The Security Circle

EP 014 Abigail Moss Discussing 'Why Are So Many Employees Tentatively Looking For Another Job?'

Abigail Moss Associate Director EAMES Consulting Season 1 Episode 14


Abigail Moss is an Associate Director at Eames Consulting, where she heads up our growing Cyber Security, Information Security and Digital Trust Practice 

 

Abigail has been working in recruitment for over 15 years, always in high growth sectors. She has been with Eames for the past two years, where she has grown and developed the Cyber Practice, personally leading on all senior cyber security hiring at Eames, and her established team of cyber recruiters supports a large number of Insurance/FS clients in building out complete cyber security teams. Abigail is a passionate advocate for Equity, Diversity and Inclusion and sits on the internal ED+I committee at Eames. Prior to joining the business, Abigail has a wealth of experience in recruitment, working in her previous agency for nearly 12 years.

 

Abigail is aware of the importance of understanding changing attitudes in the workplace and has spearheaded various reports and analysis to understand the changing landscapes, most recently producing a report into understanding the changing attitudes and trends in the cyber, infosec and digital trust marketplace.

LinkedIn Profile
https://www.linkedin.com/in/abigaillmoss/

Website
eamesconsulting.com/ (Eames Consulting)

Phone
020 7092 3253 (Work)

Email

abigail.moss@eamesconsulting.com


Security Circle ⭕️  is an IFPOD production for IFPO the International Foundation of Protection Officers

