Do you want a top-notch security operations center team like the one at the Pacific Northwest National Laboratory? Today’s columnist, security and privacy expert Lysa Myers, offers five tips for recruiting the best-qualified cybersecurity people. (Credit: Creative Commons CC BY-NC-SA 2.0)

With the huge number of recent layoffs in tech, there’s never been a better time to fill the company’s open security headcount. But this doesn’t mean companies can pick up a six-pack of senior security pros for a song. Here are some ways hiring managers can put their best foot forward and prepare to retain new hires.

  • Create a compelling experience.

Far too many companies treat recruiting as “survival of the fittest” rather than an opportunity to find hidden gems. They set up countless hurdles: dreary, security-jargon-laden job listings; obnoxiously time-consuming and hard-to-use online application websites; and interactions with applicants that range from adversarial to downright hostile. In this scenario, the candidate who gets the job often winds up being the one most willing to be put through the wringer, not the one most excited to help the company. Candidates who have the experience needed for senior positions or for fast-paced security roles, such as those in a SOC, will go to companies that treat them like the valuable resources they are.

  • Answer frequent questions.

Companies go off the mark when they give as little pertinent information as possible about the parameters of their open position. Hiring managers know before the job’s even listed that there are certain aspects about the position that are non-negotiable and some that are flexible. Most companies also probably know whether they hope to find someone entry-level versus a security practitioner who can step into a highly technical role and be effective very quickly, and yet few job listings accurately describe this.

By being cagey about salary range or travel expectations, companies can give the impression that they are trying to hide negative job traits from the candidates. And not disclosing that the company’s open to remote candidates will keep people who might be an ideal fit from applying.

The best job ads include a few basic checklist items that most of us would want to know about a new job. A general description of salary and benefits, along with an outline of day-to-day activities or goals for the position, is a great place to start. If the hiring company has a favored set of security software or programming languages, or if the threat research group has a preferred reverse-engineering platform, that’s also good to know. It’s also helpful for a candidate to know whether it’s a new team or position, or a backfill. Is the position on-site in a specific location, or remote-friendly? Will the company offer a relocation allowance? And what percentage of the role involves travel?

  • Find good recruiters.

I was recently contacted by four different recruiters from four separate recruiting companies asking me about my interest in one position at a single security software company. Aside from the part where that’s a spectacular waste of time and resources, it gave me a fascinating view of how different recruiters will market the same item. Each recruiter had the same company contact, and the same job description, but the way they approached me with this information varied significantly.

Some recruiters came out with all the pertinent information from the outset. Some asked about my history and listened patiently to my career goals. One tried to browbeat me into being more flexible about my personal limits. Another simply vanished mid-conversation when it started to look like this position was not a good mutual fit.

Recruiters are representatives for the hiring company, whether or not they’re also acting as a representative for the candidate. If I had only been approached by one of the first two, I would be quite enthusiastic to connect with the organization. Had I only been approached by one of the last two, I would have been very reluctant to interact with them again.

Security recruiting has specific challenges that most other industries would never consider. A lot of well-known security experts are very reluctant to use social media and are very protective of their privacy. It’s crucial for recruiters to know how to use secure communication methods.

  • Develop your employees.

Companies should have an active interest in the staff’s career goals, even to the point of preparing them to find a new position at another company if they go as far as they reasonably can within the organization. This may seem counterintuitive, but companies will develop loyal and productive employees with this kind of culture.

The more companies train their employees, the more valuable they will be to the organization. Then, if the point in their career arrives where they need to seek a position elsewhere, help them make that transition gracefully. The good word they’ll share about their experiences may very well help the organization fill future open positions.

  • Remember that employees are humans.

Most importantly, recognize employees as valuable contributors who devote almost half of their waking hours to helping the business, rather than as disposable commodities. At this point in time, we’re all going through a lot at work as well as at home, and employers need to keep this front-of-mind.

Finally, companies should pay staff a fair market rate, or at least offer benefits that bring them as close as possible to that level. Make sure employees feel supported within their group, as well as within the company, to do what they need to do both at work and home. Healthcare and paid sick leave benefits are more important than ever. Make sure employees have bought into the corporate culture so they are enthusiastic about making a positive difference in their work.

Lysa Myers, security and privacy expert