RCR 014: Cybersecurity Hiring (Part 2) - CISSP Study and Training!

Description:  

In this show, Shon will go over the key aspects of HR/Hiring professionals. This is part 2 of 5 in the ongoing series designed to help HR/Hiring managers as well as those looking for cybersecurity jobs.

These videos will go over what the hiring professionals should be looking for and what potential candidates should strive to achieve to meet the growing cybersecurity job demand.

This part of the video series will go through what the HR/Hiring manager should consider when evaluating candidates for cybersecurity jobs. We will go through outsourcing (Locally/Globally) compensation and the value of certifications.

Transcript:

Give you the tools you need to meet your regulatory requirements while helping keep the evil say hi my name is Sean Gerber and I'm your host for this action-packed informative podcast join me each week cuz I provide the information you need to best protect your business and reduce your company cyber risk I shall give her back again on this episode that we've got set up this is now the second iteration of the second part of our human resources peace at this around cybersecurity more than a job description and I'm going to focus in this part specifically on the human resources aspect of it and so the point of this is that you got to decide from a human resource standpoint when you're looking at a cybersecurity person what is your overall goal so your goal is to grow the resource now you got to ask this is how deep is your stable that's that I've got his how many people do you have that you can go ahead and tie into and bring into your organization if you have a lot of cyber security people that are around or even it people that really care kind of passion about this then your stable might be pretty deep however if you only got one person has a thoroughbred or maybe not even that glitter that from a human resources standpoint resources internally are a great place to start is you get going in this space and you see what hey I can't afford a cyber-security person cuz I'm a small and medium business but I've got some really sharp it folks that I think could probably do this that's what you need to focus on if they need to be passionate about security because if they're not it's going to basically just be like Ian I want to go to sleep this is stupid is boring I don't want to do it right so you need to focus on if you're going to hire from internally they've got to be passionate about what they're looking out for and they need to have a strong capability coming right out of the gate call the security Kudos of the security make it happen it doesn't matter it's not going to it's not going to work so focused on people who have one I have humility they know they don't know much and they want to learn and that they're willing to grow if you focus on those people and then to have somebody that has you have a resource that you can tie into some sort of somebody within your organization that you can draw a pun if you need a thoroughbred right away I'm not saying that's me by any stretch of the imagination I like this old donkey right really hard and put away wet so I am not a thoroughbred from that standpoint but if you want this Rockstar from JPMorgan or from Citibank or something like that well you're going to need to pay form right it's going to cost a lot of money but that there are some things that come with that if you decide that and what you want to look for from that point of view is a CSO security information security officer and information security director or a senior security architect they will be able to give you that level of expertise you may need so if you go down this path and you're really looking to want to start a little bit higher rather than trying to grow it from within one of those three roles would set you up very very well as it relates to finding a good resource I can get moving right away now you can Outsource this can be done locally or can be done globally not for a small town you might want to go Global might be hard to find it in a smaller area however you can find these people locally and do you want to be able to rent the capability so a so security and Fire Chief Information Security Officer as a service or security-as-a-service on this going to happen for United States india-china you name it you can get it now you have to ask yourself though from a compliance point of view you may or may not want somebody was in those countries especially if you had a regulatory requirement around the US government that make put you in a different position so but you can get these resources from other places India and China have great people that can do this however you got to let know who is your audience and who are they going to talk to that can cause you some challenges but there's some really good resources and all these places can be a driver on and you may or may not get what you really are paying for and I don't mean this in a bad way but right now because cybersecurity is hot right and people are always looking to get into it there's a lot of people out there that'll say hey I'm a cyber-security expert I met a person while back that said I'm a cyber-security expert when I start asking deeper about what this gal knows and she's super nice gal and nothing against ladies or men or any of that doesn't matter it all comes right down to she didn't have the experience to really call herself as a cyber-security expert in all these areas now she's very good and compliance but she wasn't good in other areas she just didn't have the expertise so the cool part about that is you just really have to know and that's why the training is put out there so that you can idea what you're really looking for when you're trying to find a cybersecurity person and you need to ask the right questions no matter if the guy or girl doesn't matter okay you got to have the experience and resumes can be deceiving right be off in the room then comes down to is compensation what are you to pay these people you can look online and you get goes from all over the place