Cybersecurity talent represents one of the biggest challenges in recruiting, across all functions. If you are responsible for your security team, you know the stakes are high — especially if you have a senior-level opening. According to the Ponemon Institute’s “2018 Cost of Data Breach Study,” the global average cost of a data breach was $3.86 million, or $148 per data record last year. Unless you are flush with grade-A security talent and turning away applicants at the door, any opening raises your company’s risk level. There are options to help you hire the best and hire quickly, but how do you know which one is right?
Is Your Internal Team Up To It?
One option, of course, is to hand the search over to your company’s internal human resources team. That team probably includes talented recruiters who have spent years honing their search strengths and crafting their negotiation skills in the business. Some cybersecurity leaders may be wondering why it is, then, that they don’t often seem to land great cybersecurity candidates.
The reality is that most internal recruiters are handling many difficult-to-fill jobs, and cybersecurity is often just one of their many areas of focus. They simply don’t have the bandwidth to create the necessary industry relationships. Rarely are they able to hit the most important conferences, and few have the cybersecurity training necessary to recognize true talent.
Another option is employee referrals, generally one of the most successful avenues for internal recruiting. Members of your organization’s C-suite often sit on boards with the executive talent you’re looking for. Engineers, architects and consultants socialize ideas and challenges with friends in the industry. Your team is not only adept at recognizing technical talent in another expert, but they also know the people they want to work with on a team. The downside to this strategy is that team members have only so many friends in the industry. If they continue to call on the same people over and over again, they risk ruining friendships, and you risk future relationships.
HR teams are often wary of external recruiters, fearing it will be too costly or that outsiders could threaten their “process ownership.” But given the cost of having any seat open plus the multimillion-dollar risk to the company, recruiting fees are a drop in the proverbial bucket.
More importantly, an external specialist in cybersecurity talent offers what your internal generalist recruiters cannot. This is a networking play with a high-touch approach. Cybersecurity professionals tend to be skilled at dismissing the large number of solicitations they receive regularly. System-generated emails won’t get through their personal firewalls. Specialist recruiters, however, have cultivated networks and relationships that are needed to make contact.
The cost of external recruitment will depend on the model you choose and the specifications that you negotiate. In general, expect to be presented with three main options: retained search, contingency and container.
How To Select A Recruiter
You can’t expect to pay Walmart-level prices and get Nordstrom-level service, so you want to ensure you get excellent value for your investment. The cost to your company may be one consideration, but to get the value you deserve, also factor in these elements.
• Ethics: Some of the most highly recognized firms will not sign noncompete agreements. In other words, they may be ushering talent in the front door and escorting them out the back door at the same time. Make sure you know their policy.
• Guarantees: Make sure you are covered if your candidate walks out or is unable to live up to the hype after they’ve been onboarded.
• Chemistry: If a potential recruiter feels smarmy, evasive or bullish to you, chances are good that your targeted talent will feel the same way. If the chemistry isn’t there, find someone else.
• Networks: If a prospective recruiter has 50 LinkedIn connections in the field of home repair, keep looking. Make sure they have spent enough time in the industry to make the right connections.
• Engagement: Once you’ve chosen, give the recruiter feedback on candidates, their process and your experience, especially if they are new to you. Great recruiters learn quickly and appreciate feedback, even when it’s not flattering.
The Bottom Line
Ultimately, you’ll have to decide which options are right for you and your organization. There are pros and cons to each. But don’t underestimate the risks. Most organizations are capable of defending against the daily onslaught of run-of-the-mill malware, brute-force DNS attacks and script-kiddie hacks. However, few organizations are prepared to protect their assets against a nation-state or non-state-actor attack, something the U.S. Director of National Intelligence has said is a stark reality today. It’s only with a complete and competent cybersecurity team that your organization can be truly prepared.