Yoyo

Hi, this is Yolanda. Welcome. Welcome to the Security Circle podcast. IFPO is the International Foundation for Protection Officers, and we're dedicated to providing meaningful education and certification for all levels of security personnel and make a positive difference to our members' mental health and well. Today I have Abigail Moss. She's the Associate Director of Eames Consulting. She leads the permanent cybersecurity desk responsible for all permanent cybersecurity hires in the UK. If you have been thinking about moving into cybersecurity, we've got just the person for you. She's been in recruitment since 2008, so very seasoned I would say. She's passionate about working with candidates to help them to advance their careers in business. The cybersecurity market, as we know, is rapidly changing, and there's always something new to learn. We are going to talk about a recruitment survey that Abby has produced, focused on workplace trends and attitudes, and their findings are amazing. Welcome to the Security Circle, Abby. Thanks so much for having me. Really excited to talk about everything today. Really. Well, we are talking about your favorite subject and that does help. But look, let's go straight in, this security survey. We've already had a conversation about it. I think it's phenomenal. It's, thank you. It's very, very current, very relevant, and you're asking all the important questions. So starting from the very, very beginning, if you don't mind, what made you do this survey for the recruitment? So I've noticed there's a real shift where in the marketplace, particularly within cyber, pretty much everyone I speak to, even if I'm hiring for them, is tentatively looking to make a move. And I've been in recruitment, as you said, for a long time. Probably could have recruited Jesus, a couple of his apostles. You never know. And I've never seen the market so, so volatile.
So I really wanted to get under the skin and find out why there was such a shift for people to be wanting to make a move that the last time I remember it being like this was sort of six months after the Lehman Brothers banking crash, where nobody moved for like six months and then everybody started moving once the dust had settled. But this feels like it's sort of been a bit more long term. Some of that, of course, is due to COVID and, you know, there's been, it's a weird world we're living in, right? There's been a collective global trauma that people are basically just ignoring. So I wanted to sort of understand the composite factors around that, because ultimately for me to do my job effectively, particularly in permanent recruitment, it's about understanding why people are looking to move and making sure that if I'm saying to someone, look, quit your job because this job is going to be a better step for you in your career, it's going to improve what you're looking for, then I have to understand what's going on in the rest of the market. To your point about the market being very volatile, 'cause I think that's very interesting. What sort of indicators do you get as a recruiter that the market is volatile? So you, typically, you know, pre-COVID you would have, you, they would be almost like a third of people who are actively looking, a third of people who are actively hiring, and a third of people who are somewhere in the middle. What I've seen in our space, at the moment, pretty much everybody is hiring. There is a massive skills gap, so therefore everybody is, if not actively looking, tentatively looking. And you've got an increasing number of pressure on people because unlike a lot of spaces where there's been a kind of gradual expansion of the industry as a society, opened ourselves up to a lot more risk because, you know, March 23rd overnight, we, everyone moved to remote working. So you've got a lot of legacy issues in that sense.
You've also got the fact that the expansion of of threat actors has changed. And the other thing is that y you know, you won the clock back even, you know, three years. You could say, well, I'm too small to get hacked. I'm too small to be a victim of a threat actor. Whereas now, You can be a one man band and still lose. You can be an individual person and have your photo cloud soul, and people want you to give them Bitcoin to the tune of a thousand pounds. So yeah, ev all of those composite things have made the landscape change so much. And then there's the, uh, expectations and the education piece that needs to happen with within wider businesses. So I, I really wanted to get under the skin and find out what was happening that maybe I don't see every day. So that I can then provide one better, more meaningful career advice, but also when I'm speaking to businesses who are saying, Hey, Abby, I can't hire and I get a lot of people telling me that I can go to them with tangible, empirical fact and say, this is the problem globally. This is the barometer of where clients are at. I reckon that you are at this point, and this is the changes you need to move to get to this point. Now look, that's a very good segue into the research that you've done. Uh, and it's fresh off the press really Abby, are we chronically understaffed? Let's tackle that very first important part. I mean, basically yes. And there's a lot of evidence that supports that. So that's not new information. So last year there were 1200 permanent vacancies in the UK within the cyberspace that weren't filled. Which, and that's due to a talent shortage. So when I was asking the question, had a series of, of statements that people had to answer, how strongly they felt about them. So 46% of people said that staffing in the strongest terms was a problem. But then 83% of respondents said an increase in staff would have a pivotal impact on their team's performance. 
you've got half of the people saying that there, there's not enough people to do their jobs effectively, but almost all of the people saying we can really do with some help guys. And sort of dipping into that data a little bit more to understand that, to give some meat on those bones. One of the questions I asked is what the most significant change to people's roles had been over the last six months, that could be job title, salary, or an increase in responsibility. Over half of people cited the increase in responsibility as the most significant change. So that tells me companies are taking advantage then they are demanding more from their existing workforce. There's clearly a shortage vacant posts and the expectation that the workforce pick up the flack. I think it's like that in a lot of understaffed sectors, right? I mean, you only need to look at what's happening with the nhs, with paramedics, with firefighters, with teachers. It's not it's not a new problem to have a sector that is understaffed. What is interesting is that this is, uh, this is predominantly within the private sector. This is predominantly people who weren't under as much scrutiny three to five years ago. So the scrutiny has increased. The responsibility has increased. In a lot of cases, the salary hasn't increased. But the same number of people who said that their teams were chronically understaffed, Is the same number of people that were experiencing burnout. So half the professionals are experiencing burnout in the cyber space. When you compare that to wider tech, you're looking at about 18 to 22%. Okay. So let's talk about burnout then. Tell us about those, statistics. I mean, they're pretty damning. When you sort of, uh, jump into it, you've got 83% of people saying that they need more people to do. To do the job better. One of the questions we asked was around mental health and 85% of pe of movers. 