I've seen security officers down to as low as $70,000 which is great if you can get it but I guarantee you get what you pay for so you might get someone who says hey I'm a security officer I can do it and they're paying him 70 granted you're going to get $70,000 in quality right but I've also seen guys that have commanded serious money that at the end of the day my love serious money not me serious money not me but they're at my level so you got to cut away all that right so how much are you willing to let go you got to ask how much money are you willing to put into this to it to get you what you want if you have a regulatory or compliance requirement you may want to spend the money if you don't then I would start lower I just really would and also what is your risk tolerance Lehigh rastello tolerance are you willing to accept a lot of risk if you are I would go lower and groom that person because bottom line is they're not going to stick around I mean it's hard to keep them around I should say because if they start building these these creds and they start growing as far as a security professional they're going to keep their eyes open and they're going to get poached by somebody so you want to come by also keep that in the back of your mind now sis outstanding security officer will range from on 250k to $380,000 US Standard right so with $380,000 you're talking to JPMorgan Citibank big regulatory Banks and so forth a lot of regulatory requirements you're going to command that kind of money and I've seen some upwards of $500,000 for a security officer I don't know it's plain to man I ain't getting paid that for the matter is is that that's that's really good if you can get it good on your right but you're talking to Cisco is probably making it on the average between about 180 to $200,000 with compensation packages and so forth may have bonuses in there you may not depends but that's about the average rate for a security officer depending on the size of your organization security card to text about 85 come in at now these numbers are numbers I pulled off the internet I don't know what they're worth you can say hey I'm more free undergrad well it doesn't matter what you think you're worthless best comes down to what they're willing to pay you so you got to ask yourself is 85 264 scooter architect that'll get most businesses in a really good spot it really will security analyst about 5280 that's about depend on the analyst that you pick up it'll get you up half to two-thirds there so you can wait payscale.com and again it fluctuate terribly but I will say it hasn't gone down it's gone up so these numbers are based on night 2017 2016 numbers to any way you can play with the rules title something else to play with if your HR person you're going well and I don't know if I want to hire a security officer cuz the moment you put out that I want to hire a security officer goes up I want to hire a security leader okay or like a director of information those titles you guys are well more verse in that than I am however you can play with that little bit the following is you get what you pay for and you get with your title is always look for a way to grow somebody into this role if your small to medium-sized business look too grown into it having the title of Cisco can also affect other things and you need to keep that in mind you can use it like carrot if your HR you know what I'm going to give you this title but only after X amount of years and you show consistent Improvement then we'll give you that moniker now it just because you give him the title doesn't mean you're going to pay him that right but it also helps them onto the next role as well certification so you got to ask yourself is do you require certifications prior to hire locations of tuffnut and I'll be honest with you I level of Creedence and certifications in the fact that they're getting harder and harder to accomplish you've got to have some level of expertise like the cissp foundational knowledge before you can even become certified get into that certification earlier but you don't become quote-unquote certified until you reached all the requirements and one of them is time in the seat basically time in the jet you're you are you're inexperienced your experience as paying off so those things are good I see valuable things in there now however experience in many cases over a certification just because the experience can go way further than any test you take so that's where is HR of got to weigh all this stuff out some people say I got to have Security Plus certification I got to have cissp I got to have Network plus I got to have but in reality the only as good as the person takes the test and obviously you know you got to do the interview process and so forth but those are going to get into the gate so cissp certified information security systems security professional certified information security managers of cism CompTIA Security Plus good foundational course just get the basics certified ethical hacker and then g-sec which is a Sans giac Security Essentials so all of those are very valuable and they're great ones to get you somebody started and if you're going to have to have a certification requirements you yet you can cut out the feel a little bit from everybody throwing their stuff their information out there then do it like that you know these are some really good certifications to use if you're looking for Lobster who's trying to apply for the role and they don't have a cissp and you don't want them I mean realistically cuz that's just part of the entry to get in and the test is a booger it's painful and sucks really really bad but it's important to do and it does give you some fundamentals and foundational aspects that use myself as an example I didn't have before the role I was and I didn't have a real good handle on disaster recovery and business continuity however the cissp help help get me set up so that when I did that opportunity to come up and I had to talk about it I actually understood what they were getting that so that's the foundational aspects around it okay hope you enjoy this time