You’re Not Hiring People, You’re Trying to Solve a Problem

5 years ago, when I was still smarting from being laid off [fired, cough], I found myself back in the job market looking for …something.

After 12+ years in the same organisation, I had worked my way up from ‘Firewall Administrator’ to ‘Director of Delivery’ for EMEA and APAC. Through poor planning and various character flaws I was at a complete loss where to start looking for an equivalent position. My safety-net was non-existent as making connections has never been what I would call a strong suit.

So I did what everyone else does; I called some recruiters. And I got what a lot of other people got by doing so; nowhere and frustrated.

But as much as I have criticised recruiters; Cybersecurity Recruiters, The Gauntlet Is Thrown!, they are doing an almost impossible job. I have even tried to help; How to be a GREAT Cybersecurity Recruiter, but this still leaves them addressing only the symptoms. The root cause of all our woes is, of course, the hiring organisations themselves.


Skills Gap

Cybersecurity Skills Gap? You’re Clearly Looking in the Wrong Place

Like every other independent security consultant out there, I have to ask; “Cybersecurity skills gap? What the Hell are you talking about?”

I’m not even going to quote the plethora of doomsday statistics, but suffice to say the majority of organisations and Governments believe the cybersecurity skills gap is actually a real thing and getting worse. They have no idea that the experts to solve most security issues are out there with dumbfounded expressions thinking; “I’m sitting RIGHT here?!”

How can there be a shortage when I, a cybersecurity professional available for hire, am not overwhelmed with requests for help? How is it that EVERY cybersecurity consulting company in the world isn’t experiencing exponential growth? Why do I see cybersecurity practitioners all but begging for jobs on LinkedIn almost every day?

It can only be because those looking for help are simply looking in the wrong place, and here’s an example;


Recruiter

How to be a GREAT Cybersecurity Recruiter

To be clear, I am not, nor have I ever been a cybersecurity recruiter. I’m not even saying I have what it takes to be one. What I’m saying is that, like cybersecurity itself, being a recruiter is very simple. Bloody difficult, but simple nonetheless. What’s more, cybersecurity recruiting is also about People, Process, and Technology. Always in that order, and luckily the only technology you need to be a great recruiter is a phone and a laptop.

So while I cannot talk directly about the challenges faced by recruiters, I have however been on the other side of the process as both a candidate and a hiring manager. I can say that in almost 20 years I have yet to meet a recruiter for whom I would go out of my way to recommend. Not one. In 20 years.

Not. One. *

So if you are a recruiter who has engaged with me in the past, yes, this applies to you, without exception. If you want to know why, read on, and then be honest with yourself. Did you really provide the kind of service I describe below? Do you now?

The most frequent piece of advice I give anyone new to cybersecurity is to take your ego out of the equation. That may sound odd coming from me, but even though I know a lot more than my clients about cybersecurity, it’s not about me. Of course I know more than my clients, that’s why they hired me! It’s about using my knowledge for the client’s benefit, not for appreciation, and certainly not for money. Both of those things should take care of themselves if I did my job correctly.

Again, this is no different from what you should be doing as a recruiter.

As a recruiter you have not one client, but 2, regardless of whom you represent; the candidate, and the hiring company. While this makes your task twice as difficult as mine, what you do is no more complicated. Like it or not, you are in the service industry, and neither the candidate nor end customer care what you want. But if that’s all you care about, you will rightly fail. Harsh, yes, but you chose this career.

Anyway, here’s my advice for what it’s worth.

How to be a Great Recruiter.

  1. Know what the hell you’re talking about – No, you don’t have to be an expert in cybersecurity, but there’s a very good chance the hiring company isn’t either. They will ask the wrong questions, it’s your job to give them what they need, not what they asked for. If you’re representing a person, you need to know their skill-set enough to determine a good fit. This means you have to know what cybersecurity actually is, and no, not just the buzz-words and acronyms.
  2. Know what the candidate wants – You have a responsibility to your candidates to help grow their career. This is their livelihood, and they trust that the power you have over their success is not misplaced. If all you care about is getting them off your plate and on to the next candidate, you are betraying their trust. If you don’t see your candidates as lifelong relationships, why are you doing this? Go sell used cars instead.
  3. Send CVs that have been PROPERLY vetted – It’s tempting to scattershot all of your ‘cybersecurity expert’ CVs at every cybersecurity related job opening in the hope one sticks. Don’t. Do your homework, and if you don’t have someone that fits, pass. As a hiring manager I dismissed recruiters that consistently wasted my time. Earn the right of first refusal by being totally candid, that’s the most you can ask for with the amount of competition out there.
  4. Provide unvarnished feedback – No matter how bad the feedback, pass it on completely unvarnished. If you don’t have the courage to do that, at least provide SOME feedback. I’ve lost count of the number of times a recruiter was all over me while I was still a viable candidate, then completely disappeared when it fell through. Obviously I didn’t get the job, which was bad enough, but for me to have to work that out by myself over the course of the next few weeks is unconscionable. While you may not be able to help your candidate from screwing up the next time, you’ll at least have a candidate who’ll talk to you again.
  5. STAY in touch – Careers in cybersecurity can change on a dime, if you don’t maintain a relationship with your candidates you will become worthless. I’m not saying call every day, but is once a month too much to ask for a 30 minute catch-up? If it is, again, why are you doing this, you’re supposed to actually like people. Besides, if I trust you, who do you think is going to get all of my referrals?
  6. Be pro-active – As a recruiter, you have unparalleled access to the demands of the market. What possible reason could you have for not feeding that back to your candidates? By steering them into fields of high demand you are helping both them, and yourselves.
  7. Love what you do – No-one wants to work with someone who could not care less about what they do. Love it, or get out.

