Alex Holden has a problem that plagues most other CISOs: he’s almost always short staffed and looking to hire.
Holden, CISO at Hold Security LLC, says he’s typically looking to fill several positions, due to openings created by both expansion and regular turnover; late last year, he was hiring for eight slots.
“I don’t remember a time when we weren’t looking for information security professionals; looking for talent is an ongoing activity,” Holden says.
Although many CISOs resist using recruiters due to costs and other concerns, Holden says he often turns to recruiters to help him find top candidates. He says recruiters are particularly valuable resources when he’s looking for highly specialized talent or skills that are in exceedingly high demand.
“Unless you’re promoting from within, it’s very difficult to find those people, so we look to recruiters who have connections and more access to the market to bring in those candidates,” Holden says.
The 2019 State of Cybersecurity report from ISACA, an IT governance organization, quantifies the degree of difficulty that many CISOs have hiring, with 58% of respondents saying their organizations have unfilled cybersecurity positions. A third of respondents say it takes six months or more to fill those open positions. Meanwhile, ISACA reports in its Tech Workforce 2020 Survey that 70% of tech pros would consider changing jobs within the next two years and are considered “in play” for being recruited.
The exceedingly tight market for cybersecurity talent is forcing many CISOs to put more effort into hiring, which is part of what pushes Holden to work with recruiters. Holden, however, says recruiters can offer more value than compiling resumes. He says recruiters, when treated like partners, can help maximize the returns on the investment that he and his company make in hiring while also providing insights into market trends.
Others offer the same observation, but they, like Holden, say CISOs need to cultivate that partnership to get the best value from their recruiters. Here’s what they say it takes to make the most out of working with recruiters.
Know when to use a recruiter
Evan Wheeler is a veteran cybersecurity executive with plenty of hiring experience, and now, as CISO at Edelman Financial Engines, he knows when to reach out to recruiters – and when he and his firm’s HR team can handle the hiring needs. He recently hired a program manager to join his team, and while he spent a few months working through the process, he didn’t believe the position was specialized enough to warrant the cost of working with a recruiter. However, Wheeler says he would have trouble filling higher-level and specialized positions, such as analysts and security architects, if he didn’t work with a recruiter from the start. “Those are really challenging to find off the street or in your own professional network,” he says, adding that the recruiter costs are often less than the cost of a failed search done on his own.
Vet your recruiters
Recruiters are like any other vendor in some respects, with each one offering different strengths in different areas, says Candy Alexander, president and CISO of ISSA International, a nonprofit international association for information security professionals. CISOs should evaluate which recruiter is best for which type of hire. They should also have a roster of recruiters available so they can best match the organizational need with the qualified vendor.
Like any selection process, Alexander says CISOs should vet potential recruiters by determining the scope of services they offer, their expertise, and their costs. Some recruiters might simply collect resumes and rely on keyword searches to identify candidates, while others cultivate long-term relationships with candidates and can thus often identify top workers who might not otherwise be looking for a new job. Some are specialized; others have wider expertise and geographical reach. CISOs should develop a list of key questions to ask recruiters based on their needs, such as how long it takes on average for them to identify candidates, how wide-ranging their geographical reach is, and how long on average the candidates they place stay in their jobs.
Know what you get for your money
Recruiters’ fees vary, but so do the services they offer, Alexander says, so CISOs should be clear on what work their recruiters will do and at what cost, just as they would for any vendor. But be mindful, too, that some benefits a recruiter provides may be hard to quantify but are nonetheless valuable. As an HR executive with years of experience bringing on tech talent, Amy deCastro, vice president of North American operations at Schneider Electric, says recruiters can often open doors and get introductions to high-demand candidates not actively in the job market. It’s hard to calculate the ROI on that, she says, but it’s still a real return.
Clearly articulate what you want and where you want to go
CISOs should be prepared to offer much more information than the open position's title and responsibilities, Alexander says. “The CISO has to articulate specifically what they want in an ideal candidate, not just the skills but the characteristics and attributes,” she says. For example, CISOs can’t just say they want someone “passionate” and expect the recruiters to know what they mean; instead, they need to explain how that term applies to the open role. Ramsés Gallego, the security, risk and governance international director for software company Micro Focus and former ISACA international vice president, also advises CISOs to share with recruiters their strategic roadmaps so they can find candidates who can grow with the roles and the organization. “If your recruiter is a partner, your partner deserves to know where you want to go. That way the recruiter can find the right talent beyond the resume,” says Gallego.
Establish real relationships
Gallego challenges CISOs to think of recruiters not as an outsourced HR function but rather as a partner. As a partnership, CISOs (or their designees) and recruiters need to invest time in the relationship to develop an understanding of each other and what makes them tick. That means meetings and conversations, sharing industry insights and making introductions – all of which can benefit both sides over time. Holden says he builds long-term relationships with his recruiters, viewing that as an investment in his own organization. He says taking this partnership approach has helped recruiters better understand the types of candidates who will be successful in his organization – which produces better search results more consistently. “If there’s no partnership but just a contractual relationship between the CISO, HR and the recruiter, then we could be just a dumping ground for candidates who aren’t good fits,” he says.
Get the recruiter familiar with your workplace
If a recruiter wants to make a successful match, the candidate must like the new company as much as the hiring manager likes the candidate. “So, you want the recruiter to find a person who will be happy working in your organization,” says Phyllis G. Hartman, president and founder of PGHR Consulting Inc. and a presenter with the Society for Human Resource Management. The recruiter can only do that well if he or she knows the work environment – what a typical day entails, how the department is structured, what the company values, how good work is rewarded, how employees are promoted, how teams are built, etc.
Loop in the in-house HR team
Some CISOs say they seek out recruiters who specialize in placing cybersecurity professionals because such recruiters better understand the skills they need and the complexity of the roles they’re trying to fill than their own HR teams do. But veteran IT leaders say CISOs should not sell their HR teams short and in fact should include them in building partnerships with recruiters and in strategizing how those partnerships fit into the security team’s larger staffing strategy. “At the end of the day, in-house people know your company, so working with the in-house HR department is very important to understanding what skills and talents you already have, how to nurture them and train them, how to work on education and put some money on the table to promote your own people,” Gallego says.
Plan post-mortems
The work shouldn’t stop once a candidate has accepted a position. Rather, CISOs should expect recruiters to check in with the candidate, the hiring manager, the HR team and, if needed, the CISO as well to see how the match is working out. They should also all meet to discuss how the search went – what worked, what didn’t, where improvements could be made. “These relationships are rooted in how successful you are in these searches, so it’s important to see what you can learn from them,” deCastro says. She says that her company’s recruiters do indeed have routine check-ins about new hires, adding that the process at least once identified a match who needed additional support to adjust to his new role – a catch that helped retain the candidate and chalk up a win for all involved.