This article can also be found in the Premium Editorial Download "Information Security magazine: An insider look at the Windows Vista security review."
In contrast to an environment of high unemployment and difficult economic times, the information security industry has flourished. While companies have focused their efforts on productivity and profitability by eliminating jobs across standard business functions, information security’s visibility and importance have increased. A business climate consisting of well-publicized data breaches, lucrative criminal activity, socially driven hacktivism, government regulations and new technology development has created challenging and well-compensated career opportunities for information security professionals.
The initial assumption would be that these roles are easy to fill due to their importance and level of compensation; however, that is not the case. In many cases, information security professionals who are capable of filling these positions are well compensated, well thought of, and are content and secure in their current positions. This makes them difficult to recruit. Therefore, if information security leaders want to succeed in their roles, it is essential they learn to become effective
Considering the information security leader will serve as the ultimate authority in the hiring process, it’s critical he or she treats the talent acquisition process with a similar level of significance as solving information security issues. The three most important elements of becoming a good recruiter are the development of sensible job descriptions, use of your network, and the need to “trade places” with your potential employee.
First things first: An effective job description
Once head count is approved, information security leaders are responsible for the creation of a job description. An effective job description will produce a candidate pool that is affordable and qualified. Most information security departments are understaffed, so it is the primary reaction of many information security leaders to create a job description that includes a list of all the possible skills an ideal candidate would possess. Many times these lists are excessive and create skill combinations that are not necessarily found within the same individual (e.g., application penetration testers and policy writers), and could create a candidate pool your organization is unable to afford.
When creating your job descriptions, it’s key to highlight only the skills and experience that are essential to the role. If you would like to create a section of the job description that lists desired skills, that could be a way to attract candidates who have additional skills, without eliminating candidates who possess only the essential ones. It is always important to remember that the more complete the candidate’s skill set is, the greater the compensation you will need to attract them to your opportunity.
Be smart about using peer networks to recruit
The second key element in being a good security recruiter is to utilize your network and understand the resources at your disposal. The most important person in any information security leader’s network is the member of their internal recruitment team and human resources function. The internal recruitment team will have a full understanding of the processes, procedures and methods the company uses in its recruitment strategy. This can include the company’s internal talent acquisition tools, the company’s social media strategy, and the approval process necessary for utilizing external recruitment vendors. In addition to your internal recruitment partner, it’s important to get the word out that you are hiring. These methods can include contacting your industry peers, reaching out to past employees, contacting product or services vendors whom you have worked with in the past, and leveraging your own social network. Keep in mind that when contacting your network it is important to exhibit some control. If you broadcast to the world that you are hiring, you will be inundated with candidates, both qualified and unqualified, and this could be a management nightmare. It is better to share your opening only with people whom you trust, and who will help you target the right person, as opposed to creating an open casting call.
Think like a job candidate
The most effective recruitment tool is the one of perspective. Since you are the one with the talent need, it’s easy to view the recruitment process from your point of view; however, information security leaders who are effective recruiters have the ability to view the recruitment process from the candidate’s perspective. Take time to remember the last time you were recruited for a position. You should think about the components of your most successful recruitment process: what your motivations were, why the company and opportunity were appealing to you, what your impressions of the interview process were, and how you were treated and communicated with. In addition, you should think about the elements of your most painful recruitment process and what you did not like about it. In the end, you should try your best to create a recruitment process that is reflective of how you will treat the person once they become a member of your information security team.
Having information security positions remain open for extended periods of time is a key cause of organizational stress to the information security leader and the team members who have to work additional hours. Learning to become an effective information security recruiter is a key element in both the development and the maintenance of a successful information security organization, and in the execution of your information security program’s goals.
Lee Kushner is the president of LJ Kushner and Associates, an information security recruitment firm, and co-founder of InfoSecLeaders.com, an information security career content website.
Mike Murray has spent his entire career in information security and currently leads the delivery arm of MAD Security. He is co-founder of InfoSecLeaders.com where he writes and talks about the skills and strategies for building a long-term career in information security.
This was first published in November 2011