Infosec Recruiter Interview: John Maughan and Chris Currie
Information Technology is the engine room of the modern business, according to recruitment consultancy ITHR (IT Human Resources) in London, England.
If that statement holds true, then it wouldn’t be a stretch to suggest that John Maughan (an ITHR senior recruiter) and Chris Currie (an ITHR IT resourcer) are in the business of helping companies to keep their engine rooms functioning properly.
Established in 1998, ITHR, which has around 50 consultants, provides IT/IS professionals and employers with recruitment solutions. InfoSec Institute recently interviewed Maughan and Currie for their take on the IT/IS industry in the UK.
1. What positions are currently in demand?
Maughan: One of the key areas we’ve all been concentrating on is penetration testers. Here in the UK we have sort of a governmental scheme. They check accredited penetration testers. [Penetration testers] go onto client sites doing an overview of their security procedures. About 90% of the time they go to a customer site, the first problems they encounter…are security passwords that really aren’t that secure. They’ll use the common ‘admin1’ or stuff like that. It’s a hacker’s dream… And these [penetration testers] are going, spending a couple of days there and saying to these companies, ‘Look, your IT really needs to have a lot more secure passwords than what they have set up before we get into the nitty-gritty of seeing how well your web-application side is.’ So there’s been massive demand in this area over the last 18 months.
Currie: At the moment, I’m currently looking at a couple of different industries within the security space and there’s a lot of demand for guys experienced at dealing with cyber crime and also e-crime as well. Cyber threat intelligence analysts are guys that are quite highly respected—guys that come from a network-administration background, network-engineering background. They’re the guys that are going to be brought in on massive salaries to try and prevent any little flaw in a network for a company.
2. What positions are currently seeing a decline in terms of demand?
Maughan: Over the last three months, I’ve found that a lot of customers and clients have said, ‘Well, we’ve paid a lot of money setting up these new firewalls, bringing in the latest technology. But still the improvements that the [vendor] said it would [provide]... haven’t materialized. We don’t know who to turn to.’
Currie: I agree with John. Protection is kind of a dying market. It seems like prevention is the new protection.
3. What hard and soft skills are most in demand?
Maughan: We often get job specs from our customers, from our clients, and they come through in three or four pages. They demand the latest of certifications, the latest of accreditations, which is great. When I’m looking for guys, I look at where the guys have worked. I don’t just look at the first page where it’s got the accreditations. Where these guys have worked and how long they’ve worked there, for me, is more important than a few certifications. They might not have the latest accreditations, but that might be because the companies they are working for at the moment aren’t putting them through the latest accreditations that are coming out yearly. So, in terms of technical background, it’s what they’ve done, what sort of environment they’ve worked in. But when you’re speaking to guys, it’s then definitely more the soft skills in terms of how they come across, what sort of team environment they’ve worked in, how big a team environment, what sort of customers they’ve supported. That all adds weight to a person’s application rather than a guy that’s got all the accreditations under the sun, but he’s basically been training for four or five years and has had very little on-site, real-time work experience.
Currie: I do agree with that. It’s sort of the chicken and the egg thing. If you want to get into a good company, you need to have experience, the harder skills. If you’re going to bring it back to basics, obviously it makes sense to have some kind of programming knowledge behind you. If you have any of the cores, then you can’t really go wrong – your C++, your Java, your networking skills, probably a degree in some sort of computer-based or network-orientated course.
4. What technologies are most in demand and what technologies are dying?
Maughan: One of the massive demands is penetration testers, the guys that come onto the sites—they’re highly in demand. They’re sort of your ethical hackers and they often have a web-based-application background. They can come from a variety of backgrounds. In terms of technology, I think these guys see security in a different light than other people. They sort of can see it as a whole picture. Penetration testers are looking at it in a completely different light.
As a recruiter, you’re speaking to companies that are very much looking at the forefront of the new technologies, but you can’t neglect the customers that haven’t got the budget to spend on their IT network, on their IT infrastructure. There’s always going to be the customer looking for the latest technologies, latest information, latest guys that are up to speed; but for me, as a recruiter, there are just as many customers that are saying, ‘Yeah, we’d like to bring this in, but unfortunately our company’s budget goes elsewhere. So we still need guys that have good knowledge to support the older technologies.’
Currie: If you’re going to go the ethical-hacker angle, you’re definitely going to need to be able to program in one or two of the cores. There’s such a broad scope for all this stuff. There’s always going to be a demand for the new stuff. Companies always want guys that are clued-up on the latest technologies, the latest programming languages. But they always spend for the older stuff as well. It’s always changing and companies are always going to want different things. It’s just keeping on top of what’s current.
5. Who was the last security person you hired and what set that candidate apart from the pack?
Maughan: The last guy that I just placed was a CREST-certified penetration tester. In terms of what set him apart, he can go very much on the technical level. But then, with what he does in terms of going on site to these customers, he can give it in layman’s terms as well. ‘If you don’t introduce this, if you don’t do this, these are the problems you can have. It will cost you x amount. But, if you don’t bring it in, these are the issues you face.’ He gets it very much straight down the line.
6. How has your department grown and/or changed? How do you expect it to change in the future?
Maughan: When I joined, there was a team of two or three of us in our department focusing on infrastructure and security at ITHR. And now we’re a team of eight or nine at the moment. We’re always looking for guys to join us.
7. Without naming specifics, what are the biggest security threats?
Maughan: A lot of clients aren’t focusing so much on your external threats, your worms, your Trojans, your hackers, et cetera, as they are on your internal threats. It’s making sure that internally you’re secure. That’s a key thing. There are so many ways you can access information whether it’s as old school as calling up and getting through to someone who might not know procedures, policies within a certain company and getting information that way, or if you try to hack into a network, hack into a server. It’s sort of educating within as well as making sure that your new people that are joining your company know what the procedures are if certain things happen.
