
Cybersecurity recruitment in crisis

Opinion | May 25, 2016 | 8 min read
Careers | CSO and CISO | IT Leadership

Blogger finds himself being solicited for jobs by less than qualified recruiters.

Globally, cybersecurity is in crisis, not solely from a lack of skilled personnel, but also from a lack of strategic direction and companies' inability to hire staff in an expedient, effective and efficient manner.

ISSA, (ISC)², ISACA, Cisco, and PwC have all released major studies showing the cybersecurity skills gap has reached a crisis point worldwide. The number of positions to be filled varies widely from study to study, but the majority of them put the gap at over a million positions by the end of the decade. One might go so far as to call it a cybersecurity skills gulf. This is not a new challenge, but one that has been developing over time.

Industry and educational institutions have moved to address the critical shortage of cybersecurity skills. Universities have launched bachelor's, master's and PhD programs with cybersecurity concentrations. My alma mater, Royal Holloway, University of London, launched one of the world’s first master’s degree programs in 1992, graduating over 2,000 students to date.

Cybersecurity professionals have responded with the creation of cybersecurity skills certifications such as the now venerable (ISC)² CISSP, started in 1994, with more than 100,000 holders worldwide. Lawmakers and governments have sought to address this issue with legislation and funding.

A significant aspect of cybersecurity that has not been addressed, to the point of neglect, is the recruitment process. Cybersecurity has been identified as one of the highest-growth, high-salary careers over the next decade. With the proliferation of high-paying, secure jobs comes a flood of job seekers into every aspect of the cybersecurity market, including recruitment.

I have always been fortunate in hiring good quality candidates over the course of my career. Happily, there has never been a need to fire someone that I hired. That is not a testament to me, but to the quality of the people I have hired. On occasion, I use recruiters for hiring, but the number of recruiters that I use is very small and select. Fly-by-night recruiters are almost as dangerous to a company as cybercriminals. For the most part, I use my own professional network and that of a few trusted colleagues to look for qualified candidates. A CISO should have a personal stake in the recruitment of his or her own staff.


My company is in the process of shutting down, and I am looking for my next CISO or cybersecurity thought leadership role. I am therefore intimately familiar with the current cybersecurity job market and its idiosyncrasies. I knew my journey would be an interesting one, as I haven’t had to actually look for a job for over a decade, having been headhunted into my previous posts.

To set the stage, I have 20-plus years’ experience in cybersecurity management and law enforcement, along with a Master’s degree in Information Security and a CISSP. I started off by updating my resume, submitting it to a few key recruiters and associates, some job boards and LinkedIn. My first lesson came very quickly in the form of numerous calls from offshore locations offering me a “wonderful opportunity” as a cybersecurity analyst on a three- to 12-month, hourly-rate contract, anywhere but close to where I live. Cybersecurity analyst is a position I qualified for well over a decade ago, and one that reports to several of my direct reports.

Initially, I didn’t mind being approached about a cybersecurity analyst position; it’s an easy mistake for an inexperienced recruiter to make. Some of the traits of a good CISO are shared with a good cybersecurity analyst. After a number of approaches and conversations with cybersecurity recruiters, it became clear that inexperienced recruiters are the norm, not the exception.

Many have little knowledge of the market that goes beyond the ineffectual keyword-search programs they use. Worse still, many lack the ability to read a resume and know whether it does or does not make sense for a particular position. This being the case, how is a recruiter expected to effectively screen resumes, conduct interviews and provide a quality pool of candidates for consideration? The shotgun approach is the best description for the current recruitment methodology.

Hiring a CISO is no different than hiring any other C-level executive: a well-thought-out plan should be developed and executed. The mere fact of hiring a CISO will not make a company secure. Hiring the wrong CISO will, in many cases, have the opposite effect.

As a recent example, I participated in the process for a CISO EMEA position for a well-known cybersecurity vendor. The hiring manager was a first-time CISO, in the position for less than a year. At the end of the process, I was told the position was going to another candidate. The CISO stated that I had done well in the interviews, had good experience and the skills he was looking for; however, he felt I was too focused on governance, risk and compliance (GRC).

I was too stunned to respond, and thanked him for his time. GRC is the cornerstone of any well-run information security management program. Without GRC, an information security management program would be a hodgepodge of security technologies, disjointed policies and ineffectual processes.

