About this Episode:
How has the Covid-19 pandemic affected the employment prospects of cybersecurity professionals? In this episode, Owanate Bestman, the founder of Bestman Solutions, will share his take on what you need to know to stay employable in troubled times. Discover areas of growth in security, what employers are looking for, and what skills you’ll need in 2020 and beyond. Listen up!
TestGuild Security Testing Exclusive Sponsor
Micro Focus Fortify is the recognized market leader in application security and is the most comprehensive and scalable application security solution that works with your current development tools and processes. Try it today
About Owanate Bestman
Owanate is the founder of Bestman Solutions, a search and selection firm dedicated to meeting the demand for cybersecurity skills. Owanate advises CISO’s and Heads of on market factors which could impact their headcount goals and designs bespoke solutions to address this. Firmly embedded in the cybersecurity space, he possesses a strong network of exceptional technical and non-technical security practitioners who have assisted leaders in meeting their business objectives.
Owanate has spent almost a decade recruiting in the Cyber Security field, securing individuals and teams which meet specific technical and/ or leadership requirements for some of the world’s most innovative firms, to the mutual benefit of individuals’ career progression and the needs of the company. Before this Owanate recruited Technology and Operational Risk specialists, during this period he was successful in staffing several high profile banking regulatory programs.
He founded Bestman Solutions in 2020.
Connect with Owanate Bestman
Joe [00:01:44] Hey, Owanate. Welcome to the show!
Owanate [00:01:47] Hey, thanks for having me.
Joe [00:01:49] Awesome. Great to have you. And I'll be honest, it's the first time actually having a recruiter on any of my podcasts. In the U.S it might have like a negative connotation so I'm just curious to know like what is the life of a recruiter? Sometimes people think they just try to get them into jobs and then it's done but it feels like you have more of a personal hands-on approach than that.
Owanate [00:02:06] Yeah. Listen, I'll tell you something. The connotation doesn't only lie in the U.S. There's a little bit of a stigma attached to my role as a recruiter. But the further that you climb up in the two chain, the more you add value and it can be seen as a pushy sales role. But as you get on, no one likes to be sold to. So it becomes more of a consultative role. But I'll tell you something, the stigma is strong. And it's not just in the U.S.
Joe [00:02:36] How do you overcome that stigma? It does sound like you do more like you try to match the right person with the right job. and not just trying to get a cut of whatever you get from getting that referral is that how it works?
Owanate [00:02:47] Yes, that's how it works, I think. I mean, how you get over that is you specialize within a certain area. I think I wouldn't advise recruiters to try and place any in everything because you can't then be a specialist. You can't try and place a first-line support person in the next role you're working as a project manager then the next role is a Java developer. You burn bridges because you're learning and as you learn, you make mistakes. So if you're gonna make mistakes, make them early, make them swift and make them within one particular area. Now, how you overcome that is you don't give the hard sell, you just build relationships and you need to be a people person. I won't say it's so much of a secret, but you don't need to do that much to stand out as a good recruiter. It's a case of knowing your subject matter. Realize that you're dealing with people, not products. Get back to them when you say you're gonna get back to them and sounds great of a cliche, but just be straightforward and honest with it. If I don't have anything for you, buddy, I don't have anything for you but I tell you what we can do. We can try to approach these organizations and so forth. So and people respect you more because you own (??). And the security, just digressing over security is very incestuous. And what I find is that it's initially hard to get people's trust. A lot of the security practitioners start with the glass half empty. So you need to earn the trust. And once you've got the trust, then it's cool and it's okay. And they tell their people and you just spread organically from there and it's free doing it that way rather than paying for expensive advertisements.
Joe [00:04:27] Very nice, so you said it's good to have the recruiter that actually specializes in an area, so why cybersecurity for your specialty then?
