Harvard Business School research found that 90% of highly-skilled cyber talent workers are weeded out from jobs because they don’t meet all the requirements in a job posting. Aiello advises companies to write more realistic descriptions in their ads so hiring managers can match job candidates to jobs they can succeed in. (Credit: Getty Images)
Our Country is Facing a Cyber Talent Jobs Crisis
Today, employed cyber professionals are unhappy and overworked, and turnover rates among cyber talent are high.
CISOs last only 18-24 months on the job and 41% of workers in all fields globally are now looking to change jobs.
Despite this job dissatisfaction and so many professionals looking for new opportunities, it still takes an average of eight months to fill an open cyber position. It’s clear that something’s not right with the cybersecurity job search and hiring system. Here are five ways cyber hiring managers can improve the hiring process and more quickly find the talent their company needs:
- Build the job description from scratch.
Most cybersecurity job descriptions are written by copying and pasting prior roles or details and rarely reflect a job’s real tasks and projects. The end results are vague job descriptions that are difficult to understand and unattractive to candidates. Resist the temptation to combine multiple roles into a Frankenstein job. Instead, take the time to draft the job description from scratch, making sure it’s an honest and accurate assessment of the position. Only list the experience that’s absolutely required and avoid a long wish list of skills. In doing so, the company will receive the largest pool of qualified candidates.
This may seem obvious, but make sure to include the salary in the job description, or at least a range. People don’t want to waste their time applying for a job only to find out they are under or overqualified based on compensation, and company hiring managers don’t want to waste their time either.
Highlight the company’s official work-from-home policy. Most cyber professionals worked successfully from home during the pandemic, so remote work has become expected. Take an inventory of all the other advantages and flexible benefits the company has to offer and promote them from the very beginning.
We still have an immature hiring process in the cybersecurity industry. If HR teams don’t understand cybersecurity, they can’t possibly screen potential candidates. As the cyber hiring manager, sit down with the HR team to discuss the open positions and hiring goals. Agree on the specific ways that HR will support the security team, and on what the cyber hiring manager will do.
Resumes are still the primary way that people present themselves to prospective employers, but unfortunately resume screening software has become a huge contributor to today’s cybersecurity career problems. This software uses keyword matches and other proprietary formulas to filter job applicants, and it’s often inaccurate. New research by Harvard Business School found that 90% of companies believe highly-skilled prospects are being weeded out because they don’t meet all the criteria listed in their job description. This has become a real challenge, especially for an industry suffering from an extreme skills shortage.
Discuss with HR the search keywords, and minimal experience required. Make sure they understand the language in the job description and how to evaluate the incoming resumes. With a shared understanding of role names and their relation to one another, HR and hiring teams can more effectively communicate and screen new hires for the right skills and industry experience, saving time and money in the process.
Even with the right job description and language, companies still can’t just rely on people finding them. Companies must also make the effort to find people. Take advantage of social networks to seek out professionals whose backgrounds look interesting and discuss available jobs with them. Craft a compelling story and see where it leads; qualified candidates may emerge.
- Get involved in the cyber community.
Networking has become so much easier today. We no longer have to jump in a car, train, or plane to attend events. There are lots of cyber organizations and events throughout the U.S. and abroad. Join the local ISSA or ISC2 chapter. Look into ISACA or InfraGard. Get involved. Every cybersecurity group or event needs help. Getting the CISO to volunteer or speak on a topic they are passionate about will elevate the company’s voice, stature, and credibility, making the company a much more attractive employer. Consider this a way to meet a lot of interesting people and hopefully some potential candidates.
In the cybersecurity job market, we’ve found that retaining cybersecurity talent is actually more difficult than finding good people. Companies don’t want to spend significant time and resources training a new hire only to watch them leave after six months.
To help retain employees at your organization, consider the following best practices:
- Lay out and define career advancement paths for each position and employee.
- Promote work-life balance, including remote working options.
- Embrace inclusivity as part of the company’s culture.
- Empower employees to make their own decisions and share ideas.
