We have another great interview for you! Our blog is getting better and better every day, we hope you agree!
Today we would like to introduce Kris Rides, CEO and Co-Founder of Tiro Security. We talked about some very important issues concerning recruitment in the cybersecurity field. Kris told us about the challenges of providing staffing and professional services to clients, and we discussed what qualifications a good IT security specialist should possess. Enjoy!
[Hakin9 Magazine]: Can you tell our readers a little about your company? What do you do?
[H9]: What was the reason behind creating Tiro Security?
[KR]: I had spent 14 years in tech staffing all for the same company and was itching to start something of my own. Meanwhile, one of my best friends, Rob Pope, was having his second cybersecurity business acquired. We got talking about demand in that area and where we saw gaps, and thought we had a unique proposition.
[H9]: What kind of challenges does your company face? Do you prefer to work with small companies or big corporations?
[KR]: On the staffing side, the challenges are getting clients to move their processes quickly enough to get the candidates they are looking for. Many clients will apply the same process regardless of what skill they are recruiting for, and in a high demand area like infosec, that's not going to work.

On the professional services side, the challenge is often getting small to medium businesses (SMBs) to understand why security is a worthwhile investment. Thankfully, many of these clients are driven by the companies for which they are vendors to ensure a certain level of cybersecurity is met. The cost of the Target breach, which came through a vendor, has topped the $250M mark now. That has given the audit and compliance departments more power when selecting suppliers, and so now SMBs are actually seeing a good security program as a competitive edge.
[H9]: What should the recruiting process for infosec look like? Why doesn't applying standard recruitment procedures work properly?
[KR]: Things have to move along quicker because the candidates are in higher demand. Waiting several days before giving resume feedback, and then setting up interviews with, in some cases, weeks in between, doesn't work. Most candidates are part way through the process elsewhere, so if you don't move quickly you tend to miss out on your candidate. Also, many job specs are wish lists taken from job specifications found online. My advice to clients looking to hire is to decide what is absolutely essential and then what's desirable, and to ensure your internal and external recruiters understand that, to give you the greatest pool of candidates. Other than that, in such a candidate-driven marketplace, take the time to give detailed feedback to ensure you get better candidates.
[H9]: Tell us about the professional services you provide. How did you end up providing from recruitment to professional services?
[KR]: Rob’s first company was one of the largest penetration testing companies in the United Kingdom before it was acquired. We realized we could fulfil our clients’ penetration testing needs with his hands on manual testing skills. We were dealing with CISOs who were making hiring decisions whilst they were also the ones looking to bring in third parties for these testing projects. The Target hack brought the need for vendors to have a certain level of security to the forefront, and the next thing, we had several Fortune 100 companies recommending us to their vendors.
[H9]: The penetration testing space is very competitive, what made you stand out to Fortune 100 companies?
[KR]: Most Fortune 100 companies want to work with smaller, cutting edge vendors that supply niche solutions. A majority of companies expect vendors to pay for their own security testing; it is preferable to have a trusted company perform the testing, and that’s where we come in. We provide affordable services better tailored to SMBs’ needs than some of the security testing giants. We have a simplified reporting structure, and we will then handhold companies through the process following a test. Off the back of this, we have helped our clients put together security programs from scratch, helping them write policies and choose software and third party providers. Many of our clients use our Virtual CISO to manage the project.
[H9]: How does your “Virtual CISO” service work?
[KR]: The Virtual CISO works very well for SMBs that don’t have the requirement or the budget for a full time senior security staff member. Perhaps they have client or regulatory obligations and need to ensure that security related projects are being moved along. This is where having a Virtual CISO, who is retained to work an agreed amount of days per month and to be available outside of that, will help.
[H9]: You offer permanent and contract staffing. Which is more difficult to recruit for? Which is better from a cybersecurity standpoint? Or does it depend on what a company needs?
[KR]: They are both challenging and involve a lot of networking to build a strong candidate base. My recruitment team attends all local conferences and is heavily involved in the local infosec community. Giving up time in their evenings and weekends shows our candidates and clients that we are genuinely passionate about what we do, and also helps to build trust. Contract staffing is particularly hard to recruit for—permanent employees are paid so well, and in the U.S., benefits such as healthcare are expensive. Therefore, the pool of candidates who are able to do contracts is much smaller. There are benefits to both and only the hiring company can make that decision based on their needs.