The keys to an effective information security recruitment process are:

  • A well-defined position description developed through an understanding of how it will participate in implementing the information security management program
  • Aligning the amount of experience required with the level of the position
  • Aligning the education and certifications required with the level of the position
  • Conducting a salary and benefits survey relative to the position and its geographic location
  • Timely execution of the recruitment process
  • Effective communication with the candidate
  • Sharing with the candidate the recruitment process
  • Ensuring the recruiters act in a professional manner
  • Testing the recruitment process

I have seen CISO descriptions requiring upwards of 10 years’ experience as a CISO. This makes little sense, as the vast majority of CISO positions have been created within the last five years. Making sure that a CISO has the management experience makes sense; however, if one is stuck on a title, the search will be unnecessarily difficult.

The experience issue is true of many of the advanced cybersecurity certifications. It makes little sense to advertise for an entry-level position and require a CISSP, CISA or CISM. All three of these certifications require five years of experience.

As an example, the CISSP requires a minimum of five years of cumulative, paid, full-time work experience in two or more of the eight domains of the (ISC)² CISSP CBK. Requiring an entry-level candidate to be an Associate of (ISC)² is within scope. The Associate of (ISC)² program allows entry-level information security personnel to demonstrate their competence by passing the (ISC)² CISSP certification exam. They then maintain their continuing professional education (CPE) requirements while working toward attaining the experience required to become fully certified as a CISSP.

Timely execution of the recruitment process, effective communication with candidates and sharing the recruitment process with candidates are all facets of a professional recruitment process. Cybersecurity skills are a seller’s market. If the recruitment process takes three months or longer, the company will lose a large number of candidates to companies with a faster, more efficient process. It is rare that a candidate will turn down an offer for the possibility of working at another company.

While they may want to work for you, desire doesn’t pay the bills. The most unprofessional behavior I have witnessed in recruitment centers around communication with the candidate. Regardless of the reason, if a recruiter takes weeks or months to return a candidate’s e-mail or call, candidates will move on. Keep candidates informed. Let candidates know the recruitment process, set reasonable expectations and execute.

Recruitment is a business process; treat it with the professionalism one would expect of any business process. On occasion, test the recruitment process. Write an ideal candidate resume and see if it makes it into the process. How long did it take to get the resume? Was the resume altered? Interview successful and unsuccessful candidates about the recruitment process.

Of the processes that I have been through, I have only been surveyed by one company about their recruitment process. They communicated with me regularly, were on time, well organized, open, honest and provided usable feedback in an expedient manner. Not surprisingly, Vodafone has had by far the most professional recruitment process I have ever experienced. Unfortunately, I didn’t get the position, but the professionalism that Vodafone displayed made me eager to work with them. Their recruitment and hiring process should be used as a model.

Good quality candidates in the cybersecurity profession are looking for a career in a process- and people-driven culture. How does a company wish to have its culture represented? The recruitment process will be the candidate’s first introduction to a company and will color their perception. That is doubly true for candidates who are not hired. How will they remember your company when you are pitching your goods or services to them as a potential customer?

Having an available pool of cybersecurity talent will do a company little good without an effective and well-executed recruitment strategy.

About the contributor

Over twenty years of experience as an information security professional, serving in executive and senior management positions in the US and the UK. My responsibilities have included the development and implementation of global information systems security management programs aligned with NIST CSF, ISO 27001:2013, elements of the NIST 800 series and HIPAA/HITECH. I have also created new corporate risk programs, including the formation of a board-level Risk Committee, and implemented new vendor management programs to track the compliance state of our key vendors and data holders with HIPAA/HITECH and PCI DSS. I completed the requirements, testing and installation of a state-of-the-art security information and event management (SIEM) platform with IBM’s QRadar and ArcSight, and likewise the requirements, testing and installation of two vulnerability scanners, IBM's QVM and Nessus. I developed an information security awareness program which included annual training for all staff.

I served as Chairperson of the Communications and Public Relations Project Group of Interpol's European Working Party on Information Technology Crime, as well as advising their Wireless Applications Security Project Group. I am a former President of the United Kingdom and Bluegrass chapters of the Information Systems Security Association (ISSA), and have served on the editorial advisory board of the ISSA Journal. I have attended numerous courses on cybercrime and white-collar crime through both the Kentucky Department of Criminal Justice Training and the National White Collar Crime Center.

It has been my honor to be named an ISSA International Fellow (2015) and to receive the International Information Systems Security Certification Consortium, Inc. (ISC)² President's Award for service to the information security community (2002, 2004 and 2009).

Lastly, I hold a Master of Science in Information Security from Royal Holloway, University of London, and I am a former senior instructor for the (ISC)² CISSP CBK seminar, an MCSE and a BS7799 Lead Auditor.

The opinions expressed in this blog are those of Richard Starnes and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.