Your cyber security department has some big hurdles when it comes to hiring. In IT, 10% of all job postings are in cyber, and the growth rate is 2x faster than other IT jobs. There will be 1.5–2 million unfilled cyber jobs by 2019. Currently, cyber job postings take 24% longer to fill than other IT jobs and 35% longer to fill than all job postings. Regardless, you can win the right candidates by executing on these tips.

Your Security Department Should Own the Recruiting Process.
Hiring an accountant is a walk in the park compared to what you are trying to accomplish. Security positions are highly specialized, somewhat new, and often exceed the network and time constraints of internal HR/Talent. Plus, security programs are notoriously tribal. You know your culture, so you are responsible for finding the right personality and skill set. It’s important for you to have done the research on your competitive landscape, salaries, and what you can get for your money.

Promote Your Job Openings Where Talent Is Likely to See Them.
Oftentimes, there is a battle going on inside your company between departments for recruiting resources, and you can make a great argument that your department needs focus. Ask for special recruiting sections on your company’s website, and especially on LinkedIn. Also, Google AdWords buys can be a focused and inexpensive method of owning keyword searches.

Invest Time in The Perfect Job Description.
Do this right and competent candidates will immediately know that you get it. A job description should read more like a story than a checklist of demands. Remember: this is a buyers’ market! You have to sell. Don’t lose a great candidate in the reading of a job description just because you copied and pasted the requirements from your competitor.

Cast A Wide Net and Be Willing to Teach.
As a security department, you know that the top qualifications you’re seeking are passion and an innovative mindset, so try not to constrain the role too much with an exhaustive laundry list of certifications and pie-in-the-sky experience expectations. If you do this well, you might interview a candidate who’s not right for the immediate posting but would be a great fit elsewhere. Or you might interview a candidate who is almost there but not quite. Maybe the team loves him/her and agrees that the added knowledge wouldn’t be hard to teach. Put yourself in a position of turning a close-to-great candidate into exactly what you need.

Optimize Your Interview Process.
Seventy-seven percent of candidates believe the interview process is important and speaks to the values of a company. You can use this to your advantage. First, to win in security, you must interview with speed. If you find a good candidate or two but it takes a week to line up the right interviewers, you will suffer the consequences. A well-defined and speedy interview process wins!

Most company interviews lack structure and metrics, making it difficult for the team to score and the candidate to feel like the right topics were given appropriate time. Yes, you need time to assess a candidate’s personality and vibe with the team, but that’s pointless if the candidate doesn’t have the required skill set for the position. The best assessments are provided when a candidate pool for a job meets with the same person or team and is asked the same questions. Also, it’s important that a candidate’s first touch is with a positive “yes” person. The guy most likely to make a colleague feel like an idiot for opening a dangerous spam email should not conduct the first interview! The goal is to ratchet up the expectations in an interview process, not nuke your candidate base early.

Navigate the Job Offer and Negotiation Stage.
With security talent, the job offer stage can be more freewheeling than in other professions.
Pay scales within security positions are harder to define because they are based on three factors: current salary (which can have more moving parts in the way of bonuses), what the competition is willing to pay, and your company’s pay structure. When approaching the offer stage, a company must be quick, decisive, and as armed as possible with the knowledge of what can make a deal go bad. I believe that any successful negotiation results when both parties don’t get exactly what they want. It sounds negative, but if your interview process is strong, candidates understand that there is give and take in every situation. Be open to the negotiation and close quickly.

Respect All Candidates – Not Just the Ones You Choose.
One of the best ways to build a good reputation is to treat rejected candidates with respect. Always call the candidate to give a no, thank them, and provide clear and truthful feedback. The candidate may disagree, but they will appreciate it because that experience will be different and will set you apart. Plus, the candidate might be a prime target for you in a few years and a good experience will keep the door open.

Hire Your Headhunter Carefully.
An outside recruiter can be worth the money if they check several boxes. First, the potential recruiter must know your market and focus exclusively on security. You are paying for speed. Second, a good recruiter can save a ton of grief when it’s time to close. At offer stage, a good recruiter has been working to bring both sides together, which eliminates unwelcome surprises at the altar. Third, a good recruiter knows that an accepted job offer is never a done deal. Candidates, especially security candidates, should be hand-held through the process of resigning their current position, through on-boarding, and through the first critical months at the new job.

For many cybersecurity departments, implementing the above recommendations can feel a little overwhelming. But you are in a battle for talent.
Hiring and retaining the right people is an antidote to the demands and expectations facing your security program. If you execute these ideas, you will stand out and attract the candidates that can have a big impact on your security department and your company.

About the Author: Chance Hoag owns Talon Placement, a nationwide recruiting firm headquartered in Nashville, TN, which is focused exclusively on cybersecurity, risk, privacy, and compliance. You can follow him on LinkedIn and Twitter.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.