Owanate [00:04:35] Oh, right. Well, number 1, I fell into recruitment and any recruiter, at least on this side of the pond, they say that they started recruitment consciously. I purposefully I highly doubt that. So I fell into security and I started placing I.T. first to third line support. Then I moved into operational risk in another organization, and that blends nicely with security. I'm fortunate enough to have started my career in recruitment security before it was such a big thing when security was just seen as a blocker to the business. So I didn't have that much competition. So I wouldn't say that I chose security by design. I kind of fell into that as well. But once I got the taste for it, I wasn't going anywhere because I said it's a difficult area to break into. But once you're there, you've gone so far into the river that there's no turning back. You're in it for the long haul.
Joe [00:05:31] Awesome. Sounds like it was a good choice, because when I look at things like the US has something called a job outlook for different professions, and one of them is cybersecurity professional, I think they said the demand in this area for that type of role is gonna be higher than average from 2018 to 2030. So why do you think there's such a demand now? Has there always been a demand for security? And that's how you actually said, oh, yeah, this is probably an area I definitely wanna focusing on.
Owanate [00:05:56] I wasn't aware of the demand at the time when I got into it. A few years afterward, I kept on hearing this figure being bandied out four million, and the figure was that there will be four million unfilled positions in security by 2022. So, I mean, I start when I start doing more research and becoming associated with more associations within security, I realized that there really was a skills gap. Now there's a skills gap. And whether that skills gap is translated into actual positions is something else. So what I found still was that even though it's an area that's highly sought after and high-end managers want a lot of talent within that, they still want the best talent and it's still tough to place people. So it's not a walk in the park by any means. So I wasn't aware that it would be such a… I won't call it lucrative, but reputation, really lucrative and path. Wasn't aware of that.
Joe [00:06:53] Go you. And so I'm curious also of things have changed. I think I watch the presentation of you in 2019. It's only a year ago, but it seems like a lifetime since everything we're going through.
Owanate [00:07:02] You're telling me.
Joe [00:07:05] I think you said that it was a candidate-driven market back then and the candidates could choose between three to four opportunities. Is that still the case this year, especially with Covid 19?
Owanate [00:07:14] On the whole, no. It's, what we're finding is that there are more candidates on the markets fighting for fewer positions. But let's not forget that security is vast. Security is broad. We have the non-technical areas, the GRC governance risk and compliance, even data protection that falls in the security business continuity that also falls under security policy assurance and right the way through to the technical side of things from Pen-Testing to security architecture. There are certain areas that do have a strong skill shortage and candidates can take their pick over where they go. Part of this key area is DevSecOps and the need to promote more secure applications at a swift pace. So there's a real skills gap here with organizations wanting to marry up the release of swished applications with secure applications and security practitioners who understand the language of the coders and to create a more adhesive culture, as well as being able to roll out a secure application as swiftly as possible. That's a big skills gap, and that's certainly an area that will grow. I mean, the last record I checked was maybe I think it was IBM study that hundred and eleven billion lines of code written every year. I think you'll know more than me and I'll be in every coder you speak to. I don't think you'll find one that says that the same that he or she is going to write less code this year. It's just constantly increasing. So with that increase comes more vulnerabilities and security is primed for that. But on the whole, it's a buyer's market out there. And a lot of high-end managers and friends who call the shots in terms of what they're looking for and more importantly, what they pay as well because of Covid. But this should not last forever. We are seeing some improvements.
Joe [00:09:08] Interesting. I think also in the same presentation, you mentioned that the security positions were harder to fill remotely for some reason because people want everyone on site. Well, obviously, that's not the case. Can't be the case during the Covid 19. So do you think there's gonna be a shift where security positions will be more accessible to remote positions or will it still be… require someone to be on-site?
