In this blog - the third in our series addressing the cybersecurity career and hiring crisis - we introduce the CyberSN marketplace, the one-stop destination for all cybersecurity career and staffing needs. To learn more about the cybersecurity career crisis and how to solve it, check out our previous blogs

At CyberSN we recognize that both individuals and organizations need to be matched with the roles and professionals that best fit them, which is why we’ve developed a brand new solution. The CyberSN Marketplace unites confidential public profiles and organizations looking to hire cybersecurity professionals under one platform, providing them with no-cost access to the jobs, tools, information, and professional connections they need.

 

The CyberSN Marketplace: Career and Hiring Center

For Professionals - Career Center

In the Career Center, professionals create a confidential public profile rather than just uploading a resume, with their critical task and project experience as the main focus. Employers can then find them without the need for any individual to share their identity on a public platform. This allows professionals to connect with their choice of best-fit jobs without fear of reprisal or unconscious hiring biases, helping to promote diversity and inclusive behaviors within the hiring process.

Using their confidential public profiles, professionals can search and apply to jobs on the CyberSN platform, share jobs with their network, and ultimately let jobs apply to them. Employers are able to source individuals based on the unique task and project information in their job description, giving them the opportunity to reach out even to passive job seekers.

As well as increasing the chances of finding a best-fit job, the CyberSN profile is an effective way of assessing: skills to develop, past projects worked on, and potential training opportunities. Professionals can streamline their career development by using their profile for performance reviews, mapping which certifications they require, and negotiating salary increases. By empowering individuals to know their worth, CyberSN profiles give professionals more control over their career development. 

The CyberSN Career Center also allows professionals to browse CyberSN’s exclusive Job Taxonomy consisting of ten job categories and 45 functional cybersecurity roles, from executive management to analyst and everything in between. By using this Job Taxonomy, we provide easily searchable access to every cybersecurity job currently posted in the United States (at date of publication, this number was over 65,000 postings), streamlining the job search process for the professional. Our taxonomy also provides us with a common language of role titles to be used across the platform, allowing us to effectively match professionals with roles and streamline communications. 

 

For Hiring Teams - Hiring Center

The CyberSN Marketplace enhances CyberSN’s established agency staffing services. From our free job description builder to our full-service staffing offerings, our Hiring Center provides a better way to find and retain the right professionals for every role.

Tailored toward SEO and applicant tracking systems, our free job description builder uses the same common language as our CyberSN professionals’ profiles, categorized within our 10 role categories and 45 functionals roles to ensure quick and easy matching. Organizations can either create and export job descriptions for free or engage with CyberSN’s pool of engaged professionals by posting their jobs to our Marketplace. Professional profiles are then matched to the job based on the tasks and projects that they have completed and those that the role requires. 

Our Hiring Center is one of the only providers of comparable cybersecurity salary information, offering up-to-date data that helps organizations understand the market, craft better job descriptions, and communicate successfully with new hires. Certification mapping and career pathing provides the professional development tools needed to carry out annual reviews with existing staff and identify skills gaps within teams. By leveraging the Hiring Center’s resources, organizations are equipped to hire staff that love their job, improving retention and inspiring long-term changes to company culture. 

 

Provider Exchange 

The CyberSN Provider Exchange, part of our Marketplace, offers a directory of relevant training, products, and event resources for both cyber professionals and organizations. Products and services featured on the Provider Exchange range from diversity & inclusion solutions to hands-on training, penetration testing, professional services organizations, and more. Our entire community of cybersecurity professionals and organizations can access CyberSN’s Provider Exchange for free, making it a go-to catalog for any and all cybersecurity career needs. 

Joining the Provider Exchange puts your products and services in front of our ecosystem of engaged cybersecurity professionals, allowing us to come together in support of the industry with the resources required to collectively achieve success. You can find more information on joining the provider exchange here

 

The CyberSN Platform

The crown jewel of the new CyberSN Marketplace is the cybersecurity industry’s first ‘Deep Job Platform’. Our platform goes beyond simple job listings, providing products and features that complement all posted jobs and speak the language of cybersecurity. The platform organizes our 66,000+ jobs and 28,000+ professional profiles based on tasks and projects, classifying them into the ten job categories and 45 functional cybersecurity roles that make up our Job Taxonomy.

As well as making our jobs easily searchable and understandable, using the common language of our Job Taxonomy means that communication is smoother and more accessible. This is particularly important within cybersecurity, as it is a complex and ever-changing field. The CyberSN platform matches professionals to jobs based on their confidential public profile, so individuals are matched to roles based on what really matters -  their task and project experience - and nothing else.

 

Join the community

Our Marketplace is now the go-to network for jobs, career expertise, and resources for the cybersecurity industry. We see the cybersecurity hiring crisis as a matter of national security and consider it our mission to fix the broken job searching system that exists today.

With the launch of the Marketplace, CyberSN is providing all the tools and connections that are needed for any type of cyber professional to Pwn Their Career and for hiring firms to build their teams fast and to last. This means matching individuals with organizations effectively, ultimately boosting career satisfaction and improving employee retention. 

Whether you’re a start-up or a Fortune 500 company, cybersecurity consulting is a good way to assess the effectiveness of your cybersecurity operations. Having another set of eyes on your security systems, looking for ways attackers could infiltrate, and creating a strategy for addressing any security gaps can save your business time and the disruption of a security breach.

Cybersecurity consulting has another less well-known feature that is arguably more valuable than identifying potential threats: insights on cybersecurity staffing. A cyber team is only as good as the people within it, so hiring is a crucial aspect of keeping your company and customer data secure. By tapping a cybersecurity consultant, you can gain expert knowledge on the industry, where to find skilled cyber pros, and how to market your company to top talent.

What to Expect From a Cybersecurity Consultant

When vetting cybersecurity consulting firms, here are some qualifications you should be looking for.

Help defining your needs

You may think you know what you need, but a skilled cybersecurity consultant can help you drill down into the specific aspects of your needs. By understanding your objectives, the consultant can identify skills gaps and provide a staffing headcount based on current and future initiatives. For example, your company might be evaluating security information and event management tools. A good cybersecurity consultant can offer advice on the availability of certain product skill sets and their respective labor cost.

Industry insights

A cybersecurity consultant should be someone who is able to provide the latest information about solutions and products especially those that are becoming more popular, those that are new to the market and other trends. This could include career and employee development trends and new training resources available.

Accurate compensation data

You are never going to build or keep a great cybersecurity team if you aren’t offering enough compensation. You need a cybersecurity staffing consultant who will be blunt about your salaries and compensation packages. Your company may not be able to offer the same salary as a larger company, but a cybersecurity staffing consultant can help you develop other types of compensation, such as ample paid time off, work-from-home options, and an inclusive company culture that will attract professionals.

At CyberSN, our cybersecurity staffing consultants see a lot of compensation data because companies and professionals give us this data every day through our job search platform KnowMore. One thing we’ve seen is that it’s not just about the money. Professionals are looking for better work-life balance, especially since the lines between work and home have become so blurred. Training opportunities and the ability to work remotely permanently are two of the top requested perks we’re now seeing.