- Invest in cyber-specific training and allow workers to explore their specific areas of interest.
- Invest in training (especially EQ skills) for all cyber employees, especially managers.
Stay proactive and talk about these opportunities during the interview. Describe how the candidate can take advantage of these opportunities to learn and advance in their career. Get them to visualize long term growth and success with your company, and then work hard to make that a reality once they come onboard.
With a lack of qualified professionals to address unfilled positions, many organizations make poor hiring decisions out of desperation. Don’t let that happen. Communicate clearly and take advantage of all the company’s resources both inside and outside the company. It’s not easy, but talented people are out there looking for the right opportunity.
This article first appeared in SC Media on October 21, 2021.
Hiring cybersecurity professionals is as challenging now as ever. With a shortage of people actively looking, cyber pros can be picky about where they work and the compensation they earn. Not every company can afford to pay the same level of salary as Google, but that doesn’t mean they don’t offer a rewarding opportunity for cyber professionals.
Fortunately, there are things hiring managers and HR professionals can do to find talented people for those hard to fill cybersecurity jobs, even when the salary you’re offering might be lagging.
Move Quickly
Once someone makes a decision to seek a new opportunity, they’ve mentally left their current employer. When this happens it’s like turning on their radar and they become receptive to the outreach that comes their way, both cold and warm. We know that the average cyber pro receives two job inquiries a day. Every day spent debating a potential hire risks that they’ll speak with a firm willing to pay a lot more money than you. The faster you move someone through your hiring process, the less likely other companies will beat you to making an offer.
Take Stock of Your Stock (and Benefits)
When your salary is low, take inventory of everything else that you offer. Do you have stock options? How about an amazing health care plan? Retirement plans? How about flexible work environments and unlimited PTO? Open door policies or an accelerated career path? We see cybersecurity professionals taking less money when evaluating multiple offers because the compensation package as a whole makes the offer very competitive. Prepare a one-pager that explains all that you offer and make sure that everyone in the process is capable of discussing it with the candidate.
Be Friendly and Sell to the Candidate
You already know your salary offer will most likely be low. Make sure your attitude is high. Seems like common sense, right? Nope. Anecdotally, I estimate that 25% of all first interviews are rejected by the candidate because they didn’t leave with a good feeling. Make sure your words and actions convey that you’re an open and welcoming person and company. Remember that cybersecurity professionals are no different than any other human. They want to work for people who are nice and who value them. Let them know they’ll be valued if they come to work for you.
Send Thank You Notes After the Interview
What? Why should I send a thank you note? They should be sending one to me! Well, hopefully they do send one to you and you should always send one to them. It is a small gesture that makes an enormous statement about who you and your company are. I suggest you go on Amazon where you can buy a pack of 50 cards for $9.99. A thank you card is much more effective than a follow-up email. And there is nothing wrong with doing both. It will have a huge impact on the cybersecurity professional and most likely the first time it has ever happened to them.
Try a Resume Service
Resume services are nothing new, but they can be surprisingly effective for relatively little money. We created our Resume Service, which we call Talent Scout, to serve clients who can’t afford a full search placement and who have an internal talent acquisition team that can interview and extend an offer.
Talent Scout takes one of the most difficult stages in the hiring process off your plate by identifying five candidates who are qualified and interested in your opportunity. We make sure each cybersecurity professional’s resume that we send is someone who is qualified and interested in what your company offers. We take the laborious process of identifying interesting candidates away from you and present cyber professionals for you to interview and close.
If your company keeps losing cybersecurity talent to bigger, better-funded companies, you still have options. There are many cybersecurity professionals who seek smaller companies, close-knit work environments, and the feeling of being an important member of the team, not just a number. To secure qualified cyber pros, focus on the unique benefits your company offers, both financial and cultural. And don’t be afraid to ask for help when important cyber roles are going unfilled. The cost of securing some help today could save you the major cost of a data breach down the road.
If you’re looking for more tips on how to find skilled cyber pros, make sure to subscribe to our blog, or reach out to us. We’re happy to answer your cybersecurity hiring questions.
