The CISO’s Secret Weapon

By Domini Clark, Founder & CEO, Blackmere Consulting

If you need to hire a customer service rep, place an ad. If you need a CISO with a consumer products background that has led a start-up environment, or a Cloud Security Architect with heavy AWS configuration in a global enterprise, hire a professional.  

Seasoned leaders know the most important aspect of any business is good employees who take care of great customers. For CISOs, finding cyber-focused talent is difficult, expensive, and seemingly unavailable when you need it most. That’s why the most powerful weapon in a seasoned CISO’s arsenal is – hands down – a well-connected, security-focused executive recruiter.

For years, the cybersecurity talent gap has burdened even the most savvy leadership experts across the industry. You’ve probably thrown a variety of tools at the problem including internal recruiters, off-shore sourcing teams, job boards, advertising, employee referrals, branding experts, applicant tracking systems, and many more. While these tools may help make your hiring easier, they are unlikely to land you a strategic hire. It takes a trusted, well-connected expert with a reputation for building relationships in the cybersecurity specific field to get you the person you need. 

The Executive Recruitment Difference

With all of the recruiting technology, internal resources, employee referral programs, and other bells and whistles out there, why do you need security-specific recruitment experts?  

A quick look at the state of talent in the industry will tell even the least critical observer that the status quo isn’t cutting it. Worldwide, there is a shortage of cyber talent, with some saying we have hit a crisis point in the industry. Here are some of the highlights from the ISACA State of Cybersecurity 2018 report:

  • 81% of study respondents said it is “likely” or “very likely” their organization will experience a cyberattack this year
  • 50% noted their organization experienced an increase in the number of cyberattacks last year
  • 59% stated their organization has unfilled cybersecurity positions
  • 54% admitted that filling open cybersecurity positions takes 3+ months

Security IS unique

Security recruiting is different than recruiting in other industries. To begin with, strong security professionals often aren’t active in the market. However, they are being hounded in the market.  According to an (ISC)2 survey, nearly half of cybersecurity professionals are solicited on a weekly basis, yet only 15% are actively seeking a new gig. Most are open to opportunity, but they aren’t cruising job postings because they are far too busy. You can’t spam them through LinkedIn and expect a response. They will not click on the position description link you embedded in your email. They will not “apply online” without a conversation first, and good luck getting them on the phone. 

The best candidates aren’t posting their resumes on every job board. In some cases, you won’t even know who the best ones are because they’re hiding on purpose and only their closest colleagues know how amazing their last project was. Plus, they don’t trust people who don’t have street cred in the community. The irony here is that, as highly technical as cybersecurity professionals are, when it comes to recruiting the only way to succeed is through networking, relationships and personal trust. It’s a full-time job. Seriously.

Teams, tools, and referrals

Maybe your internal recruitment team is filled with amazing recruiters who have spent years honing their search strings and crafting the best negotiation skills in the business. So, why can’t they seem to land you a great candidate? The reality is most internal recruiters are overwhelmed with too many difficult-to-fill jobs, and cybersecurity is often just one of their many areas of focus. They simply don’t have the bandwidth to create the necessary relationships in the industry. Rarely do they have the budget to hit the most important conferences, and many have not been well trained on the ins and outs of cybersecurity to recognize true talent.  

Among recruitment technology, Applicant Tracking Systems (ATS) are great for HR compliance and tracking, but outside of searching existing resumes and making sure you’re not hitting up the same candidate that turned you down last week, they’re not magical cyber hiring machines. To be honest, they are simply looking for key words and often sending out blanket emails to people with those words, even if that person has unrelated skills. One of the many complaints I hear from candidates is that a recruiter sent an automated email from their system and the position wasn’t even related to their skill set.  A mistake like that can cost you the conversation – now and in the future.  

Employee referrals tend to be one of the most successful avenues for internal recruiting. Executives in the C-level often sit on boards with the executive talent you’re looking for. Engineers, architects, and consultants socialize ideas with friends in the industry and often lean on one another to solve challenging problems. The idea here is that it “takes one to know one,” and your team is not only adept at recognizing the technical expertise in another expert, but they know the people they want to work with on a team. Leveraging the experts and empowering them to build their team with the right talent is a great approach. The downside to this strategy is that your team of technical professionals has only so many friends in the industry. If they continue to call on the same people over and over again, you risk ruining a friendship and a future relationship.

Let’s be selfish

HR teams are often wary of external recruiters, either due to the fear that outside influence could be a threat to their “process ownership,” or external help may be considered too costly. But let’s be selfish, shall we? Are you directly responsible for the success of your security team?  Are you currently flush with Grade-A Security talent to the point where you’re turning them away at the door? If you had to put a dollar amount on a vacancy in a critical role in a risky area, what would that cost be? Is that amount more or less than a recruiting fee? According to The 2017 Cost of Data Breach Study from the Ponemon Institute, the global average cost of a data breach is $3.6 million, or $141 per data record.  In the scheme of things, recruiting fees are a drop in the proverbial bucket.