Owanate [00:09:29] No, most definitely. I think in terms of the mandates I'm working on now when the mandates are being prompted to work on in the future unless there's a man managerial and a bad man, I don't mean gender man or female managerial aspects of it. Unless you are managing a team, then there is a very relaxed approach in regards to where you are based. Now, the more technical you are, the more relaxed the approaches and even pre-Covid. I mean, most pen testers were working from home anyway. If you do get a pentester for a contract position, one of the stipulations was, “Hey, I'm home-based. Is the client go with that?” And they are becoming more cool with that over several, over a number of different areas within security. So, yes, we are expecting more flexibility and I'm seeing more flexibility as to where individuals are based than it actually opens things up as well and actually works quite well for diversity reasons as well. Not to digress too much, but there are single parents and certain childcare responsibilities that can't travel halfway around the country to work on the job of their dreams. Now, at least there's an opportunity to do that.
Joe [00:10:38] Absolutely. And, you know, you didn't mention there is a skills gap. There are some skills shortages, one of them being DevSecOps. So it seems like now, where was like a candidate can make and call the shots, it's like the employers are now being able to call the shots. So what could set someone up apart from other candidates in an employer's eyes at this time? Like any other skills besides DevSecOps or is there any certification you think are really hot that security professionals could have to help their chances of getting hired?
Owanate [00:11:07] Yeah. In terms of certifications, I'll start off with that first. I think sometimes firms can be a little bit OCD about certification. Years ago when you saw a job specification all they listed was security certification is necessary. Now they meant anything. They meant CISM, CISS, CERA, CISA, CEH. But now we're seeing firms being a lot more prescriptive with qualifications and certifications they're looking for. But I don't wanna put certifications on a pedestal here because let's face it, I don't mean to make any enemies by saying this, but it's a very lucrative industry. What certifications prove from my conversations with hiring managers and from the people I faced, is that it evidences that you have working experience of that particular field. Now, many people would pay for certifications and not have adequate work experience and just assume that they want to land that position. Nine out of 10, it doesn't really work that way. It's a case of getting the work experience first, which can be a lot harder, a lot harder than it sounds. Even if you put your hand up at your existing firm and get involved with a project, even on a more voluntary basis, that will bridge the gap between where you are now and where you want to go. And that's more likely to land you that position and the certification is just an icing on the cake, and it is the ability to demonstrate to the hiring manager that you can back up your experience with sound methodology around that.
Joe [00:12:48] How do you stand apart now from all these other candidates since it seems like the job market is a little heating up more for candidates or for employers?
Owanate [00:12:57] Standing apart is somewhat challenging because, for every application you put into a position, it's extremely competitive at the moment in terms of who you are up against. Even individuals who have more experience looking to take less money because of the current climate. And by standing apart, you need to promote yourself and you need to be a salesperson that starts in your public profile. That's in your LinkedIn profile. That also starts in your CV as well. There are 63 million decision-makers on LinkedIn. But yet when I look at some LinkedIn profiles of security practitioners, they, number one, don't sell themselves. And sometimes it's hard to tell specifically what they do within security. Now, I say that because 77 percent of recruiters use LinkedIn globally. Now, I'm not too sure what the other 23 percent are doing. We'll be frank with you. ut by raising your profile and putting a good effort into your LinkedIn profile, as well as looking for positions instead of going to the Martin, you also let the Martin come to Mohammed. Now, there are recruiters that, what, not just myself, who works for an external headhunter. There are people that work internally as recruiters for an organization whose main role is to find people for their position. How are they gonna find them? They're gonna find them doing a keyword search. So it's sometimes going back to basics. When you apply to positions you must spell out security over and over again. You must spoon-feed the first person viewing your CV. Your LinkedIn profile without giving too much away. You don't necessarily need to give out any confidential to them. But you must be able to sell your skillset. And specifically what you do within security, either what you do or what you want to do. And you can tailor your profile to what you want to do. I'll tell you something that surprised me. A lot of people didn't know this. When you apply for a position, the first person to look at your CV have the assumption that they don't know security because the first person to look at your CV is not the decision-maker at all. Often the decision-maker will review your CV at the latter stages, the second stage, the third stage of the assignment. Now, if you're dealing with someone that doesn't know what security is, what they are going to be doing is they're gonna be looking out for security, security, security. If security is not in your CV, if it's just to say it's Pen Testing or you're just abbreviating USOC, what you're using all the time, there's a strong likelihood that your CV will be relegated down the list even though you have this suitable skill set. So it's almost a case of stepping back and thinking at a more simplistic manner. On top of that, there are algorithms that will decipher where whether your CV is shortlisted or whether your CV is rejected. And if these algorithms aren't programmed correctly by the first line and by that I mean those reading your CV. Then if you use too many abbreviations, then you're CV could just get lost, whereas you very well could be suitable for that position. So it's good to go back to basics and realize some of those fundamentals.