Help Building Job Descriptions Cyber Pros Will Notice

Part of the challenge of building out the right cyber team is that job titles, roles, and responsibilities vary from company to company. Having a cyber consultant who knows the industry, terms, and job titles vastly improves the results of your recruiting efforts.

We identified this problem at CyberSN and developed a common cybersecurity language, not just for those in the information security industry, but for those who hire, too. This included identifying different facets of the industry and defining 45 cybersecurity job titles and more than 100 subtitles.

What to Look for in a Cybersecurity Consultant

Here are a few questions you should ask before engaging with a consulting firm on your infosec operations.

What companies have you worked with?

Do they work primarily for large corporations or is this a firm that specializes in start-ups? A firm may claim to be generalists, but cyber needs vary depending on the company’s size and industry, whether that’s e-commerce, banking, or health care. Make sure you hire a consultant that understands your industry.

What kind of access and expertise will you get?

Before working with a firm, it helps to know who you will be working with, their area of expertise, and how many hours they will be available. Are you looking for 24/7 availability or someone to develop a strategy for improving diversity? Whatever your need, ask for specifics about the level of expertise you will be provided.

What is your experience in hiring and training for diversity?

Companies are striving to create inclusive workplaces, especially when race and gender are such a part of the national conversation in the United States. Whatever your cybersecurity needs, diversity is likely to be part of the conversation. When your team is made up of people with different backgrounds and world views, it will help improve your ability to identify threats from around the globe. Discuss diversity training as well as hiring practices to ensure you are creating a welcoming environment for all employees.

As a woman-owned company, diversity and inclusion are important in all we do, which is why more than half of our placements are diversity hires.

Has anyone on your team actually worked in the cybersecurity industry?

This may seem obvious, but if you’re looking for expertise in cybersecurity, make sure the team you get has experience working in the industry and understands both the employer’s and employee’s side of the job.

What’s the end result?

Ask your cybersecurity consulting firm what you’re getting from them and hold them accountable throughout for that deliverable. CyberSN, for example, offers hiring strategies for companies struggling to fill cyber roles. After working with one cybersecurity industry expert and one cybersecurity hiring expert, the company will have a clear strategy for recruiting and hiring cyber pros that fit their needs and within the company.

How to get the most out of your relationship

No one wants to hire another consultant who swoops in, offers unrealistic advice, and is only concerned about the paycheck. Before you sign a contract with a cybersecurity consulting firm, clearly define what you’re looking for from the relationship. Make sure the firm is willing to help set goals and create a realistic strategy that works for your type of company. Finally, hiring a firm that understands that it’s not just about the tech. Developing the human side of a cybersecurity team can help protect your company, as well.

CyberSN and Mindlance Create One-Stop-Shop for Cybersecurity Talent

CyberSN and Mindlance are forming an Exclusive Strategic Partnership to provide a one-stop-shop for all cybersecurity staffing needs, including permanent, contract, contract-to-hire, consulting, and gig work positions.

BOSTONJuly 28, 2020 /PRNewswire/ 

This partnership will expand both firms' services to include extensive coverage across the USA and Canada. Mindlance clients will be able to leverage CyberSN's cybersecurity expertise, specifically their international job and talent matching platform KnowMore, and their security subject matter experts, specialized recruiters, outreach efforts, training events, and diverse talent pool.

In speaking about choosing Mindlance as an exclusive Strategic Partner, CyberSN Founder and CEO Deidre Diamond said, "I searched for a strong IT Contracting Staffing Partner in December of 2019 and I met with numerous large IT staffing agencies. All of these agencies are struggling to provide cybersecurity talent. Choosing Mindlance as a Strategic Partner was an easy decision. Mindlance truly cares about their customers' happiness and for CyberSN this is at the top of the list for partner qualifications. Mindlance is an industry leader in IT contract services and together we will now be the leader in all Cybersecurity services."

Vik Kalra, Co-founder and Managing Director, Mindlance, speaking about the partnership with CyberSN, said, "CyberSN, along with its KnowMore platform, brings a unique solution to the cyber security talent ecosystem. This, coupled with the breadth of Mindlance IT customer and talent reach, will position us together as an industry leader in this space. Our customers and MSP partners have been asking for such depth of knowledge and talent base in niche hard-to-find technologies, and we are excited to be able to serve that need."

The partnership will combine CyberSN's vast and diverse network of cybersecurity professionals with the broad reach of Mindlance's customer base and the thousands of cybersecurity job openings that they represent. This will expose the cybersecurity field to thousands of new workers including Diversity & Inclusion job seekers.

About CyberSN 
Founded in 2014, CyberSN is solely focused on the cybersecurity talent industry serving as a trusted brand across the U.S. Recognized by their unique care and dedication to the cyber community; diversity and inclusion initiatives and KnowMoreTM  their cybersecurity job posting and talent matching platform, CyberSN is the leader in the industry. Learn more about CyberSN services, hiring strategies and the 45 Job Categories of Cybersecurity visit https://www.cybersn.com

About Mindlance
Mindlance was founded in 1999 and is a certified diversity business (MBE) with a wide-ranging service offering portfolio, which first began with contingent staffing. It grew swiftly to offer comprehensive workforce solutions that now include specialized staffing, diverse/under-represented talent-centric upskilling and incubation/acceleration services, along with what can be termed cost management-centric Pay+ services: Direct Sourcing, EoR/Payroll, IC Compliance and AoR.  Mindlance has been recognized as one of the largest US IT staffing firms, one of the consistently best performing partners to industry-leading MSP contingent programs, and has been on SIA's list of Fastest Growing US Staffing Firms for 9 years in a row. The Mindlance journey is about being forward thinking in a continually changing talent landscape while conducting business is a way that is inclusive, authentic and brings a mindful balance to the work ecosystem. To know more, please visit https://www.mindlance.com

View the original release.

Cybersecurity jobs are notoriously difficult to fill. According to a study by Burning Glass Technologies, cybersecurity positions take 20% longer to fill than typical IT roles, at an average of 50 days. For every open position, the study found companies only have an average of two people in the applicant pool to choose from.

Cybersecurity recruiting is challenging for many reasons, but few companies have attempted to get to the root of the problem and find a better solution. It’s what makes CyberSN an outlier in the cybersecurity recruiting industry. We’re the only company that specializes in just cybersecurity and we’re the only company that guarantees filling a job in under 39 days.

How is it that CyberSN is the only game in town? Here’s the story.

Traditional Recruiting Doesn’t Work for Cyber

CyberSN was born from conversations founder and CEO Deidre Diamond was having with her friends in the cybersecurity industry. Some were telling her they were struggling to find jobs. At the same time, she was hearing from others about a shortage of cyber professionals. Diamond saw this disconnect as an opportunity to reach an untapped market—there must be a faster, easier way to match cybersecurity professionals looking for a job upgrade and companies in need of skilled cyber talent.

Since the job search and recruiting process went online, both job seekers and companies have turned to keywords and automation to make the process easier. While this has cut the time required to find a job for most people, the result in specialized industries, like cybersecurity, has been a failure.