Many of the challenges firms face when filling cybersecurity positions can be traced back to the job description. Cybersecurity job descriptions are notoriously difficult to write, yet they’re often the first impression a potential hire has of what it’s like to work for your company. With a lack of industry-accepted terms for jobs and roles, writing a clear and comprehensive job description can feel like stumbling in the dark.

The tight cybersecurity job market and well-publicized skills gap certainly make cybersecurity hiring more difficult; however, there are small steps companies can take to improve job descriptions and hiring success.
1. Get the Right Title
Say, for instance, your company is looking for a security engineer. Here are some of the subcategories that fall within that title:
- Cloud Security Engineer
- Embedded Security Engineer
- Identity Access Management Engineer
- Information Security Engineer
- Network Security Engineer
- SecOps Engineer
- Security Consultant
- Intrusion Detection Analyst
- Threat Hunter
You can see the difficult situation many managers and HR departments find themselves in when crafting a cybersecurity job description. If you can’t settle on whether you need a security architect, cloud security architect, or information security architect, how are you going to find a candidate?
When deciding on a job title, do some research within the local cyber community. What other titles are companies using for similar jobs and responsibilities? Is your company committed to having unique job titles? It might be time to compromise and use a job title that more accurately portrays the role.
2. Communicate a Realistic Understanding of the Role
Agreeing on a common language is the foundation of all human relationships. Reaching the best candidates and communicating your position easily requires that you use the language people within the cyber community are speaking. You’d be surprised how many HR recruiters and hiring managers have no idea what some of the terms in their cybersecurity job descriptions mean, even though they wrote them!
Experienced cyber professionals also know enough to steer clear of poorly conceived job descriptions, especially those in which job requirements don’t track to the title or are a laundry list of job requirements, clearly indicating the new hire will be asked to do two or more jobs. Knowing what you are asking for and having an understanding of the terms being used in the job description will elevate your cybersecurity job description and show your company is serious about cyber.
3. Emphasize the Benefits
With so many open positions in today’s job market, the best candidates are oftentimes people who are already employed, but open to a change in employment. These passive job seekers are skilled, but also savvy. If they are going to make the effort to change jobs, there must be benefits, such as higher pay, more remote work from home, or a shorter commute. Here are some ways you can quickly communicate why your job is better than theirs.
- Pay: Make sure any salary band listed in the job description is in line with the marketplace.
- Work-Life Balance: Highlight remote work options, flex hours, pet-friendly offices, and parental leave benefits.
- Culture: Job descriptions that use keywords like love, happy, fun, team, respectful, flexible, and considerate are more attractive to candidates.
- Professional Development: Your company wants cyber personnel who are eager to learn and adapt. Mention any training opportunities, conferences they will attend, or other professional development available.
4. Don’t Go It Alone
We get it. It’s not always easy to ask for help, but when a position has gone unfilled for six, seven, eight months on end, the problem might require outside expertise.
Staffing agencies are a common solution for companies that need to fill a position fast, but this has its drawbacks. Recruiters may return a list of candidates we would categorize as “warm bodies.” Instead of truly talented cybersecurity personnel, they show you resumes from people who are under-qualified or work in an unrelated area of cyber. Many staffing agencies are generalists and lack an understanding of the industry. Using a firm without expertise in cybersecurity won’t get you good candidates either.
Look for a history of experience filling cybersecurity positions in your industry. These agencies not only understand the language, but have also developed connections that allow them to locate talented passive job seekers. Understanding the current cybersecurity landscape (which companies are flourishing, who’s happy and who is not) is essential.
Another advantage that agencies specializing in cybersecurity bring is tools that help HR personnel and hiring managers find the right match without a recruiter. Programs like CyberSN’s cybersecurity jobs platform offer tools and templates, for free, to build job descriptions specifically targeted toward people in the cybersecurity industry.
Bottom line: an agency that has expertise in cyber can communicate your job more effectively, resulting in a better slate of candidates and ultimately filling that position faster.