The timing is no coincidence, experts say: The rapid-fire succession of major hacks of security and technology firms this year -- think HBGary, Epsilon, Sony, and RSA -- has driven home the reality that no one is safe from attack.
Big-name security firms, like RSA, and incident response company Mandiant recently have carved out new CSO positions and filled them with big-name security experts. The beleaguered Sony also has created its first-ever CSO position.
Security professional recruiter Lee Kushner says he has been inundated during the past few months with requests from all types of industries, including travel, leisure, retail, and hospitality, looking for security professionals with hands-on experience and expertise in identity management, SIM, vulnerability management, data-leakage protection, GRC, and incident response.
"The two areas where people are hiring are candidates with three to eight years of experience and have a really developed technical skill, or candidates that have demonstrated leadership experience or subject-matter knowledge in any of these areas," says Kushner, who is founder and CEO of L. J. Kushner and Associates.
He believes this increase in demand for more skilled security help, as well as the big CSO hires, is in reaction to all of the recent data breach news. "We're seeing a lot of people retooling and recommitting to their [security] programs," Kushner says. They now realize if they don't do it right and get hacked, the business will suffer, he says.
Bill Phelps, national practice manager and senior executive for Accenture's information security professional services and consulting practice, says the big shift in security hiring began about a year ago. "For the last year, it has been a very tight market. We're hiring, and all of the major [players are hiring]: Deloitte, PWC, and boutique managed services companies like Verizon and Secureworks," Phelps says. "Everyone's hiring."
CSOs are getting more of a voice in the business now, too, with many of them now vice president-level rather than just director positions, he says.
Security firms are also creating CSO positions that draw on their internal security experiences for customers, as well as from their customers' experiences, to shape their product directions.
Take Mandiant's new CSO, Richard Bejtlich, who just got a second title added to his business card: vice president of the company's managed services offering. His counterpart at EMC RSA, Eddie Schwartz, also wears two distinct but related hats in his new role as the first CSO of EMC's security division, where he works closely with the security firm's customers.
Bejtlich, the former director of incident response and head of General Electric's computer incident response team who was named as Mandiant's first-ever chief security officer in March, says businesses are finding that their security leaders need to interface with both their internal security operations and with those of their customers. "I literally have the same concerns [our customers do]: They're concerned about intrusions, insiders, supplier relationships, vendors, travel overseas -- the whole gamut [of security]," he says. "When I talk to our customers, I know what they are experiencing."
He says the shift in the CSO role demonstrates what's also happening in the CIO and CTO worlds: The job can no longer be just "inward-facing," but requires interfacing with customers, as well.
RSA's Schwartz serves as the internal security exec for the RSA division of EMC and also interfaces with RSA's product strategists and customers to keep the product lines in line with the threats. "A lot of customers are facing the same problems. Part of my job is to talk to them" and help shape RSA's own offerings based on what customers are facing, he says. He works closely with EMC's global security office and its global security officer on internal security issues, and RSA's office of strategy on product strategies for its customers.
Security executives are grappling with how they can set up the proper incident-response processes and how to collaborate and share experiences with other companies. "What security executives and [other] executives want to know right now is, how can we have effective processes in times of crisis when we're suffering the kinds of attacks like RSA, Lockheed Martin, and different government agencies are suffering?" RSA's Schwartz says.
"If you take the viewpoint that the attack on RSA was an isolated incident, that would be a very naive viewpoint. You have to believe that all authentication systems would be fair game for adversaries ... there are certain classes of adversaries that are going to specialize in different types of attacks," he says. "So how can companies get together and talk and get more visibility [into these threats]?"
Meanwhile, there's still a shortage of skilled security talent. "There's no pool of talent waiting out there," Mandiant's Bejtlich says. "People who know how to handle intrusions or clean-up ... have already been hired."
About half of Mandiant's new hires have been hot recruits of talented junior-level people, he says.
Nicholas Percoco, vice president at Trustwave and head of the company's SpiderLabs ethical hacking team, says he combs hacker conferences like Defcon, and places like Brazil, to find indie researchers who fit the bill for his firm's research team. "Skilled security people are not easy to find," he says. "Our most recent hires are not people whose names are known in the industry; they are people who we've discovered."