How (NOT!) to recruit Infosec staff

Although I’m happily semi-retired, acting as a part-time CISO for a small number of exciting (and, admittedly, some not so exciting) companies, when a recruiter for a certain tech behemoth reached out, I thought that it might be an interesting learning experience. It was. For all the wrong reasons.

Let’s take a step back for a moment. Ostensibly, the purpose of a hiring event is to encourage qualified individuals to apply. Given that the current unemployment rate in information security is 0 per cent if not lower, (at least among those even semi-qualified), obviously this is a lot more difficult than your run-of-the-mill cattle call. Which means almost all of the people attending (a) will already be employed (and therefore not desperate), and (b) will need a compelling reason to quit their current job and risk a jump into the (relatively) unknown.

Our unnamed megacorp, however, appeared to believe the magnificence of their success was more than anyone needed to know in order to throw caution to the wind and apply. The event involved a recruiter who kicked things off with apparently no preparation, pointed to a brochure that listed the available positions (a list that turned out to be so high-level and nebulous as to give almost no idea of the actual jobs waiting for the gathered hopeful), and then introduced a handful of managers. They were equally unprepared, said a few words about the projects they were working on — all of the explanations assumed the attendees had intimate knowledge of said megacorp’s entire product line so no further details other than product names were necessary to fully comprehend the nature of the work.

After a short Q&A period (which did elicit some information that ought to have been in the original presentations if the presenters had given a moment’s forethought to what they were trying to communicate), we were left to mingle. Oh, and the manager who provided the most articulate and compelling answers to some of the questions appeared to take a call on his phone and then disappeared for the remainder of the event (or at least the remainder I stayed for).

Needless to say, if a company cannot run a coherent and informative hiring event, one has to wonder what chaos awaits the successful job applicant. Relying entirely on your company’s brand (or at least your own perspective of that brand) is a lazy and presumptuous approach, and one that is certainly going to bias the applications towards the shallow end of the pool.

So in the interests of not wasting the time of any infosec professionals in the future, let me lay out a plan for a hiring event that is not an embarrassment.

Step 1 — Do your homework. Well before the event, when your recruiters are working their network (and abusing their LinkedIn Recruiter account), try to build a relationship with attendees before they step through the door. Look at their LinkedIn profile (or, in the unlikely event they haven’t one, ask them about their background). Figure out which of the jobs you are trying to fill might be a fit and check with the prospect (e.g. “Here are some of the positions I think might fit your skills, do any of these sound interesting?”). Make sure your invitation is reasonably specific about what you are looking for. If, like our nameless megacorp, you are only looking for product security people, don’t invite any and all information security people. Infosec is a big field and inviting network security engineers to a recruiting event for appsec people wastes everyone’s time.

Also do not hesitate to ask your contacts to forward the invitation (which, of course, must have an RSVP requirement so you can contact them in advance of the event) to their colleagues. Doesn’t hurt to ask.

Objective — For each position you are trying to fill, have a list of attendees who are most likely to be a fit. Put colour-coded dots on their name tags so that the managers who will be casting their nets during the event know which fish to target.

Step 2 — Prepare and rehearse your presentations. If your company has a cultural aversion to PowerPoint, then figure out how you are going to get your message across to those who are visual and not aural learners.

Take a lesson from the real estate industry — they well know that the key to successfully selling a house is staging it so that home hunters can easily imagine themselves living in the house. Your job as a recruiter is to paint a picture that enables your attendees to envision themselves working for you — not just envision, but to dream of working for you.

This means putting yourself (and having your managers put themselves) in the position of an attendee (and an attendee who has never heard of your company or its products). Explain what you do and why you do it. Explain why you love working for your company and why you think others would prefer working for you rather than their current employer, or indeed any of the thousands of other companies desperate for information security help. And do it in a logical methodical manner. Merely uttering random thoughts as they pop into your mind, no matter how compelling and interesting you may think they are, will only tell your prospects that your company may be even less organized than their current employer.

Objective — Give your attendees both rational and emotional reasons to want to work for you, in a manner that makes it easy for them not just to imagine themselves coming to work at your company, but also to want to. You have to win over both the heart and the mind. To do this you not only need a rock-solid structured presentation on all the good reasons (remember, these people are mostly engineers after all), but a couple of passionate speakers who can convey why they love coming to work.

Step 3 — Release your sharks. Having done your homework you have a good idea of which attendees you really want working for you, and which are a good fit for your positions. You have briefed your managers on the specific candidates they are to seek out and chat up. You have used colour-coding on the name tags to make it easy for your managers to find their targets, and then let them loose.

Objective — You want each of your managers to spend at least three minutes (but no more than five) with at least ten candidates whom you have targeted. But since you will have taught your managers to ensure their body language does not signal they are having a private conversation, others will frequently listen in, and by the questions they ask, potentially identify themselves as attractive candidates. It is entirely appropriate for your managers to take notes (so they can brief you, the recruiter, after).

Step 4 — Follow up. No sales person in any industry makes a sales presentation and then just waits for the orders to roll in. Continue working the relationships you developed in Step 1. Have your managers pick up the threads with the most desirable candidates and consider inviting them in for individual meetings with their future co-workers. Ask for feedback on how they thought the event went. For those who brush you off, try to learn why. Obviously you aren’t going to get an application from every attendee you’d like to see working for your company, but you will learn as much from your failures to recruit as from your successes, if not more — but you won’t learn if you do not ask.

Objective — You spent a lot of time and money to start the relationship, don’t drop the ball now. For each attendee your success criteria are either (a) to get an application, or (b) to understand why not.

Things that go without saying: having a good selection of snacks and beverages, having some swag to give away and raffle off, holding the event somewhere convenient to transit at a time that does not eat into the working day (at least not too much), and making it relatively easy to participate. If your company security policy requires all attendees to sign an NDA before they can set foot in the building, turn over government ID for the duration, and be escorted through multiple turnstiles — consider holding the event offsite.

In summary, the market for quality information security people is so competitive that merely mixing your managers with a group of infosec people and hoping hiring opportunities will magically arise is not just naive, it is disrespectful of the time your attendees have volunteered to listen to your story, a story you implicitly promised to deliver but, through lack of preparation and thought, you have failed to deliver. If you cannot deliver on that promise, why should job hunters believe you can deliver on any of your other promises?

Jim Love, Chief Content Officer, IT World Canada
George Pajari
George Pajari is a “CISO-for-hire”, providing cybersecurity leadership to SaaS cloud startups. He was previously the Chief Information Security Officer (CISO) of Hootsuite, the most widely used social media management platform with over 15 million users including more than 800 of the Fortune 1000 companies. He was responsible for information security, IS risk management, and IT general controls. Prior to that he was the Security Architect at Hootsuite, and before that, Manager of Network Operations for Glentel's national digital radio service. He is a member of the BC Government's Provincial Security Advisory Council, a member of the Vancouver (ISC)² Chapter executive, and one of the organisers of the Vancouver BSides and BC AWARE Day security conferences. He was invited by the (ISC)² to write the Security Architecture and Engineering section for the next edition of the Official (ISC)² Guide to the CISSP CBK (Common Body of Knowledge), to be published by John Wiley in 2019. George's professional certifications include the CISSP-ISSAP, CISM, and CIPP/E. He is learning to play the bagpipes and his paper on a new device for improving piping skills will appear in a forthcoming issue of Piping Times.
