Cybersecurity Recruiters: Your Failures Explained

Each time I think I’m getting to the heart of the challenges faced by those on all sides of cybersecurity recruiting, a further complexity raises its ugly head.

While I still think that job titles are horribly limiting, that job descriptions completely miss the point, and that the cybersecurity skill-gap misconception is mostly the fault of the organisations asking for help, there’s no getting away from the fact that cybersecurity recruiters are doing themselves no favours.

Many organisations don’t know what to ask for, and recruiters, while not really in a position to contradict them, do little to provide them with what they actually need. Mostly because the recruiters don’t even know what the organisation needs (they aren’t security people themselves), and they are never going to find out unless they have the right conversations.

No one is having the right conversations.

Let’s, for the sake of argument, assume that I am right in my assumptions, and that all of the following are not only the right way of doing things, they are actually in place:

  1. Job titles are replaced with functional descriptors and people are no longer pigeon-holed into a position defined by a name;
  2. Hiring job descriptions are replaced with a description of the functionality gaps that need filling; and
  3. There are a ton of people out there looking to fill cybersecurity positions.

What’s missing? Why would we still fail? Why wouldn’t organisations get decent candidates? Why would recruiters still fumble around trying to force square pegs into round holes, and why would it be so damned difficult for security folks to get a job they love?

I think the ‘root cause’ is that without robust risk management processes, there is simply no way an organisation can ever know what its ‘people gaps’ are.

I have written numerous times that it’s the risk assessment (RA) / business impact analysis (BIA) process followed by a security controls gap analysis that determines the functional gaps that need to be filled with adjustments to people, process, and/or technology. But how can organisations without existing qualified resources run the RA/BIA process in the first place?

If you’re like most organisations out there, you have: no security governance, limited to no security policies and standards, limited to no in-house security expertise, and limited to no senior leadership buy-in. Therefore your risk management capability is minimal (if it exists at all) and you have no one who can set the necessary process in motion.

I’m certainly not saying that a person who can do these things should be your first hire, because this is a consulting gig. One that, if properly defined, will have a skill-set gap analysis as its final deliverable.

Without all of the following in place, it’s very unlikely you’ll ever hire the right people:

  1. SOME form of governance so that the business’s goals can be built into the operational security practices;
  2. A decent policy and standard set so that all business requirements can be translated into standardised baselines;
  3. Risk management process(es) that ensure security controls are in place to appropriately manage the existing people, process and technologies;
  4. A gap analysis process that determines what’s missing in terms of: 1) functional skill-set (people), 2) documented procedures (process), and 3) security control functionality (technology);
  5. A willingness to stop doing the things the way they have always been done.

So let’s say a consultant comes in and delivers 1. – 4. above, now what? Can the organisation take these deliverables to a recruiting company and have them find a candidate? No, and why not? Because the recruiters have, themselves, asked both their clients and their candidates all of the wrong questions:

  1. They have not asked the organisation for the deliverables it wants from the candidate(s), nor do they have any idea of the operational functions the candidate will be fulfilling – at least not at a level of detail low enough to matter;
  2. They have made no effort to determine how much the delivery of the functions / deliverables is worth to the organisation – i.e. junior or senior resources?;
  3. Few recruiters ask what candidates can do, they ask what they’ve done – that’s what a CV is, your historical accomplishments, not your plans to improve yourself;
  4. Few recruiters ask candidates what they want, they ask where they’ve been – a CV is designed to find you more of the same, not [necessarily] what you’re looking for;
  5. Almost every recruiter treats both jobs posts and candidates as commodities, and not the unique entities they are – a good recruiter could/should be a career-long partner, not a used car salesman.

…and the lists go on.

It’s not the recruiters’ fault that organisations are the majority root cause of all of their mutual woes; how can they possibly fill a position when the requesting organisation has no idea of the required deliverables, or of the functions necessary to achieve them?

But I’ve yet to see a recruiter try to do something about it. They lament the difficulties and do nothing but work on the symptoms. They do the same thing day-in day-out and never ask the experts for help.

Most organisations are prepared to pay 10 – 15% of a position’s annual salary to a recruiter to find good candidates. But instead, why not:

  1. hire a security expert / consultant to perform a risk assessment and controls gap analysis;
  2. agree projects to bring the security program up to appropriate standards;
  3. perform a second gap analysis to determine the functional skill-set necessary to stabilise the ‘new’ security program;
  4. work with a consultant to operationalise the security program;
  5. as a final deliverable to the contract, have the consultant write a functional job description for a permanent employee or outsourced staff augmentation.

Organisations are already prepared to spend money on a recruiter and on a full-time employee, so why don’t they spend that money on much more experienced experts who will fully define the needs now, and for the future?

