How to write a cybersecurity job posting
The shortage of cybersecurity talent is a major problem. According to a Fortinet report, 60% of organizations struggle to hire cybersecurity staff and 52% struggle to retain qualified people.
“I don’t see a shortage of talent available for entry-level jobs; the problem is in the five- to ten-year experience level,” said Helen Patton, CISO advisor at Cisco and senior member of the Digital Directors Network faculty.
Job descriptions only add to the problem, Patton said. Qualified candidates are often deterred from applying for a job by unreasonable job posting requirements. “You have hiring managers who don’t know how to write job descriptions and you have recruiters who don’t understand the role,” she said.
In her book, Navigating the Cybersecurity Career Path, Patton offers tips to help security leaders build a security team, including how to recruit the right talent with good job postings.
In this excerpt from Chapter 18, Patton offers tips on how to write a cybersecurity job posting. Learn which skills to include, as well as the importance of using inclusive language and of explaining how the role will benefit the candidate, not just the organization.
Of all the challenges with security job postings, skills mismatch is what causes most candidates to skip the post and look elsewhere. The sector lacks skills, yet our job postings require too many skills and too many certifications. In addition, they assume that the selected candidate must arrive at the new job fully trained to do whatever is needed. Before you sit down to write your posting, consider the skills that are absolutely required of a new hire, as well as the skills that you are willing to help the candidate develop on the job.
When considering skills, you should also consider what formal education you expect from your candidates. Don’t require a four-year degree unless you really believe it is a necessary requirement. (Most security leaders don’t.) Be careful with the certifications you require: do they really support the role you are hiring for? Are there equivalences you are willing to consider, such as work experience instead of formal schooling? Must all the training you require be security-specific, or can you let candidates demonstrate their skills in another way? How do you view self-taught candidates?
Compare with other postings and resources, such as the US National Initiative for Cybersecurity Education (NICE) framework. Make sure you do not ask a junior candidate to have senior-level skills. Make sure a senior-level job posting doesn’t require too much technology experience or mastery. Just because it is a senior position doesn’t mean the role requires expert-level mastery of every skill!
Differentiate between general IT skills (such as programming languages) and security skills (such as evaluating applications for insecure code), and make sure you’re not labeling a job as “security” just because it sits in your security organization. It’s perfectly fine for a CISO to hire a generic application developer, project manager, or data analyst without turning them into a “security engineer,” “security manager,” or “security analyst.”
Interestingly, when you talk to hiring managers, it is often not the technical skills that are difficult to develop on the job; it is the professional skills such as empathy, teamwork, and communication. When you read a job description, which “required skills” come up first? Technical skills! If you think you can train technical skills on the job but want to hire for professional skills, list the professional skills first.
Don’t ask for skills or experience you are willing to live without. Even putting unnecessary skills in the “optional” or “preferred” section is enough to turn away high-quality candidates, so make sure the skills you put into your job postings are the ones you really need.
No job is created in isolation. If you’re hiring someone for a role, it’s because your organization needs that role for some purpose, and that purpose aligns with your security strategy and the organization’s goals and business mission.
So when you create a job posting, let potential candidates know the “why” of the job. Why does this job exist? What purpose does it serve? How does it fit into the company, the security team, the security function? Does the role focus on a single line of business or on the whole company? Will the role be part of a revenue-generating team or a product support team, or will it be an administrative function? What are your core values, and how does this position support them? Include a link to the important parts of your company’s website so that a candidate can quickly see general information about working for your company.
Don’t just talk about what the job is; talk about how the company will support the candidate’s development. Tell the candidate what they can become, as well as what the job may become. Do you invest in training employees on the job, send them to conferences, or pay for industry memberships? Then say so! Let them know that you will help them grow when they join your team, not just evaluate their work performance. Let them know that the risk they take in applying for your job is worth it.
You should give candidates context because it allows them to see themselves in the role. Candidates want to be excited about a new opportunity. If all you can do is tell them to monitor vulnerabilities, test an app, or write a policy, you’re not giving them the full picture.
Giving candidates the “why” lets them fill in the role with their imagination and picture their success as part of your team.
The context will also allow candidates to be better prepared for interviews, to ask better questions, and to be better prepared to do what you need.
When you create a job posting, you are creating a vision for the candidate. You are telling a story of what the role may be and what their part in it will be. Therefore, like any good storyteller, you must place the reader at the center of the story, not as a passive observer but as the main character. To do this, write directly to the reader, addressing them as “you” rather than “the candidate.”
Instead of saying, “The candidate will monitor the systems and follow the playbooks to respond to incidents,” you can choose to say, “You will use your powers of observation to identify anomalies and attacks against your company.”
Instead of saying, “Applicants will be part of the security team,” you could say, “You will be a key member of a highly professional and inclusive group of people that ensures the security of the entire company.”
When writing your job postings, be careful to avoid language that is gender-biased, otherwise biased, or promotes negative stereotypes. Some people want to be “rock stars,” but for others this reads as a masculine, highly competitive standard that automatically excludes women and other minorities. Free software is available to check the language you want to use; search for “bias language applications” to see some options. Please use them. Candidates will not apply for your job if the language you use tells them they would not be successful in the position.
If you can, avoid using question-and-answer screening filters as the first step in the application process. Companies love to do this: it helps their algorithms “weed out” unqualified candidates. But security jobs aren’t cookie-cutter, and these algorithms often do more harm than good because they filter out qualified candidates who don’t have exactly the right kind of experience or who use the wrong words on their resumes. Our algorithms are not prepared for the lack of structure that currently exists in the security profession. If you must use them, ask your recruiter to show you the rejection list as well as the selection list. You will be amazed at who is left behind!
About the author
Helen Patton is CISO Advisor at Cisco, where she shares security strategies with the security community. Previously, she spent eight years as CISO at Ohio State University, where she was awarded the 2018 ISE North American Academic / Public Sector Executive of the Year. Prior to joining Ohio State, she spent 10 years in risk and resilience at JPMorgan Chase. She is a member of the Ohio State CyberOhio Advisory Board, the Manufacturing and Digital USA Cybersecurity Advisory Board, and the Ohio State University Electrical and Computer Engineering Industry Advisory Board. Patton is also a faculty member of the Digital Directors Network and the Educause Leadership Institute.