So we, we termed movers as people who would be open to changing jobs in the in the next 12 months, of which we had 70% of those in our survey, 85% of the total respondent said that the impact on their mental health was a key factor and. When you sort of dip into that data and sort of understanding where that might come from. only 61% feel that cyber is taken seriously, is an integrated department. You've got a colossal number of people talking about missions and values and feeling more aligned with that to help them to do well. And 78% don't feel that they're getting the acknowledgement to begin with. When I sort of looked into the more finer details, like free text box, the information pretty damning. Some of the things that people have said in terms of why they're experiencing burnout unstructured wa ways and unavailability of support from manage. The job load is not manageable. The workload has simply run me down. I've never been this run down. The team simply is chronically understaffed and I just dunno how much longer I can go on. I mean, death, that's a huge cry for help, isn't it, that individuals, this is a very strong indicator as well, that there is a high likelihood of some mental health impact there. Uh, to anybody who's feeling like that at the moment. I mean, what would you advise apart from obviously get another job that's more money and less stress? So one of the questions that I always ask people when I'm speaking to them is, are you really okay? And you find a number of different ways to ask that because sometimes people just need to talk. Because I, my, my area of expertise is basically senior appointments. So I might be speaking to his chief security architect or a CSO or someone. 
So if somebody's experienced a breach and they've been, you know, three, four weeks of 90 plus hour weeks to try and resolve the situation, and I know a couple of other CSOs who have been in that experience as well, I might send a few WhatsApps and be like, look, there's someone I know who's really struggling. They've gone through a pretty major breach. I've done all I can to sort of help them. 'Cause a lot of people call the recruiter first. I'm like, why are you calling me? Should be calling the ICO. I'm very low down on that list. Yeah. But I, you know, I do, uh, I do genuinely try and help. So I've been able to set up some peer-to-peer conversations. I think the most important thing that I would say to anybody to do if they are, you know, that particular individual, I know the person who made that comment in the survey and helped them to access help through their GP. And sort of make some next steps for them. And but I think find someone that you can ask for help from and make sure that you are getting it. And my experience is a lot of CSOs feel frightened, or senior security professionals feel frightened, to admit how much pressure is. But when I've been able to empower them to have conversations with whoever it is that's managing them, the CFO, the CEO, whoever, they're always surprised at how understanding those people are. And I think that part of the challenge with the cyberspace is it's, you know, it's 15 years behind the rest of the tech sector, right? So we, they don't know how to talk about their mental. You know, that's, that really surprises me. But I've also come to learn that CISO, the Chief Information Security Officer role, is quite an isolating role. You know, you don't have a lot of peers at your level. There are very few people that, you know, you can trust who are confidants in your business. And most of it has to be external. And there are huge amounts of pressures and probably for some organizations, a high degree of lack of support.
You know, and so you've gotta see, so there saying, look, uh, I think we can be better, but how open is the business to listening? So that's another very frustrating element notwithstanding obviously uh, being subject to a significant breach. Exactly. And we're hearing it now all the time, you know, these breaches. So look let's talk more about, uh, this 72% voicing that a company's approach to supporting mental health and wellbeing is focal. Yeah. It's it for them. That's what, what is gonna make life better for them? So they, if they were looking to move, that is something that they would want to focus on. What was interesting is to everyone that I spoke to and my team in its entirety carried out the survey, so I didn't speak to every respondent myself, but it came into sort of a recognition piece, recognition of the stress, recognition of the hours, recognition of the fact that actually insecurity you are con you are in a state of kind of constant. We call it, uh, left of bang. If you wanna Google, if you wanna Google left of bang. Uh, it's quite a cool, It just like, it's in summary, it's a bit like being ready, alert all the time. You know, you are expecting the phone to go off and you are not, it's not very relaxed when you are in, when you are like that all the time, it's not very relaxing is it for your life? No, or whatever it might be, it's hard to get that perspective that you might need. And so because you're in the, that this state of high anxiety and high preparedness, that has a huge, you know, knock on effect. Right. And when and. It kind of ties into one of the other things that came out of the survey, the biggest change across all respondents, or the biggest thing that would make the most pivotal impact to people's ability, feeling more valued, feeling more aligned, et cetera, would be that recognition from leadership. So when I spoke to people and said, well, what does recognition look like? A bonus, is it uh, is it praise? 