Diamond found some companies were cutting and pasting attributes from past job descriptions, regardless of what’s needed, to create nonsensical franken-jobs that savvy, experienced cyber pros see through immediately.

“These are highly wanted professionals,” said Diamond. “They’re not going to read that!”

Then there were the HR recruiters who don't understand what a job description means, making it hard to seek out skilled people for the job. Add to that cybersecurity professionals who are serious about their privacy online and stay away from LinkedIn and it was a wonder companies and cyber pros ever found each other.

“What hit me square in the face is that when content became free, it also became meaningless,” said Diamond. “Job descriptions became meaningless and resumes were always meaningless—you can put anything on a resume.”

With bad job descriptions and bad resumes, “It’s matching garbage content to garbage content,” she said. Plus, there’s the enormous cost companies must incur just to hire, and the mental energy it takes to apply, prepare, and interview for a job.

“There is an element of job searching that’s so bad it's causing mental distress. It’s amazing that in the year 2020 we can’t match people.”

Diamond wanted to know, how do you fix it?

Finding a Better Way

Sometimes solving a problem takes coming at it from the outside. Diamond didn’t come up through the cybersecurity industry, but instead in sales and management in the tech industry. After graduating with a degree in criminal justice, Diamond considered a career in law or in social work, but after seeking career advice, took an entry-level position with Motion Recruitment, a tech recruiting firm headed by two serial entrepreneurs. There, she was on a professional growth track that would take her into senior leadership. After 13 years in tech recruiting and helping take the company from $2 million to $89 million in sales as the vice president of sales, she became vice president of sales at the security software company Rapid 7, and then on to serve as CEO at Percussion Software.

Having led a company, Deidre began thinking about building her own company and took some time away to develop her ideas. It was during this time Diamond was at Black Hat, running into people she knew and hearing from just about everyone that they were looking for something new—cybersecurity professionals who were looking for a career change and companies looking to hire.

“You talk to cybersecurity professionals and they’d say, ‘I can’t get an interview that's the correct interview for me,’” said Diamond. Others said they wanted a new job but were working so much they didn’t have the time to look.

Diamond launched CyberSN in 2014 as the solution to this pervasive staffing problem. Tapping her industry connections in tech hubs on the East and West Coast, Diamond grew her staff from one to a full, professional team specializing in matching skilled talent to jobs they love.

Cyber Recruiting Is About Building Connections

What cybersecurity recruiting quickly taught Diamond is that the current model for recruiting cyber talent was broken too. Working on contingency when filling cyber roles was not practical and difficult to scale based on the 90- to 100-day timeframe it took to fill some roles. If CyberSN could speed up this process, she could make it more profitable, Diamond thought.

“I am used to growing and I wanted to build an army,” said Diamond. “I was willing to invest and take a risk.”

First she started with her connections in the industry. She and her team had more direct access to cyber professionals who are very private and often hard to track down online. Then she took a hard look at the job descriptions companies were writing and realized that needed to be streamlined too.

The most substantial lead the company made was in 2016 when she brought in a team with vast experience in the cybersecurity industry to build a platform that would help CyberSN’s cybersecurity recruiters fill positions faster. The proprietary platform that would eventually be launched to the public as KnowMore gave CyberSN an advantage no other company had—a way to more efficiently match skills and experience with a company’s needs by using a common task-based language.

“That’s when we really changed the game in terms of cost of sale,” said Diamond “We were able to make matches in 30 days instead of 100 days.”

A Focus on Diversity

As a woman in the tech industry, she understands the challenges many women face, from hostile work environments to a lack of investment from venture capitalists. For Diamond, diversity is key to addressing these issues. CyberSN is not just about filling jobs, but helping companies to develop women and diverse talent. She also founded Secure Diversity, a nonprofit which aims to empower all genders, and specifically women, to find career opportunities in cybersecurity. As a result, companies come to CyberSN because they know they will have access to a diverse pool of talented cybersecurity professionals.

“The people who come to us really care about getting better at hiring and want to see a more diverse workforce,” said Diamond.

A Bright Future for Cybersecurity Recruiting

Diamond said she and all of CyberSN are committed to continuing to transform the job searching and matching landscape. Whether it’s finding more efficiencies or creating strategic partnerships, the company plans to grow and build on their reputation for being number one in the industry for identifying and placing diverse cyber professionals.

To learn more about CyberSN and the menu of services they offer for finding, matching, and hiring cybersecurity professionals, contact us today.≥

Friends,

In continuing to share up-to-date information about the state of the cybersecurity job market, I am happy to say our profession is proving to be very, very resilient. Companies are still hiring to fill cybersecurity jobs. Unfortunately, we’ve also recorded cybersecurity layoffs over the last two weeks in industries that were affected by Covid-19.

(If you’d like to read my previous “State of the Cybersecurity” reports you can view the last one here.)

Where the Layoffs Are Focused

Companies that focus on gig workers, transportation, and hospitality have recently been hit hard and in turn reduced their security teams. We are seeing the layoffs at these companies concentrated in IR, SOC and Corp/IT Security. We are not seeing layoffs at these same firms for product security or application security. From seeing this data, I can’t help but think that while it seems smarter to let go of your hunters vs your product security professionals, how does one even make that decision?

“Cybersecurity threats and privacy risks do not just disappear during the COVID-19 downturn in business. Incidents and breaches will continue,” said Dom Glavach, CyberSN’s Chief Security Officer. “Cyber criminals and adversaries are leveraging all aspects of the pandemic to land and launch attacks, insider threats generally increase with employee reduction actions, and privacy compliance does not have a pandemic waiver.”

The Impacts of Layoffs and Furloughs

The economic reality at these companies and the opportunistic nature of cyber attackers are creating a perfect storm. Business leaders have to find a way to weather the crisis, and that has played out in leaner budgets and layoffs. Right now, this means that cybersecurity professionals are doing more than just cyber operations, and in some cases, layoffs have created disgruntled employees. Worse yet, phishing attacks are up 37 times since January 2020.

Effective cybersecurity is a triad of people, process, and technology, with each dependent on another. Processes will fatigue and technology atrophy will occur without enough people, or the right people, in place. All of this gives the advantage to the attacker.

Cybersecurity Layoffs Can Be Risky

Besides the risk of employee burnout and increased attacks, cyber layoffs have other risks to consider.

  1. Contract compliance — Client contracts have security requirements that you must stick to or risk high fiscal costs.
  2. Cyber insurance — Does the layoff create a coverage gap in the current insurance policy? Unless you’re holding up your end of the agreement you may not be covered.
  3. Reputation — It’s not just the company reputation suffering after a breach, but it could also leave a bad impression with consumers when cyber layoffs hit the front page.
  4. Return to normal — Eventually things will get better. Cybersecurity professionals will move on to another company. How long will it take to get back to the staffing you need after layoffs?
  5. Business halting attacks — Cyber solutions and technology maintain a certain level of protection, but cannot necessarily prevent data seizure from new ransomware or DoS. Big game hunting and human-operated attacks require a specific kind of cyber professional to fight them off.