Joe [00:16:09] I'm glad you addressed that. One of the questions I had was how do most agile folks know what they're looking for in a security professional? Sounds like most of them don't. So besides security, I know you don't want people just stuffing the resume with random keywords, but are any like the central keywords every security professionals should have besides spelling it all. What are some examples of other keywords?
Owanate [00:16:30] All right. Yeah. One of the good things is to go straight to the qualifications instead of I mean, obviously, you need to be quite experienced for this. But instead of CISS, spell it out Certified Information System Security practitioner and put CISS in brackets. CEH., instead of putting that, spell out, put security qualifications and then hyphen Certified Ethical Hacker. The same is CompTIA. If you've got CompTIA, which is Ssecurity+, which is a really good entry-level qualification, by the way, I strongly, I highly recommend that. Spell that out. If you're just starting off in the field and you have a degree in Information Systems and your dissertation was on something to do with security, spell that out. If even to the point of physical security you need to spell that out. But also there's something called and I revert back to the phrase spoonfeeding moving the LinkedIn profile aside, I wanna let the listeners know something. There's nothing wrong with having three or four different versions of your CV. Nothing wrong with that at all. Let's just say you're experienced and you apply for a position that's more project orientated and you've been, you've led a number of projects to do with the implementation of a new tool. You can have a PM orientated CV. Let's just say you also manage a team. You can have a more managerial related CV. Per CV it must tie in with the job specs you are actually applying, for the position you are applying to. And look at the first you bullet points and of what they're looking for and your CV ideally should reflect this. Once again, you're either spoon-feeding the person that doesn't know that much about security, or you're spoon-feeding the algorithm and letting them know exactly what they're looking for. So everything on a reactive basis is within the job spec on a proactive basis that must be a happy medium within your LinkedIn profile. So security vulnerabilities, threats, mitigation, spelling out your certification even within your interests, you know, follower of this security association or that security association that has to be spoon-fed. Assume you're speaking to a child. And it sounds a little strange because if you're in security, let's face it, you're pretty smart or at least smarter than me, but you need to dumb down what you've done because the person looking at I don't need to patronize anyone. I'm sure there are a few exceptions to the rule, but in many situations, the person looking at your CV in the first instance is not a security expert and may not be working on a security role next. I've got in mind.
Joe [00:19:15] So, I don't know. This is technical but then if someone really wants a position, they would look at the job requirements and just create a unique CV, a resume specifically for that position, rather than having broad four of a maybe. Is it overboard to have one tailored specifically in the words of the employer that they want to work for who's using?
Owanate [00:19:34] Yes. The reason I say that is not because it would look like subterfuge or anything, but because it's a lot of time and effort.
Joe [00:19:41] Right.
