies in attendance. What was evident was the inability of top candidates to relocate to where the demand for the jobs are. The fundamental reason is economics: People are trapped because relocation assistance might not be available or because it's not enough to cover the costs of relocation.
People are having difficulty selling their homes, the cost of living is high and carrying two mortgages can be unrealistic. Housing is problematic and is preventing companies from attracting top talent from other parts of the country. The pressure is on for companies to come up with innovative ways to accommodate this hardship, subsidising an apartment for up to a year to give people time to sell their homes, or paying commuting expenses until they can purchase their homes would be a start. But very few companies do the latter, and they only offer relocation assistance for certain strategic positions or key employees. The expense is understandably substantial if they cannot find local talent to fill strategic positions.
These are tough times never seen before by any of us. Some of the executives I've spoken to shared stories of desperation, some of them have lost what they had worked most of their lives to achieve or had their roles seriously diminished.
Yet I do see a vision of the security executive playing an integral part in supporting the business and adding tremendous value to organisations of all sizes. These mindset changes have occurred in a number of organisations. They've discovered that security executives bring in enormous value and business leadership.
The author is a Chicago-based IT security practitioner looking for employment.