MongoDB CISO Lena Smart wants to make a good impression on prospective employees.

So she’s attentive to what goes into the ads she posts when seeking to hire.

“I think people forget that these are the first introductions that many candidates have to their companies, and first impressions matter,” she says.

That may matter more today than ever before, given how much movement there is in the labor market overall and, more specifically, how fierce competition is for cybersecurity talent.

Of course, writing a compelling job posting isn’t an exact science, but Smart seems to have a knack for it. Even in this employee-driven market, one of her recent openings attracted 1,000 applicants.

So what’s the trick? Here are some do’s and don’ts of writing the kind of job posting that can bring such results:

6 things to include in security job postings

Do: Detail what the position requires

Smart says she avoids ambiguous comments and sweeping statements in job postings and instead details the responsibilities that each open position has.

“We delve into a lot more specifics than other companies do. We put in the expectations; there’s nothing vague about it,” she says.

Others promote that approach, saying it’s an important strategy for attracting the right candidates.

Michael Gray, CTO of managed services provider Thrive, says he lists examples of the work that the position requires day to day, noting that if candidates “can’t do them, we don’t want them anyway.”

Jason Baum, head of talent acquisition for Strata Identity, has a similar take.

“Not enough information will not attract enough of the right attention and/or typically will deliver far too many who do not have the required experience,” he says. “Since you have specific needs, don’t lead applicants on, confuse them, or use the exact same position description as your competitors.
The right job description will allow you to narrow down the perfect candidate from a list of qualified candidates. The wrong job description will bring you confused candidates with varying levels of experience who decide to ‘throw an application out there.’”

Do: Be realistic about how much one person can accomplish

Veteran security leaders say they’ve seen ads listing responsibilities that no one could possibly handle or handle well within the typical workweek. Talented candidates look for red flags like that, says Candy Alexander, CISO for NeuEon and president of the international IS professional association ISSA.

As Alexander notes, “Candidates know there’s a difference between being challenged and being overworked, so be realistic as to what the job is.”

Alexander advises hiring managers to first review whether they’ve got appropriate expectations for the position itself and ensure that they’ve right-sized the position’s duties; they can post the job with a list of expectations and responsibilities once they’ve gone through that exercise. “Allow that person you’re hiring to be successful,” she adds.

Do: Indicate traits that would lead to success

Finding the best candidate for a role means identifying people who will enjoy the work and can handle the position’s idiosyncrasies—whether it’s a repetitious nature or a scripted routine or an unknown challenge every day.

Gray says it’s worth adding an indication about the kind of traits and preferences that would do well in a role to draw a qualified pool of candidates. That could mean writing into job postings questions like Do you like to solve problems? or Are you good at researching? or Are you OK figuring out solutions on your own?

“They’re similar to the questions we’d ask in an interview,” Gray adds.
He explains that he has had to hire workers for positions in a highly-structured environment “where every detail has been worked out and all they have to do is complete the task in front of them.” Gray says spelling that out when advertising for the position helps ensure the company and the candidate are well matched.

Do: Be clear about your culture, mission

MongoDB has a clearly articulated mission posted on its website: “MongoDB empowers innovators to create, transform, and disrupt industries by unleashing the power of software and data.”

The company lists its core values online, too: Think Big, Go Far; Build Together; Embrace the Power of Differences; Make it Matter; Be Intellectually Honest; and Own What You Do.

Smart says she likes to reference those in job postings, too. “Why wouldn’t I? You get people who strive to be part of it,” she says.

She says she also adds information about the company’s culture, such as its no-meeting Wednesdays and how the policy ensures staffers have at least one day of uninterrupted time for heads-down work.

“[That kind of information] helps make sure candidates are going to fit culturally,” she says.

Kyle Lai, president and CISO of KLC Consulting, which provides cybersecurity advice and vCISO services for U.S. defense contractors, agrees.

“Show what is the purpose and what are some of the things we’re trying to achieve,” he says, adding that hiring managers who convey their company’s vision are more likely to attract candidates who feel they can contribute to the organization and help it reach its objectives.

“You want to make sure they can and want to support it, and if they don’t believe in your vision and your mission, then they won’t apply,” he adds.

Do: Sell the position and the organization

The war for talent as well as the shortage of needed cybersecurity professionals are both well-publicized facts.
Yet Alex Rice, co-founder and CTO of cybersecurity company HackerOne, says some managers haven’t internalized those realities.

“A lot of times people fail to realize just how much of a supply and demand imbalance there is in the security space. Talented cybersecurity professionals have their pick of jobs, and for any job posting you have, you’d be lucky to have them apply. But too many people write a job description in a way that’s very skewed to the employer. I don’t see anything in those ads that say why [the candidate] should apply for the job,” Rice says.

He adds: “You have to be in sales mode with every security job description you’re writing. Don’t assume anyone wants to work for you. That’s a hard thing for many people to grapple with.”

Rice says hiring managers should highlight what they can offer and use that in postings to attract candidates.

“If you’re a big tech company or you can pay massive benefits, then lean on that. And if you’re not in that bucket, think of what else you have. It could be your mission, that you invest in career growth, your culture,” he says. “You need that if you want to have any hope of filling a role with qualified candidates. And if you don’t know what that is, then you shouldn’t even put that job description up. Anyone who is talented and qualified is going to ask about that during the interview process anyway.”

Do: Be strategic about where you place your posts

Where job posts appear can have as much of an impact on success as the information they contain, Baum says.

“Job descriptions are part of a company’s talent brand. Where the descriptions are posted and the frequencies they are refreshed play a critical role,” he explains. “Use syndication platforms that strategically distribute the job to as many locations as possible for visibility.
Posting jobs on Fridays so they are ranked higher during the weekend when potential job seekers are looking for new opportunities can also impact response. Industry or domain-specific sites, blogs or groups will also provide a more focused group of applicants.”

6 missteps to avoid

Don’t: Think of your ad as a wish list

“If you draft a job posting as a catchall, you’re not going to get who you’re looking for,” Rice says. Worse still, you could be signaling to candidates that you don’t know what you want or need. “It could speak to a deeper dysfunction in your cybersecurity [department] and you just broadcast that to the world.”

Don’t: Ask for excessive amounts of experience

If it’s an entry-level position, you shouldn’t be asking for years of experience, Lai says. In fact, he suggests questioning whether it’s even necessary to list a specific number of years of experience. “Do you really need, for example, eight years of experience in pen testing? Or would you be OK with five years, or maybe four? Or can you actually do an exercise with the candidate to find out if they’re qualified for this role?”

Don’t: Ask for excess education, either

“By asking for a set amount of education you might restrict yourself too much,” Lai says, adding that listing required skills rather than specific college degrees may attract the right candidates more quickly.

Don’t: Downgrade positions

Labeling a professional job as “junior” can be off-putting—especially if you’re looking for someone with any level of experience, Smart says.
Rename the positions; instead of junior analyst, just go with analyst, for example, and then make the more experienced position in your organization a senior analyst.

Don’t: Use buzzwords or vague catchphrases

“If I’m a prospective candidate and I see buzzwords, it tells me you haven’t been thoughtful about what you need and/or you don’t know what you’re talking about,” Smart says.

Don’t: Outsource the task of writing the job posting

Experts agree that hiring managers (and often CISOs, too) should be heavily involved in writing the job posting to ensure that it accurately reflects their needs and speaks to security professionals on their level. “The hiring manager knows best what they need for that position and therefore the skills and what that position entails,” Alexander says.