For chief information security officers (CISOs), finding cybersecurity talent is difficult and expensive. It can seem like the greater the need, the less available the talent is. That’s why I believe the most powerful weapon in a seasoned CISO’s arsenal is, hands down, a security-focused recruiter.
So Much At Stake
Even with all of the recruiting technology, internal resources, employee referral programs and other bells and whistles out there, you may truly need security-specific recruitment experts. A quick look at the state of the industry reveals a worldwide shortage of cyber talent, with some saying we have hit a crisis point. Highlights from ISACA's 2018 "State of Cybersecurity Study," which surveyed over 2,300 individuals across various industries, clearly explain today's landscape:
• 80% of study respondents said it was “likely” or “very likely” their organization would experience a cyberattack this year.
• 50% noted their organization experienced an increase in the number of cyberattacks last year.
• 59% stated their organization had unfilled cybersecurity positions.
• 54% admitted that filling open cybersecurity positions took three-plus months, longer than other areas of IT and much longer than just about any other functional area.
Security Recruiting Is Unique
To begin with, one thing I've found through my work in executive recruiting for this industry is that strong security professionals often aren’t active in the market, but they are being hounded. According to an (ISC)2survey, nearly half of cybersecurity professionals are solicited on a weekly basis, yet only 14% are actively seeking a new gig. You can’t spam them through LinkedIn and expect a response. They will not click on a link embedded in your email, nor will they “apply online” without a conversation first — and good luck getting them on the phone.
The best candidates don't post their resumes everywhere. The best ones are hiding on purpose; only their closest colleagues know how amazing their last project was. They don’t trust people who don’t have street cred in the community, and ironically, technical recruiting tools aren't effective at finding these technical experts. The only way to succeed is through networking, relationships and personal trust. It’s a full-time job.
Chances are, your internal HR/recruitment team is already overwhelmed and is made up of generalists rather than specialists. In fact, they'll probably agree that outsourcing is the way to go to find top cybersecurity talent. There are many ways to structure a relationship with a recruiting firm, but there are three main models your organization may choose from.
Retained Search: This model often is considered the most effective, and for good reason: A retained recruiter is 100% focused on your search. Traditionally associated with C-level and executive searches, it has become more common in cybersecurity due to the critical need. A good retained search provider will act as a consultant, helping you scope out the position, explore business goals, and set search strategy. On a tactical level they should set expectations, provide position and title insights, identify potential roadblocks, and provide compensation information. Be prepared to take an active role in this sort of relationship, including providing regular and frank feedback. Most retained search firms charge a percentage of the annual compensation (base plus bonus) for the candidate selected (often 20-30%).
Contingency Search: In this model you are only charged if you hire the candidate the contingency firm delivers. This is a great option if you want to give a new recruiting firm a trial run, or if your internal team simply needs additional resources. However, be aware that a contingency recruiter needs to work multiple other simultaneous searches to ensure revenue, and you won’t get a search expert’s full attention. As with retained search, fees are based on a percentage of the annual compensation for the selected candidate and can range from 15-30%.
Container/Engaged Search: This is a hybrid between retained and contingency where a payment is negotiated at the inception of the search, and the remainder of the fee is up for grabs at the time of offer. This is a great approach to ensure both sides (recruiter and hiring organization) have vested interests in the success of the search. The downside here is the same as with the contingency model: Container recruiters divide their time and attention among multiple searches.
By the way, while it may be tempting to hire multiple recruiters for a single search, it's likely to backfire. Everyone working on a search probably will talk with the same 30 qualified candidates, which can be frustrating for each recruiter. In addition, top-tier candidates become annoyed quickly if they are approached by multiple recruiters regarding the same position.
Superior cybersecurity talent is essential to protecting and defending your corporation and your reputation. The right relationship with your external recruiting partner is essential to engaging superior talent.
