Dear Readers, today we would like to introduce to you Marcelo Mansur, CEO at RedBlue Security. We spoke about recruitment in the cyber security industry, trends in 2017 and looking for a job on LinkedIn. We hope you will enjoy it! Dive in!
[eForensics Magazine]: Hello Marcelo, how have you been doing? Can you introduce yourself to our readers?
[Marcelo Mansur]: Yep, everything's going well! I'm an infosec recruiter (for my sins) mainly recruiting pentesters, researchers and exploit devs across the US, EMEA and starting to look at APAC as well. I like dark comedy, bad puns and conversations about hacking.
[eFM]: Can you tell us something about your company, RedBlue Security?
[MM]: I started RedBlue with the mindset of being a security consultancy that offers recruitment as its main service rather than a recruitment company that caters to the infosec industry. I'm creating a recruitment firm that is part of the community rather than one that just supplies it.
[eFM]: Did the change in perspective - consultancy rather than recruitment - change anything in how you perceived your work? Did it change how people perceived you and your company?
[MM]: When I started recruiting in infosec I came in with that mindset already, it was just that I didn't see it manifest anywhere else. I felt more in common with the hackers I was speaking to on the phone than I did with the recruiters sitting next to me in the office. The thing is, a lot of recruitment firms sell themselves as consultancies but then still have the culture, processes and attitudes of a recruitment firm. That's not like us at all.
[eFM]: Where does the name of the company come from?
[MM]: Red Team and Blue Team. We recruit both. I'm just more focused on the red team side at the moment. To begin with, it was just a working name before I came up with something with more gravitas, but it just stuck. I'm still considering changing it at some point but every day that passes that becomes less and less likely!
[eFM]: What differences and similarities are there between recruiting for Blue and Red teams?
[MM]: Red team is offensive and blue team is defensive. They're each like a half of a horse suit. They both have a different collective of skill sets though I often find some of the most skilled red teamers began on a blue team and vice versa. Some of the best of each have a background in development / engineering as well.
[eFM]: You are a very experienced recruiter. Why have you decided to go towards recruitment in the cyber security industry?
[MM]: I had a lot of friends in the community before I started working in recruitment, but once I realised I could do the job I chose infosec so I could be involved in this world on a full-time basis.
[eFM]: What would you say is the absolute minimum someone has to know about infosec to recruit in the field?
[MM]: Knowledge can be taught. I'm building my team from people who are interested and will always be interested in infosec and who are either from or can easily be part of the community. My first employee didn't have a relevant background at all, but she was always fascinated when I would talk about it and asked all the right questions and even read a bit about it and watched some documentaries in her own time, so when it was time to grow the company she was my first hire. I have a cipher on my LinkedIn profile which is meant for other recruiters, the first part of which anyone should easily be able to decode. Only one recruiter has managed so far though. She starts working for me in January.
[eFM]: How does your agency work? Do you collect resumes and match people with future employers or do you have a base of companies and look for employees on LinkedIn…?
[MM]: I have a base of companies and I hunt for people who fit their requirements. LinkedIn is great, but I have other methods too. I go to cons and meet a lot of people, I'm on a few IRC channels and infosec chat groups and a few other places as well. Also, if a candidate specifically mentions wanting to work somewhere I'll often act as their talent agent and contact that company about them.
[eFM]: Do you think that LinkedIn is a good source for searching for a perfect candidate?
[MM]: I think it's the best source on the clearnet. Not everyone is on there though, not everyone checks it regularly and nearly everyone has also received loads of messages from recruiters offering them jobs that don't fit their skill set. After enough of these I can't really blame people for lumping all recruiters in one basket and ignoring all messages about jobs.
[eFM]: What are the trends in recruitment at the moment? What do you think will be going on in the industry in 2017?