While I share all of this, I also know that capitalism makes these risk decisions unbearable and impossible. I feel for those making these decisions and for those who are affected by them; the good news is for all the talented professionals who are laid off, there are wonderful people looking to hire you. Stay strong. Stay kind. Stay inclusive. Seek to learn always. Love will prevail.

Sincerely,

Deidre

Today’s cybersecurity teams need all the help they can get to keep up with a breakneck pace of work. Threat Actors barrage corporate systems with new and inventive attacks by the minute. And Cybersecurity professionals are committed to protecting information, privacy, and maintaining regulatory compliance. Unfortunately, security hiring managers struggle to hire talent fast enough to fill their needs.

Some claim that it’s a market shortage of security skills that is keeping companies from filling positions in a timely manner. But there’s actually a lot more going on than a simple constraint of skilled labor that’s contributing to today’s cybersecurity staffing crisis.

The uncomfortable truth is that cybersecurity

recruiting today is very broken.

A disconnect exists where even as hiring managers are complaining that there aren’t enough skilled security professionals to go around, the veteran cybersecurity job recruits that are out there are unable to land great jobs in eight months or less. That doesn’t make logical sense from a pure supply-and-demand perspective.

It’s happening because there are a lot of dysfunctional dynamics at play in the security job market today.

As a longtime cybersecurity staffing specialist, I see every stakeholder in the cybersecurity ecosystem contributing to the problem. Here are the many broken faces of the cybersecurity job market.

broken-market

Security Hiring Managers

recent study from Enterprise Strategy Group found that some 53 percent of security hiring managers today report experiencing a ‘problematic shortage of cybersecurity skills.’

And yet if you dig deeper into the issue you’ll find that many of these same hiring managers are doing very little to proactively develop those skills in-house.

They’re not hiring creatively at the entry level or near entry level.  They’re not bringing in new blood with great problem-solving skills or relevant technical skills that can be built upon with the right mix of on-the-job training and professional development classes. That’s probably because they’re also not sending staff to conferences or paying for training to help them learn new skills—or even just to keep up with the latest trends and technologies. Furthermore, they’re not pairing junior staffers with senior staffers, or doing any kind of strategic succession planning.

Instead, they seek to hit the lottery by trying to attract unicorn candidates. They look for impossible candidates who possess an unrealistic combination and depth of experience who’d also be willing to do the work of multiple specialists for a single person’s salary.  They tentatively post these nightmare jobs to ‘see what happens’ in lieu of putting a comprehensive team-building strategy in place. Meantime the backlog builds and the overworked staffers already on the team grow more frustrated and discontented by the day.

In-House HR

Now, I don’t want to beat up on security hiring managers too much because their actions (or failure to act) are often a reflection of circumstances completely out of their control. For example, in many larger organizations corporate policy dictates that human resources will take it upon themselves to write job descriptions and market the open role to available candidates.

The trouble is that they don’t ‘speak’ cybersecurity and they’re often intimidated by the technical elements of the job.

So they resort to cutting and pasting job descriptions from ill-advised sources. Completely disconnected from cybersecurity culture or knowledge, HR may do some cursory investigation and utilize vague skills keywords that may mean different things to different organizations or candidates. Or they’ll overly rely on requiring certifications requirements with only passing relevance to the job at hand. Similarly, they might take a wish list of technical competencies from a hiring manager and translate it into an iron-clad requirements checklist for which every box needs to be ticked to even consider someone for an interview

What companies get out of the process is job descriptions and candidate requirements that are unreasonable and inflexible. These are the types of openings that throw up all sorts of red flags to longtime security pros. And so the rock star candidates keep walking, never throwing their hat in the ring.

On top of all of this, overloaded HR departments typically don’t have many resources to actively recruit and even when they do they don’t have deep ties into the very insular cybersecurity community. Most organizations are passively seeking to fill roles in a specialized job market where candidates don’t always openly market themselves (more on that in a moment.)

C-Level Executives

Disconcertingly, some of the most systemic problems that are causing today’s cybersecurity staffing crisis come from the very top of the corporate food chain. True, many in the C-suite would tout to regulators and customers that they’ve made the commitment to open up a plethora of new security roles in order to bolster their cyber capabilities. What they don’t say is that they’re not providing the necessary support or logistics to reasonably fill those roles.

Hiring managers frequently don’t offer training, can’t send people to conferences, don’t offer flexible work schedules or dress codes, and can’t budge on salary caps because the C-suite won’t approve those necessary enticements.  What’s more, neither will the top brass approve outside recruiting support as a matter of course. In many instances I run across organizations where a position must remain open a minimum of six months before they even allow an outside agency to help fill it.

Recruiters and Staffing Agencies

Even when companies do turn to technical recruiters and staffing agencies, many a pitfall lies ahead. Too many organizations rely on general purpose technical recruiters with very little expertise in the cybersecurity market. As a result, even though they’re more aggressive about going out to find potential candidates they still have a difficult time effectively matching the right skilled candidates to the appropriate role. These generalists often run a volume game, and will do anything to bring in anybody that breathes to consider an interview in order to make their numbers—sometimes to the point of outright dishonesty to job candidates. What’s more, these generalists are usually still armed with poorly written job descriptions that are still based on free text writing and keywords, never really controlled with the taxonomy or structured language that breaks down specific cybersecurity professional tasks or projects and matches them to candidates with those experiences. And so there’s lots of room for misinterpretation during the recruitment process.

Job Seekers

The final difficulty is not necessarily the fault of job seekers, but just a byproduct of the cybersecurity profession. It’s the fact that by necessity and experience, security people are skeptical about sharing information about themselves that can be used against them by cybercriminals. As a result, there’s only a small percentage of security pros that are on LinkedIn and many of them are leery of putting themselves out there for passive job searching. Thus, when they’re let go due to an unexpected layoff or merger or some other event like that they’re left flat-footed—even though there are plenty of companies that would love to have their expertise to fill an open role.

All of these factors contribute to a broken security job market. Organizations are not able to effectively match up with the talent they need. Skilled security job seekers have no visibility into the opportunities afforded to them. And teams are left outgunned and overworked as a result.

There’s no magic wand that will fix all of these dysfunctional dynamics, but my team at CyberSN has been working hard to help bridge some of the gaps that currently exist. In particular, we’re working on rolling out the structured platform we use internally to match recruits to job openings. Both passive and active job seekers will be able to anonymously create and update profiles using a standardized taxonomy of skills and experiences that hiring companies can use to match candidates to their jobs.  If you are curious about how we are solving the cybersecurity hiring crisis, check out KnowMore at www.CyberSN.com.  KnowMore is drastically altering the way cybersecurity professionals and employers find each other.

I know – this question makes us uncomfortable. But when job seeking, you will get asked this question. So be prepared with your answer; it’s not hard to do. In fact, it’s a very logical win/win conversation, and one that I will role-play below. Using this discussion model, both the job seeker and hiring manager will get great interviewing results. Here’s how it should go:

Interviewer: How much money are you looking for?

