Don’t use general recruiters in salary negotiations

In this 3-part series, the takeaway is that it is best to hire a recruiter with security ties who knows the market.

[Image: standing out. Credit: Sawtooth (Creative Commons BY or BY-SA)]

In part 1, I wrote of the disparity in information security salaries between what is being offered and the true market rate.

For those in the salary phase of an offer, Andrew Hay has created a handy Salary Negotiation Workbook that can make the often tense salary negotiations easier. One of the benefits of using a recruiter is that they can handle that negotiation for you.

Turning to recruiters: companies that recruit information security professionals often rely on internal recruiters, outsource to recruitment process outsourcing (RPO) providers, and/or use external recruitment firms. Most of these recruiters lack information security recruitment expertise; in many cases they are IT generalists, junior or inexperienced, or lack the resources to focus on IT security roles.


Generalist IT firms typically recruit for a wide variety of IT positions, and security is often new to their portfolio. These staffing firms hire for a wide range of functions, be it technology, sales, marketing or anything in between.

Although these firms can be very good at what they do, far too often they do not understand the nuances of information security, especially as it relates to cybersecurity, security operations, network security, security architecture, privacy, malware reverse engineering, forensics and threat analytics, to name a few.

An organization’s industry reputation, level of service and professionalism (or lack thereof) can also affect recruitment efforts, especially when a recruiter asks “do you have CISSP?” or “are you CISSP?” Likewise, emails, LinkedIn messages or position postings that contain spelling mistakes (enmap for nmap, Checkpoints for Check Point, etc.), poor grammar, and errors in security technology or requirements are a significant red flag for prospective candidates and industry professionals.

Race for talent

Firms that are serious about hiring qualified information security talent are better served by using a recruiter or search firm with a specific focus on information security. These firms often have a vetted candidate pool, are recognized as trusted advisers, and bring relevant experience to the security community and the global hiring space. The cyber security skills gap, coupled with a nearly zero unemployment rate and a growing shortage of security talent worldwide, requires competitive offers, attractive opportunities, resources and stakeholder commitment to attract qualified information security professionals.

Tracy Lenzner, founder and CEO of LenznerGroup, has exclusively recruited in information security, cyber defense and risk management for over a decade. She notes that “as a result of the exponential breach landscape, coupled with acceleration of global threats around digital markets, organizations acknowledge the increased complexity surrounding cyber risk”.

The global race for information security talent will be won by organizations that successfully recruit and retain top security professionals. Additionally, as the IoT continues to expand, so will demands on securing businesses, governments, critical infrastructures, and the consumer marketplace. According to Gartner, global spending on cybersecurity by governments and corporations is expected to hit $86 billion by 2016.

Lenzner also noted that with heightened oversight by boards and regulators, companies are required to demonstrate cyber resilience. Like financial markets, the digital economy depends on trust and confidence in the security, sustainability and reputation of an organization’s product, service and/or enterprise. Lenzner expects to see a significant rise in, and a continued shift from traditional security roles to, new board and advisory roles, CSO/CISO, Digital Risk Officer, Chief Privacy Officer, Cyber Security Attorney and others, with dotted-line relationships to numerous corporate executives and business functions.

These practitioners will be required to build robust and diverse programs across physical, cybersecurity, business and digital domains, requiring high visibility, accountability and engagement. Today’s information security leader must have exceptional organizational, strategic, technical and business acumen to effectively translate, advise and champion critical topics to IT and non-IT stakeholders.

As a result, these rare individuals and their teams will remain highly sought after, and competition for them among organizations worldwide will stay fierce. And you likely won’t be able to find such talent using a generalist recruitment firm.

About the author: Ben Rothke CISSP (@benrothke) is a Senior eGRC consultant with Nettitude, writes the Security Reading Room book review blog and is the author of Computer Security: 20 Things Every Employee Should Know.

Copyright © 2015 IDG Communications, Inc.
