There are hundreds, if not thousands, of recruiters and search firms out there who want to recruit cybersecurity professionals for you. You probably receive multiple calls and emails per week looking for security “job orders” to work on.
Although I’ve been recruiting in the technology space for over 15 years and now in the cybersecurity space for about 3 years, I have found there are critical differences between the two areas. Therefore as a security leader, if you don’t qualify firms up front, you can waste a tremendous amount of your time and may not result in hiring the security expert you need on your staff.
As you know finding the right security talent is not an easy task. There are a lot of ‘wannabe security folks” out there who do not know their stuff and would require significant training which you may not have the time or resources to complete.
Therefore, here are some questions you should be asking any recruiter or search firm before you hire them to work on critical security roles:
- How many security engineers/architect placements have you made in the past 6 months? If this is a larger staffing firm, ask who would be assigned to your recruiting effort and how many security placements has that person made? Just because a national firm has made security placements, does not mean the person assigned to you will know the security domain. Ask for references of their clients and the security professionals they have placed.
- Are they active members of any security organizations such as ISSA, ISACA, Infraguard, etc.? Sr. Security professionals often avoid posting their details to LinkedIn, job boards, and social networks. In fact, I would be leary of those security professionals who post too many details on the internet. To find the highly desired, embedded candidates, a search firm must actively participate and build trust within the security community.
- Do they attend cybersecurity conferences? Again, security professionals work with people they trust and know. They are inherently suspicious (otherwise they wouldn’t be good at what they do). A search firm who is a trusted insider will be able to attract the passive candidates and leverage a strong referral network within the community.
- How do they qualify security candidates? Ask the recruiter what qualification questions they would ask for a variety of security disciplines. If they say they need to get back to you, you know they are scrambling or Googling for those questions. Qualifying firewall engineers vs. threat analysts vs. SIEM developers is very different. Recruiters who can’t speak the language or properly qualify the talent will waste your time and not be able to attract the talent you want to hire.
- How many current security positions are you recruiting now? Are they a “wannabe” security recruiter? Do they have a current queue of security professional they are working with or will this search start from scratch? Their website job postings will tell the real story. Review their existing posted positions. Are they a generalist or a do they really work on security roles?
Recruiting security experts is a very different process than hiring IT support or development personnel. Most recruiters rely heavily on LinkedIn and job boards such as Monster and Career Builder. Whereas, most good security professionals despise those platforms. Plus they will rarely ever respond to job postings. They know they are in high demand. If they want a new position, they most often leverage their security network.
Therefore, to be successful in a security search, recruiters much know this domain well and go back to ‘head hunting’ where they build long term trusted relationships and referral networks. Then when an appropriate role comes along, it is much easier to get a security professionals to raise their hand in interest. As I tell our recruiting team, “It’s not who’s looking for us, it’s who we are looking for.” That’s what leads to successful searches.
Tim Howard is the founder of Fortify Experts which helps companies find exceptional cybersecurity talent through executive search, permanent placement and project consultants. Howard has been leading technology staffing teams for over 15 years and is the founder of three other technology and staffing firms. He has degrees from Texas A&M University in Industrial Distribution and Marketing.