Interviewee:  Great question. Today my compensation looks like this:  my base salary is X, my bonus is X amount, paid X times a year, and my next raise is going to be X amount on X date. My stock is X and my vacation days are X. I receive X in health benefits for X amount of people to be insured in my family, I have X for 401k, (name any/all retirement plans worth if you stay), and state X for everything and anything else that your current employer spends on you…

The details behind your “total compensation” are critical in a salary conversation for both the job seeker and the hiring organization in order to not waste time. You, the job seeker, need to know your own compensation situation, not just your base salary number, and you must be able to speak to the details. The hiring organization must understand the details of your “total compensation” in order to have productive compensation conversations and not waste your time. Making sure to speak about “total compensation” is important, as opposed to just talking about base salary. We all know that a technologist today will almost never have to take less money when moving jobs, so “total compensation” is the place to start when talking money.  I have witnessed many people waste many hours of their time making sure the job and culture is a fit, only to fail at sealing the deal because of the “total compensation” package! Okay, back to the modeled conversation.

Interviewee (continued): …Until I understand your total compensation, I won’t be able to quote a salary number that I am looking for.

And that’s it. Stop talking. Either the person you are talking to will understand and engage around what they have to offer by way of total compensation, or they will not be listening, and ask you the same question again…

Interviewer: Okay, thanks for that information. So what are you looking for?

Stay cool when they ask again. Repeat the model.  Meaning, repeat what you just said.  If you have this exchange more than three times, let them know that they aren’t listening and consider not talking to this person anymore. Get them to listen if you can. Don’t cheat yourself or them by giving a number that you don’t know you will accept for sure. By the way, this advice applies for all money conversations, from the pre-interview all the way to the offer.

Let’s communicate powerfully and think in terms of win/win while in a conversation.  Full transparency on a topic makes for good business; job searching and hiring can be easier with win/win communication.  I hope this helps you all—I have witnessed the positive power of this model hundreds of times

Deidre, CEO/Founder

At CyberSN, helping executive and cybersecurity leadership build their security and sales teams is all we do. We’ve created an exceptional reputation for serving the cybersecurity community, and have earned the respect of hiring organizations and job seekers by delivering results that exceed their wildest expectations.

Cybersecurity professionals are not responding to job postings. Companies who are hiring in this area need a trusted expert to engage and attract high value candidates to your opportunity. It’s nothing personal to IT Generalist firms and internal

Talent Acquisition teams – they simply don’t have the network, expertise, or bandwidth to engage, attract, and secure passive security talent that a specialized niche expert has. It’s not possible!

Niche cybersecurity recruiting firms already have existing relationships in place with the talent you want to hire. And if we are not a 1st level connection to the candidate who is a dead ringer for you job, we almost always know someone who is! As an example, if I go to any Cybersecurity professional’s LinkedIn page, we generally have anywhere between 20-500 connections in common. This means that there is never a time where we are not able to get a personal introduction to, and have a live conversation with, anyone who is a potential fit for a hiring organization’s opening. Even if that person is not looking or hiring, at some point they will be, so there is value in them taking the time to build a relationship with us.

cybersecurity-jobs-remain-open

As we know, not all security professionals have a LinkedIn profile or care to be on social media, so our Founder and CEO, Deidre Diamond, has invested significant time, money, and resources to build a credible, high integrity brand in order to build the largest network of security professionals worldwide. As we scale our CyberSN organization and our vast Recruiting Partner Channel, we are building an army of talented search professionals dedicated all day, every day, to building real relationships, one person at a time, with security pros.

We are 100% dedicated to disrupting our antiquated recruiting profession, seeking to add immense value to the cybersecurity community, and changing the rules of our industry. Here are some ways we are serving the cybersecurity community:

  • We built JobBuilder™ a proprietary software product, created by security SME’s. This “job description creation and posting service” allows hiring managers and HR professionals to “speak the language of cybersecurity” when creating their job ads. This results in more candidates to each job, faster search cycles, and more accepted offers.
  • We have created strategic partnerships with all the major cybersecurity professional associations. CyberSN is a Certified (ISC)2 CPE provider and has partnered with ISSA, OWASP, ISACA, EC-Council, SANS, and many others for events and education.
  • Our company leadership is constantly speaking at industry events including: RSAC, (ISC)2 Security Congress, ISSA International, SecureWorld (several cities), AppSec USA, Cyber Security Summit USA events, IoT Symposiums, Women in Cybersecurity (WiCys), Hacker Halted, and various BSides chapters, along with many regional and local events.
  • We continue to create research studies and white papers that speak to the critical challenges in our industry, such as our 2017 study “The Cybersecurity Hiring Crisis: A Research Study”
  • We are developing a real-time salary calculator tool that will be available to the community in 2019!
  • We contribute to leading cybersecurity industry publications like: ITSP Magazine, Dark Reading, CISOMag, CXO Magazine, as well as other books, blogs, and publications.
  • We participate in countless security podcasts and webinars.
  • Deidre has established the non-profit, #brainbabe, to address the shortage of women in cybersecurity and the number of open jobs in our industry. #brainbabe also organizes events like the Day of Shecurity Conference series, and provide services to the community such as the STEAM-Conference Connection, which staffed booths with student at RSAC.

By continually investing in ways to bring value to the cybersecurity community, passive candidates reach out to us so they are on our radar when that “ideal” position comes up, and because we take the time to get to know them in advance and actually understand that that means to them, we can do exactly that!

Based on Chenxi Wang’s “The Cybersecurity Hiring Crisis: A Research Study”, the average length of time a job remains open before engaging an external firm is between 4-9 months. CyberSN’s average time to fill from intake to offer is 1.5 months. Thus, my next article will explore the question “How much money are you saving by not engaging an expert?!”

Hi friends,

A new year is upon us and many people have been asking for my insight into the 2019 cybersecurity job market. Unfortunately, talent acquisition and retention statistics did not improve in 2018 and I do not see them improving in 2019. Job searching is broken and our industry lacks succession planning. We will not see these statistics change until these two problems are solved. 2019 will bring significant uptick in the types of roles detailed below. Remember to put agency staffing dollars in your budgets, you will not find these people on your own.

  1. AI will influence Threat Intelligence roles – AI utilization is increasing by defenders and attackers. Attackers are leveraging AI for targeted attack reconnaissance, exploit discovery, attack automation and potentially attacking AI defense. Defenders are utilizing AI simulated attacks and data to better understand environments, attack avenues and threat profiles. Threat Intelligence roles will play a significant part in the AI intelligence validation, threat discovery iterations and risk management measures.
  2. IAM roles will have significant impact to organizations – The continuation of high-profile, data-rich breaches in 2018 exposed over 22 million user credentials. Two-factor authentication and enhanced authentication mechanisms are the default configuration in 2019. Managing Identity and Access to accelerate business operations in the hybrid on-prem/cloud data, services and application model will be business critical role in 2019.
  3. IoT and OT roles are becoming more critical – The number of IoT and OT technologies in enterprises is likely to outnumber traditional IT assets. Insert the adoption of 5G capable IoT/OT in the workplace increases attack surface, data volume and privacy issues. Roles focusing on IoT/OT DevSecOps, security architectures and threat detection will be an in demand expertise in all critical infrastructures.
  4. Increase in Managed Detection and Response (MDR) and Endpoint Detection and Response (EDR) continues to grow in 2019 – Organizations are lacking the resources to provide the necessary prevention, detection, analysis, response and complete security hygiene for the endpoint. The gap in cyber endpoint expertise is needed in the across all industries and by the managed service providers companies are turning to for 24/7 cybersecurity coverage.
  5. Existing cybersecurity regulations will have impact, new regulations and legislative activity are on the horizon – 2018 marked the effective date for the EU’s GDPR and served as a final push for compliance at many companies or the beginning of a compliance journey for others. 2019 will increase the focus on regulatory compliance as industries and C-level executives react to GDPR penalties resulting from complaints filed in 2018, the California Consumer Privacy Act becomes effective in 2020, and the introduction of a senate bill titled Consumer Data Protection Act includes strong penalties if privacy violations occur.