Owanate [00:19:41] And we are seeing one position released and up to 200 applicants applying for that position in the first 48 hours. And that is not an exaggeration. So I wouldn't in good faith advise that. I think I'll have some a few threats by my e-mail say that you know I just wasted 10 years of their lives. But what would eventually happen is if you start off within that vein, you can have about four, maybe five different versions of your CV, and then you will train them out per their assignments. But I will add a disclaimer in this, and that is your LinkedIn profile must be a happy medium. And that takes a little bit of skill because you don't want to look like you're and I'm not advocating anyone to lie in their CV at all. But if most experienced practitioners put everything they've done in their career within their CV, you'll be looking at or as you Americans say, resumes. I'll stick to that. Sorry, Okay. CV It's not curriculum vitae. It's a resume. So if you were to list everything you've done on your resume that resume, it would be 15, 17 pages long and no one would read it. So be selective based on the positions you are applying to. And it's gonna get to a point you're going to have resumé one, two, three, four, five. You see this position ah it's managing a team. Has/ Must have technical knowledge of this tool or CV four is perfect for that. And your LinkedIn profile and all other social media must be a happy medium.
Joe [00:21:11] Very cool. So besides technical skills, are there any, like, common skills, particularly in security that people look for, you know, teamwork? I guess it's just a buzzword. Everyone there was (unintelligible) anything like kind of niche within security that's well a lot of a soft skill that a lot of teams seem to be looking for.
Owanate [00:21:25] Yes, this is niche, but it's often cliched. And I've heard it for a number of years and I keep hearing it. And that is the ability to relay technical aspects to a non-technical audience, and that is from mid-level positions all the way through to CSO positions. And it makes sense because if you were in front of the business or if you're CSO and you're in front of the board, you know, they don't care how many false positives you found in this month's metrics. What they care about is what does this mean for the organization? You know, how this affects our risk appetite? Does it mean, are we gonna find, you know, have we been breached? How does that affect our bottom line? How does it affect the shareholders? So an appreciation for business as well and also an appreciation that security works for the business and it is in line with their risk appetite. So that's a soft skill that has not gone away. And it's pretty transient from mid to senior level. Every now and again, I speak to a hiring manager about maybe juniorish position. They might bring that up, but it's not really the end all and be all. Things such as an inquisitive mindset, I think that's absolutely crucial. Not to accept things as they are will seem to be the key things. Yes, we hire a team player as well. That's also important. Yeah, I think that's how it's summarizing.
Joe [00:23:01] Nice. So I guess another question I have, this probably hurts for a recruiter. I know the last time I got a position based on my resume, it's always been I knew someone and they go to my website and then they contact me. So with 200 people applying to the same position with a CV or a resume like is there anything else I could do to stand as the best to have someone within that company that they can reach out to or any other hacks like that that they could use to help elevate themselves?
Owanate [00:23:28] Yeah, you're absolutely right. And, you know, I love these positions where you'd have 200 people apply in the first couple of days is often not from a recruiter. It's often from the internal recruitment team. And yes, it does kind of hurt. However, who do you know within the organization? You know, often you need a predecessor in that organization, and saying this remember, are you familiar with the phrase Six Shades of Kevin Bacon?
Joe [00:23:55] Yes, yes. Yup yup.
Owanate [00:23:57] Well, I feel like it's two shades of security. It really is because it's so incestuous. So if there's anyone, you know, within that organization reach out to them so that they can put a good word for you. And the thing is, I would tell you something. And I last week I got I received a call from, well, she's not chief information security officer, but she may as well be in regards to the level she's had. No, she said to me, yeah, well, we're recruiting for this position. I'm not allowed to use recruiters. Otherwise, I would have used you. We've had 200 applicants. he said over 200 applicants. And this position has been out for three days. We've got one internal recruiter guy because we let go of the rest. We don't know what to do, how we're going to you know, how we're gonna manage this to work? Two hundred. How are you gonna sift through that? I said, I'll tell you what, I was in a similar position recently, which is true, and let me send you some profiles. These guys are good. You know, I know you can't use me within them, so I send her the profiles. I know at least one of them got an interview. I'm not getting anything for it. But the fact that someone close to her was able to get into her air and said, this is the kind of individual you wanna be going for, you know. Any sort of connection. It doesn't need to be someone that's worked there. And that's a beautiful thing about LinkedIn as well. I don't know any other network that can give you that sort of exposure to who you are connected with and who he or she is connected with at all. I think you need to be a little bit brave. You need to get out of your comfort zone and you need to ask the questions as well. If you see that position and you've seen how many applicants are applied. Well, nothing wrong with picking up the phone to the hiring manager or send in an email to the high manager or HR. Whoever is listed, pick up the phone to them, send them a message. These are all little things that help you stand apart. And I'm assuming that it may very well be out of your comfort zone because those kinds of behaviors are usually associated with salespeople, people that can yes, people can sell themselves. And, you know, it's not in everyone's nature, but it pays a lot to get out of your comfort zone because you immediately stand yourself apart from the competition, because you could tailor your CV all you want. But if you're one hundred and forty-six out of 200 applicants and they just look at the first 50, well, it's much you do about nothing.
