10 Tips for Hiring Managers Seeking Information Security Professionals

Hiring experienced security professionals is challenging—expect 45+ days for the process. Outline required technical and non-technical skills, distinguish "must have" from "nice to have," reach out to your extended social network, respond quickly to candidates, and review publicly-available information beyond resumes.

Hiring the right security professional is not easy, despite the depressing news regarding unemployment in some industries and locations. This is especially the case when you are looking to hire an experienced person who needs to balance technical security expertise and “soft” inter-personal or communication skills.

Here are my 10 tips for managers looking to hire experienced security professionals:

Allocate time to the hiring process. Don’t expect the process of finding and hiring the right person to take less than 45 days. In addition to the time to kick off internal HR processes and find the right candidate, you need to set aside a few weeks so that a candidate who is employed can give sufficient notice to their current employer. Further, expect to spent significant time interviewing, meeting and following up with candidates and recruiters.
Outline what technical skills you expect the candidate to have. This might sound obvious, but it’s one thing to know in your mind what the perfect candidate will be like, and another to describe it to colleagues, friends and recruiters. Differentiate between “must have” and “nice to have” skills. Also, decide to what extent you will care about professional certifications and what credentials you may expect the candidate to possess.
Outline what non-technical skills you expect the candidate to have. Try to be more specific than saying you want “strong communication skills.” What type of activities do you expect the person to take on that require “soft” skills? The ability to support sales? A knack for explaining technical concepts to non-techies? Understanding of marketing? Knowledge of specific regulations?
Decide how you will assess the candidate skills. You will probably interview the candidate to determine whether they possess the skills you seek. Write down the questions you will ask in advance. Also outline the answers you expect to receive and how you would rank such answers. Consider non-interview assessment approaches, such as asking the candidate to take an exam, reading articles they may have written or otherwise examining a previous work product
Reach out to your extended social network, in addition to using traditional job-searching sites. Spread the word about the job opening. Share the details about the position, such as locations, expected skills, expected travel, and the reasons why the candidate may want to work for your company and report to you. There are lots of security groups on social networking sites, especially LinkedIn, that you can send a note through.
Engage internal and external recruiters. Firms usually have internal recruiters as part of their HR departments, who can assist with the candidate search. If you are looking for an experienced security professional and are short on time, you’ll probably need to engage an external recruiter who specializes in information security placements. If engaging an external recruiting firm, make sure that the company is on the approved recruiters list of your organization.
Consider how you’ll describe the position and the organization to the candidates. You should outline the facts that make you excited about the opportunity, so that the promising candidate can share your excitement. At the same time, you need to be truthful and accurate in your description, so that the candidates can determine whether it is a good fit for them. Having a person start the job only to find out that it wasn’t what they expected is a frustrating and costly experience for both the candidate and the employer.
Respond quickly to recruiters and candidates. Providing timely feedback to recruiters regarding what you liked or didn’t like about candidates will allow them to improve their search criteria. Responding quickly to candidates that weren’t a good fit for the position will allow them to focus their efforts elsewhere. Staying in regular contact with promising candidates will keep the you and the candidate engaged and will move the process along.
Review the candidate’s resume and relevant publicly-available information. Everyone is busy, and it’s tempting to simply glance at the candidate’s resume a minute before the call in the hopes of quickly gleaning the key tidbits of information. This rarely provides the hiring manager with enough time to learn about how candidates position themselves. At the same time, many resumes are marketing documents designed to get to the first interview. Be sure to look into other public information sources about the candidate, such as any articles they have written, their tweets, blogs, comments and other social networking creds.
Take notes during and after discussions with candidates. A hiring manager will speak with multiple candidates throughout the process of filling the position. Without detailed notes, it will be easy to forget the details of the conversation. The notes should reflect the extent to which the candidate matched the expected skill set, as well as capture the details about the questions asked and answered during the conversation. The notes should also track where the candidate is in the interviewing process.

If you found this useful, take a look at my other posts related to information security and IT careers.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →