There is no question that hiring a capable Chief Information Security Officer and a strong team of qualified cyber security professionals is a daunting task. The odds are definitely stacked against you, given both the scarcity of talent and the competition.
And while it may be difficult now, it is unlikely to become any easier in the future. The demand for cyber security professionals is only increasing, and the rate at which our universities can produce qualified talent is not keeping up with the market.
Have no fear. No matter what you are protecting, where you are located, and the extent of your budget, you can be successful in hiring information security professionals. However, to do so, you have to be willing to think differently and make adjustments to your standard talent acquisition strategies. This problem is unique enough to require exceptions, and anyone responsible for addressing this has to be willing to take some chances.
Normally, this would be the time for a sales pitch, telling you that hiring our firm, BGSF, and the LJ Kushner team is the way to complete this task successfully. But not yet.
How to Level the Playing Field in Five Simple Steps
What I will be sharing is a handful of strategies that any organization can take to increase its chances of successfully hiring capable information security talent. None of these strategies is foolproof on its own, but deploying a combination of them should help you better achieve your goal.
1. Determine “How You Win”
Given that you are competing for talent, the first thing that you need to determine is “How You Win” in a competitive situation. Understanding why your role is attractive to information security professionals is one of the most important factors in gaining the interest of qualified candidates. When figuring this out, you have to think like an information security professional and be able to answer some of these questions:
- What are we protecting?
- Why is Information Security important to the business?
- Where does Cyber Security report in the organization?
- What is the technology stack?
- Why does this function/role matter?
As you are answering these questions, keep in mind that what information security professionals are looking for will differ from what other professionals are looking for.
For example, if you are a leading research hospital, the value proposition that you offer for doctors is likely both clear and attractive. For information security professionals, the value proposition may lie in the data that they are protecting and the impact that the loss of data may have on health and safety.
From the beginning, understanding your appeal to your audience, and communicating it, becomes the foundation for your search process.
2. Determine and Clearly Define Your Compensation Budget
Let’s get one thing straight: there is no such thing as “Open Compensation.” “Open Compensation” is a copout. The concept of “Open Compensation” has led to more wasted time and misalignment of expectations in recruiting than anything else, and when it comes to the recruitment of information security professionals, this is magnified.
Clearly defining the compensation you can offer for a position determines the candidate pool for the position. By providing exact ranges for salary, bonus, and equity, you give the market a clear understanding of the capabilities and experience level that you are searching for. This clarity eliminates candidates who are attracted to the position but ultimately require greater compensation than what has been budgeted for the role.
The compensation that you are able to offer for the role will directly impact the contents of the Job Description.
3. Write the Job Description
The job description is your marketing document. It needs to read like a narrative, not a laundry list of requirements and responsibilities.
A cleverly written job description will paint an accurate picture of the opportunity, the organization, and the importance of Information Security. Ideally, the job description will speak directly to the target audience for the position in a language that information security professionals will both understand and appreciate. It should stand out, it should be unique, and it should clearly send the message that you would like it to convey.
Understanding that there is close to zero percent (0%) voluntary unemployment amongst information security professionals, the job description needs to create momentum that will pique interest. It’s important to understand that your desired candidate is likely gainfully employed and appreciated by their current employer. If information security professionals view a job description as too similar to the job that they are currently performing, or if the role that is described does not excite them, they will likely choose to stay in their current role.
As it relates to compensation, the job description will need to map directly to the defined compensation for the position. To write a job description for a person who you cannot afford and who you are unable to attract is a fool’s errand. If you combine too many technical disciplines or are too specific about years of experience, you are likely to create a candidate pool that is very well compensated and difficult to extract from their current position.
The requirements included in the job description need to be specific enough to address the essential skills and experience required to perform the position, but flexible enough to attract candidates who may see this role as an opportunity to advance their careers.
4. Invert the Interview Process
In most interview processes, the first step is with someone in talent acquisition, human resources, or a technical screen. While all these people and their input are valuable, they do not carry the gravitas that the hiring manager carries in the candidate’s eyes.
The hiring manager and the responsible party often hold the clearest picture of the role and the requirements since they are ultimately accountable for the function and the hire. The hiring manager can bring the most consistency to the interview process, which is often critical to both gain the candidate’s interest and to determine if the candidate has the skills and experience necessary to be successful in the role.
If this initial conversation goes well, it makes clear both that the role is important and that there is “executive sponsorship.” If the candidate has any questions about commitment, the leader’s personal involvement quickly addresses them. If the conversation goes poorly, the candidate’s interview process can be quickly terminated, feedback can be provided for improvement, and time is used efficiently, as no other interviewer’s time will need to be spent.
5. Use a Specialized Search Partner
(Here comes the sales pitch…well, sort of) There are many external search firms and staffing agencies out there that claim to have Information Security and Cyber Security recruitment expertise, but that is often not the case. Given how “hot” the Cyber Security market is, it has naturally attracted many new recruitment firms, as they view this as an opportunity for them to grow their revenue.
While that is commendable, recruiting information security and cyber security professionals is very different. Cyber security professionals have a different ethos than other professions. Many methods used to engage other professionals simply do not work with them. Most cyber security professionals will only work with search partners whom they view as “trusted” and who have invested their time and resources to understand the nuances of the Information Security community.
Given the fluidity of the market, a dedicated Information Security search partner can serve in the capacity of a “trusted advisor,” providing a company with both the necessary guidance and the access needed to fill these Information Security positions in an efficient manner. Engaging such a partner creates a level of “transitive trust” between the candidate, the employer, and the search firm. This will generally enable searches to be completed with a structure and methodology that allows the hiring firm to make contextual choices, where it has the luxury of comparing candidates and selecting the best match.
To be clear, these specialized search firms are more costly than general search firms and charge greater fees. Most specialized Cyber and Information Security search firms only offer their services on a retained basis, given the amount of demand there is for their service. At the same time, the cost difference between retaining a capable Cyber Security search partner and using a generalist firm should pay for itself in terms of efficiency and accuracy.
While hiring information security professionals is not easy, it is possible if you think a bit differently about the approach that you take. By following some fairly simple steps, altering some standard approaches, and strategically deploying your resources, any company can level the playing field and successfully compete for top information security talent capable of protecting their organization.