[H9]: You hire IT security specialists; how do you choose them? What qualifications should good IT security specialists possess to be recruited by you? How could they impress you enough to get recruited?
[KR]: We have a small team of security professionals working on our professional services team. Rob Pope, my fellow founder, has been working on the technical side of information security for over 18 years, and has founded two previous infosec companies which were both acquired. When it comes to checking their technical expertise, I rely on him for that side of things. We also look for candidates with solid commercial experience and the ability to communicate well. We are often holding our clients' hands through their very first security project, so we must be able to communicate at all levels within the business so that what we do technically will have the desired result.
[H9]: On the Tiro Security website it says that you present clients with an original and unique IT Security recruitment partner that has a variety of technical skills. Can you explain? What makes your company so special?
[KR]: There are a handful of recruitment companies that truly specialize in information security and even fewer that have cyber security staff in-house. On top of this, every Tiro Security recruiter is passionate about information security and volunteers time towards non-profits such as the ISSA, Cloud Security Alliance or OWASP. Since we are so knowledgeable, we have developed a reputation for being able to help our clients when no other staffing company has been able to. A great example of that is a client of ours who had been looking to fill an open requirement for 8 months using multiple agencies as well as their own in-house staff. From the day of being engaged, we had the requirement filled and the candidate started within 3 weeks.
[H9]: We keep hearing about talent shortage in cyber security. Do you see it as well? Is it a big problem, as far as you are concerned?
[KR]: Yes, we do also see a talent shortage in cyber security; it is a big problem, as we only see demand increasing as companies build out their teams. I am personally on the advisory board of Cyber Watch West, a nonprofit whose mission is to increase the quantity and quality of the cyber security workforce throughout the western United States. I also am on the advisory board for California State University Fullerton, helping them put together an extended education cyber security program. I think it’s important to do what you can to help when you see an issue in your industry.
[H9]: In your opinion, is education the best place to start fixing this problem?
[KR]: Yes, although it won't fix the problem on its own. We need to encourage students to specialize in the skills that are missing as early as possible. Many great cybersecurity people are self-taught, and we need to enable them to do this in a safe environment and then have further education for them to progress on to.
[H9]: What is a “hot job” in cybersecurity?
[KR]: All areas of security are hot right now; if you wanted me to pick one specifically, I would say application security is probably the area where we have the most requirements.
[H9]: Your company offers its services mostly in the US; can you tell us about cyber security there?
[KR]: I am from the UK originally, and I'm not sure it differs hugely, other than perhaps any regulatory requirements. Taking state-sponsored attacks aside, the people looking to take advantage of your vulnerabilities really don't care where in the world you are; they just want to take what they can get.
[H9]: After 16 years in tech recruitment, what is one thing that you think no one expects is true for your job?
[KR]: We are a boutique firm, and when you’re this size, CEO really stands for “Chief Everything Officer.” My job is to do whatever it takes to move the business forward. I think that’s the same for any person running a small business, so I had to initially learn our accounting software, chase clients for payments, write marketing material, and fill in any gaps where we didn’t have the need or budget to bring in expertise.
[H9]: Tiro Security is active among cybersecurity associations. How do you think it helps? Is it just about networking?
[KR]: For recruitment in niche areas like security, it is really important to have a great network, but this isn’t the only reason to get involved with cybersecurity associations. By being part of the community, you keep up with the latest news, you build a reputation, and you establish a level of trust by giving up your spare time to help in the industry. It also builds confidence in your product and ensures you’re ahead of the curve, offering clients services before they realized they needed them.
[H9]: Do you have any thoughts or experiences you would like to share with our audience? Any good advice?
[KR]: If you're looking to make a move into cybersecurity, my tip is to learn some programming languages (Python, Ruby, etc.). You will be surprised how useful this will be, regardless of the type of cybersecurity job you are looking for. Also, practice your written and verbal communication skills; a great place to do that is at your local cybersecurity associations / meetups. Pick a topic you are interested in and put together a presentation.