Top Strategies for Engaging Cybersecurity Talent
Lots of companies are competing for these professionals. How do you stand out amidst the noise?
By Domini Clark and Tom Brennan
When it comes to cyber-attacks on your company, it isn't a matter of if, but of when. Cyber-attacks are on the rise. According to PwC's Global State of Information Security Survey 2016, there were 38 percent more security incidents in 2015 than in 2014, across all industries.
It doesn't just happen to giant corporations like Yahoo!, Sony and T-Mobile. SmallBizTrends.com estimates that 43 percent of attacks target small businesses. Large or small, it can cost you plenty. The average cost of a single data breach is $7 million -- up from $5.4 million in 2013 -- according to the 2016 Ponemon Cost of Data Breach Study. More than half of these costs are related to lost business due to customer churn.
Since the best approach is to prevent the hacks, attacks and breaches from occurring in the first place, cybersecurity needs to be part of your IT program. However, as you are aware, talented cybersecurity professionals are in serious short supply. They're a bit of a unique beast, so you'll need a recruitment approach that's different from the ones you're using with other positions -- even other IT positions.
A Breed Apart
The best cybersecurity professionals think like the criminals they oppose. That enables them to anticipate what hackers might try, and to identify weak points in system defenses. The joke in the industry is that superstars have an "evil bit" (as in bits and bytes) in the code of their personalities. With this mind-set, they won't have a high-profile online presence. "Paranoid" is too strong a word, but they tend to be hyper-cautious, and some take pride in operating under the radar.
You likely won't find their résumé on CareerBuilder or LinkedIn, so you'll need to leverage your best networking skills and hardcore power-searching techniques. If your quarry thinks like a criminal, you have to think like Sherlock Holmes to track them down. Don't email them a link to apply, as they won't click on a link from an unknown source (and neither should you). Send them a PDF with instructions for connecting with you.
It's Not a Posting, It's a Pitch
The demand for these professionals means they're constantly hearing from recruiters. InformationWeek's DarkReading.com cites new research by Enterprise Strategy Group and the Information Systems Security Association indicating that about half of cybersecurity professionals are contacted by a recruiter at least once a week. If you post a standard HR job description of duties and requirements, it will wash out among all the other background noise.
In today's market you have to court talent, and that is especially true of cybersecurity professionals. Don't think of it as a job posting; think of it as a sales pitch. Resist the ingrained habit of listing what your company needs, and focus instead on what will engage the interest of your target audience.
Appeal to the Hot Buttons
In general, cybersecurity professionals want to:
* Take on intriguing work that is varied and unique. Let them use their devious creativity to your company's advantage.
* Try new tools and techniques to keep up with the ever-evolving threat landscape. If you've got the coolest technology, your pitch should highlight that.
* Do more than just scratch the surface -- offer them opportunities not only to look under the hood, but also to take some deep dives into your systems and code.
* Have the option to work remotely. Your organization may cling to traditional models, but if virtual options give you an edge in the talent war, then it's time to loosen up.
* Feel appreciated and valued for their contributions -- just like other employees in your company. If you don't have a proactive recognition and rewards program in place, now's the time.
Keep Your Social-Media Buzz Fresh
This is good general recruiting advice, but definitely important for this group. The content doesn't have to be about job openings (although you should push those out, too). Instead, think of social media as digital pheromones that make your company attractive. Blogs and tweets help establish your company as a thought leader, enhancing your brand. They also increase the likelihood that hard-to-find candidates will stumble across your company.
Share great insights and ideas your team has, and be sure some of your efforts target the cybersecurity community -- it's not ALL underground. Join cybersecurity forums and discussion groups, for example. Encourage your existing cybersecurity talent and ranking IT leaders to write blog posts and white papers on the topic. Spray those pheromones where they'll get the best results.
There are definite qualities to look for in cybersecurity candidates, but you can't run an effective search if you focus only on screening people out. The pool's just too small. It may be hard to convince hiring managers to loosen up, but you can point out that, given that security threats are constantly evolving, a degree probably isn't as important as current experience. Or consider recruiting recent graduates by offering the opportunity to gain valuable hands-on experience. Another tactic: Instead of asking for five to seven years of experience, ask for three to five and highlight the opportunity for career growth.
You can try retraining existing IT staff, but keep in mind that success in cybersecurity takes a certain mind-set. Ideally, you have a system administrator who can channel her inner hacker and ask, "What would I do if I wanted to get past our own security measures?"
Hopefully you weren't expecting fast and easy tips for recruiting cybersecurity talent. You'll have to invest time and money, but you can think of it as insurance against multimillion-dollar losses.
Domini Clark is director of strategy at InfoSec Connect and senior recruiter at Decision Toolbox. Tom Brennan is master writer at Decision Toolbox.