One of the guys I spoke to said, I just want someone to recognize how hard my job is. And that and that was really interesting because the majority of respondents didn't know how risk adverse their leadership team was. Yeah. So that kind of makes sense, right? But if you are managing risk, particularly cybersecurity risk, and you don't know what the tolerance level is of the business that you're working for, then it must be really difficult to feel motivated, to feel empowered, and to have that level of alignment. And so I think it's. It's a lot more complicated when you peek under the hood than. Than people first thought. Right. Because yeah, security people historically have been known as the mercenaries and you just pay them enough and they keep you safe. But it's, uh, you know, we're not in 1993 anymore. Right. So to your point about recognition then, do you think that we are just generally quite poor at giving recognition in the corporate sector? The private sector, you don't expect it in the army. You don't expect someone to say, yeah, well done for, you know, Doing something that most soldiers would say was, would be a perfunctory part of the job. So my question is are we just really bad at it? Because I have a friend, she said the same thing. She said, you know, I've been in my job two years now. I dread my annual reviews because my boss never says anything good about me. He never says, well done. I don't even get an email saying, good catch, or, you covered us there. You got our backs or anything. So she's starting to feel that her boss is indifferent to her existence. And I'm just wondering, picking up on what you are saying. Considering the statistic here says a staggering 93% of professionals in cybersecurity are expressing the need to be more aligned with the company's mission and vision. Well, I wonder how many of them are not feeling very connected to their line management. 
Why is this, I don't expect you to have value the world answer for everything. Well, I've got, I mean, there's a lot of points within that, but I I do have some sort of observations, which I think form part. I dunno if you saw on LinkedIn the other day I posted a poll basically, to whom do you think the CSO should report? Yes. And I think I said straight into the board. Yes, you did. And it's, but what was really interesting is that the people who responded me, I mean, we got a decent number of response, I think 30, 35 responses. So, you know, not enough for it, for me to have included it in the report, but enough for it to be indicative. And there wasn't a clear winner. Yeah, so you know, people said direct into the board. Some people said into the c e O, some people said into the C R o, chief Risk Officer, some people said into the chief financial officer. It's sprawled a separate sub debate as to whom the c o should report, because Yeah definitely not, yeah, definitely not the chief financial officer. Because I consider the CSO role still a security role, right? And so why would you have security reporting into finance? Why would you have security of support reporting into risk when really your your chief risk officer is your. This is who you are, exactly who you're collaborating with, almost on a daily level to get aligned with all of the key strategies. So they should both be reporting into the board in my happy little world. But it's really interesting cuz one of one of my long-term clients slash candidates, dependent on what day of the week it is, drop me a line and said, you know, I actually think organizations should have two CSOs if they're of a certain size. One for first line, one for second line. Oh yeah. Good. And it's like, okay, so then, so the fact is, it's not if you take most other areas, whether it's infrastructure, whether it's software development, there's a pr, there's a roadmap that kind of is the same across all industries. 
Same with schools, right. You have a head teacher a deputy head teacher, you know? Yeah. Then it, depending on the schools, like various other le like middle leaders and then the class teachers it's fairly, you know, out of the box form. Yep. And it spreads the risk. Spreads the risk and it spreads the responsibility in the sense of it's not resting on the shoulders. One person, something goes a bit wrong. Right. Of bank. Yep. Yeah, I see that. And then don't forget, you know, because there's so many parts of a CSO role, the Chief Information Security officers, not only responsible for the systems and the technology, but the direction of transformation projects and, you know, new strategy. As well as, you know, technical support. And then I think most importantly, human engagement. Right? So it's a not for one, one role. Yeah. Yeah. It's a not for one role. And also, you know, the big, the biggest threat to cybersecurity is the people in the org, right? Like, like there's a reason that Zero Trust is still being talked about. And in spite of, uh,, the usability of it as a genuine, Process for life. Yeah. But it's, you know, getting people on the journey and getting non-technical people, even non-cyber people to, like, I, I've had conversations with CSOs who are just like, just a very inward facing chief technology officer. They're not, they, you know, they're all about the architecture and they think security's my problem and you know that, but you know, that's a big huge, we're trying to dust, we're trying to dust the cobwebs off that kind of attitude. Now, that's not progressive. That's not how you keep a business security strategy in alignment. It's not how you all work together on the same page at all. You don't go in and just fix things with one mindset because that's what your specialism is. There's so much to, like, when you think about it, there's, I've, I have seen so many different setups for security teams. 
So you've got some security teams that are federalized where every department has a security person attached to architecture, has a security architecture team, developers has a, you know, a PM who specialism. Security, whatever it might be, and that works in some organizations and other organizations that wouldn't work. Then you have it as its integrated department or in and of itself. Then you have major international companies who group security in, like, digital marketing and data. So the same budget that's going to your Facebook advertising is being competed against from cybersecurity, which sounds mental, but then it leads the cyber security is in a profit making center. So it's a really weird world for such an important industry and an important set of people. Where there is, so, where there isn't a c uh, there isn't an out the box structure for a security environment. And I think that's part of the problem. So when people are talking about recognition, they're not talking about someone saying, oh, good job for turning up. But equally, if you think of people being left of bang, right. Of bang. Yeah. If it, if something goes right of bang. Then. You know, you know what? Regardless of what the outcome is, the soldiers all come, there, there's a lot of camaraderie. Ofsted rock up at a school. The teachers all come together. There's a massive fire and all the firefighters go and do their very best and then come together afterwards. In security, the CISO will bring everyone together and I talk about it being in the rain, right? The CSO will come with the umbrella and keep everyone dry as possible, but nobody's keeping the CSO. Yeah. And because of that, you are having leaders whose mental health, I mean, in some cases are circling the drain, or at least, at this constant high left of bang state. Yeah. And the lack of understanding in terms of what the role entails, therefore means that people are more vulner.
I was gonna say it's very vulnerable, but that's not the word I need. No, making up words is part of being a guest on the circle. Ok. We're going with vulnerable.

