Security roles stay open for 45+ days, often because the hiring manager hasn't done the preparation that separates a good hire from a fast one. Most of that work happens before the first interview.
Hiring the right security professional isn’t easy, despite the depressing news about unemployment in some industries and locations. That’s especially the case when you’re looking to hire an experienced person who needs to balance technical security expertise and “soft” interpersonal or communication skills.
Here are my 10 tips for managers looking to hire experienced security professionals:
- Allocate time to the hiring process. Don’t expect the process of finding and hiring the right person to take less than 45 days. In addition to the time to kick off internal HR processes and find the right candidate, you need to set aside a few weeks so that an employed candidate can give sufficient notice to their current employer. Further, expect to spend significant time interviewing, meeting, and following up with candidates and recruiters.
- Outline what technical skills you expect the candidate to have. This might sound obvious, but it’s one thing to know in your mind what the perfect candidate will be like, and another to describe it to colleagues, friends, and recruiters. Differentiate between “must have” and “nice to have” skills. Also, decide to what extent you’ll care about professional certifications and what credentials you may expect the candidate to possess.
- Outline what non-technical skills you expect the candidate to have. Try to be more specific than saying you want “strong communication skills.” What type of activities do you expect the person to take on that require “soft” skills? The ability to support sales? A knack for explaining technical concepts to non-techies? Understanding of marketing? Knowledge of specific regulations?
- Decide how you’ll assess the candidate’s skills. You’ll probably interview the candidate to determine whether they possess the skills you seek. Write down the questions you’ll ask in advance. Also outline the answers you expect to receive and how you’d rank such answers. Consider non-interview assessment approaches, such as asking the candidate to take an exam, reading articles they may have written, or otherwise examining a previous work product.
- Reach out to your extended network, in addition to using traditional job-searching sites. Spread the word about the job opening. Share the details about the position, such as location, expected skills, expected travel, and the reasons why the candidate may want to work for your company and report to you. Post the opening through LinkedIn and other professional communities where security practitioners gather.
- Engage internal and external recruiters. Firms usually have internal recruiters as part of their HR departments, who can assist with the candidate search. If you’re looking for an experienced security professional and are short on time, you’ll probably need to engage an external recruiter who specializes in cybersecurity placements. If you engage an external recruiting firm, make sure that it is on your organization’s approved recruiters list.
- Consider how you’ll describe the position and the organization to the candidates. You should outline the facts that make you excited about the opportunity, so that a promising candidate can share your excitement. At the same time, you need to be truthful and accurate in your description, so that candidates can determine whether it’s a good fit for them. Having a person start the job only to find out that it wasn’t what they expected is a frustrating and costly experience for both the candidate and the employer.
- Respond quickly to recruiters and candidates. Providing timely feedback to recruiters regarding what you liked or didn’t like about candidates will allow them to improve their search criteria. Responding quickly to candidates who weren’t a good fit for the position will allow them to focus their efforts elsewhere. Staying in regular contact with promising candidates will keep you and the candidate engaged and will move the process along.
- Review the candidate’s resume and relevant publicly available information. Everyone is busy, and it’s tempting to simply glance at the candidate’s resume a minute before the call in the hopes of quickly gleaning the key tidbits of information. This rarely provides the hiring manager with enough time to learn about how candidates position themselves. At the same time, many resumes are marketing documents designed to get to the first interview. Be sure to look into other public information sources about the candidate, such as articles they’ve written, their posts on LinkedIn or elsewhere, public comments, and their professional profiles.
- Take notes during and after discussions with candidates. A hiring manager will speak with multiple candidates throughout the process of filling the position. Without detailed notes, it’ll be easy to forget the details of the conversation. The notes should reflect the extent to which the candidate matched the expected skill set, as well as capture the details about the questions asked and answered during the conversation. The notes should also track where the candidate is in the interviewing process.
Hiring well takes preparation more than luck. The managers who consistently fill security roles with the right candidate do most of this work before the job is even posted.