You quite literally have nothing to lose.


6 thoughts on “Cybersecurity Recruiters: Your Failures Explained”

  1. Sigh. Where to begin?

    As an experienced cybersecurity person struggling to find a new position, I have been totally frustrated with the whole thing.

    You already touched on a lot of issues I’ve seen. Job titles/descriptions that don’t match. Sometimes badly. One company was looking for a security engineer, but decided to call it an “information security officer”, so I wasted my time interviewing for the position. Or companies calling a lead security engineer a security manager, etc.

    Recruiters are a problem. Too many, even after reading my LinkedIn profile (which matches my resume), still come to me with positions that don’t fit me. Too often being a hands-on role when I’m a manager/consultant, or entry level roles. I spent a frustrating amount of time with one person explaining why an “information security manager” is NOT the same thing as an “information security program manager” (program manager as in projects…)

    Hiring managers aren’t always better. Too many have turned me away or down because they felt I was “too much/not enough” of something. I’m not f*ing porridge. I’m pretty self-critical. If I think the position is beyond my abilities/skills, I won’t even apply. What also sucks is, after having what I thought was a great interview, learning I’m not moving to the next level.

    And sometimes when I see who does get the positions I want (LinkedIn is a real help here), I have to scratch my head and wonder at times. I guess some people are better at selling themselves than I am. [While I don’t like not getting certain jobs, when I see the person who got it is as good or even better, I can’t be too upset.]

  2. My Brothers – I was just about to write a post on precisely the same topic. I now just spend 10 minutes max on background checks. Flaky IP addresses, virtual redirects to burner phones, addresses in ludicrously expensive districts, suspect past careers (the latest was top salesman at a banana factory in Tanzania), he has lived in Bedford for the last 7 years so I am not sure when he dashed off to sell bananas. The list goes on and on.

    I thought I was one of a few getting incredible offers that fit my profile perfectly – I made the active switch to search for full time employment as I think I need a tasty enterprise challenge. I was deep in a research project which I never want to experience again and am unable to even mention in a post or blog. I started out with a ton of great options but still no final deal. I do not hand out my number or CV (I even wrote my last post on the subject – how recruiters should be secure on LinkedIn!!) hilarious… so I am very frustrated and luckily have direct connections at AWS etc. but that is NOT the point.

    I got a fake message from someone who said they were from AWS – she sent me a perfect job. I have worked with AWS for many years – I know the servers, mail lists etc… the mail bounced of course but I was asked to send the headers in a forwarded mail. And on and on it goes. I even now have been advised by the powers that be to send data etc.. why should we do their dirty work? Screw that. I wrote a scathing post about Facebook’s horribly unprofessional management of customer data and was told to remove it.

    You also made an excellent point about people not really knowing what we do – it all seems so trendy and exciting. I have also had similar experiences with potential employers. I try and explain the finer aspects, but when I start warning them of what might be at the end of some paths I have the feeling they have not really investigated how dangerous this work is in some special cases. No one wants to take responsibility for major breaches and I for one have decided to step out of this branch before my hands get badly burnt. Curiosity killed the cat. I prefer to be the smart dog that barks and wags his tail. I am returning to game production and AR entertainment – my son wants me to work on Minecraft AR… let’s see. But first some fun and laughter.

  3. I run a security staffing firm. Here is my take.

    More often than not, here are the problems we see with cybersecurity recruiting in general:

    1) Recruiters tasked with hiring security people are recruiting generalists, not specialized in security, so they don’t understand the terminology and don’t understand the right questions to ask of candidates.

    2) Hiring managers are so busy they don’t have (or take) the time to interview candidates quickly. Security candidates are in high-demand and if the hiring process takes too long, a company’s competitors will snatch those candidates up.

    3) There is often a fundamental mismatch between job responsibilities, required experience, and salaries.

    4) Job descriptions have too many requirements and are too inflexible. If your “must have” section of a job description is longer than 5-10 lines, chances are you’re asking for too much.

    5) Recruiters don’t understand there is a difference between recruiting security candidates and the closest thing, which would probably be IT candidates. Security candidates don’t put their resumes/CVs on job boards for the most part, so you need to have a unique approach to reach these people. When every candidate is a passive candidate, there are certain steps you need to take to reach these folks.

    -Pete Strouse, InfoSec Hires

    • Agree with everything you said. Your points are spot on, and match what I see and have said to others.

      On #4, I usually say that “must haves” should be no more than 2, 3 tops. Everything else should be “nice to haves”. I hate doing an interview with them pulling something up as a ‘must have item’ that wasn’t even noted as such.

      Frankly I wish I could find a recruiter like you here in my area.