Thinking about getting yourself qualified? Try IFPO's CPO qualification. CPO stands for Certified Protection Officer. The course includes security, risk management, effective communications, anti-terrorism, and VIP protection, security awareness, interviewing and statements, legal aspects of security, ethics and professionalism, and many, many more. Sign up to IFPO's CPO Certified Protection Officer Course. Contact us now at www.fpo.org.

Yoyo

So look you've said here, uh, and I'm gonna read this paragraph. So a staggering 93% of professionals in cyber expressing the needs of being more aligned with the company's mission and vision. Wow. I mean, what are businesses getting wrong if their employees are needing to feel more aligned? And that's a high, that's 93%. And Abby, as a second question, you know, is it perhaps because hybrid working is having an impact on people feeling more connected? So there's two questions there and I'm gonna answer them in a reverse order. So a lot of security people, even before covid were even a hundred percent remote or certainly hybrid. So I don't think that's a new challenge. I think that by the way, hybrid working and remote working hel can help to solve the staffing shortage because if, I mean, if you are an application security or a pen tester, you don't actually need to be in the. But you do need to be engaged and supported. And certainly like when we looked at the respondent site it, we haven't put it in the report, but 91% of people said that they are working in an office less than once a month. Okay. Or mandated to work in an office less than once a month. So, and then there was a, there then followed up with a lot of people and that's kind of been the same before the pandemic. So that, I don't think that's necessarily the problem. In terms of what are companies getting wrong? I don't, I think it's, that implies that a choice is being made by companies. This is negatively impacting, and it's a conscious choice. I think. I think it's I think it's more, more complicated and more nuanced than that because the threat landscape has changed. The people who tend to be involved in hiring a c. Don't have the full understanding of that. A lot of the more technical CSOs aren't as equipped to be able to have those influencing discussions to explain what they need, and then those who aren't heard as seriously or feel that they're not heard as seriously. 
And then you roll into it. The fact that governments recognize that, and not just in the UK by the way, like globally, recognize that this is the problem. So they're putting out all this legislation and all this minimum standards and all of these posts that need to be filled without looking at. What's going? I mean, and when they do try and look at the talent shortage, they completely mess it up. Like, you know, suggesting that ballerinas should be security professionals. They, I mean, they absolutely could be. It requires a high degree of precision and learning, but that's not necessarily the way that you would go about it. So it puts a strain on it, right? Like, you know, think of when the government launched their vaccine program. I can remember going with my husband to the local rugby stadium and queuing with what felt like 11 billion people for him to have his shot for an hour and a half in the sunshine. Which was lovely. I mean, we're both very white, so we got quite pink by the end of it. But, you know, but when you that, that required like a wholesale infrastructure pause to. And the cyber industry is being asked to make this wholesale change with no, stop the clock, bring in new people, and you've got people. What was very interesting is that in the survey, and I've, I don't talk about it in the report, so this is like a sneak peek for your listeners. They all talked about how it's important to have diverse employees in a diverse makeup. And the, again, we had very diverse, somewhat diverse, not at all diverse. As such as, and we broke it down. It didn't say, are you diverse or not? We looked at gender, LGBTQ plus race, religion disability. Disability neurodiversity. Yeah. Well, we broke it down. Neuro and physical disability. At or don't know, was an option. Now any of the things that you can't visibly see. I e Yeah. Gender, race people said they didn't know. 
But they said some, they with somewhat diverse gender, with somewhat diverse for race with some, you know, 85%. Of, uh, my respondents were white men of a certain age, so season that seasoned. Yeah. And any, if any of them are listening, you are all very handsome and very talented, and I'm very delighted and humbled that you took part in my survey. And please keep doing that. But my point being that those people genuinely feel that their teams are diverse given the talent pool that's out there, right? So then you need to look at what skills are important, and women self reject much more than men. So I joined Eames two years ago and I had quite a long interview process, some formal stages for some informal, and I tried to rule myself out at the final stage 'cause I saw the job spec. 'Cause I'd never been, I'd never seen the job spec until the final fail. I can't do that. Yeah. I got through, like, so many stages of interviews to that point. And the recruiter was talking to me. Abby, they know what they're getting. They've met you multiple times, like, you know, chill out. So if I can do that as a recruiter and, you know, I'm not backward, women who might, you know, who might be a service desk scandal analyst, service desk analyst would make a great. Infotech analyst or great SOC person or a great, you know, you've, they've got the foundations to be a security engineer or look at things completely out there. I do not believe that somebody who's been working in marketing wouldn't be an amazing IDAM professional or GRC professional. So look at what your minimum standard are. 'Cause I, I go through a process with my clients when I'm taking a job brief called ragging: red, amber, and green. Okay. Yeah. Gotcha. And we, so the, and basically red is, they've just chucked it in there because they think, like, CISM, I haven't seen the cyber spec for years that doesn't say CISM in it. Or CISSP. And do you know how many times people actually.