What’s it gonna cost?

Remember a moment ago when we were talking about value? You can’t expect to pay Walmart prices and get Nordstrom service. So when you hire an expert, do so mindfully and with full knowledge that your investment will be well spent and will result in the right hire. There are many ways to structure a relationship with a recruiting firm, but the three main avenues most firms utilize include:

Retained Search:  Retained search recruiters are often considered the best, and there is an excellent reason why—they are 100% focused on your search. Often used for C-level and executive searches, this model has become more common in other areas in the cybersecurity industry due to the critical need. Think of your Cloud Security Expert responsible for driving the global cloud strategy, or your Embedded Cyber Researcher in product development responsible for ensuring your product isn’t vulnerable. In some organizations, these positions are even more critical than executive leadership. Most retained search firms charge a percentage of the annual compensation (base + bonus) for the candidate selected (often between 20-30%) with 1/3 of the payment due at the inception of the search, 1/3 paid at the time of interview, and the remaining due at the time of offer. 

Retained search is a consulting partnership model where you work carefully with an expert in the field to scope out the position, explore business goals, and set search strategy. The search consultant will work with you on aligning your wish list with reality, provide title and function insights, point out potential internal barriers, and offer compensation guidelines that will keep you market-ready. Be prepared to take an active role in this sort of relationship. This is not a “post and pray” experience. You will get the best results working alongside your retained recruiter to ensure they are successful in understanding the ideal fit for your organization through your feedback and participation in the process. Remember, you have significant “skin in the game” with this model and you are paying for a dedicated search consultant. Use the resource wisely.  

Contingency Search:  Unlike retained search, when working with a contingency firm you are only charged if you hire the person they deliver. This is a great option if you just want to get your feet wet with a new recruiting firm or if you think your internal team has great options and you simply need a second set of eyes on the search. As with retained search, fees are based on a percentage of the annual compensation for the selected candidate and can range from 15-30 percent.

Be aware that with contingency search a firm will need to work multiple other searches to ensure they are paid by someone, which takes some of the focus off of your search. With this model, you won’t get a search expert’s full attention. While there is a temptation to hire multiple recruiters to combat this issue, it will backfire. The knowledge that your chosen recruiter is out in the market talking to the same 30 qualified candidates as five other firms can be frustrating to the recruiter you’re creating a relationship with, and it’s also a huge turn off for the select group of candidates you’re targeting. Top tier candidates become annoyed and disinterested quickly if they are approached by multiple recruiters hiring for the same position. 

Container Search:  Container search is a hybrid between retained and contingency where a payment is negotiated at the inception of the search, and the remainder of the fee is up for grabs at the time of offer. This is a great approach to ensure both sides (recruiter and client) have a vested interest in the success of the search. Everybody has a stake in the outcome. It also serves to solidify the partnership, and still ensures that you’re not paying a full fee if the right candidate isn’t delivered. Fees are similar to retained and contingency searches with the up-front ranging from a small “get started” bonus to 50% of the anticipated total fee for hire.   

When you select a recruiter

The old adage that you get what you pay for applies to professional recruiters, but there are things to watch out for including:

  • Ethics. Some of the best-recognized firms will not sign a non-compete agreement. In other words, they may be ushering talent in the front door and escorting them out the back door at the same time. Make sure you know their policy.
  • Guarantees are important. Make sure you are covered if your candidate walks out or is unable to live up to the hype after the interview.
  • Chemistry matters. If you get a yucky feeling when talking to your recruiter (they are smarmy, evasive, bullish, etc.) your targeted talent will feel the same way. The recruiter you choose represents you to the outside world. If you don’t have chemistry, find someone else.
  • Stay engaged. Especially as you work with a recruiter new to you or new to your company, make sure you are giving them feedback on candidates, their process and your experience. This is a relationship with long-term potential. Great recruiters learn quickly and appreciate feedback even when it’s not flattering.  
  • Prioritize their network. If your chosen recruiter has 50 LinkedIn connections in the field of home repair, they may be able to do a bang-up job on your basement remodel, but will struggle with your CISO search.  Make sure they have spent enough time in the industry to make the right connections.

The Bottom Line

The threat of a cyber attack on your business is ever present. Most organizations have grown accustomed to defending against the daily onslaught of run-of-the-mill malware, brute-force DNS attacks, and script-kiddie hacks. But fewer organizations are as prepared to protect their assets against a nation-state or non-state actor attack, something the U.S. Director of National Intelligence has said is a stark reality today. Superior cybersecurity talent is essential to protecting and defending your network. You either pay now to hire the right team, or pay later to clean up a painful, post-attack mess. Only one of these scenarios comes with a guarantee and up-front pricing.