[MM]: You mean as far as security goes? Exponential growth provided there isn't another stock market correction. Everything will expand, partially helped by blossoming private equity interest in infosec. If you want particulars I think especially IoT, the exploit market, automotive, blockchain tech, SCADA critical infrastructure and hypervisor research. I think the targets will be the same as this year, only more so – there'll be further growth in hiring from governments, banks and IT firms that have a big footprint in the medical industry. I'm curious to see what will happen with the pentesting market in the UK. With a couple of firms massively undercutting their competitors’ fees just to acquire a bigger market share, most of the smaller firms have been acquired by blue chips, for better or for worse. Generally for worse as they usually try to implement a blue chip corporate infrastructure, and however gradual this is, it normally has the effect of making the employees run for the hills. Also very skilled pentesters are in short supply and high demand. A lot of companies are unwilling to pay “above market rates” for these candidates meaning the candidates end up contracting and are able to undercut virtually every firm on the market, since they'll get 100% of the proceeds rather than being on a salary. Something's got to give.
[eFM]: What would have to change to better the situation?
[MM]: I think general awareness about how necessary infosec teams are and to give security departments all over the UK bigger budgets so they wouldn't need to choose the cheapest options. Then security firms would be able to charge more for their services, pay their employees more and invest more in training their staff which would then improve the standard of work and would make their clients more secure. The US has a better understanding of this than the UK and parts of Europe.
[eFM]: Is there any particular feature/skill companies look for in the candidates?
[MM]: Depends a lot on the company but in a candidate-driven market it's companies that need to think about what they can do to attract the best candidates. Interesting projects, the possibility for remote work, low travel requirements, time for personal projects and other cool benefits are a good way to do this. A lot of companies think that having a great culture and a work-hard-play-hard atmosphere is a unique selling point. It's not, that's pretty standard in infosec.
[eFM]: What do you think is the biggest challenge the industry is facing at the moment?
[MM]: Hiring is naturally what I have the most exposure to but I'd be shocked if it wasn't in every company's top three pain points. You don't need to be a recruiter to know there's a huge skills shortage in infosec. Clients (companies to hire for) are easy to come by when you have a good reputation. It's finding the right people for them that is rather more difficult. Aside from that I'd say growing attack sophistication and training layer 8 are probably the other two.
[eFM]: You have experience in wine and spirits… is it still your passion?
[MM]: Haha - “wine specialist” at Waitrose meant spending 90% of my time putting bottles of wine on shelves. I actually enjoy wine and spirits far more now than I did then. I was 18 when I started that job. My introduction to wine came from an ex-girlfriend's father who had his own cellar. On hearing that I didn't like wine he said, “Marcelo, wine is as varied and diverse as music; there are some vintages you just won't get on with, no matter how famous or popular they are, but you'll always find something you like.” Anyone who's ever drunk wine with me will probably be rolling their eyes right now. I've quoted that a lot.
[eFM]: What are your plans for the future?
[MM]: Set up an HQ in the US and build a larger team. The visa process takes a while though. At one point I was planning on taking a year out, doing some intensive computer science and technical infosec training, getting myself up to a decent standard and then opening a pentesting arm to my company, but I've since decided against that. As fun and interesting as it would be, I don't have a natural flair for technology so it's best to stick to what I'm good at. There are a couple of other areas in infosec I'm getting involved in but that's all I'll say about that for the moment. I've also set my sights on speaking at some of the other cons in the world. I've done DEF CON, HackMiami and BSides – I'd like to speak at them again and a few more BSides, but also DerbyCon, CanSecWest, Black Hat, InfoSec Europe, HITB, ShmooCon, ToorCon, 44Con and a few others.
[eFM]: Any piece of advice for our readers?
[MM]: Make sure you love the work you do. Passion and enthusiasm transcend education and qualifications.
Marcelo Mansur is one of the world's most skillful and knowledgeable headhunters specialising in placing penetration testers, offensive security engineers, vulnerability researchers and exploit developers. He is the Founder & CEO of RedBlue Security, an international recruitment agency that shares the culture and interests of a security consultancy. He is heavily embedded in the hacker community and travels regularly speaking at conferences and attending local security meetups.
LinkedIn: Marcelo Mansur