I mean, if you're talking about the senior appointments, yes, of course. But you know, for, if I'm jumping on a briefing, an IDAM analyst or a tech risk analyst, do they care? No. So that can go. Then there's the nice to have stuff like, you know. Yes. So, DevSecOps role, if they've worked in a CI/CD pipeline. Okay. That's a nice to have. But actually you can still do DevSecOps without having had that level of experience. It'd be tricky if you could do it. So that comes out. And then what you're left with is the only the essential bit. And that still doesn't mean that you're going to get more women applying, by the way, because you'll get men who will apply if they meet 30% of the green, and you'll get women who apply if they meet 95% of the green. Oh, wow. But at least that's a big difference. That's a big difference. But actually if you adjust those parameters and then what will happen is, people will say, okay, well I've seen people that of the green criteria matching 70%, actually I need this 70%. So then take out the 30%. And then again, that will encourage more people to apply. So then that helps you circumvent the candidate shortage. And the crazy thing is there isn't a single senior lit, there's one apart from that one particular person. There isn't a single person who's just said to me, Abby, what do I need to do to make women want to come and work for me? And there are some roles that are not going to be appropriate for everybody. Like, you know, I couldn't do a 24/7 SOC role. I'm a working mom. Yeah, it's, it wouldn't be right for me. But there are some roles that I. Ah, I'm not plying. But I could be a, I could be, uh, I could get, I could go into IDAM quite easily. It's the training period. For that sort of a role. Explain IDAM, identity access management. So a basic identity access management role is looking at provisioning and deprovisioning.
It's looking at pr, setting up processes when a com, when somebody joins a company and when they leave a company. Who can have access to what systems it get. If you think, for example, of an insurance company, there's also certain combinations of access that shouldn't be allowed, and it then with within that space, there's a common sense approach. So for example, you're talking about an insurance company, a house insurance company. Your house is burglared. The first person you speak to should absolutely have access to take that information, see what should be covered by your policy, and then refer you to have some sort of claims assessment and claims adjustment. But they should never ever be the person that approves the claim. Yeah. For example, second line is that you need a second line. You need a checks and balance. So yeah. And that's massively oversimplifying it. And for anybody who is in identity access management, I'm not devaluing your career. I think that you are exceptionally talented people, but my point being that you don't need to have a degree in soft No. Or cybersecurity to do that job. And I think a lot of people think that, a lot of people would want to get into tech or cyber. I feel that they couldn't because they've, you know, they've done their career for 10 20. And therefore that there would be too much of a hit. But actually there are a lot of people that might be wanting to leave another profession and it wouldn't take that long to retrain them. So I think that the industry needs to sort of recognize where there can be quite easy wins. I can see certainly on my own LinkedIn profile amongst my network of people. Certainly coming from a physical security background looking and very open eyes now into moving into cybersecurity or information security, data protection in some form or other. And there are lots of courses out there.
You know, if we exclude the CISM and the CISP and we exclude all those for now, but there are so many courses that you can get started on. As we're finding as well, I think an employer's always looking for more than just what is in your silo. If you have other things to offer, including data protect. Sometimes I think employers are being a little bit cheap because you know, they're looking for somebody with a physical and an InfoSec background. But ultimately, in large organizations, that's two people. That's two people's jobs, you know, and expecting one person to manage both, is that something you come across quite a lot as businesses are trying to group security related things? Yeah. Very often when I'll get a job spec in it, it's just like, Hey, well, you're looking for a whole cyber security team here. Yeah. Take it away. But this is also the problem, right? Like, how many job specs are written in the first instance by someone who is not doing the job? Oh, so many. It's like, right. And so it's a case of, okay, what, uh, one of the que when I see a job spec like that, like. You've got two options when you see a job spec like that. Yeah. Can either say, sorry, it's not happening. Or you can actually try and be impactful and that might mean that you end up walking away from the business, but you have to show why. So I say, look, I've got a lot of questions. Can we have a chat? Look at your job spec. Sit down the c like enjoying your coffee. Good. Okay. Talk important to me. Yeah, absolutely. Have you got chocolate biscuits? Or in our case, chocolate ra. We've got really great chocolate raisin. Yeah, we've got chocolate raisins today. Not chocolate biscuits. Chocolate raisins. Yeah. Good good. Chocolate to ratio. Raisin ratio. Classic, but talking to 'em, saying, look, take the job title. Take, you know, the key responsibility and stuff you described what a cybersecurity team does. What's the mission? 
You know, people coming in, this is a permanent hire. We're looking at a two to three year mission. What does, what's the as-is, what's the to-be, and how do you, what is this individual responsible for? Yeah. And that you don't have with HR, that eventually you do have with someone in a leadership role. Yeah. And they talk you through what the mission is. It's like, okay, well that's not one person, is it really? You've described to me, you've said security specialist. It's my favorite job title, security specialist. But actually what you are looking for is an InfoSec PM. To manage the change you're looking for almost certainly a cloud. Uh, I will accept cloud specialists, someone who's done a bit of architecting and a bit of engineering, and then you're probably also looking for some sort of more junior person, or you are looking for, as you're AWS, whatever, pick your poison. An analyst you're either looking for an analyst and a special. Yeah. Or you are looking for a specialist and a lead and then somebody to mind and when you break it down and you show the client why that is and you show them what they're asking, and well, you know, the person who's leaving is going on to do something else. Why do you think they're leaving? Yeah. And that's, that again, was why did the report, right? Because. Saying, why do you think they're leaving? Like, oh, well they said this. They said that. Okay, well look, this is, I've surveyed people who have been in these sort of roles. I've asked them these questions. We've dug deep. We've really taken the time to understand what is going on because I've got a degree in English literature. And I can't pair my Bluetooth headset with my laptop. I have to get my team to do that for me. Yes. But I understand people, and this is, here go his some empirical fact. You can't hide from it. It's the. Don't feel bad that you can't pair your Bluetooth. I think even for, even IT, it's, tech doesn't make it easy. No. 
