Hiring for the role of security analyst—that workhorse of security operations—could get even harder.

Demand for the position is expected to grow, with the U.S. Bureau of Labor Statistics predicting that organizations will add tens of thousands of positions through the decade, with employment for security analysts expected to grow by 33% from 2020 to 2030—much faster than the average for all occupations. That makes the security analyst role among the top 20 fastest-growing jobs in the nation.

Such news comes at a time when CISOs and other enterprise security managers already report challenges in finding people to fill the post.

That's making it harder for CISOs to secure their organizations. The 2022 CISOs Report from security vendor SpyCloud found that CISOs cited the lack of skilled personnel as the top issue when asked what inhibits their ability to establish effective cybersecurity defenses. And the 2022 Voice of the CISO Report from security vendor Proofpoint found that half of surveyed CISOs believe that the recent spike in employee transitions makes protecting data more challenging.

Given such dire numbers, CISOs should take care not to stack the odds against themselves with job postings that scare off applicants. Think that's not you? To be sure, check out these red flags that veteran security leaders say make hiring harder:

1. No description of the actual responsibilities

One red flag identified by sources centers on the use of the title security analyst itself. True, it's one of the most common titles/positions in the cybersecurity profession. But sources say that its prevalence, coupled with the fact that the cybersecurity field and cybersecurity departments are still evolving and maturing, has given the role a generic quality.

"A security analyst could be doing different things from one company to another," says Vincent Nestler, an associate professor of Information & Decision Sciences at California State University, San Bernardino and director of the CSUSB Cybersecurity Center.

As a result, there are variations in responsibilities. So using the title alone leaves job candidates wondering what the job actually entails.

"At its most basic, the analyst is supposed to analyze the company's infrastructure, its tech stack, and based on that analysis make recommendations. But at a larger enterprise company you might find analysts whose only job is to analyze and at smaller companies they might do that but also implement part or all of the [security] solutions," says Nick Kolakowski, senior editor at Dice Insights, part of the tech career website Dice.

As such, he and others advise security managers to be specific—in their job descriptions, actual job postings and in the information provided during interviews—about what their security analyst position actually does day-to-day so candidates know exactly what's expected of them in the role.

2. Unrealistic experience requirements

The security analyst position is an early-career role and often the first position that workers take when entering the cybersecurity profession, yet job descriptions often ask for years of experience or certifications that require years of experience to earn.

"Right there that's a challenge for a candidate. They're going to say, 'I'm not qualified' and they're not going to apply for the job," says Tara Wisniewski, executive vice president for Advocacy, Global Markets and Member Engagement at (ISC)², a training and certification organization.

For example, Wisniewski says she often sees job postings for this position list (ISC)²'s CISSP as a required or preferred certification, which itself requires a minimum of five years of cumulative paid work experience.

The organization's own Cybersecurity Hiring Managers Guide calls out this problem, adding that "unrealistic entry-level job description continues to be derided as a major cause of organizations' cybersecurity staffing challenges." It goes on to suggest that "more collaboration between hiring managers and HR is the solution."

3. Overemphasizing the tech—especially if it's old

Information security analysts must, of course, understand the technology needed to do the job, but sources say job listings that require experience or knowledge with specific technologies or vendors could be off-putting to candidates who otherwise would be great hires.

Nestler says that rather than asking whether a candidate has experience with a specific vendor, it's more productive to seek applicants who understand how to use a class of technology, noting that a professional skilled in one vendor's tool can easily pick up how to use another vendor's tool. "The question is whether they have the right foundational knowledge," he adds, and not necessarily a history with a specific brand.

Others caution that job descriptions listing experience on legacy technologies can also be a red flag to candidates, signifying that the security organization is behind the times.

"If you're looking at the bulk of the job population, they want to work with the latest and greatest stuff," says Ben Johnson, CTO and co-founder of software company Obsidian Security.

Some top-notch candidates may still apply if the CISO is advertising a transformational effort to shed that old technology, Johnson says, but most applicants will likely be wary.

4. Kitchen-sink requirements

Another major red flag: an impossibly long list of preferred or required skills, experiences, and educational achievements. Security leaders cited this as a problem over and over, often joking that companies like to include even the kitchen sink as one of the items they want to see in security professionals.

"That's one of the underlying issues here: unrealistic expectations and qualifications. Hiring managers tend to put in an unsurmountable list of requirements for the job that they think is necessary. But candidates will look at that and say, 'That's not me,'" says Jason Rebholz, CISO of Corvus Insurance.

Lucia Milică, global resident CISO at Proofpoint, agrees, saying that too many security leaders list their dream applicant rather than describe what they actually need from an individual to be successful in the role. "That's going to dissuade many good qualified candidates from applying," she adds.

Milică says that's particularly problematic for companies looking to create gender equity in their ranks, pointing to research that has shown women generally apply to jobs only when they have all or most of the listed qualifications while men will do so if they have about half.

"So start with the must-haves, those five bullet points, vs. tossing in everything under the sun," she adds.

Jon Check, executive director of Cyber Protection Solutions at Raytheon Intelligence & Space, says he stays away from words like "must" and "shall" to keep good candidates from self-selecting out.

"Does someone really have to have all those things? Instead, you have to convey that everyone is welcome," including those who might not have what has been traditionally considered the "right" certifications or the "desired" pedigree, he says. "And then set up a training plan for the skills they don't have."

5. Unrealistic job demands

On a similar note, some information security analyst jobs do seem to need an expansive list of skills because the position itself covers so much ground, Milică says.

She says she has seen security analyst jobs that also included responsibilities for governance, risk and compliance. GRC, however, requires a different set of skills than an analyst position, with enough work to usually keep someone busy full time, and thus should be a completely different role.

As such, candidates often balk at seeing an extensive list of responsibilities in a job description, Milică adds.

Others agree, saying that putting too many responsibilities that cut across different disciplines under the analyst position indicates that security managers have assigned the role an untenably high workload. They say it also indicates that managers may be doing so because the department itself is understaffed, under-resourced, not valued, poorly run, or all of those things.

Another red flag that could indicate such issues: any language that sounds like workers must be always available. Granted, the job may need all hands on deck during an incident and require on-call hours and extra shifts, but job descriptions shouldn't make it seem like security is constantly on call—and the department shouldn't be structured that way either.

"Typically security people want to be there because they want to make a difference, but they don't want to work 24/7," Johnson says.

6. No details on what the company can do for the candidate

Another potential red flag: no details about the opportunities that come with the security analyst job, including information about how to move up and out of the position.

"The security analyst role is in a constant firefighting mode and you can burn out. It is a grind, so you want to know how you can grow and advance as a professional," Rebholz says.

Rebholz and others say it's particularly important for managers to offer training and professional development to their security teams to both recruit and retain talent. As such, CISOs and their leadership team should be sharing and promoting how they help their own staff learn and succeed.

"It might not be a red flag if it's not in the job description itself, but if it's not being brought up at all during conversations, that is an issue because you [as a candidate] do want to see the company proactively talking about those things," Rebholz says.