Cybersecurity Recruiting & Hiring Guide 2020
As a technical recruitment practitioner for 20+ years, I have gotten to partner and consult with IT and HR teams on some challenging technical positions. Cyber Security professionals are inherently skeptical of, and resistant to, current recruiting tactics.
Top Reasons Sourcing and Recruiting for experienced Cyber Security Candidates is so hard.
- Stranger Danger – Email Viruses and Phishing. The best way not to get your email account hacked: never open an email from someone you don’t know.
- Social Engineering – Security Candidates “go dark” from LinkedIn and Facebook. The best way to keep social profiles from being hacked and to keep personal information from being used by identity thieves is not to have one at all.
- Loose Lips Sink Ships – Cyber Security Candidates rarely reveal specific job duties, tech stack, software tools, and procedures in LinkedIn profiles to protect their company.
OJT (On the Job Training) Information Security Recruitment
While supporting the CTOC (Cyber Threat Operations Center) at USAA, it became quickly evident to me that when it comes to sourcing and recruiting InfoSec candidates, the usual cookie-cutter tech hiring tactics will not cut it.
Put yourself in the shoes of someone who works in information security for a moment. One of the goals of any security department is to keep the company safe from incoming threats.
Can you guess some of the common ways company networks get exploited and infected? I’ll give you a hint. Take a look at the last few recruiting outreach emails sent to potential candidates. Now, look at them through the lens of a security professional.
Do I know this person? Nope
Was this email sent from a person or some software tool like a CRM, ATS, or sourcing tool that could mask the actual sender? Yes
Is this person asking me to click on a link or open up an attachment? Yes
Is the email vague and poorly written?
Is this email asking me to share personal information such as phone number, address, additional emails?
Yes. Asking “please send me an updated resume” or for “the best number to reach you” is super suspicious.
Your emails look exactly like the kind of emails cybersecurity professionals quarantine, delete, and even report as suspicious.
Say goodbye to that candidate.
Best Practices for Recruiting Information Technology Talent
Excerpt from a comment I left on this topic in a private FB group.
“Assisted Recall” Sessions: Information Security Hiring Team
Partner with the current cybersecurity team (free food helps), and conduct what Netflix or Google, I forget which, call an “Assisted Recall” session.
- Recruiters should help the team identify any security peers they have worked with in the past that may have relevant experience, culture fit, and skills needed.
- Once the recruiter(s) and the hiring team have identified potential candidate leads, the recruiter should share a few example emails to send to these possible matches to make introductions.
- Remember that security professionals don’t like getting emails and messages from strangers, so enlisting your current team to make the initial introduction will increase your success. The InfoSec community is small and tight, so they won’t want to burn a bridge by not responding to a fellow security colleague. Now, follow up and update. The recruiter should host weekly sessions with the hiring manager to go over any referrals she or he has received and assist them with the next steps. Depending on the profiles you are sourcing for, these folks try not to leave a social footprint, so referrals and in-person networking are a great way to start.
FYI – Don’t use any link-shortening tools like Bitly in your outreach (long story), but let’s just say trust me on this one.
Tip #2: Bring on as a contractor, or hire, a Military Reservist (or spouse) of the 24th AF (AFCYBER), 688 CW (Lackland), 689 CCW (Robins), 624 CW (Lackland), Wing in S.A or 609 out of Hawaii (Pearl Harbor). Some of this may have changed due to redistricting, but you would not believe the results.
Also, have someone attend https://www.meetup.com/San-Antonio-Cyber-Security-for…/… several times and take it slow and bring food :).
Sourcing and Boolean Search Strings: Cyber Security and Tech Security
Example of the first layer of what I call a Sourcing Stack, which is a group of related keywords and phrases that are linked together with the Boolean search operator “OR”.
(Clearance OR Dod OR Government OR Identification OR Poly OR Polygraph OR Sci OR “Sci Clearance” OR “Scope Polygraph” OR Secret OR “Secret Clearance” OR “Security Clearance” OR Ssbi OR Ts)
Add this first search string layer into Google to X-ray LinkedIn.
List of U.S Defense Contractors
| Rank | Company Name | Defense Revenue (Billions) | % of Total Revenue from Defense |
Cybersecurity Tags and Keywords
| Keyword | Min search volume | Max search volume | Competition |
|---|---|---|---|
| cyber security staffing firm | 10 | 100,00 | High |
| information security recruitment | 10 | 100,00 | Medium |
| cyber security recruitment | 100 | 1,00 | High |
| cyber security hiring | 10 | 100,00 | Medium |
| cyber security jobs near me | 1 | 10,00 | Low |
| entry level cyber security jobs near me | 100 | 1,00 | Low |
| cyber jobs near me | 10 | 100,00 | Low |
| cyber security analyst jobs near me | 10 | 100,00 | Low |
| cyber security jobs near me entry level | 10 | 100,00 | Low |
| cyber security recruitment agencies | 10 | 100,00 | High |