I discovered Jeff Snyder’s Security Recruiter blog the other day via Rothman’s blog, and I read his latest post about what a banking client was looking for in a security candidate. Seems like they want someone with “Risk Management” experience and “a deep understanding of Regulatory Compliance issues.” Makes sense. But wait! There is a caveat!
My client wants a candidate who has worked with regulations that have “Teeth”. In other words, while HIPAA is most definitely a body of regulatory compliance mandates, the argument was that to date, nobody on the call could think of a person who had gone to jail over a HIPAA issue. However, make a crucial privacy mistake in a bank or financial services organization and somebody is in serious trouble and could end up in jail.
So basically, they would not want me because most of my compliance experience lies in HIPAA. At first, that got my hackles up because I feel like I am as good as anyone working on SOX compliance. But then I thought better of that feeling. Because even though I feel like I did a pretty good job at getting my previous employer compliant, I also know that the more I worked there, the less pressure I felt to get it done because the news stories kept coming down about problems, but no one was getting in trouble!
So, like the title of this post, I understand where Mr. Snyder’s client is coming from. If you ain’t felt the pressure, then you might not have done the best you could. They need someone who can work with that Sword of Damocles hanging over their head.
In general, Jeff Snyder’s blog is an interesting read. There is some good insight into what firms are looking for in a security professional. I suggest taking a look.
Vet

Jeff,
First, I think your blog is in a unique position and will likely gather a large readership if you keep the format as it is now. It is unique and gives insights to what employers are looking for that are hard to find.
Second, I do not think I was being critical of your post in any way, and I was careful to say that the request was coming from your client and not you. I have no problem at all with what you just wrote.
Third, good luck with the blog, and thanks for reading. I hope your “stumble” led you to a blog that you will come back to in the future.
Michael
Michael,
Thank you for sharing your thoughts. On a daily basis, it seems like I am getting more and more calls where the questions are starting to overlap. While I would like to answer each person’s questions directly, there simply aren’t enough hours in the day. So, I was encouraged to try to answer the questions that are rolling in by way of a blog. Tell me how to make my blog better if you have suggestions because I’m a rookie at blogging!
Not knowing what a blog should really contain, I’m taking my best crack at sharing information that is shared with me as I work with some of the best security and risk management people in the nation on a daily basis.
When you read my blog, please understand that there is a fine line between my opinions and those of my clients. With regard to the blog that you found, it really was a client’s point of view that some regulations have teeth and others do not. I’m just the messenger in this case.
Specifically addressing a bank CISO retained search I am working on right now, maybe this perspective on regulatory issues might help you to understand the executive team’s point of view. The CIO has asked me to find someone who can run the information security department while at the same time this person is also responsible for moving the bank’s technology risk program forward. This person is also the bank’s point person for outside regulatory agencies. (A huge responsibility)
In this search, I have had to reach out to Officer and “C” level security in the banking industry. Yes, candidates have to understand regulatory pressures from the FDIC, Federal Reserve Board, OCC, SEC and others but as I started to interview candidates, I quickly understood my client’s point of view more deeply.
Understanding a laundry list of regulations is not enough. The appropriate candidate will have been another bank’s point person when it comes to who stands in front of the outside regulators. The point person (if they’re good) will have a somewhat intangible skill set of knowing what to say, when to say, what not to say and to whom to say. This skill set can only be developed by having prior experience working with outside regulators.
I stumbled across your comments to my recent blog so I hope you don’t mind the response. If I can be more helpful, let me know. Also, I recently created a resume template for technology risk management professionals. No, I don’t have the last word in resumes or anything else for that matter. I simply sit in a position where I see some of the industry’s best resumes.
I take information from the best, sanitize it and then piece it together with other best of breed resumes and provide data to help others in the technology risk management space to do a better job of marketing their skills.
Finally, I already admitted that I don’t really know how to write a blog so don’t hit too hard if you don’t like what I just wrote. If you go to what I wrote today, you’ll see that I am building a partnership with a group out of Washington DC that is made up of several of the strongest Risk Management professionals I’ve encountered anywhere in the industry. I’m really excited about where this relationship is headed.
As time goes on, I should have some really good information to build into a blog. I’ll be learning from the best of the best in areas such as Bioterrorism, Anti-Money Laundering, Identity Theft, Fraud, Bank Secrecy Act, Executive Protection, Maritime and Port Security and much more.
Jeff Snyder
SecurityRecruiter.com
877-417-6830