While the scramble to recruit and retain smart cybersecurity professionals is universal, some companies struggle more than others. If you ever wonder how some competitors managed to perennially field solid cybersecurity teams while your organization can hardly even find enough candidates for your open jobs, it might be time to evaluate the way you market to and interact with cyber job seekers. CyberSN recently spoke with a number of recent applicants and employers on what engages employees most effectively. Things like a decent compensation package are table stakes for drawing great candidates. However, there are often other simple touches that can make all the difference. Here are five tips for attracting cybersecurity professionals to your roles.
It should go without saying, common courtesy can go a long way towards keeping the lines of communication open with good candidates. For example, if you’re recruiting currently employed candidates, try to be flexible about scheduling interviews. And whatever you do, minimize cancelations on your end.
“Meeting during the day is already a challenge because you have to find a way to schedule time off from your current job,” said a Security Engineer who wishes to remain anonymous. “It’s particularly difficult when a potential employer cancels at the last minute, which happens anywhere from 25% to 40% of the time in my experience. For a couple of companies, this happened with, I just declined to reschedule.”
If you’re a hiring manager working with a company with a lot of bureaucracy and red tape to jump through during the interview process, consider either personally reaching out or having a recruiter reach out to prep candidates for what to expect.
“Having insights about the company from the recruiter made a difference,” Robert Burns, Sr. Consultant at Booz Allen Hamilton explained. “Just a little bit of information about who I was meeting with ahead of time, so I could prepare and have a better understanding of what I’d be talking about with different individuals.”
Compensation is obviously important, and so are work-life balance benefits like flex time. But so are relocation benefits. It might seem obvious that the best way to open up a bigger pool of candidates is to widen geographic boundaries. Surprisingly, few companies actually do this. We’re not talking about a huge investment – just $10-15k will make a huge impact.
“Even though there’s a huge gap in the field, it’s very difficult to find organizations that will pay you or give you the flexibility to cross from coast to coast,” says Burns, who worked with CyberSN to get him relocated to a work location that worked for him.
When interviewing, you can’t get hung up on years of experience or even certifications. You need to learn to find candidates who have the right raw materials for training by asking the right interview questions. Make sure you are interviewing for someone’s ability to do the job. Find out what they have been doing and not how for how many years they have been doing it. Years do not equate to capability. Also, make sure your posting avoids using any red flags for job seekers!
“In interviews, we would ask questions around curiosity. Trying to hone in on how an individual thinks can be important,” says Dan Garcia, Sr. Security Engineer at Datto. “Asking questions like, ‘What is the last thing you took apart and why?’ Just trying to get at their intellect. From that, we found some pretty great candidates that had the right mindset.”
Finally, look for ways to be creative in your outreach. Cybersecurity is a creative field, and smart candidates respond to clever employers. Run or participate in events like capture the flag and tabletop exercises. Go to the same places that cyber pros go.
“Datto once took out a billboard where we Base64 encoded the career site URL, and we had a candidate apply to be a software engineer from that,” says Ryan Weeks, Chief Information Security Officer. “He now leads our application security pen-testing team.”
Listening closely to the experience of candidates and gathering feedback from employers gives insight into what mistakes are being made that are easily addressed. What’s working (and not working) in your cybersecurity talent experiences? Did we forget any tips for attracting cyber professionals?