Currie: Here in the UK there seems like there are a lot of remote database-security threats. These big companies… are getting hacked by guys that are 15, 16 that are using simple network scripts. These big companies haven’t wised up to the fact that nothing’s being done quickly enough. It’s costing companies massively at the moment. They’re now trying to get people in, trying to get specialist teams in that can deal with it. But there are not enough people. The demand is there definitely for hackers from the other side to come join the good side, if that makes sense. That’s my understanding of the industry at the moment.
8. What’s the hardest part of the job and what’s the most enjoyable part?
Maughan: To me, it’s educating customers. Because of the boom within the last three to four years, I think certain customers or certain companies have taken on a lot of the market and taken on a lot of the guys by paying above and beyond what individuals should be valued at, because there’s that demand. And I can understand it from both points of view. I can understand it from a client’s perspective. They’re saying, ‘Why should we be paying x amount for this guy? He’s only got two years’ experience.’ Then their competitor down the road will say, ‘We know the value of that guy within 18 months’ time, so we are prepared to pay him beyond market value to get him on board now.’ I tell clients, ‘There are only a finite number of guys that are available, that are looking or that are coming out of universities at the moment, and they are an in-demand sort of skill set at this time. If you don’t look at them, speak to them, there are 10 other companies that will.’ It’s more about [ITHR] getting the right candidates and then going to the markets and saying, ‘Look, this is the guy I’m working for. This is his background.’ And within a day, if I can approach 10, 15, 20 companies, I’m 99.9% confident that 90% of those will say, ‘Yes, we are interested in him.’ So it’s finding the guys and going to market with them rather than finding companies who are looking.
Currie: From a resourcer’s point of view, there’s no particular part of the job that isn’t difficult. But I guess when you’re hiring for something that’s quite niche, where there’s no supply, it’s tough trying to find those kind of different candidates. If you don’t put in the time, you won’t reap the rewards. So that’s probably the hardest part of the job—spending quite a bit of time if you’ve got something really obscure. My most enjoyable part of the job is placing someone in a role that they’re good for.
9. Which certifications and degrees, if any, do you see as important for hiring and career advancement?
Maughan: Within the last three years, guys have been coming out with degrees that give them an insight into specifics of security tools, give them first-hand experience…in IT security. You need guys that have a good background in network infrastructures, your Ciscos, or CCNA [Cisco Certified Network Associate], CCNP [Cisco Certified Network Professional].
Currie: From a security point of view, obviously you can’t go wrong with a degree from a reputable university in something computer-based. It shows that you’ve got quite a good technical background. That will cover both the theory and the technical aspects as well. And obviously it breaks down into your different niche certifications as well. One of the trickier ones to get, which requires five years of professional IT-work experience, is a CISSP [Certified Information Systems Security Professional]. That kind of splits into a number of different branches or niches. Another good one is CompTIA as well. If you see a Security+ or a Network+, it’s always going to be thumbs up. It always stands out whenever I’m looking for something involving security.
10. What will get your resume thrown in the trash?
Maughan: It’s difficult to say. We see so many CVs. The mistake a lot of people make is putting too much information on it so that it just doesn’t flow. For me, the things I want to see on the first page are degree, education and grades. What certification he has got comes next. I look for companies they’ve worked for, how long they were there.
Currie: Like John has said, we look at so many CVs a day. Sometimes, obviously, it becomes a bit of a routine. You want everything laid out nicely. If it’s all cluttered and all over the place, it’s just difficult to decipher what it is you’re trying to show. Obviously a CV is not 20 pages long and it’s not one page long. With UK standards, it’s two to three pages. Make sure it’s nicely spaced out and shows everything you need to show.
11. What would you tell a high-school student interested in pursuing IT in college?
Maughan: For me, I would tell them to get a good background. Work in a variety of different areas to get knowledge of the software side, the programming side, the network side. I think that’s what they’re looking for—guys that cover a number of areas within security. If it’s your first opportunity, look at companies that will give you scope to look at a variety of areas. After earning your degree, look at some of the smaller companies that will say, ‘Look, we are looking for a guy to do a bit of everything.’ From that, you’ll find an area that does take your fancy. Then focus on that.
Currie: It’s a long slog. It’s something that’s going to take time. If you’re coming fresh out of college or university with the right qualifications, you’re going to have to start out with the smaller companies. You can’t just go from college, say, to Microsoft. You’ve got to kind of work your way up. A bit of advice would be working with companies on an intern level, get work experience, start off kind of small, get testimonies from these companies that you’ve worked for on an internship level. Just chip away slowly on the market. Like John said, have a good grounding in everything. Then eventually find your niche and hone in on it.
12. What security sites do you visit?
Maughan: For me, a lot of the guys I deal with…do their own blogs. A lot of them are the ethical hackers… They’re the sort of blogs I like to read daily. I always have a look at a lot of customers’ websites. They’re often a good avenue for information.
Currie: You can’t go astray with forums. There’s always going to be a mixture of folks—people that genuinely know what they are talking about and people that don’t. You’re still going to get a good overview of the industry as well—nothing in specifics. You’re always going to get the latest news on security breaches or hackings.
13. Who is your favorite fictional hacker?
Maughan: For me, I don’t have one, really. It’s one of those taboo subjects.
Currie: I don’t condone hacking. From the ethical point of view, I find it fascinating. I’d say Neo from The Matrix. You never really see him hacking in the movie, but I think it’s one of the best sci-fi movies of all time, so definitely Neo.