It can be easy to think of cyber-attacks as something that only happens to other companies. Unfortunately, a more realistic view is not whether it will happen, but when it will happen to your organization. Cyber-attacks are on the rise. PwC’s Global State of Information Security Survey 2016 stated that, across all industries, there were 38% more security incidents in 2015 than in 2014.
It doesn’t just happen to giant corporations like Yahoo!, Sony and T-Mobile. SmallBizTrends.com claims that 43% of attacks on businesses target small business. Large or small, it can cost you plenty. The average total cost of a single data breach was $7 million — up from $5.4 million in 2013 — according to the 2016 Ponemon Cost of Data Breach Study. More than half of these costs are related to lost business due to customer churn.
The best approach to cyber security is to prevent the hacks, attacks and breaches. However, as you probably are aware, there simply aren’t enough talented IT security professionals available to do this work. In the first two parts of this three-part blog I’ll provide some tips for optimizing your efforts to recruit cybersecurity talent right now, as well as some longer-term suggestions for attracting more people to this field. In part three I’ll explore some ways of promoting inclusion and integration of including women and other underrepresented groups — well over half the working population — into the profession.
Making Contact: “I’ll Be the One with the Red Carnation”
The best cybersecurity professionals think like criminals. The joke in the industry is that superstars have an “evil bit” (as in bits and bytes) in the code of their personalities. They know better than to have a high-profile online presence. “Paranoid” is too strong a word, but they tend to be hyper-cautious, and some take pride in operating in “stealth mode.”
You won’t find their résumé on CareerBuilder or LinkedIn, so you’ll need to leverage your best networking skills and hardcore power searching techniques. If your quarry thinks like a criminal, you have to think like Sherlock Holmes to track them down. Don’t email them a link to apply — they won’t click on a link from an unknown source (and neither should you). Send them a PDF with instructions for connecting with you.
They’ve Heard it All Before
The demand for these professionals means that they are constantly hearing from recruiters. InformationWeek’s DarkReading.com cites new research by Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) indicating that about half of cybersecurity professionals are contacted by a recruiter at least once a week. If you post a standard HR job description of duties and requirements, it will wash out among all the other background noise.
In today’s talent market you have to court talent, and that is triply true of cybersecurity professionals. Don’t think of it as a job posting, think of it as a sales pitch. Resist the ingrained habit of listing what your company needs, and focus instead on what will engage the interest of your target audience.
What They Want and When They Want It
Your pitch should appeal to this group’s common hot buttons:
- They want to do intriguing work that is varied and unique — let them use their devious creativity to your company’s advantage.
- They want to try new tools and techniques to keep up with the ever-evolving threat landscape. If you’ve got the coolest technology, your pitch should highlight that.
- They want to do more than just scratch the surface . . . offer them opportunities not only to look under the hood, but also to take some deep dives into your systems and code.
- They want the option to work remotely. Your organization may cling to traditional models, but if virtual options give you an edge in the talent war, it’s time to loosen up.
- They want to know that the organization appreciates and values their contribution — like other employee in your company. If you don’t have a proactive recognition and rewards program in place, now’s the time.
In Part Two I’ll share more recruitment tactics and strategies, as well as some ideas about building a longer-term talent pipeline, including attracting more women and underrepresented groups to the cybersecurity profession.