5 ways to attract the best information security pros

Deidre Diamond, Founder and CEO, Cyber Security Network, #brainbabe

RSA Conference 2020 was focused on the human element for the first time, and thankfully so. While this is great progress, we still have lots of work to do if we're going to meet our workforce needs.

With a shortfall of nearly 500,000 skilled information security professionals in the US, recruiting talent can be challenging, but it doesn't have to be. Surveys have found that 89% of the market doesn't love where they work, and 70% of employed infosec professionals say they're open to a change, even though they have no plans to look for a new job.

Add to that the many forms of human burnout occurring—more than two-thirds (68%) of infosec pros believe a career in their chosen field can be taxing on the balance between their personal and professional life—and you have a recruiting environment that's ripe for exploitation. Recruiting today, though, requires a different mindset—an EQ mindset.

EQ—emotional quotient—is the measurement of a person's emotional intelligence, their ability to understand their own feelings and the feelings of others. Low EQ in an organization translates into low retention. Just look at three major reasons infosec pros leave their jobs:

  • Lack of growth and opportunity. There's no investment in the employee's career. There's no training. There's no career path.
  • Failure to take security seriously. CISOs struggle with this the most, which is why their average tenure is 18 months. When CISOs are hired, they're often told, "Our organization is gung-ho on security," when in reality, it's only interested in compliance.
  • Disrespectful work environment. Language plays a big role in creating or undermining respect in the workplace. For example, using the word "but" when appraising a worker's performance can send mixed signals. If a manager expresses appreciation for the work an employee did on a project, then adds "but" and a critique of the work, the lasting impression is often that the manager didn't like the work at all.

Organizations with an EQ mindset can exploit dissatisfaction in the market and land the talent they need. Here are five tips on how to do that.

Adjust your security budget

Recruiting has to be part of the infosec budget plan, just as everything from risk to tabletop exercises is planned and budgeted for. Responsibility for hiring can't be turned over to human resources in the hope that hires will happen.

HR can be a pain point for hiring managers and candidates alike, and its need to check all the boxes can slow the process so much that candidates may be left wondering if your company is really serious about filling a position at all. HR still has a role to play, but cyber leaders need to take charge. You wouldn't shift the responsibility for replacing a failed security device and hope for the best. Why do it with hiring?

Make your job offering hot

A job is "hot" when it's structured in a way that addresses the reasons people want to leave their old job in the first place. That means a job where people know they're going to be taken care of. There's career and succession planning. Budgets contain money for training and conferences. Flexible hours, or work-from-home options, are available, if needed.

There are also financial carrots, like stock options, bonuses, and a larger salary. And, of course, an opportunity to work with great people. People want to love where they're working. They want to look forward to getting up in the morning.

Know where to look

Chances are the best and brightest in infosec are already working at another company. It’s why most security professionals will tell you they are contacted by recruiters on a near-daily basis. To find the right candidate for your post, you will have to be more aggressive than managers hiring in other fields.

Where might those candidates be? Companies that have announced benefits cuts or layoffs are good targets. So are businesses that miss revenue goals or have undergone a merger or acquisition. In fact, any business turmoil can be an opportunity to find new talent.

Old-fashioned networking still works, too. Are you attending local industry meetups? Do you know what local infosec professionals are reading? Where are they chatting online?

If this seems like a lot of work, it is. But for many companies it's also an opportunity to increase diversity. Breaking outside of your regular recruiting network can introduce you to candidates from different backgrounds who are likely to bring balance to your company’s experience set.

Look for skills, not just the degree

One of the biggest mistakes companies make when it comes to infosec hiring is immediately eliminating candidates without a required degree. Any hiring manager will tell you that a great candidate has much more than the required college degree, yet we see plenty of companies getting hung up on the idea that a degree is necessary. Fortunately, some companies are finding that experience, trustworthiness, and a range of skills are more important.

Focusing on candidates with an eagerness to learn and develop will open a new pool of great talent. Those candidates are likely to be more interested in your company if it offers them the opportunity to grow, which it will if it has adopted an EQ approach to career development. Highlighting professional development opportunities and the value of growth as part of the company culture will entice motivated and talented job seekers not only to apply but, once hired, to stay longer too.

Know when to ask for help—and whom to ask

Sometimes, you just don’t have the bandwidth to hunt down quality talent. Making connections and attending networking events takes time. Hiring a recruiter who can invest the resources into finding the right candidates can save your company time in the long run. Look for a recruiting firm that specializes in infosec.

Recruiters who don’t speak the language of security and aren’t well-versed in the skill set you’re looking for won’t yield the same results that an infosec recruitment firm will.

Another way to shift your search into high gear is by using KnowMore. This talent-matching platform is a resource for both job seekers and employers, allowing you to browse candidates, search by role, and even start a conversation directly with the candidate.

You've only just begun

Acing security recruitment begins with acknowledging that it’s different from filling other jobs. The specialized skill set and high level of trust required make finding the right talent more difficult. By adopting these approaches, however, you can start to attract better talent faster.

Remember, however, that hiring candidates is just the beginning of your role with them, especially if they're going to be reporting to you. You're responsible for your reports' success. People are going to fail, but if you take your role seriously, most people will succeed, because no one comes to work to fail.
