Recruiting for cybersecurity roles, especially senior ones, involves much more than simply hiring bodies to occupy seats. Transactional hiring is great for high volume roles, but in a world where cybersecurity talent is so scarce, a more strategic, relationship-focused attitude is beneficial. So if you’re looking to hire a top-level cybersecurity professional – maybe even for the first time – read on.
Cybersecurity is a quickly maturing field where losses are often counted in the millions of dollars – IBM found that the average total cost of a data breach in 2022 was USD 4.35 million, an all-time high for its figures. DCMS figures found that 39% of UK businesses identified an attack in 2021, with phishing the most common threat vector (83%).
With pressures like these, it’s important to get security talent right – yet the tightness of the security talent market brings pressures of its own. Cybersecurity skills are in huge demand, with cybersecurity specialists specifically listed on the UK Government’s official shortage occupation list. The problem isn’t much better in the US: around 700,000 security roles were unfilled as of November 2021, with little available talent to fill that gap.
Facing such a massive skills gap, it’s no surprise that headhunting is rife. Not that there’s anything wrong with headhunting per se, but it does leave employers in a precarious position if their top cyber bod suddenly quits for the greener grass elsewhere. But we’ll talk more about continuity planning later.
Though these pressures are felt at every level of the organisation, they are felt perhaps most sharply in middle to senior management positions. Cybersecurity is such a rapidly growing requirement that we’re going to be playing catch-up for a few years – at least while today’s lower-to-middle managers are drawn up the chain of command into C-suite technology roles.
To unblock this talent pipeline, something has to give. Yet according to Will Markow, vice president of applied research talent at Emsi Burning Glass (speaking to Fortune): “Employers have been very slow to reduce either credential requirements or education requirements for cybersecurity jobs, despite the hiring difficulty that they have.”
Employers could therefore consider redefining hard-to-fill roles around the specific skills actually needed, rather than a rigid description of an ideal candidate. Not only can this have diversity benefits, but it can also uncover new, untapped security talent…
Tech employers seem oddly reluctant to think – and look – outside the box, sticking with the same old talent sources when filling security leadership roles. Many prefer a candidate who graduated from a prestigious university with a security-related degree; few consider hiring on essentials like attitude and cultural fit.
In his recent TechCrunch article, George Gerchow of Sumo Logic recounts his efforts to recruit a cool-headed ex-Marine to a senior SOC position. Gerchow looked at the applicant’s resilience under immense pressure and his problem-solving nous rather than his cyber-specific skills. Despite his team’s initial misgivings, the new SOC manager took to the role like a duck to water, and eventually received the company’s highest award for employee achievement.
In order to keep the security labour market flowing freely, further informed hiring like Gerchow’s – which may seem like a gamble to some – will be needed.
In his article, Gerchow advises a few ways to attract the best tech talent. Firstly, prioritise individuals who can handle the considerable pressure of working in security – 51% of security pros are kept up at night by the stresses of work, after all. If you discover someone who relishes a high-pressure environment, they may make an ideal security leader.
Additionally, great cyber talent may not have a degree from a leading university (or at all). Look to non-traditional routes to source security leaders, such as DevOps (a specialism that can readily be trained up to accommodate security) or more left-field backgrounds like compliance or even finance. CISOs need to be able to walk the walk and talk the talk of an exec, all while managing risk, so these fields are worth watching for your future tech leaders. If they can hack it, that is… (Pun very much intended.)
The growth of cyber threats has put a lot of stress on cybersecurity execs. In fact, security company Deep Instinct found that 46% of senior and executive-level security pros have considered quitting the industry due to stress levels.
Topics like “the Great Resignation” and “Quiet Quitting” have recently dominated the headlines, and workers up and down the chain of command have wondered whether the grass really is greener on the other side of the fence. Employers who want to retain their best talent need to attack the retention problem head on and remember that compensation for continued good work should be much more than merely financial.
Firstly, as recruiters, we hate it when job ads and descriptions describe pay as “competitive”. We frequently see well-matched applications fall at the final hurdle when the applicant discovers that the “competitive” pay that has been budgeted is nowhere near what they had in mind. As we’ll discuss shortly, a strategic relationship with a recruiter can help you benchmark your salaries against market demand so that your offers are genuinely attractive.
However, pay transparency doesn’t end when the new exec is on your books. If possible, consider implementing transparent pay bands and perks throughout your organisation so nobody feels left behind.
One of the occupational hazards of cybersecurity is that attacks and breaches can happen at any time of the day or night. They’re an omnipresent threat. Mentally and even physically, that eventually takes a toll, even on the most resilient individual. You may wish to consider implementing health and mental wellbeing perks throughout your organisation, so if the pressure builds then help is not too far away.
Roles like CISO and CSO sit at the top of the promotion tree, but that doesn’t mean a new C-Suite hire is going to be there forever.
