As a generalist technology executive search firm owner for almost 15 years and now having run a specialized cybersecurity search firm for the past 5 years, I have found there are critical differences between the two areas. I hope to shed some light on those differences here.

As a hiring manager or talent acquisition leader, it is essential to properly qualify search firms upfront, otherwise, search firms can waste a tremendous amount of your time, and it may result in a mishire of a security expert which can be extremely painful and costly to replace. Plus, it could put your company and your company’s data at risk.

As you may know, finding the right security talent is not easy. There are a lot of ‘wannabe security folks” out there who try to pass themselves off as security experts. They know common buzzwords that can trick many recruiters who are not intimately familiar with security. Most often, when a search firm is engaged, you are looking to hire a person with existing skills who can “hit the ground running.” A security-focused recruiter can dig deeper to uncover if candidates have the appropriate practical and proven experience for that specific position.

“It’s not who’s looking for you, it’s who you are looking for.”

Therefore, here are some questions you should be asking any search firm before you hire them to work on critical security roles:

1. How many security engineers, architects or executives have they placed in the past 6 months?  If this is a larger search or staffing firm, ask who would be assigned to your recruiting effort and then ask how many security professionals has that person placed? Just because a national firm has placed security professionals, it does not mean the person assigned to you will know anything about the security domains which are important to your company. Also, ask for references from their clients and talk to the security professionals they have placed. Did the candidate and the client enjoy the experience? How responsive was the firm? Did they help elevate the reputation of the hiring company during the search?
2. Are they active members of any security organizations such as ISSA, ISACA, InfraGard, CSA, etc.?  Security professionals often avoid posting their details to LinkedIn, job boards, and social networks. In fact, I would be leary of those security professionals who post too many details on the internet. To find the highly desired, embedded security candidates, a search firm must actively participate and build trust within the security community.
3. Is the search firm actively involved in making a difference within the cybersecurity community?  Security professionals are inherently suspicious, otherwise, they wouldn’t be good at what they do. They work with people whom they know and trust. A search firm that is recognized, influential, and a trusted insider will be able to attract those passive or embedded candidates and leverage a strong referral network within the community. Does the firm host events such as CISO Forums? Are they publishing useful security-related content? Are they improving the industry by leading efforts such as diversity initiatives (i.e. Cybersecurity DIVAS) or hack-a-thons.
4. Do they recruit off of a job description, or do they take the time to understand the gap which needs to be filled? When interviewing a search firm, listen to the questions they ask. Are they only interested in the ‘skills’ they can search on, or do they understand the functions of the role?  Are they asking probing questions about how a new hire can make a bigger impact on the team?  Whether it be a SOC Analyst or a Cloud Security Architect, knowing the normal day to day challenges within that role allows a search executive to evaluate the candidates more thoroughly and accurately.
5. How do they qualify security candidates? Ask the search firm or recruiter what qualification questions they would ask for a variety of security domains. If they say they need to get back to you, you know they are scrambling or Googling for those questions. Qualifying firewall engineers, threat analysts, SIEM developers, and Cloud Security Architects is very different. Evaluating a CISO across all the 12 main security domains can be very challenging. A search executive who can’t speak the language or properly qualify the talent will waste your time and not be able to attract the talent you want to hire.
6. How many current security positions are they recruiting for now? Are they a “wannabe” security recruiter? Do they have a current queue of security professionals they are working with or will they start this search from scratch?  Their website job postings will tell the real story. Review their existing posted positions. Are they a generalist or are they really focused on security roles?

As described, recruiting security experts is a very different process than hiring IT support or development personnel. Most recruiters rely heavily on in bound candidates from job postings listed on LinkedIn, Monster, Career Builder, Indeed, ZipRecruiter, etc. It is extremely rare for great security candidates to come in through job postings.

Case in Point: Over a one year period, our firm received over 10,000 resumes from one of those above sources (out of respect I won’t name which one). We only placed one “inbound” candidate after reviewing those 10,000 resumes and that person was released in under three months which was a blemish on our reputation. This is why our motto continues to be, “It’s not who’s looking for you, it’s who you are looking for.”

Security candidates who do have extensive LinkedIn profiles will continue to be pursued heavily even after they are hired.

Really good cybersecurity professionals don’t need to respond to a job posting. They often receive 10-20 recruiting calls and emails every day. Rarely will they respond to an unknown recruiter as they know they are in extremely high demand. If they want a new position, they most often leverage their trusted security network.

More and more security professionals are reducing their social footprint on LinkedIn and other social platforms. Security candidates who do have extensive LinkedIn profiles will continue to be pursued heavily even after they are hired. This leads to a higher turnover rate, salary demand, and a lower return on investment. Therefore, those professionals may not be the ones you want to target. This is why it may be a big advantage to hire a firm who has already built a deep and trusted network within the industry.

To conduct a successful security search, search professionals must know this domain well, leverage trusted relationships, and be influential in the industry to be able to attract those highly valuable embedded candidates.

About Tim Howard

Tim Howard is the founder of Energy Sourcing (www.energysourcing.com) and Fortify Experts (www.fortifyexperts.com) which helps companies hire and deploy exceptional “Embedded” talent through executive search perm placement and expert consulting. 

In addition, he has a passion for helping companies develop Higher Performing Teams by working with them to increase effective communications, improve non-productive behaviors and on-board faster by providing clients with “Employee Operating Manuals“.

He has teamed up with Lyndrel Downs to launch www.CybersecurityDIVAS.com to help promote the most influential women in cybersecurity and provide a mentoring program to help increase encourage and support more diversity within the industry.

He has been leading technology staffing teams for over 15 years and is the founder of three other technology firms. He has degrees from Texas A&M University in Industrial Distribution and Marketing.  

Invite me to connect:  www.linkedin.com/in/timhoward