Recruiters in every field have a horrible time fighting against their negative image. An image they have earned as a profession from being so filled with dross. Unfortunately cybersecurity is getting that way thanks to ambulance chasing vendors. Now combine the two; cybersecurity recruiter. The odds are against you, but it strikes me that anyone encompassing the above would be a beacon in an otherwise dismal landscape.

For those who have the temerity to ask for exclusive deals up front, try earning it instead. Given the state of recruiting these days it should not be that difficult.

Finally, at the end of my blog; Cybersecurity Recruiters, The Gauntlet Is Thrown! I stated my ultimate purpose was to find the great recruiters I know are out there.

I’m still looking.


* I have in fact met one since, but they quit! 🙂

No More Job Titles, Just Function Based Roles

The only established job title I agree with, is ‘Consultant’. They can:

  1. say without fear of repercussion; “I have no idea, but I know someone who does.” They are enablers, not [necessarily] SMEs;
  2. add new projects / functions / experiences to their CVs/resumes because their entire role isn’t defined by a single job description; and
  3. stop someone asking questions about what they do, because the answer; “I’m a consultant.” fulfilled the societal obligation.

Every other title out there tells you what that person does, and to an uncomfortably large [judgemental] degree, WHO they are. Ever taken an instant dislike to someone who told you they were a traffic warden? But how many people really think of themselves as defined by their job? Nurses perhaps, charity workers, priests? Do you really think of yourself as an ‘actuary’, or a ‘receptionist’?

While there are many jobs out there where your personality shines through, most of us are not doing them. We’re working in the information age where our entire output can easily point to nothing tangible. We’ve ‘made’ nothing, yet we still want to believe that we are making a positive difference, don’t we? How can we possibly put the age old corporate strictures around something so fundamentally different as today’s job market?

Doctors don’t prescribe leeches and bleeding for every illness, banks don’t process every transaction on paper (though I think Lloyds might), so why do we maintain the centuries old concept of pigeon-holing everyone into a job title? Would it not make more sense to describe all the FUNCTIONS or TASKS a business requires, then let the right individual(s) perform them?

How often does the best person to perform a task actually get to do it? They may be in the wrong department, the wrong ‘grade’, or have the wrong boss, but the effect is the same; the person who is paid to perform the task as part of their defined job description does it, and possibly nowhere near as well as the person best suited.

There is a very good chance that no-one even KNEW there was someone who could do it better. Usually this is a combination of two things; 1) no-one bothered to find out, and 2) no-one volunteered the knowledge. This is not just about employers not providing an environment that embraces change, it’s also about employees that don’t WANT change. Either be the agent for change, or don’t complain about the status quo.

How many times have you had an idea for a process change, a new profit line, a morale booster etc, then had it shot down for one or more of the following reasons:

  • It’s not your job, go back to doing what you’re PAID to do;
  • It’s not the right time – with no indication of when it MIGHT be the right time;
  • We’ve always done it this way – try not to punch this person in the face; and/or
  • It simply won’t work – with no indication as to why.

…or a thousand other reasons that all amount to the same thing; You have your day job, leave it at that. You may even have been made to feel bad about suggesting it in the first place, which means you’ll never do it again.

The reasons for this are as infinite as the excuses. A few are:

  • Your boss has no idea what he/she is doing and you’re humiliating them;
  • Your organisation is led by someone with no imagination, or ability to inspire; and
  • They simply don’t understand the concept.

YOU can be just as much to blame however:

  • You spend all your time at work working on things that you are not being paid for, and your real work suffers;
  • You have put no real thought into the idea, or formalised your plan; and
  • Your idea is crap.

But these examples don’t change the fact that most organisations hire people to fulfil a specific task without taking the individual’s full skill-set into account. They are then either marginalised, or actively held back from developing additional skills, or expanding their function beyond a very limited scope (usually departmental).

Nature doesn’t label, it just is. The strongest in the pack is Alpha, the best hunters lead the hunt, and every living thing just gets on with doing what they were born to do. Not humans. We have to label, compartmentalise, pigeon-hole, classify – I mistyped that as ‘calcify’ which is amazingly appropriate – in order to understand. We have good-vs-evil, up-vs-down, in-vs-out, just so we can explain things to ourselves.

In the workplace, the larger a business becomes, the more disconnected it becomes. There is no room for the individual, let alone the individual’s unique set of talents and skills, but I believe this is exactly where we need to go. It may well be that the guy in accounts payable is a wizard at data analytics, so have him help out in Marketing. The girl working in Research & Development has an uncanny ability to relate to people and “talk their language”, so take her out to close the more complex deals.

Once you know the individuals, titles are irrelevant. People just KNOW who they are. The two people above are ‘the data guru’ and ‘the closer’ respectively, and are happy because they get to do what they’re good at! Who knows, they even get appreciation for it, and the organisation is happy because they have a competitive advantage.

Even hiring becomes easier. You don’t hire against a job title, you hire against a required skill-set, which is MUCH easier to interview for. Then when you ask that person what title they would like, they can be creative / unique enough never to feel as though they are just another cog in the wheel.

Of course, to the outside world you will still need to give them known titles. Until this catches on anyway. And some people WANT to go to work 9-5, be anonymous, and that’s OK, every business can’t be full of entrepreneurs and go-getters.