Just as you may implement succession and promotion planning for lower and middle management roles (and if you aren’t, you probably should), you should also consider how you will ensure continuity if your top security technologist is suddenly tempted by an offer elsewhere. Just because they seem content in their role doesn’t mean they are immune to the lure of being headhunted into a role with more appeal!
Given this, and the tightness of the market, it may be worth promoting a security leader into a Deputy CISO role alongside your next CISO hire. Not only can they help ease the considerable day-to-day strains of the CISO’s job, but they can be trained up and primed to step in as CISO should your existing hire be tempted away.
You’d be forgiven for thinking that a security recruiter is someone who simply finds willing bodies to occupy desks. However, a skilled, specialist cybersecurity recruiter can help you in many more ways. Before we go on, let’s discuss the three main recruiting strategies that are open to your HR/TA team:
A retained search model is where an employer works solely with a single recruiter on an ongoing, retained basis to help fill their talent needs. The retained recruiter collaborates closely with the employer to understand hiring strategy and to define the profiles of individuals they are looking for.
This is generally a recruiter’s premium service – and one that many consider essential when searching for cybersecurity talent, given the criticality of the roles. In return for an up-front fee, the employer receives an end-to-end service and a well-matched hire for each role.
Under this model, the recruiter provides their service as a dedicated recruitment consultant who liaises with both the applicant(s) and the employer. However, be aware that these relationships are two-way – for all of the assistance the recruitment consultant provides, they will need regular feedback and input about (and directly from) each placed individual until that individual is well and truly bedded in.
A contingency search model is when employers contract with recruiters on an ad-hoc basis as and when new talent is needed. Employers can work with different external recruiters to fill the same role, and recruiters are only remunerated if/when they fill a vacancy.
It’s generally the model used for lower-skilled, higher-volume staffing needs. Contingency search is quite a transactional way of working and involves nowhere near the same level of engagement as the retained search model.
A container search model is a hybrid of the retained and contingency models. It gives the employer strategic access to the recruiter’s expertise and resources, as with a retained search, but the up-front payment acts more like a refundable deposit.
If the recruiter finds and places a suitable candidate, this “deposit” is credited against their recruitment fee. If the role is withdrawn or the talent is found through other means, the deposit is handed back. Understandably, this puts the onus on the recruiter to place talent!
The container model is a useful stepping stone for companies that are used to transactional contingency arrangements and want a taste of how working more strategically with a recruiter can benefit them.
Needless to say, if you are filling a highly skilled role or a top management vacancy, you should generally favour a retained model over the other options. The stakes in finding the right person are just too high, and the recruiter’s involvement too limited under the more contingent approaches.
Specialist recruitment consultants and agencies are far more than talent-finders. We are highly specialised organisations that intimately understand the demands, rates, and status quo within our markets.
We can provide valuable input on what is currently making vacancies attractive within your industry and can help employers benchmark salaries and perks. Given the amount of headhunting that goes on within the security industry, getting compensation right from the outset can be crucial for staff retention.
When a recruiter works with an employer on a retained basis, the recruiter has to be as fluent in the employer’s recruitment “brand” as an internal party would be. And as a security recruitment specialist focused on placing top management vacancies, we need to know cybersecurity like the back of our hands to truly understand what will be needed from a hire.
Recruiters can also have a direct relationship with the employees they place – something we feel should come as standard across the board. A recruiter is an expert in the employment side of their field, after all, so a new hire can always reach out to their recruiter with questions that may not be appropriate for colleagues or higher-ups, such as what to do if they receive a counter-offer from elsewhere, or simply to ask “is [situation] normal?”.
There is a vast amount of technology out there, and an equally varied range of tech roles to match. Tech recruiters, therefore, usually need to be generalists to some degree.
Though there are countless incredibly skilled tech recruiters out there, the general tech knowledge they need in order to do their job doesn’t always translate well to the highly specialised field of cybersecurity recruitment. That’s why we would encourage employers to seek out specialist cybersecurity recruiters to fill specialist cybersecurity roles.
Diversity is much more than achieving equity across gender, race, disability, or LGBTQIA+ status.
External recruiters are experts in all things hiring and can be instrumental in helping you enact (and even create) diversity, equity and inclusion recruitment policies. With their specialised view of the market, retained recruiters can help you recognise where your current recruitment and employment policies are misaligned with the diverse talent that is actually available to you.
Hiring processes can’t ask about protected characteristics (and rightly so), but there are still elements of many hiring processes that leave a lot to be desired when it comes to attracting dyslexic or otherwise neurodivergent candidates, for example.
Working with diverse recruiters can help employers identify blind spots in their inclusion policies that can only be seen through lived experience. But chiefly, diverse recruiters can help you reach diverse talent.
Conclusion – Not only are recruiters a real asset, even to organisations with in-house HR and recruitment talent, but a specialised recruiter understands the sector-specific challenges. Working with a recruiter on a retainer (or retainer-like) basis is all about trust, something that is essential in a field like cybersecurity. Cyber managers don’t give trust easily (and it’s easy to understand why) but having a trusted person on hand to help with recruitment is one more stress taken off their hands.