The economic impact of COVID has been felt first and foremost in the employment market. Although security remains relatively resilient, the sector is not without its casualties. There are more applicants on the market, competing for fewer positions.

Consequently, scrutiny of the quality of job specifications, and of their suitability to the applicants they are trying to attract, is becoming the norm. A growing number of job seekers are becoming more vocal in their critique on various social and business platforms. This critique is often warranted and usually comprises a combination of the following complaints:

  • This job spec asks for everything
  • It doesn’t tell me much. It could have been pulled from Wikipedia
  • Why is this or that qualification necessary for this role?
  • This is the same job spec from 6 months ago – is it the same role?

Writing a fit-for-purpose job spec is easily overlooked. In many cases, inadequate specs are recycled repeatedly. Drawing on both qualitative and quantitative responses from candidates and hiring managers, we offer the following advice to firms.

Our tips are written with Security and Risk roles in mind and are inspired by conversations with candidates and hiring managers in both fields. Most of the suggestions are universal and can be applied to many professional positions.

Job Title

What’s in a name? Well, that depends on the bearer of that name. Some applicants view a job title as a reflection of seniority while to others, it is a relatively minor detail, coming secondary to other more pressing information. However, a large enough proportion of applicants give value to a job title for it to be addressed.

Approach bespoke titles with caution: applicants actively search for roles by job title. So while “Identity and Access Management Guru” is catchy, it is not likely to surface in the searches your target audience actually runs, and will restrict the vacancy’s exposure to the people you want to reach. “Information Security Consultant” may seem bland, but you can liven up the vacancy in the spec’s actual content.

Be cautious of overemphasising levels such as VP. Such titles do not mean the same thing in every organisation. They may put off prospects based on their assumptions about the seniority the title implies, or the lack of it, particularly if salary is not listed.

Must have a Degree

Companies often list “degree educated” as a default. “We’ve always done it that way” sounds familiar to many in security. For years there has been a big push for security divisions to be business enablers with a pragmatic view of helping businesses manage their risk. We would urge the same pragmatism when considering applicants without degrees, where possible. In many security roles an astute technical understanding is necessary, and a degree or master’s can demonstrate it; the same applies to non-technical roles that require a mastery of legislation or governance. However, a large percentage of positions do not actually need a degree for the day-to-day aspects of the role. This is evidenced by the fact that a list of acceptable degree subjects is usually not specified: if any degree will do, the requirement is filtering on a credential rather than on a capability.

Career progression and growth

Too few job specs address the career trajectory the successful candidate will have access to. It is unnecessary to go into extensive detail, but knowing from the first day of joining that there is a career path is powerful. The secret to this is choice. If you are in a technical position, an avenue to move into a strategic advisory capacity is attractive, and vice versa. Yes, this is dependent on the size and scope of the organisation. Still, in an industry where staff turnover is high, research shows that remuneration is not the foremost reason security specialists move roles. Career progression, work-life balance, and technology stack rank higher.


If your spec is bland and focuses purely on the employee’s responsibilities, it is fair to assume that readers may well take this as a reflection of the firm. Ideally, your marketing team should be involved in selling the benefits of joining your organisation. Yes, it is a sell.

Overall, fintechs and agile technology firms get this right. It appears contradictory to sell your services to consumers and yet publish a bland, copy-and-paste job spec. It can give the impression of a customer-first approach rather than a people-first approach.

Discriminatory language

Yes, this still happens. It is rarely nefarious; in most cases it is unconscious and careless, ranging from “he must have” to masculine-coded language such as “dominant”. To avoid this, we recommend running the spec through a gender-decoding tool that assesses whether the language you use is gender biased. There are several free and paid tools on the market. Statistics show that the language used in job specifications is more likely to dissuade female applicants from applying. Only 25% of companies set gender diversity targets when recruiting, and the effort to recruit a diverse workforce begins with the spec, not the interview.

Qualifications and certifications

A few years ago, it would suffice to stipulate “relevant security qualifications” as a criterion. This approach was often critiqued as not being specific enough. There is no shortage of qualifications and certifications listed in security positions today; however, due diligence must be exercised when listing them. There have been cases where firms advertised an entry-level position and included CISSP and CISM as necessary qualifications, even though both certifications require several years of documented professional experience to hold.

Such companies run the risk of becoming security memes, and with good cause. Think carefully about the prerequisites for the certifications you seek (years of experience, endorsement, continuing education) and whether they are genuinely relevant to the position. If in doubt, there is no harm in taking a flexible approach to certificates.

We are an ‘Equal Opportunities Employer’

Think carefully about promoting yourself as an “Equal Opportunities Employer” if there is no diversity within your senior team. One firm, aware of its undiversified management, wrote in its job spec: “We are an Equal Opportunities recruiter and are striving to make improvements in this every day.” This disclaimer seems genuine and challenges the assumption that “equality status” is a badge of honour rather than a discovery and a journey towards improvement.

We understand from conversations with applicants from diverse backgrounds that they are likely to judge an Equal Opportunities Employer statement against a firm’s Leadership Team web page and LinkedIn profiles rather than take it at face value. With recent attention on firms’ socio-economic and racial make-up, there is further scrutiny of the genuineness of such claims versus the reality of board diversity.

Promote culture and values

An effective way to promote your company culture is via your mission statement; placing it at the beginning of your spec is compelling and sets the right tone. You can immediately filter out a large proportion of applicants who do not share such values. If teamwork and camaraderie form part of your fundamental values, shout this from the rooftops. Mavericks may have the technical capabilities but may be harmful in the long run. A bad hire costs a firm, on average, three times the offered salary, not to mention the reputational risk involved. A mission statement becomes even more potent if staff have actively contributed to its formation.

Keep it real

Remember, a job spec forms the basis of an employment contract. It is publicly available information indicating to a prospect whether she or he is suitable for the opportunity based on capabilities, cultural fit, and life circumstances. Suppose your job spec states that the advertised position is remote, and the employment contract upon offer requires two days a week in the office. In that case, it can be interpreted as misleading. Even if the wrinkles are ironed out, it is not an ideal way to start a relationship, and seeds of mistrust are already sown. As an employer, don’t feel pressured to have all of the answers straight away; some things can be taken on a case-by-case basis. The phrases “to be determined” or “flexible” can convey a versatile approach, but use such terms sparingly. There is a thin line between flexibility and indecisiveness.

We know that creating a job specification should not be an automated process. The spec should be as individual as the employees themselves. Bestman Solutions offer spec creation as a service, to enable business leaders to increase their chances of attracting the right talent for the right role.

Your job specification is an advertisement for your organisation and your team. Not everything should be recycled. Reach out to discuss our service.
