Firms struggling to recruit quality cybersecurity candidates may be a little too quick to blame the security skills gap without looking in the mirror first. In many cases, companies take themselves out of the running for the best available candidates the day the job is posted.
Experienced cybersecurity professionals run away far and fast the second they see poorly conceived job descriptions and requirements. Poorly written job requirements are a dead giveaway that an employer doesn’t know much about security. A bad job posting can signal any number of bad omens for good candidates, such as:
- This is a firm that doesn’t know what they need from this security position
- This is a firm that will overwork me and my security colleagues
- This is a firm that is compliance driven and not committed to security
For most candidates, these are indicators that lead to immediate disqualification.
“Just like a resume tips the hand of a job seeker, job requirements tip the hand of an employer,” explains a Red Team PenTester placed by CyberSN.
There are a number of ways that job postings turn off cybersecurity candidates.
Let’s dive deeper into the following 3 red flags when it comes to job postings.
Red Flag #1: Job Requirements Make No Sense
When job requirements don’t track to the title, or to broad cybersecurity responsibilities, candidates will start giving the employer side-eye. In many cases this is the product of someone who knows very little about cybersecurity. Most likely this is from someone copying job requirements from other cybersecurity job listings.
“It seemed likely that a lot of employers were looking at other job listings and probably copying and pasting those job responsibilities, which I think is typical for companies, because they know that they need cybersecurity to protect their assets, but they don’t necessarily know what that means,” says a Security Engineer, placed by CyberSN, explaining his experiences when running into requirements that weren’t “structured in an organized or sensible manner.”
Red Flag #2: Two Or More Jobs In One Description
Another common problem is listings that rattle off job requirements which clearly show that the person will be asked to do two or more jobs. When candidates hear that an employer wants them to be an appsec guru, a security architect, and a SOC analyst all in one, they’re highly unlikely to put their hats into the ring for consideration.
Red Flag #3: Experience Requirements Don’t Match Job Level
Another common red flag for candidates is when the experience requirements asked of them in no way match up with the level of job being advertised. When entry-level positions (with entry-level wages) require 5-10 years of experience, it’s clear that there are a lot of things wrong with the organization’s expectations and, potentially, company culture. Another corollary to this is when the experience requirements ask for many years of background in brand new technology.
To be sure, for employers seeking to build out a brand-new security team, it can be tough to craft the perfect job requirements. When they’re on the hunt for the first or second security hire for the organization, they often really do need a renaissance man or woman who can ‘do it all’ until they can scale up the team after a period of time.
This was the exact experience of one client, a Security Engineer from a mid-sized SaaS company, who eventually came to CyberSN for recruiting help.
“I didn’t know how to craft the messaging internally. For a company that has never had good security, telling them you need someone to do disaster recovery, you need someone to do compliance, you need someone to do platform security, application security, security operations, maybe network security and someone to lead all of it, they didn’t really believe me,” this Engineer said. “As a result, I suggested to start with just one. But how do you put together the job posting that says, ‘You’ll be our first security hire, AND you’ll have to do all of it’?”
Many of the candidates we work with are passive, meaning they are not overtly looking but are willing to make a switch for the right opportunity. Poorly written job postings will NEVER attract these candidates. A well-crafted job posting will. In a passive job seeker market like the one we are in, this makes all the difference.
It’s a tough situation, and one in which employers need to look to the experts to help them carefully and thoughtfully craft a job description that makes sense. Otherwise, they risk hearing crickets after posting their security jobs. At CyberSN we take great care when helping our clients draft a job description. We encourage them to take a deliberate approach and circulate it among their network for input before posting.