The cyber security job market is hot, and common recruiting mistakes can keep new talent away. Here are some do’s and don’ts for cyber security recruiting.
An unemployment rate of zero, or below zero, is great if you’re looking for a job. Not so great if you’re trying to fill a job.
Which is the current reality in cyber security. There are more jobs available than there are qualified applicants to fill them. As in, a lot more. And it is expected to get worse—for employers. The global shortage, now at an estimated 1.6 million, is projected to swell to 3.5 million in two years.
That supply-and-demand reality means there is intense competition among companies trying to recruit the best and brightest in cyber security. And it flips what seems to be the more typical employment script, in which the pressure is on job hunters. Yes, they have to do the basics—make sure their resumés put their education, experience, accomplishments, and recommendations in the best light.
But they also need to find a way to get noticed—to rise above the “noise” of everybody else doing the same thing.
What’s the employer version of that?
Well, it requires more than the basics too. In a “normal” job market, it might be enough to throw an ad onto your favorite job posting forum and wait for the applications to pour in. But in today’s cyber security job market, in the words of Nina Avery, senior recruiter at Synopsys, that amounts to “post and pray.”
And it is not nearly enough.
That doesn’t mean you don’t need to do it, and do it well. You still need to post—effectively.
It’s not enough to say you’ll pay X dollars for a full-time programmer. Yes, salary and benefits are always important, but what kind of workplace do you offer? What are the opportunities for growth? How do you demonstrate your commitment to diversity? What are your goals? Why are you the best fit for a bright, ambitious candidate?
Specifics are important too. The job search firm Indeed declared on its blog that one reason companies don’t get results from their job postings is that the ads “use confusing and inconsistent language across similar roles and ask for specific programming experience or bachelor’s degrees—neither of which should be required since most necessary skills can be taught on the job.”
Avery, who is involved in talent acquisition full-time, said sometimes it is not that the language is confusing but that it sends the wrong message. It is crucial to understand, she said, that language sends messages, even subliminally, that can help or hurt cyber security recruiting efforts.
Among things to avoid:
On the other side, a job posting should include:
But again, even if an organization posts well, the “post and pray” method is not enough. With demand exceeding supply, “you can’t be passive,” Avery said. “They’re not just sitting on LinkedIn.”
Which is why Synopsys has a dedicated department for recruiting cyber security professionals. And success requires dedication to several fundamentals:
Recruiting good cyber security talent means going much deeper than a current job title and years of experience. “We read a person’s entire profile,” Avery said. Also, be sure to search online for articles they have written or presentations they have made. That makes for a much more productive introduction.
Building relationships is still one of the best ways to develop the connections that can bring the best talent into an organization. “It takes going to industry events and researching attendees at those events,” Avery said. “It takes years and years of getting to know people and developing a level of trust, where we can pick up the phone with somebody and say, ‘Hey, you worked here, and I know you’re connected to Bob….’”
It’s also important not to burn bridges by “poaching” from other companies—especially client companies. “We have a do-not-call list of more than 400 clients,” she said, “because it could mean losing a contract. But that’s a lot, when you’re trying to hire in certain sectors.”
From the start, it’s important that a candidate feel that he or she is not simply one of dozens receiving a mass email. Do your homework on a candidate so you “can personalize every email message, which is different from what a lot of companies do,” Avery said.
Not every contact or interview ends up with a job offer or commitment, of course. But she said it is crucial to leave candidates with a good taste in their mouth—literally. “It comes down to putting cookies in their hotel room and wishing them well,” she said. “We try to make it a personalized, exceptional experience. They might not get the job today, but they might get it tomorrow.”
Don’t be constrained by specific job openings. Be opportunistic. “If you stumble across someone who is really good and you have that shot to hire them, do it before somebody else does,” Avery said, noting that the “sense of urgency in this industry is unreal. Places like Amazon, Google, and Netflix will make offers on the spot. It’s not always about the specific job you’re trying to fill.”
Bottom line: It is not enough to offer a good job at good pay. There are plenty of those out there. But everybody wants to be wanted. A cyber security recruitment effort that does that is likely to rise above the noise.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.