For a lot of people, I've struggled with a few things that I shouldn't have struggled with because tech can make it hard for me sometimes, trust me, it's, I feel sorry for people who are retired trying to keep on top of everyth. I was talking to a CSO and it's a CSO I know very well, so is very happy to tease me and be like, can you print? I was like, what do you mean? Can I print? Of course it's looking, can print like what was what around the question. He's like, because people can't print anymore. Like, he's like, the printers are so difficult and so complicated, people can't print anymore. It's just like, and he's like, I've got a theory on that. Abby, what's your, I won't name drop you in case you're listening but you know who you're. What's your theory, friend? And he's like, I think it's something that came up out of as GDPR came in. So the printers make it really hard for you to print so that when you eventually clown print you, when you do print, it's like you've had to go through so much, you know, challenge to get there. I'd love to have a chat with this guy or gal because it would imply that there was a security by design implemented at Dan. I just don't doubt for one second that has not happened because security by design is so incredibly rare. But wouldn't it be good if that was the world we lived in? My printer actually doesn't work well, actually, my printer does work. My printer works beautifully. When it wasn't just like my. No, it's just the tech I have in the house now isn't suitable for it. So even though I've got an, I've got a really old iMac, which I had reconditioned, that won't connect to the printer anymore because the iMac's too old and even the new Mac I have, look at me sounding like I'm bloody nosey. The new, yeah. Very happily. The new Mac I have, whereas only is five years old now, uh, coming up. That's too new for my, uh, printers, I'm thinking was poor print. So the printer's gonna end up on the junk pile? 
Yeah, because it's just redundant now and I just, I feel really bad that. From a sustainability point of view, there's gonna be a lot of tech like that dumped into landfill, and yet it's very usable. It's just the tech is just moving so fast and it's, I mean, I, they you can't, you know that, do you remember the old printers with the fat USB on the one end and the normal one on the other? They don't make those anymore. I've got my printer came and it's like, right. You know, download the app. Like what? Download the app. I don't wanna download an app. I just want to plug it in and Oh, we don't, gimme some ideas there where people make mistakes when applying for jobs for CVs. Let's talk about algorithms. Let's talk about why people might just common mistakes on CVs. It's because I'm aware of a lot of people who are either looking for work or thinking about moving. And so this'll be, let's look at some sort of tips from an applicant's point of. So some places where you upload your CV, dependent on the job board or what applicant tracking system, or ATS as we in the know call it, depending on what is used, if you have too many charts and pictures and, you know, text boxes in, it'll spit it out. It won't like it. So I've had CVs where I, where you as the accent you have to fill in like this. My name is, my email is, my number, and then I'll open a CV and what I see is basically a corrupted data file with like loads of like Wingdings and stuff in it. And I'll call the person and be like, this is what I'm seeing. And you can hear this like mortified pause at the other end of the, it really shouldn't be like that. Like can I send you my CV? They send me this beautifully text box, moved around CV and I know the second that hits my inbox, that one of two things is going to happen. 
My preferred option is I will send them a CV template and they will send it back to me, but people can be quite precious about their CVs and they won't want to change it. So then I'll then have to try and find a way around it, because then my clients will call me up. Particularly, you know, in the insurance and finance space, there's a lot of buffers and GDPR things like, we can't read this, that's come through. So that's a challenge. What is very interesting, particularly in the security space, you're talking about people who check and double check, please do spell. Please spell check. Like, because, and if you're saying that you've got good attention to detail, make sure that you've applied that to your own CV. I think what's happening, you know, when you link it into the burnout stages, that people are hacking it together at like one o'clock in the morning and then doing a kind of mass job application. But actually it's a little bit like when something's happened and you might be really wound up and you write an email, but don't send it till you slept. That's definitely something that I would advise people to do. In terms of the actual application, I recognize if you're talking about company specifics, that there are some portals and I agree that are rubbish. You know, you've got your CVM and they ask you the same information. Do put it in. I know it's annoying. It's not something that we as recruiters enjoy doing either, but do try and put it in and be accurate. Make your profile relevant. So your CV structure should be your name, brief profile. This is what I have been doing. This is what I would like to do. This is why I think I could add value to an organization, and it doesn't have to be particularly more complicated than that. Then keep it clear, so, you know, my role has been this, these are some of my key achievements. My previous role was this. 
These are some of my key achievements. And then the other thing I would say is, don't send me or anybody like a 10, 12, 15 page CV, like, you know, two pages early and then obviously, particularly the market that I'm dealing with, it being senior appointments, earlier career history available on request. Yeah. You know, if you are a CISO, you don't need to put about that time that you were a Health Desk scandal analyst in 1992 or a summer camp in, uh, 1989, or that you were Head Boy Con, Kentucky Fried Chicken, night shift worker, sandwich artist. Done all of those. Cool. Okay. So, uh, anything else? No. In terms of algorithms, when you key with your LinkedIn profile, make sure that you think about key wording. So if, for example, you're a cloud security specialist, put the types of cloud that you are a security specialist in, okay. Because that helps recruiters, a lot of the time I hear things and see things on recruiters are lazy. We're not lazy, we're just stupid. We don't do your job. Yeah. You know, I genuinely could not tell you the pluses or minuses of Kubernetes for containerization. Yeah. I know that it's really popular in GCP. I know that a lot of my Azure architects like it as well. I know that AWS architectures are a little bit lukewarm on it. I can't tell you why. Yeah, I don't and frankly, I don't need to. Right. I'm not being employed to do the job. But help me help you: if you've done secure containerization in Kubernetes, then put it on your CV so that I can find it, because I'm working with half a dozen clients that are looking for cloud security engineers. So if you are a bit more explicit on your CV or on your LinkedIn profile then it helps me and I will tell you what I can and can't understand. Very often what I say to clients is, look, I don't want to waste your time, so please tell me three or four technical questions that I can ask the candidates, but don't tell me the. 