Happy New Year and thanks you for all your love and support,

Deidre Diamond aka The Wise Owl

While demand for top flight cyber talent is hotter than ever, top line recruitment is often hindered by outdated and uninspired compensation planning. Let’s go inside the latest report findings from cybersecurity search firm CyberSN.

-This story was featured on HuntScanlon.com on January 3, 2018 –

Authors: Scott A. Scanlon Editor-in-Chief; Dale M. Zupsansky, Managing Editor; Stephen Sawicki, Managing Editor; and Will Schatz, Managing Editor – Hunt Scanlon Media with contributions from Deidre Diamond, Founder and CEO of CyberSN.com and #brainbabe and Veronica Mollica, VP of Cyber Staffing at CyberSN

In order to protect their companies, and in the bigger picture the nation’s national security, organizations must rethink – and raise – salary caps to hire top flight cybersecurity talent, according to a new report just released by CyberSN, a leading search firm in the field. Heightening the issue is an ever-growing threat of security breaches combined with a dearth of information about compensation for cyber roles, the firm reported in ‘The Cybersecurity Hiring Crisis.’

“What many organizations are failing to realize is that by not investing properly in cyber professionals, they’re sending the message that cybersecurity is not a priority,” said Deidre Diamond, founder and CEO of the international cybersecurity recruitment firm. This creates a retention and attrition problem that nearly eclipses the recruiting challenges faced by many companies seeking cyber talent.

“Organizations must be willing to invest in the critical roles that will keep their organizations up and running as the cyber industry continues to evolve,” said Ms. Diamond. “The best way to do this in a highly competitive market is to offer top compensation and benefits to attract and retain talent.”

As cyber threats change and become more complex, cybersecurity professionals are playing an increasingly vital role in their organizations. Their jobs, once considered optional, are now a mandatory part of ensuring that their companies’ critical data and processes are properly protected. Demand for such positions is at a record high – and keeping recruiters across the field loaded up with business. But talent supply lines have failed to keep up. There is, in fact, a projected workforce gap of 1.8 million cybersecurity positions, said CyberSN citing a recent (ISC)2 report.

For their study, CyberSN gathered information from across 53 organizations and 83 cybersecurity positions. The firm also conducted in-depth interviews with chief information security officers (CIOSs) and hiring managers responsible for recruiting cyber professionals into their organizations.

A Lack of Transparent Data

“Many of those we interviewed echoed a common theme – namely, there’s a gaping lack of security talent,” said Ms. Diamond. And, it is a problem that becomes more pronounced when organizations look to recruit more senior talent. “Now, more than ever,” said the report, “companies are competing against the likes of Netflix, Google and Facebook for high quality candidates.” The lack of transparent data around salaries is simply making it more difficult to compete with them. “In order to recruit more effectively for cybersecurity industry positions, there’s a clear demand for accurate information that includes real-time, market-driven compensation data,” according to the report.

A central issue is that many organizations equate cyber jobs to IT positions when it comes to compensation and benefits. Yet the roles are completely different. “Organizations look at cyber like they look at IT, yet cyber salaries are higher based on supply and demand,” said Veronica Mollica, vice president of cybersecurity staffing for CyberSN.

Veronica Mollica, vice president of cybersecurity staffing for CyberSN.

“Oftentimes, IT doesn’t want cyber making more because it becomes an uncomfortable conversation about why one person is worth more than another.” The result is a round and round discussion and no change in the status quo, she said. “The position can then sit open for six months or more before a search firm is engaged to help,” said Ms. Mollica.

In the end, according to CyberSN’s report, more than 50 percent of the companies polled had to increase their initial salary cap in order to hire cybersecurity talent.

Nor does it help that much of the information that companies use about cyber salaries is inaccurate or out of date. “Salaries change every day and HR leaders have had trouble staying current,” said Ms. Mollica. “We see quite often that cyber leaders don’t feel supported when they sit down to have these salary conversations with HR. It’s not a welcoming environment.”

Salary Matters

Critical cybersecurity roles, meanwhile, go unfilled for too long. Organizations are reluctant to pay more and candidates tend to refuse to switch jobs for lateral compensation, let alone a lesser amount. “What we see happen is a job goes unfilled over a $10,000 difference,” said Ms. Diamond.

The truth is that money very much matters with these in-demand roles. Few companies outside of Google and Amazon can convince prospects to take a smaller salary by offering enticements like stock options, said Ms. Diamond. Most companies have no interest in paying up, but by denying that it’s a candidate’s market businesses are only hurting themselves, she said. “Why would you want to nickel and dime for the best talent?” she asked. “If candidates are interviewing with you, they are interviewing other places too.”

The cybersecurity salary cap issue is the result of both growth and the departure of employees, said Ms. Mollica, but less about what the previous person in a role was earning. “When somebody is in the seat, it’s a lot easier to get the cap raised by looking at similar roles in the organization,” she said, “but the people in the current positions aren’t earning market value. That’s a huge issue because HR sets salary by comparing the role to somebody who is being paid below market. Yet this is security.”

The Value of Breaches

Bad experiences, Ms. Diamond said, will ultimately be the key to change. More intrusions. More money lost. More corporate reputations damaged or destroyed. Sooner or later, businesses will learn that it is more cost effective to take preventive action than to suffer the consequences of a breach or a regulatory fine. “When I think about where we are today, it’s only the breaches that have gotten us the budgets,” she said.

Hunt Scanlon Media recently sat down with Ms. Diamond to talk about the challenges that her firm and its clients face in filling cybersecurity roles.

CyberSN CEO and Founder, Deidre Diamond

Deidre, why is recruiting cybersecurity executives so difficult?

Cybersecurity experts are incredibly busy. Not only are their departments frequently understaffed, but their jobs are mission-critical to the success or failure of their organizations. Their roles can often be more similar to that of an emergency first-responder than an IT professional. Because of the fast-paced and high-profile nature of their work, they don’t even have time to spare for recruiters. And that’s an important issue because we have found that HR generalists simply are not equipped to oversee the hiring process for such specialized, in-demand, hard-to-find talent.

“Cybersecurity is no longer just a technology issue. It is a business enabler, and cybersecurity professionals are the key to success.”

