Filling roles in cyber security can be tough, particularly when dealing with HR or business personnel with minimal understanding of a role and thus the right candidate for the job. So how should you prepare as a recruiter in the cyber security space?
It’s Who you Know
Talk to professionals in the cyber security industry. Networking is key and the hope is that you would have developed relationships with senior stakeholders, influencers and subject matter experts in the cyber security domain. Using those connections to understand the trends and tools headlining in the Infosec space will enable you to stay current with the types of skillsets currently in demand. Furthermore, understanding those people’s previous experience, and if they align with that required of the role you’re hoping to fill, will give you greater insight into what’s expected of the ideal candidate.
Find out what kind of people your contacts are targeting for specific roles, which skills may be transferable and ultimately which skillsets have longevity to be relevant in the future.
Think Outside the Box
As far as transferable skills, it pays to be innovative when looking for candidates. Those with less conventional profiles might just prove to be perfect for the role.
Engage with your target audience. It is a candidate short market, find out the methods of communication candidates are using and get on their wavelength.
Work the Angles
Technology is often the name of the game in cyber security jobs but try taking the role in question from different angles when it comes to working out who may be right for the role.
Sign yourself up with professional user groups and attend relevant conferences as they are a valuable source of information and offer a great way to network with candidates and SMEs in the cyber space.
Reiterating the importance of keeping abreast with the latest trends and technology developments, save relevant Google updates, register with networking forums and sign up to information from third party vendors. As a recruiter you’ve got to be a sponge for information.
As far as preparing your candidates, whether it’s an inappropriate wardrobe choice or lack of thought about who exactly they’re facing at interview, we’ve identified some key areas where candidates typically fall down and how to help them avoid future interview fails.
If your candidate is at senior level…
People at the peak of their cyber career applying to roles including Chief Information Security Officer (CISO) and Senior Security Architect, typically third or fourth line of support roles, face a more complex interview process. “They’ll most likely be preparing a presentation around their work in security policy and procedure,” says IT head-hunter Ross Riddleston. “These case study interviews are where we see a lot people fall down and the most common point is at the start because they haven’t read the question properly.”
Tell your candidate that understanding what they have to deliver is key to passing the interview. “Tailor your presentation to the audience,” adds Ross, “that’s a key thing people miss, read through it, read it again and make sure you’re covering off every deliverable on there.”
Candidates sometimes also fail to read between the lines and forget that the presentation is only a jumping off point for interviewers to get to know them. They will ask them about their presentation. They’ll want to see the how and why and your candidate needs to be ready to answer those questions. “There’s not necessarily a right or wrong answer but they [the interviewers] want to see the thought process,” says Ross, whose tip is to have a couple of explanatory slides ready.
Tell you candidate to think about their audience. Typically they will be facing an SME in security along with someone from the business with minimal security knowledge. Advise your candidate to make sure they are addressing them all in the right manner. Don’t be afraid to ask the interviewers if they want you to go into technical detail or to give a high level answer. It pays to ask for clarification. Ross advises that a way to align the conversation is to outline your assumptions from the start of the presentation which clarifies things for everyone in the room. This will help the candidate to lead the discussion and hopefully direct the interviewers to ask questions in line with their assumptions.
“When it comes to candidates at senior level, companies want to see individuals who are comfortable doing it their way,” says Ross, “ not throwing deliverables out the window, but simply taking charge of the situation.”
If your candidate is at mid-level…
Candidates at the mid-level managerial stage of their career will be looking at the second and third line of support roles such as Security Architects, Security Engineers and Senior IT Security Consultants.
A mistake many people make at this level is to enter the interview room ready with a list of their achievements and not much else. “They don’t talk about failures and challenges which is one of the big things competency-based interviews focus on,” says Ross. Interviews for mid-level cyber security and Infosec roles are all about those open-ended questions that push candidates for examples of when they've had a problem and overcome it, or when they’ve had to deal with a troublesome stakeholder, or how well they engaged with their project team, or how would their team respond to them in a crisis?
Your candidate won’t need an encyclopedia of examples but they will need to be prepared to talk about 3 or 4 problem scenarios or clients from across their career.
“At managerial level the interviewers want to understand how candidates deal with people, how they engage with them, how they manage them, and how they manage stakeholders; so talking about those problematic examples in their career enables candidates to show their experience and demonstrate how well they do their job,” explains Ross.
If your candidate is at junior or entry-level…
The Cyber Security Analysts, Information Assurance Analysts and Security Systems Administrators are typically those you find at first and second line of support within the Infosec hierarchy. At the start of their career, one of the main problems recruiters get in interview feedback comes from the fact that people haven’t had experience in a certain area.
“Typically candidates with only 1-5 years’ experience go in wanting to please,” says Ross. “They want to have an answer for everything at interview so they end up talking a lot of nonsense or making things up.”
As a security professional, your candidate will have likely touched on areas like ethical hacking, Infosec, web security, network security, and infrastructure security but they won’t have experienced it all or used all the tools. ‘I don’t know’ isn’t going to impress so advise them to try relating questions about areas they don't have experience with to something similar they might have had experience with in the same space. The aim is to use technical experience to demonstrate that they could easily pick up other tools and systems.
To Sum Up
Advise your candidates to avoid talking about money or level, research the company thoroughly, make a strong first impression, don’t rush into an answer and keep it real, the interviewers want to hear about the mundane as well as the successes!
You may also be interested in the below articles: