So, how can organizations make the hiring process less painful and more fruitful?
Need talent? Widen the search
Steve Velasco, a senior cybersecurity recruiter at NinjaJobs, a community of information technology veterans devoted to helping companies find vetted, experienced cybersecurity professionals, says that while there certainly seems to be shortage in cyber talent, that shortage is usually tied to geography – and especially so when it comes to incident response, DevSecOps, threat intelligence and penetration testing.
“Geographically there seem to be holes where no or little talent can be found. Once those same positions open up to a full-remote option the talent usually comes flooding in,” he told Help Net Security.
“For example, it’s been difficult to find threat intelligence specialists in Ohio, but once the position allowed for full-remote work, a dozen candidates were identified within 48 hours.”
He says it’s a fairly common pattern across the board with all clients/positions. The good news is that they are seeing more companies adapting to the remote workforce paradigm as the demand for skilled cybersecurity professionals continues to rise.
Ricki Burke, Director at CyberSec People, a specialized recruitment outfit based in Melbourne, Australia, says that organizations often have trouble finding viable candidates for cybersecurity positions because they can be too narrow in their search.
“In an industry filled with very similar and sometimes confusing jobs titles, you need to dig below the surface to see what a person really does and what their skills are. For example, you could be searching for a security architect or security engineer but within each of these titles there are different types of expertise, so you cannot just go by the title itself.”
CISOs who need to expand their cybersecurity team are advised to critically assess the essential requirements, think about what a candidate could learn on the job and about how they can give themselves more options. For example, they can look for people that aren’t currently in a purely security-related role.
“Many talented people can work in security, such as the developer who enjoys playing CTF tournaments and is studying for the OSCP certification in their spare time, or the network engineer who is studying to be an AWS Certified Solutions Architect and has a good understanding of the security principles in the cloud. Look for passionate people who spend their own time and money to increase their knowledge and skills in security because they want, not because they’re getting paid to do so,” Burke advised.
Finally, he says, if the organization relies just on job adverts to attract candidates, they will be able to assess only a small percentage of the industry. “In a candidate short market, the best people do not have to apply to jobs,” he pointed out.
Feedback and giving back is crucial
Burke advises companies to always reply to candidates who respond to a job advert, as not doing so can put the candidates off from applying for future job openings.
“Security people like businesses who give back, those that invest time and energy into building their brand in niche communities by attending or sponsoring events/conferences or have their people share security research which can increase awareness of that business. If someone is approached by/on behalf of that company or sees a job for that business, they will be more interested,” he added.
The advantages of using a cybersecurity recruiter
Using a cybersecurity recruiter to fill a cybersecurity position comes with many advantages.
“A specialist recruiter who is deep in the security community will understand your situation and will be able to offer advice as well as solutions. They can tell you what other companies are doing and how they have overcome similar challenges. They understand the requirements and introduce the right people to organizations in need. Managers save time by interviewing fewer people and get meet people they didn’t know were open to a new job,” Burke explained.
Velasco notes that, in most cases, recruiters can present a candidate directly to the person making the hiring decision, and that working directly with the decision makers also allows them to find out about requisitions before they are usually posted publicly, which gives candidates a head start in the interview process.
Many of those who think about using a cybersecurity recruiter to find them a job believe that recruiters can make it work even if the position is not a good match for them.
That’s simply not true, says Juliana Riahi, President at STT International, a recruitment company that specializes in finding and placing executives and other top talent in various industries, including cybersecurity and IT.
“Candidates apply for jobs that are not even a close match for their qualifications. They might have broad qualifications, but not actual experience in the specific areas of, for example, software, market space, industry expertise to include customer base,” she told Help Net Security.
Another misconception is that recruiters are usually involved in negotiations regarding salary, benefits or the work/life balance. Riahi says that even though they at STT try to do that for as many of their clients as possible, most recruiters don’t do it as they don’t have the capability or the authority.
She also notes that not all recruiters are the same and that not all are good at understanding what the employer is really looking for, opening all involved to the risk of wasting valuable time.
“If you are not matched with a professional cybersecurity recruiter, not only could they misrepresent you, they could do your career path long term damage,” she warned.
Security roles most in demand
According to Velasco, the top three information security areas organizations are currently recruiting from are threat hunting, incident response, and sales (TAM, Customer Success, Pre-Sales and Post Sales).
Riahi notes that given that the CISO role has evolved to one of major significance in the continual challenge of finding balance between allowing access to data and overseeing, maintaining and protecting the data from theft, malicious use and destruction, high profile CISOs who want to change jobs are definitely sitting in the catbird seat in regards to new opportunities.
Advice for CISOs
Her advice for a CISO that’s on his/her game and wishes to transition to a new role is to first engage a top PR firm to maintain and ensure the consistency and accuracy of their profile and get more access to a broad network of credible media outlets.
Aside from that, choosing the direction in which their career will go should depend on their strengths and desires.
If they are good communicator and can create interest and focus in an audience that needs to understand the value of technology security measures, explained in simple terms, a contract with a major news agency could be an option, she says.
Getting on the board of an up and coming, well managed, well run startup can lead to stocks and a big payday. For those looking for less stress, more free time and the luxury of detachment, shooting for the position of a high level consultant with a major consulting firm could be the way to go.
In the meantime and after, they could be of service while also picking up money-making hobbies. “Write a connect-the-dots book, look into becoming a visiting professor for a major university, write a course and a coursebook, share the knowledge!”