Tips for recruiting top cyber security talent (and mistakes to avoid)

The cyber security job market is hot, and common recruiting mistakes can keep new talent away. Here are some do’s and don’ts for cyber security recruiting.

An unemployment rate of zero, or effectively below zero, is great if you’re looking for a job. Not so great if you’re trying to fill one.

That is the current reality in cyber security. There are more jobs available than there are qualified applicants to fill them. As in, a lot more. And it is expected to get worse—for employers. The global shortage, now at an estimated 1.6 million, is projected to swell to 3.5 million in two years.

How to rise above the noise in a crowded market

That supply-and-demand reality means there is intense competition among companies trying to recruit the best and brightest in cyber security. And it flips what seems to be the more typical employment script, in which the pressure is on job hunters. Yes, they have to do the basics—make sure their resumés put their education, experience, accomplishments, and recommendations in the best light.

But they also need to find a way to get noticed—to rise above the “noise” of everybody else doing the same thing.

What’s the employer version of that?

Well, it requires more than the basics too. In a “normal” job market, it might be enough to throw an ad onto your favorite job posting forum and wait for the applications to pour in. But in today’s cyber security job market, in the words of Nina Avery, senior recruiter at Synopsys, that amounts to “post and pray.”

And it is not nearly enough.

Do’s and don’ts for cyber security recruiting

That doesn’t mean you don’t need to do it, and do it well. You still need to post—effectively.

It’s not enough to say you’ll pay X dollars for a full-time programmer. Yes, salary and benefits are always important, but what kind of workplace do you offer? What are the opportunities for growth? How do you demonstrate your commitment to diversity? What are your goals? Why are you the best fit for a bright, ambitious candidate?

Specifics are important too. The job search firm Indeed declared on its blog that one reason companies don’t get results from their job postings is that the ads “use confusing and inconsistent language across similar roles and ask for specific programming experience or bachelor’s degrees—neither of which should be required since most necessary skills can be taught on the job.”

Avery, who is involved in talent acquisition full-time, said sometimes it is not that the language is confusing but that it sends the wrong message. It is crucial to understand, she said, that language sends messages, even subliminally, that can help or hurt cyber security recruiting efforts.

Don’t make these recruiting mistakes

Among things to avoid:

  • Posting salary ranges. “It’s tacky, and you’re setting yourself up,” Avery said. Besides, salary ranges for just about every job title are widely available online.
  • Pitching party-oriented perks. These include things like free food, gaming, beer—anything that portrays the work environment as a frat house or boys’ club. In a world where good talent is scarce, you don’t want to drive away women or anybody else who isn’t a party animal.
  • Using aggressive or athletic language. “Remove things like that and focus on team, compatibility, and collaboration,” she said. “Make it gender neutral, not male-centric—a friendly work environment.”

Do make your cyber security job posting more attractive

On the other side, a job posting should include:

  • Job specifics. The Indeed blog reported that the terms that got the most responses included “full-time,” “information technology,” “engineer,” “security,” “entry-level,” and “government.” To that list, Avery said she would add “secure software development” and “application security.”
  • Career development and mentoring. “That’s essential,” Avery said. “We do a lot to encourage our senior tech talent to mentor other employees.”
  • Work-life balance. Applicants want to know if they will ever be able to see their families.
  • Transparency about travel. While some applicants are looking for the opportunity to travel, others may be starting a family and looking to cut back on it.
  • Technical successes. These include awards a company has received, such as Synopsys’ recent placement at the top of the Gartner Magic Quadrant for Application Security Testing. Success draws people who want to succeed.
  • Executive contribution and giving back. “What does it do for the world?” Avery said. “People want to be involved in something that makes a difference.”

4 tips for recruiting top-notch cyber security talent

But again, even if an organization does posting well, the “post and pray” method is not enough. With the imbalance of demand exceeding supply, “you can’t be passive,” Avery said. “They’re not just sitting on LinkedIn.”

Which is why Synopsys has a dedicated department for recruiting cyber security professionals. And success requires dedication to several fundamentals:

Do your homework

Recruiting good cyber security talent means going much deeper than a current job title and years of experience. “We read a person’s entire profile,” Avery said. Also, be sure to search online for articles they have written or presentations they have made. That makes for a much more productive introduction.

Build relationships

Building relationships is still one of the best ways to develop the connections that can bring the best talent into an organization. “It takes going to industry events and researching attendees at those events,” Avery said. “It takes years and years of getting to know people and developing a level of trust, where we can pick up the phone with somebody and say, ‘Hey, you worked here, and I know you’re connected to Bob….’”

It’s also important not to burn bridges by “poaching” from other companies—especially client companies. “We have a do-not-call list of more than 400 clients,” she said, “because it could mean losing a contract. But that’s a lot, when you’re trying to hire in certain sectors.”

Get personal

From the start, it’s important that a candidate feel that he or she is not simply one of dozens receiving a mass email. Do your homework on a candidate so you “can personalize every email message, which is different from what a lot of companies do,” Avery said.

Not every contact or interview ends up with a job offer or commitment, of course. But she said it is crucial to leave candidates with a good taste in their mouth—literally. “It comes down to putting cookies in their hotel room and wishing them well,” she said. “We try to make it a personalized, exceptional experience. They might not get the job today, but they might get it tomorrow.”

Think outside the box

Don’t be constrained by specific job openings. Be opportunistic. “If you stumble across someone who is really good and you have that shot to hire them, do it before somebody else does,” Avery said, noting that the “sense of urgency in this industry is unreal. Places like Amazon, Google, and Netflix will make offers on the spot. It’s not always about the specific job you’re trying to fill.”

Bottom line: It is not enough to offer a good job at good pay. There are plenty of those out there. But everybody wants to be wanted. A cyber security recruitment effort that does that is likely to rise above the noise.

Posted by Taylor Armerding

Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.