Alex Holden has a problem that plagues most other CISOs: he’s almost always short staffed and looking to hire.

Holden, CISO at Hold Security LLC, says he’s typically looking to fill several positions, due to openings created by both expansion and regular turnover; late last year, he was hiring for eight slots.

“I don’t remember a time when we weren’t looking for information security professionals; looking for talent is an ongoing activity,” Holden says.

Although many CISOs resist using recruiters due to costs and other concerns, Holden says he often turns to recruiters to help him find top candidates. He says recruiters are particularly valuable resources when he’s looking for highly specialized talent or skills that are in exceedingly high demand.

“Unless you’re promoting from within, it’s very difficult to find those people, so we look to recruiters who have connections and more access to the market to bring in those candidates,” Holden says.

The 2019 State of Cybersecurity report from ISACA, an IT governance organization, quantifies the degree of difficulty that many CISOs have hiring, with 58% of respondents saying their organizations have unfilled cybersecurity positions. A third of respondents say it takes six months or more to fill those open positions. Meanwhile, ISACA reports in its Tech Workforce 2020 Survey that 70% of tech pros would consider changing jobs within the next two years and are considered “in play” for being recruited.

The exceedingly tight market for cybersecurity talent is forcing many CISOs to put more effort into hiring, which is part of what pushes Holden to work with recruiters. Holden, however, says recruiters can offer more value than compiling resumes.
He says recruiters, when treated like partners, can help maximize the returns on the investment that he and his company make in hiring while also providing insights into market trends.

Others offer the same observation, but they, like Holden, say CISOs need to cultivate that partnership to get the best value from their recruiters. Here’s what they say it takes to make the most out of working with recruiters.

Know when to use a recruiter

Evan Wheeler is a veteran cybersecurity executive with plenty of hiring experience, and now, as CISO at Edelman Financial Engines, he knows when to reach out to recruiters – and when he and his firm’s HR team can handle the hiring needs. He recently hired a program manager to join his team, and while he spent a few months working through the process, he didn’t believe the position was specialized enough to warrant the cost of working with a recruiter. However, Wheeler says he would have trouble filling higher-level and specialized positions, such as analysts and security architects, if he didn’t work with a recruiter from the start. “Those are really challenging to find off the street or in your own professional network,” he says, adding that the recruiter costs are often less than the cost of a failed search done on his own.

Vet your recruiters

Recruiters are like any other vendor in some respects, with each one offering different strengths in different areas, says Candy Alexander, president and CISO of ISSA International, a nonprofit international association for information security professionals. CISOs should evaluate which recruiter is best for which type of hire. They should also have a roster of recruiters available so they can best match the organizational need with the qualified vendor.

Like any selection process, Alexander says CISOs should vet potential recruiters by determining the scope of services they offer, their expertise and costs.
Some recruiters might simply collect resumes and rely on keyword searches to identify candidates, while others cultivate long-term relationships with candidates and can thus often identify top workers who might not otherwise be looking for a new job. Some are specialized, others have wider expertise and geographical reach. CISOs should develop a list of key questions to ask recruiters based on their needs, such as how long it takes on average for them to identify candidates, how wide-ranging their geographical reach is, and how long on average the candidates they place stay in their jobs.

Know what you get for your money

Recruiters’ fees vary but so do the services they offer, Alexander says, so CISOs should be clear on what work their recruiters will do at what costs, just as they would for any vendor. But be mindful, too, that some benefits that a recruiter provides may be hard to quantify but are nonetheless valuable. As an HR executive with years of experience bringing on tech talent, Amy deCastro, vice president of North American operations at Schneider Electric, says recruiters can often open doors and get introductions to high-demand candidates not actively in the job market. It’s hard to calculate the ROI on that, she says, but it’s still a real return.

Clearly articulate what you want and where you want to go

CISOs should be prepared to offer much more information than the open position’s title and responsibilities, Alexander says. “The CISO has to articulate specifically what they want in an ideal candidate, not just the skills but the characteristics and attributes,” she says. For example, CISOs can’t just say they want someone “passionate” and expect the recruiters to know what they mean; instead, they need to explain how that term applies to the open role.
Ramsés Gallego, the security, risk and governance international director for software company Micro Focus and former ISACA international vice president, also advises CISOs to share with recruiters their strategic roadmaps so they can find candidates who can grow with the roles and the organization. “If your recruiter is a partner, your partner deserves to know where you want to go. That way the recruiter can find the right talent beyond the resume,” says Gallego.

Establish real relationships

Gallego challenges CISOs to think of recruiters not as an outsourced HR function but rather a partner. As a partnership, CISOs (or their designees) and recruiters need to invest time into the relationship to develop an understanding of each other and what makes them tick. That means meetings and conversations, sharing industry insights and making introductions – all of which can benefit both sides over time. Holden says he builds long-term relationships with his recruiters, viewing that as an investment in his own organization. He says taking this partnership approach has helped recruiters better understand the types of candidates who will be successful in his organization – which produces better search results more consistently. “If there’s no partnership but just a contractual relationship between the CISO, HR and the recruiter, then we could be just a dumping ground for candidates who aren’t good fits,” he says.

Get the recruiter familiar with your workplace

If a recruiter wants to make a successful match, the candidate must like the new company as much as the hiring manager likes the candidate. “So, you want the recruiter to find a person who will be happy working in your organization,” says Phyllis G. Hartman, president and founder of PGHR Consulting Inc. and a presenter with the Society for Human Resource Management.
The recruiter can only do that well if he or she knows the work environment – what a typical day entails, how the department is structured, what the company values, how good work is rewarded, how employees are promoted, how teams are built, etc.

Loop in the in-house HR team

Some CISOs say they seek out recruiters who specialize in placing cybersecurity professionals because recruiters better understand the skills they need and the complexity of the roles they’re trying to fill than do their own HR teams. But veteran IT leaders say CISOs should not sell their HR teams short and in fact should include them in building partnerships with recruiters and strategizing how those partnerships fit into the security team’s larger staffing strategy. “At the end of the day, in-house people know your company, so working with the in-house HR department is very important to understanding what skills and talents you already have, how to nurture them and train them, how to work on education and put some money on the table to promote your own people,” Gallego said.

Plan post-mortems

The work shouldn’t stop once a candidate has accepted a position. Rather, CISOs should expect recruiters to check in with the candidate, the hiring manager, the HR team and, if needed, the CISO as well to see how the match is working out. They should also all meet to discuss how the search went – what worked, what didn’t, where improvements could be made. “These relationships are rooted in how successful you are in these searches, so it’s important to see what you can learn from them,” deCastro says. She says that her company’s recruiters do indeed have routine check-ins about new hires, adding that the process at least once identified a match who needed additional support to adjust to his new role – a catch that helped retain the candidate and chalk up a win for all involved.