The generalist hiring manager: “We just need good security engineers”
What? On LinkedIn there are 214,794 candidates with the title security engineer. As a hiring manager you should know just how broad security is. Cloud Security? Network Security? Application Security? Be very clear about which area of security this candidate is coming in to focus on. Bringing it to the table later in the hiring process is only going to increase time to hire.
The 'scatter-gun' hiring manager: “I want a security professional who understands Risk Management, can set up our IAM, has DevSecOps experience, can set up Threat Intelligence playbooks from scratch, has Security Operations experience and will manage incident response. Oh and if they can do the penetration testing too that would be a big plus”
Right, that’s about 3 or 4 jobs. We get that if a candidate has a lot of strings to their bow it’s clearly beneficial, particularly in more agile environments, but is one employee coming in and spending 10-15% of their time on each particular facet of security going to be enough to keep your environment secure? And what’s the old saying again? Jack of all trades, master of none? Focus on bringing in experts who are at the top of their game in specific areas.
The optimistic hiring manager: “We need a Cloud Security Engineer with 5 Years’ Experience based in New York, and we only want to pay $100k”
I would love a brand-new Ferrari straight out of the showroom for $10,000. But guess what, it doesn’t exist. And if someone offers it to me, the alarm bells start ringing. Security professionals are expensive. There’s a net 0% unemployment rate. Know what the market is paying before you hit the market. Again, our Cyber Security in Focus research provides a good first step in understanding salary benchmarks for key roles, but my advice would be, if you’re in doubt, to leverage your network (people like me) and get some clarity.
These are just a few examples of things recruiters, both internal and external, hear from hiring managers on a daily basis. I think it’s important that we focus on anecdotes like these because, whilst throwing around high-level stats about the cyber security skills shortage is interesting, to make real progress we need to concentrate on eliminating the self-inflicted wounds. The earlier you define your requirements and budget, the more streamlined the process of bringing on talent will be.