And then I will write down what they say and if it's the sort of thing you're looking for and it makes sense, then you know that they're the right person. But don't tell me what they should say, cuz I'm not going to know if one thing is tantamount to another thing. Yeah. So that helps me to help you. And apologies in advance for anyone who does deal with me cuz I do try my best, but I'm not a technician. No, I think, you know, in the capacity that I worked with you already, I think you're one of the finest. I'll be very honest. So anybody, thank you, anybody who is looking to transition and even want some career advice, you never know whether you are picking up a customer in the future or whether you are picking up an applicant that you can place somewhere, uh, definitely get in contact with Abby. Abby will make sure that we've got your website address, your blog, details. And also we'll put details around for the National Cyber Security Centre. Uh, free cyber action plan. So for anybody who's thinking about moving into cybersecurity or looking to diversify and because it's just appealing, you know, there's a lot of momentum moving into cybersecurity cuz it's not just about being a hacker. It's not just about working in dark rooms on laptops. No. Cybersecurity is about data protect. And if and data protection is a key and emerging part of security, and it's also very vulnerable to emerging and very sophisticated threats. And if you look at the National Cyber Security Centre, also abbreviated to NCSC, they do this free cyber action plan and that basically gives you a baseline of what you need to know for an individual, for families. For solo printers, for business owners, small organizations, and it just gives you an idea about the very baseline that they're looking for. 
And they said on their website, if you look at or provide the details, 39% of all UK businesses reported a cyber attack between March, 2020 and February, 2021. And that's from the Cyber Security Breaches Survey 2022. So probably why there's a lot of energy and fluctuation if we circle back to the very beginning of our conversation. It makes sense, doesn't it? That there's a lot of activity. There's a lot of attention, but maybe it does need a very much a settling down period. Yeah. And just some better understanding about the industry, but when people do see the links to the book, they can download the, uh, the report or the exec summary of the report anyway. Uh, so hopefully that should answer some questions. And just, you know, if you are in cyber, if you're in a leadership role, ask for help if you need it, because acknowledging that there is a problem is part of the way of solving it. And my advice to anyone is don't feel that you have to be the strong and silent hero. The problem with security, and I'm always telling people to not start sentences off with "the problem is", but it's a bit addictive. The challenge in security is that everyone does feel a bit like that. Everyone does take a lot of personal burden. And it's just the makeup of how our industry is. So this survey Good. Is very successful. Thank you for taking the time to do it. So what's next for you? Are you planning to do these surveys again and make sure you keep us tagged in on your polls on LinkedIn? Definitely gonna keep thanking you and thanks for the permission. But yes, this is definitely something we're gonna keep doing. So, the plan is to every six months do some research based off what the last research told us, rather than having like a structured set. We're going to ask the same questions every time if that's not gonna be helpful. I'm gonna be looking specifically around what recognition should look like versus what it does look. 
And also trying to dig a bit deeper into the mental health piece within insecurity. And then something that's come out of it from discussions that I've had from people in the space and indeed like further discussions that I'll be having with other people once they've read the report is, we talked at the beginning about how there isn't a kind of out-the-box cybersecurity setup. One of the pieces that we're going to dig deep into is what should the setup look like, because very often it's the people who are doing the job that can give you some really good insight. So sort of come up with a couple of models and basically see where the industry takes us because it's all very well and good me saying I'd like to, you know, talk about baking, but I don't really think that cybersecurity professionals much care about how fluffy or Moisty Sponge is. But I do think that they would care about how to. Retention, how to improve overall security posture without feeling left of bang all the time. Yeah, absolutely. I've got some with some of the respondents. I've already got some calls and meetings scheduled and if anybody wants to grab some time with me, then feel free to get in touch with me through the link that I know is gonna be in the podcast and be really interested to hear what the industry thinks. Yeah. And I think also just going back to the beginning where we talked about this burnout, I think anybody who recognizes they're in burnout has got to ask themselves some very serious questions. Is this sustainable? Is this something that I should be putting myself through? Because let's face it, we all have choices. Is this going to change? Is there somebody in my organization that I can talk to about it? Are there people in my organization willing to listen? And I guess you kind of going through this mental checklist, if you know that's a no. You've got an alternative. You can either stay and put up with it or you can leave. 
What I say to people is, what one thing would make you feel 5% better? Because we know if we feel 5% better, we get 50% better outcomes. So what one thing could we do? And then that's always a really good jumping off point. So, and it's different for different people. And that's kind of, I guess what one of the research products we around is like what one thing would have that improved? What a way to leave it. So if we feel 5% better, we have 50% better outcomes. Wow. Okay. Don't say you don't learn anything on the Security Circle podcast. Thank you for having me. It's been really lovely. Abby. It's been a pleasure. Stay in touch with us and good luck with your survey and we'll pick up with you certainly the next time another one comes out. Okay, thank you. Really appreciate it. Have a great day, Yolanda.

The security circle is global, and we are thrilled that our listeners are all around the world and in every continent. Thank you for being a part of our journey.