Thursday, May 09, 2013

Recruiting IT Talent is Different than Recruiting Information Security Talent

Information Security Talent is Difficult to Recruit

A CISO reached out to me today based on a referral from one of his trusted peers to me.  At the outset of the call, the CISO of this Fortune 200 company told me that for the past 6 to 8 months, in attempting to fill information security jobs in his organization, his internal recruiting team has made the assumption that security recruiting can be done the same way they approach the task of recruiting a Java Developer or an Oracle DBA.  

This company has a huge brand name and they’re used to having large talent pools to pick from when they attempt to fill most of the company’s jobs.  Filling information security jobs is different and the CISO needs help.

The CISO went on to tell me that his positions are still open after 8 months and he has no hope in sight of getting his jobs filled.  This of course was music to my ears because I’ve wanted to do business with this company for over a decade.  To their credit, this company doesn't normally have to pay search fees because they have large candidate pools to pick from for most of their open positions. 

IT Recruiting is Different from Security Recruiting

Many companies that I’ve run into treat information security as if it is just like IT.  My recruiting career started out in 1990 focused on IT recruiting.  While security recruiting might seem like a subset of general IT recruiting, I’ve encountered many companies that have figured out that filling security jobs requires a unique understanding of where technology, interpersonal traits and business needs intersect that doesn't necessarily apply to IT in general.

Knowing The Right Questions to Ask is Key

On many occasions I’ve filled CISO jobs that were open for 6 to 18 months once I was given access to key stakeholder decision makers.  

  • Knowing the questions that need to be asked at the outset of a CISO search requires a unique skill set.  
  • Knowing how to align stakeholder decision makers' expectations around a CISO hire requires a unique skill set.  
  • Understanding how to write a CISO job description that accurately captures the needs of a company and displays what's in it for the candidate requires a unique skill set.
  • Understanding how to build an interview process to evaluate a prospective CISO's fit with a company's business culture and a company's unique risk culture requires a unique skill set.

When your company has strategic cyber security jobs or information security jobs to fill, don’t make the mistake that the Fortune 200 Company that the CISO called me from has made.  

Recruiting information security talent is different than recruiting IT talent.