Joe [00:26:24] So I guess that's one of the benefits of using a really good recruiter like yourself. Like this is Owanate a certified person. So we'll bump them up in the queue. Is that one of the reasons or benefits of using a recruiter as well?
Owanate [00:26:35] Yes, but it all depends on the organization as well for my wanting, my advice, and everything I'm willing to give even before I earn any sort of fee. A lot of the times we got a phrase in the UK, I don't know if the US, have it. It's “computer says no”. And that phrase is, it epitomizes the fact that processes can get in the way of common sense. So it could be a case of “No, we're not using any recruiters for this or you're not on our preferred suppliers list. So we're just dealing directly with it.” All this time, they could just look at the first 50 people and just do a word search and interview individuals that are not suitable. In the meantime, it leaves suitable applicants hanging. Whereas a recruiter such as myself can come in and say, look, all right, come to the market with this. You're looking for someone with these particular skill sets. Well, I've shortlisted these five profiles for a number of reasons. One of them being that they come from a similar organizational size so they can roll the sleeves up or they're not siloed off within one particular skill sets. I've got reservations about this one, for this reason, however, this one's a shot and you can really add color and real commentary to it. And it's left on the organizations to open their minds to that. It's let me know if I'm going off on a rant here, but it amazes me how organizations will sing from the rooftops about we do things differently. And, you know, we want a diverse workforce. We like to think outside the box, but they still follow the same stringent archaic processes many organizations do. And that's to the detriment of the talent pool that gets into their organization to not only secure their systems, peoples, and assets but also to be an ambassador for their organization as well. So it's just one of the ongoing battles of a recruiter.
[00:28:38] Okay, Owanate before we go is there one piece of actionable advice you can give to someone to help them to security career or job finding efforts? And what's the best way to find and contact you or learn about Bestman Solutions?
[00:28:51] The main piece of advice I'd give is to get out of your comfort zone and network. The more you network, the more individuals you'll meet, the more knowledge you will have about the organization's unique challenges they are facing. In terms of finding me, people can go to bestmansolutions.com. And also on LinkedIn. Owanate best man at LinkedIn and I'm very approachable and happy to answer any questions. One thing I will add as well is that we were talking about certifications. Last month, I compiled a list of 10 free training courses in security and free. So instead of necessarily investing in a certification, you are not sure you want to do because this, you know, this time and more importantly, financial implications associated. Feel free to check that out as well. So it gave Scott (??) Cryptography and some of the basics of Pen Testing as well. AWS and fundamentals. So these are all free. And it just gives you a chance to test it before you spend money on it. And that's I don't want causes myself. Well, those are some free ones for you. So it's of no benefit to me.
Rate and Review TestGuild Security Podcast
Thanks again for listening to the show. If it has helped you in any way, shape or form, please share it using the social media buttons you see on the page. Additionally, reviews for the podcast on iTunes are extremely helpful and greatly appreciated! They do matter in the rankings of the show and I read each and every one of them.