How can the search process be improved?

Executives in search of cyber talent need to use specialized cybersecurity staffing agents. Job seekers are looking for companies committed to a cyber budget, who value career growth and share in their cyber passion. Retention is just as important to hiring and if organizations don’t meet these needs, statistics show that cyber professionals will not hesitate to vote with their feet and change jobs.

Why is the cyber function so important?

Cybersecurity is no longer just a technology issue. It is a business enabler, and cybersecurity professionals are the key to success. Companies are depending on their cyber resources to detect, protect, innovate, automate and meet compliance standards. Security breaches have significant impact to a company’s reputation, customer confidence and sometimes unpredictable financial impacts. Companies with great hiring and retention plans attract and retain talented and passionate cyber professionals.

Hence the need to pay up for these professionals?

Yes. Our research and experience show us that companies underestimate what it takes to get the right talent in the door. In our research study, over 80 percent of the companies we looked at had to raise their salary cap in order to make the right hire. HR and staffing resources do not have real time salary data available and so they are often not prepared to pay what it takes to hire talent in this market. One thing we are beginning to see is that many companies are getting more creative with their total compensation packages. Equity, paid benefits, telecommuting, relocation assistance and other perks are often included to make offers more attractive to these highly sought after professionals. Often, that outside-the-box thinking pays off!

Quibbling over dollars leaves jobs unfilled and companies at risk

Originally published on Medium [story no longer exists], this interview was conducted in November 2017 to explore the “CyberSN Research Study: The Cyber Security Hiring Crisis” in more detail. Read on to learn more about our findings on if salary caps threaten national security.

Author – Kacy Zurkus, Freelance Writer – @KSZ714

In today’s data-driven world, it seems impossible to imagine that among all the information that’s been collected and aggregated there is no repository with real-time cybersecurity salary data.

Yet, in cybersecurity — one of the fastest growing industries in the world — the compensation data across all positions is unreliable or inaccurate according to recently released research from CyberSN.

Analyzing information across 52 organizations and 83 cybersecurity positions, The Cyber Security Hiring Crisis: A Cyber SN Research Study, reveals that the majority of companies needed to raise their salary caps to hire cyber security talent.

Click here to read the full report

For most companies, though, salary caps aren’t getting lifted and positions remain open because “Current HR practices around salary reviews and adjustments fail to meet industry requirements.”

These research results beg lots of questions, particularly if security is a real concern rather than a checkbox for compliance.

In order to better understand how salary caps can be something that stands in the way of enterprise security, I spoke with CyberSN founder and CEODeidre Diamond who offered insightful answers to my questions.

Q: With the growing jobs gap looming over the industry, why is salary caps one of the top issues in recruiting cybersecurity talent?

A: Organizations look at cyber like they look at IT, but cyber salaries are higher based on supply and demand. Often times, IT doesn’t want cyber making more than IT because it becomes an uncomfortable conversation about why one person is worth more than another.

As a result, it becomes this round and round discussion that results in nobody wanting to do anything, so the salary caps remain. The position then sits open for an average of six months while they continue to search for someone to fit within their salary cap.

The reality is that even if the data they are using is a month old, it’s old data. Salaries change every day and HR can’t stay current.

We see quite often that cyber leaders don’t feel supported when they go to have these salary conversations with HR. It’s not a welcoming environment.

Q: So is the issue that the data is unreliable data because it is old, or is the data non-existent?

A: For those people who are using old school bureaus, the data is definitely old. Those reports come out once a year, and a lot of times, security as a role isn’t necessarily in that data. The Department of Labor doesn’t even have cyber as a job listing.

If there is cyber, it is usually one role around information security. But, there are 45 different job categories in cyber, and most security people are doing three jobs in one even though the person is paid based on a title. That isn’t going to work.

The data they are using is not concise, but most often the people in HR think it’s legitimate and helpful. The reality is, the cyber industry is so different from IT and software.

Q: Are the salary caps a recruiting issue depending on job level?

A: It’s across the board. It doesn’t matter. Everybody wants to pay what people are already making, but the candidates aren’t going to take the risk of moving based on a lateral compensation.

We don’t see entry level positions. People don’t hire entry level because they are already understaffed. Among the masses, nobody has the budget to take an entry level person and train them. They don’t want to do it, but how do we bridge the gap?

Only 20% of the marketplace is picking up entry level people to train because the majority can’t afford it.

What we see happen is a job goes unfilled over a $10,000 difference. So often they don’t hire a person because internally companies see raising the cap — even $10,000-as a bad move.

Changes to the Equal Pay Act are going to change all of this. We can’t ask for information about somebody’s base salary. So, will people then be guessing at the offers? Right now they start with base salary and go from there, but the EPA changes are going to create more churn.

Q: What are some creative tactics companies are using to make the full compensation package more attractive?

A: Total compensation absolutely matters, and it is a part of the entire conversation. But who wants to take less money? In our four years of being in business, we have only see two people take a lesser salary for an opportunity.

Most people won’t even move for lateral compensation. Very few companies can pull off a lesser salary by offering a better total compensation package. If you are Google or Amazon, you can maybe get away with replacing the base salary with stock options, but people aren’t leaving because of money.

So why would you want to nickel and dime? If they are interviewing with you, they are interviewing other places too. Put your best offer out there because you don’t want to end up in a place where they didn’t take the position and you could’ve done more.

Click here to read the full report

Q: Are the salary caps the result of growth or is it that people are leaving? If it’s turnover, is the salary capped at what the previous person was earning?

A: It’s 50/50 replacement and growth, but less about what the person was previously making. When somebody is in the seat, it’s a lot easier to get the cap raised by looking at similar roles in the organization, but the people in the current positions aren’t earning market value.

That’s a huge issue because HR gets sets salary by comparing the role to somebody who is being paid below market. Yet this is security.

Q: Are salary caps an issue across all sectors? Which silos are willing to raise the caps in order to hire talent?

A: We offer sales staffing for security companies, and the issue is the exact opposite. You never run into this issue of salary. For most cyber roles, it’s six months before they decide to outsource. In sales, it’s day one. Companies don’t care about security, they care about revenue.

Yet, the number one reason people want to leave is because the company doesn’t really care about security. What’s heartbreaking in that these people are problem solvers — protectors who really understand how everything works, but they are under utilized which makes the job satisfaction minimal.

The best salaries come from software companies, particularly for positions in sales and anything to do with the customer success process. Then consulting firms — managed service providers. Anyone that’s closest to revenue.

Q: Companies are starting to invest in cybersecurity insurance. Looking at the reasons we have talked about, why do they need to raise caps if they can get away with security as a check box and buy insurance coverage?

A: As a CEO, I can answer that for myself. When we talk about these insurance companies, we don’t know the future of what the policies will look like. The reality is that no breach costs the same for any one company. There’s so much that is unknown. Policies are going to be basic, so it really Isn’t a way to avoid investing in security.

It comes down to the question, “How much risk are people willing to take?” I’m seeing that people’s risk tolerance is still pretty high.

Q: What will be the impetus for change?

