Cybersecurity Hiring Guide 2018
As a 20+ year technical recruitment practitioner, I have gotten to partner and consult with IT and HR teams on some challenging technical positions. Cyber Security professionals are inherently skeptical of and resistant to current recruiting tactics.
Recruiting and hiring experienced information security professionals is one of the most challenging tech categories for talent acquisition teams and big-box technical staffing firms to tackle.
Top Reasons Sourcing and Recruiting Experienced Cyber Security Candidates Is So Hard
- Stranger Danger – Email Viruses and Phishing. The best way not to get your email account hacked: never open an email from someone you don’t know.
- Social Engineering – Security Candidates Go Dark on LinkedIn and Facebook. The best way to keep a social profile from being hacked, and to keep personal information from being used by identity thieves, is not to have one at all.
- Loose Lips Sink Ships – If IT Security candidates reveal detailed job duties, procedures, and the cybersecurity tools and techniques they use to do their job, they would be disclosing the fundamental security infrastructure that the company and its internal information security team rely on.
OJT (On the Job Training) Information Security Recruitment
While supporting the CTOC (Cyber Threat Operations Center) at USAA, it quickly became evident to me that when it comes to sourcing and recruiting InfoSec candidates, the usual cookie-cutter tech hiring tactics will not cut it.
Put yourself in the shoes of someone who works in information security for a moment. One of the goals of any security department is to keep the company safe from incoming threats. Can you guess some of the common ways company networks get exploited and infected?
Employees opening attachments or clicking on links in emails. Hackers use “social engineering” to gather as much personal information as possible about customers, vendors, and employees. Then they use the collected information about a person to look and sound credible enough to contact the customer support team and trick the customer service rep into giving up even more critical intel, or into making changes to the account information that help the hackers take control of the victim’s account.
Hopefully, you will be a little more patient when the customer service rep makes you verify your identity before they share any info with you.
Now, let’s switch places for a moment with a technical recruiter. For those of you who have never been a professional recruiter, let me shed some light on some of the “whats” and “whys” of the recruiting process.
In most situations, the recruiters who work in your HR department have been assigned too many open jobs to work than is advised by industry standards. So, let’s say that she doesn’t usually have the time or resources to research the Information Security Industry, Network Security technology tools, and the job structure and duties.
Long story short, she probably doesn’t know what she is talking about and her emails and phone messages will probably sound, well, a little sketchy.
Ok, now back to our Cybersecurity person. Keep in mind that security analysts spend all day looking at “phishing emails,” dodgy phone call transcriptions, and message invites from hackers using fake or hijacked social media accounts.
So when a Cybersecurity Threat Analyst gets emails and messages from recruiters that use security terms out of context, ask for personal information (the best number to reach you, a good email, or an updated resume), and of course ask them to “click here” on a shortened link (which disguises the real URL), just about every red flag goes up. Say goodbye to that candidate.
Best Practices for Recruiting Information Technology Talent
Excerpt of a comment I left on this topic in a private FB group.
“Assisted Recall” Sessions for the Information Security Hiring Team
Partner with current cybersecurity team (free food helps), and conduct what Netflix or Google, I forget which, call an “Assisted Recall” session.
- Recruiters should help the team identify any security peers they have worked with in the past that may have relevant experience, culture fit, and skills needed.
Once the recruiter(s) and the hiring team have identified potential candidate leads, the recruiter should share a few example emails to send to these possible matches in order to make introductions.
- Remember that security professionals don’t like getting emails and messages from strangers. So enlisting your current team to make the initial introduction will increase your success. The InfoSec community is a small and tight community, so they won’t want to burn a bridge by not responding to a fellow security colleague.
Now, follow up and update. The recruiter should host weekly sessions with the hiring manager to go over any referrals she or he has received and assist them with next steps. Depending on the profiles you are sourcing for, these folks try not to leave a social footprint, so referrals and in-person networking are a great way to start.
- FYI – Don’t use any link shortening tools like Bitly in your outreach (long story), but let’s just say trust me on this one. Tip #2: contract or hire a Reservist (or spouse) of the 24th AF (AFCYBER), 688 CW (Lackland), 689 CCW (Robins), 624 CW (Lackland), Wing in S.A or 609 out of Hawaii (Pearl Harbor). Some of this may have changed due to redistricting, but you would not believe the results. Also, have someone attend https://www.meetup.com/San-Antonio-Cyber-Security-for…/… several times, and take it slow and bring food :).