Cybersecurity headhunter shares 10 secrets from Black Hat 2017

A security industry job recruiter goes undercover at the Black Hat 2017 Conference, and lives to tell about it. Here are 10 things he learned.

Recruiting cybersecurity talent has never been more difficult. Cybersecurity Ventures predicts there will be 3.5 million unfilled cybersecurity jobs by 2021, and the unemployment rate is holding steady at zero percent.

An unrelenting cybercrime epidemic has employers searching for the proverbial needle in a haystack when it comes to hiring experienced cybersecurity candidates. 

Thousands of security-minded professionals gathered under one roof at the popular Black Hat USA 2017 Conference last week in Las Vegas. Recruiters from executive search firms, large organizations, and technology vendors were busy networking with the hacker crowd. 

What happens in Vegas, stays in Vegas. Especially when it comes to cyber criminals who hang out in the dark web and cyber defenders who pursue them. 

One security industry headhunter who attended Black Hat, speaking on the condition of anonymity, divulged some of the goings-on and the observations he took away from the exhibit hall and private rooms.

10 cybersecurity hiring insights from Black Hat

What the white hats, black hats and employers were whispering to each other last week: 

  • It's a candidate's market, and experienced cyber pros are holding out for pay packages that are 15 to 20 percent more than what most employers are offering. 
  • Ex-cyber military experts are in hot demand by large commercial enterprises, but they're more inclined to join firms led by other military men and women. 
  • Colleges and universities are not turning out enough cybersecurity graduates to make a dent in the current openings for information security analysts and other entry-level jobs in our field. 
  • Newbies to cybersecurity crossing over from IT positions are having a difficult time transitioning into their new roles due to a lack of real-world experience and subject matter expertise. This is leading to unexpected turnover at some organizations that have high threat levels. 
  • Some large corporations are publicly stating they won't hire black hat hackers, but privately they say they're open to “rehabilitated” bad cyber guys and gals turned good. 
  • Hospitals and healthcare providers are struggling to attract top cybersecurity experts—and money isn't the only problem. Outdated systems don't offer the cutting-edge platforms that ambitious pros want to learn and defend. 
  • Banks and large financial services houses are the hottest and pickiest employers, and they can afford to be. Their modern cloud infrastructures and pay platforms are a calling card for corporate recruiters. This is one of the few areas where there's real competition between candidates.
  • Some HR and search firm recruiters are so desperate, they are resorting to exploding job offers—and it's backfiring on them. Candidates have become more savvy and won't be forced to make a decision before they are ready. 
  • Employers continue to use job boards over search firms in their quest to reduce hiring costs, but it's not working. The best candidates are more likely to confidentially engage with a professional recruiter, compared to the HR people who post jobs online.
  • A LOT of cybersecurity pros are "looking" at possible new career opportunities and are open to making a change, but they are still satisfied in their current position. The best way to recruit these people is networking with them at hackathons and niche events.

Cybercrime damages are predicted to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. The world is expected to spend more than $1 trillion cumulatively over the next five years on cybersecurity products and services aimed at combating hacks and breaches. 

HR chiefs would be wise to add one more line item to their budgets to help cyber defend their enterprises: sending recruiters to security conferences. 

Visit SteveOnCyber.com to read all of my blogs and articles covering cybersecurity. 