4 infosec hiring tips to attract top talent

Businesses are having a tough time hiring security professionals, according to new research from Dice.

Infosec pros ranked third on the company’s list of the most-challenging talent to hire, just below software developers (No. 1) and Java professionals (No. 2). Adding to a shallow talent pool is an increase in demand for qualified professionals: Dice job postings for security engineer positions are up 22 percent, while network security jobs are up 19 percent.

“Gartner predicted that global spending on information security would reach $75.4 billion in 2015,” according to Bob Melk, president at Dice. “With security breaches and information hacks appearing almost daily in the news, it’s clear that companies need to shore up their security practices with the right talent.”

But companies are facing an uphill battle, says Joyce Brocaglia, CEO of recruiting firm Alta Associates. “Another reason these positions are so hard to fill is because they’ve become so much more complex,” she says. “Businesses are looking for candidates with a combination of skills that are difficult to find, and the more senior the role, the more difficult it becomes.”

[ MORE CAREER ADVICE ON CSO: 5 ways to kickstart your infosec job search in 2016 ]

Key to attracting and retaining the best talent, Dice’s report says, is switching the focus from higher salaries to other job satisfaction markers like housing, commute and work/life balance. Brocaglia, echoes that sentiment.

“People will always move for significant salary increases, but that’s not what makes them stay,” she says. “They stay because of their influence in a company, their responsibilities, position in the org chart and the feeling of making a difference,” she says.

Acquiring and retaining the best infosec professionals isn’t always a matter of paying the highest salaries, the experts say. Here’s what businesses need to change to gain a competitive edge in the hunt for talent.

1. Don’t search too narrowly.

Businesses have a penchant for wanting a very specified candidate, which—when qualified resources are scarce already—narrows the talent pool even more. Instead, Brocaglia says, companies should think outside the box and consider candidates who might not be a perfect match.

“Look for people who have a broader experience who can apply that knowledge into the information security organization,” she says. “We are seeing people coming from data analytics and data scientist backgrounds into risk, for example. These people don’t have a very strong technical background, but have the ability to manage projects and to act as a liaison between the technical staff and the business department.”

Blake Angove, director of technology services at recruiting company LaSalle Network, advises against looking for perfection in candidates. “You can’t expect to get 100 percent of your job requirements,” he says. “Look at candidates that meet 75 percent to 80 percent of the criteria, and be willing to invest in that candidate with training and certifications to get then to a place where they can do the job successfully.”

2. Consider your technology portfolio.

Take a look at your company’s technology landscape—are you running antiquated or out-of-date systems? Is it difficult to get the approval for updates or new software? To attract the best talent, your company needs to be one where they can hone their skills and learn new ones, Angove says.

“You really need to have some of the more modern technology in place,” he says. “In order to attract the best talent, they need to know that the environment that they’re walking into will be on the bleeding edge, and a place where they can grow their career.”

[ ALSO: 8 tips for recruiting cybersecurity talent ]

If that doesn’t sound like your company, temper your expectations, he advises. “Unemployment in the security field is less than 1 percent. Everyone is gainfully employed,” he says. “It’s going to take an attractive offer to make them move.”

3. Invest in employees.

While higher salaries might convince top talent to make a move, it’s not what makes them stay, Brocaglia says.

“If companies really want to keep their best talent, you don’t do it with salaries,” she says. “You need to invest in the individual with leadership development and training, by engaging them, advancing them and fulfilling them—through helping them achieve both professional and personal goals. Building that kind of cohesive and loyal team will outstrip anything you can do with salary alone.”

Ensuring that your team feels fulfilled is essential to retention, Angove says. “Security professionals want to know they’re succeeding and making a difference. Make sure you’re giving them consistent feedback, either internally or from clients,” he says.

Other ways to show you care: Pay for continuing education, like certifications. This gives employees the tools they need to move inside the security space, and helps you build talent with the people you already have, he says.

4. Sell the job.

With unemployment in the security space so low, one overlooked opportunity in the war for talent is during the interview process, Brocaglia says. Too many companies focus on grilling candidates rather than selling them on the opportunity.

“Coming from that position of fear doesn’t help the corporation that’s hiring,” Brocaglia says. “You need to sell them on the opportunity—why your company and team is great to work for and what they’ll gain by joining you.”

Be wary, too, of the stakeholders you invite to the interview process. Don’t include too many managers or executives to keep the process moving along, and make sure that the ones involved are on the same page with the job’s roles and responsibilities, she says.