Hiring in security is tough; we know that. Our Cyber Security in Focus research suggests that 79% of hiring managers take more than 8 weeks to source mid-senior security professionals. It’s not easy. There are plenty of landmines in the process: getting the brief right with talent acquisition, accessing the right volume of resumes and getting employment offers accepted, to name just a few. That’s why it’s essential that you start the journey with a clear picture of what ‘good’ looks like. Hiring in security gets a whole load tougher when you don’t know, or aren’t realistic about, what you want. Here are just a few things that the team and I hear a lot when engaging with hiring managers:
The generalist hiring manager: “We just need good security engineers”
The 'scatter-gun' hiring manager: “I want a security professional who understands Risk Management, can set up our IAM, has DevSecOps experience, can set up Threat Intelligence playbooks from scratch, has Security Operations experience and will manage incident response. Oh and if they can do the penetration testing too that would be a big plus”
The optimistic hiring manager: “We need a Cloud Security Engineer with 5 Years’ Experience based in New York, and we only want to pay $100k”
I would love a brand-new Ferrari out of the showroom for $10,000. But guess what, it doesn’t exist. And if someone offers it to me, the alarm bells are ringing. Security professionals are expensive. There’s a net 0% unemployment rate. Know what the market is paying before you hit the market. Again, our Cyber Security in Focus research provides a good first step in understanding salary benchmarks for key roles, but my advice would be: if you’re in doubt, leverage your network (people like me) and get some clarity.
These are just a few examples of things recruiters, both internal and external, hear from hiring managers on a daily basis. I think it’s important that we focus on anecdotes just like these because, whilst throwing around high-level stats about the cyber security skills shortage is interesting, to make real progress we need to concentrate on eliminating the self-inflicted wounds. The earlier you define your requirements and budget, the more streamlined the process of bringing on talent will be.