A: More breaches. When I think about where we are at today, it’s only the breaches that have gotten us the budgets. More and more people need to feel the pain through breaches or penalties, and we are seeing more regulations coming out.

It’s highly unfair that according to the PCI standards, companies can be fined by the bank for not securing customer data, but how about Equifax getting my personal information stolen? There’s no consequence.

PCI was the first time we saw fines and that’s when we saw changes, then HIPAA. When we see regulations that fine people, we start to see cyber budgets.

The Equifax breach had no consequences, but the laws are now being put in place.

Companies that are not investing in recruiting and retaining for cyber security jobs will pay with a breach.

Click here to read the full report

———————————————————————————————————-

We love you, cybersecurity community. Please reach out if we can help you with your search or hiring needs! Email us: info@cybersn.com

Deidre

View our research study

Friends, our lack of real-time salary data and our poor hiring practices are causing unnecessary stress and productivity breakdown. The cybersecurity talent shortage is not an excuse for unfilled positions. CyberSN has performed thousands of searches and compiled valuable data that shows why jobs go unfilled for reasons beyond the talent shortage. We commissioned a research study focused on hiring challenges in cybersecurity, conducted by Dr. Chenxi Wang, PhD. of the The Jane Bond Project.

For over 20 years, I have worked side-by-side with technologists and cybersecurity professionals. I have consistently felt the pain that occurs when a team is overworked and understaffed. I commissioned this study to empower organizations that want to hire and retain cyber talent regardless of the talent shortage.

Spread the word: you and your teams no longer have to suffer!

View our research study

When Gary Hayslip, the CISO for Webroot, Co-Author of The CISO Desk Reference Guide, and a highly valued and trusted leader in the security industry asked for my input on his article, I told him I would be more than happy to share my thoughts. I have a lot to say on this subject after 19 years in the recruiting profession, 14 of those years running my own firm, and the last 2.5 years exclusively focused on cyber! No one has this type of time on their hands, so I will break this down into several articles over the next couple of months!

There are so many moving parts to this issue, and as Bill Bonney, Gary’s Co-Author of the CISO Desk Reference Guide, so eloquently and accurately breaks down in his response to Gary’s piece, How We Want Recruiting and Hiring Managers to Behave, this is a problem that needs to be addressed by recruiters, hiring organizations and all the stakeholders involved in the hiring process, and job seekers together.

Albert-Einstein-Quotes-15

I appreciate Gary and Bill recognizing CyberSN as a company that is dedicated to solving the challenges associated with hiring security professionals and the frustrations they experience on the job search front. We are on a mission to dramatically decrease the frustration, time, and cost associated with job searching for IT Security and Cyber Sales professionals. You can read more about our Founder & CEO, Deidre Diamond’s Mission and Vision here.

Deidre and I met at the RSA Conference in 2015 when I was still running Indigo Partners, and we connected instantly. Rather than seeing each other as competitors in this small cyber recruiting niche, we bonded in discovering how perplexed and disheartened we each were by our very own recruiting profession and the bad, but deserving rap, that our industry has earned as a result of the very behavior Gary discusses in his article, which is what led us to found our own firms in the first place, and ultimately unite

The commoditized, keyword search approach to recruiting, that I believe emerged in recruiting in the ‘90s as a result of the job boards’ arrivals, was already a problem when we were each placing IT and software professionals; it’s just further exacerbated in InfoSec as Gary, Bill, and so many of you have experienced in this noisy marketplace.

This is unfortunate for the job seekers who get bombarded by LinkedIn requests, emails, and calls about unrelated, mismatched jobs. It wastes their time and leads them no closer to identifying their next opportunity. It’s bad for the hiring organization, who engages several agencies expecting candidates to be properly vetted, but ends up creating more work for themselves by fielding untargeted, sub-par resumes from multiple sources that don’t get them any closer to filling their jobs. It’s a colossal waste of money, time, and energy that companies are expecting to avoid by turning to an external firm in the first place.

Contingency search is an outdated, broken model that needs to be re-examined by both hiring companies and recruiting agencies to determine the true cost of doing business this way for both parties. You can read an article I wrote about the lunacy of contingent search “Would You Work for Free?” here.

On the surface contingency search seems to make sense, most especially for the hiring organization. Give the open position to several agencies and may the best man or woman win. There is perceived little risk to the company, who only pays a fee to the recruiter if their candidate gets hired.

The hiring organization thinks more is better, meaning, they believe they are maximizing coverage of their job and increasing the probability of a successful hire, when in reality, it’s the exact opposite. The more agencies a hiring organization gives the opening to, the less the contingent recruiter works on it because of the inherent risk involved, thus the unskilled, low-cost provider behavior that ensues. The feeding frenzy (or as my security friend Chris Olive calls it, “The Hunger Games of Recruiting”) kicks in as soon as they receive the job order. The risk and cost is too high for most contingent firms to invest the time, energy and resources to conduct a search the way a hiring organization truly needs it to be executed.

While the contingent recruiter is often competing against other agencies that vary widely in skill, process and integrity, they are also competing against their internal recruiters, hiring managers’ networks, employee referrals, company website job posting, and external paid job board postings. This is all in the hopes they will beat the odds that are stacked against them to “earn” their fee and get paid for the quite hard and time consuming work involved with sourcing, engaging attracting, and securing exceptional talent, WHEN it’s done properly.

And the ultimate hope, of course, is that the company will NOT end up not having to pay a fee due to their own sourcing efforts, even though they really appreciate the efforts of the “good” contingent recruiters who actually do due their due diligence and do the job the way it’s meant to be done.

It puts both the “good” and “bad” recruiters in a position of assuming all the risk and working literally for free with companies while demanding that the specialized, experienced and adept recruiters lower their fees to the same below-market fees that the aforementioned under-skilled, under-performing and sometimes unethical recruiters agree to!

Contingency search doesn’t make sense for the highly-skilled, professional, seasoned recruiters who have spent their entire careers building genuine long-term relationships with their clients and candidates making true matches. All recruiters are not created equally, as we have all experienced, and companies have to stop lumping them into the same bucket, expecting to pay the same price across the board for their services. The old adage, you get what you pay for, certainly applies here.

Just because the recruiting industry and hiring organizations have always done things a certain way doesn’t mean that’s the most efficient or effective way to do business, as we have all painfully experienced over the years. A paradigm shift is required for how companies go about securing security talent and how recruiting firms operate in order to remain profitable and relevant, and we at CyberSN are in the process of breaking the rules of our industry in order to fix what’s broken and make job search simpler.

In my next post, I will share how our “Engaged Model” is a no-brainer if you have a critical opening that needs to be filled quickly and efficiently and the budget to pay an external niche recruiter. If you are mentally and physically prepared to pay an agency fee, then engaging one firm who specializes in the area you are hiring for just makes good business sense.

“The real cost of your jobs remaining open” series on the subject of cyber staffing and recruiting challenges is also forthcoming. We will peek behind the curtain to see how companies create their own roadblocks with their current recruiting strategies and how to remove the barriers that are getting in the way of hiring the best security talent. Hint: It is not based on the cyber talent shortage!