
How To Not Be The Highest Bidder

If you are reading this post, you already know that it is a sellers’ market for Cybersecurity talent.  Enough said.  In any sellers’ market, it usually follows that price becomes a major, if not the major driver in landing the deal.

Cybersecurity compensation is very important for candidates too.   However, there are many other factors involved beyond compensation that could be the difference between you having success or losing out.  Here are just a few and you undoubtedly could add to this list based on your experience:

  1. All Employers Are Not Equal – Your attractiveness as an employer is relative.  That is, you may or may not possess the cultural attributes that a particular candidate values.  Think of all the differences between working for Google versus a regional Urology group practice for example.  On the one hand, working at Google could involve exposure to bleeding edge technology, mad benefits, brilliant co-workers and in general having a seat on a rocket ship.  This will appeal to many.

    On the other hand, smaller work groups, being a big fish in a small pond, work-life balance, and being able to feel the importance of your cog in the overall mission wheel of the practice may be things the Urology employer could offer that Google could not.

    Understand these differences and seek out employees that might be better aligned with what you can offer.  Don’t waste your time on trying to land a big fish that values things you can (never) offer.  Many employers make this mistake and then make the second mistake of trying to win a bidding war for total compensation.

  2. Toys, toys and more toys – Sometimes he who has the better toys wins.  Bank of America spends $1B on cybersecurity.  Yes, with a “B”.  How does that compare with your cybersecurity budget?  What staff, technologies and training opportunities can you offer?  If your target candidate is looking for exposure to these things, no amount of compensation is going to win if you can’t provide that exposure.

  3. Career Alchemy – It is important to notice what career aspirations a candidate has and how your position can contribute to that.  For instance, an intrusion analyst who breaks down pcap files on Wireshark all day may not be interested in doing the same thing for you – even if you pay more.  Offering that candidate a way to leverage their Wireshark expertise by becoming a SiLK expert might get some attention.  It gets attention because it may be meaningful to longer-term career aspirations and will potentially light them up intellectually.  Take time to understand not only how the target candidate fills your void but also how you fill their voids – short and long term.  If this is not a 2-way discussion, I am betting you are mostly talking about compensation with the candidate.  (By the way, you would be well-served to take this approach with existing employees too.  Your retention will improve dramatically.  More about that in future posts.)

  4. Policy Matters – Self-examination of your existing cybersecurity policy is a hard thing to do.  However, your policy is visible to others and knowing how you are perceived comes into the mix when trying to attract top talent.  (I can feel the collective hair on the collective neck-backs rising and loud snarls can be heard).  So, take a deep breath as I try and make my point.

    An “A” player candidate can quite simply “know” your cybersecurity policy by the decisions you have made.  One employer I know recently spent $653,000 on a new premium breach protection system.  The old one was probably fine.  Moreover, this same employer does not even have a password complexity, password expiration, or MFA policy in place.  So, from the outside, this employer may appear as “all show and no go” when it comes to cybersecurity sanity.  They may be more interested in how a policy looks in the postmortem of a breach than actually preventing the breach.  This can rub your prized candidate the wrong way.  So, take an uncomfortable moment to analyze how you might be perceived from the outside.  Also, spend some time looking at the comments on sites like Glassdoor to see what’s out there in the policy department.  Your candidates certainly do.

    Changing your cyber policy in order to attract a particular candidate is, of course, not doable and indeed not the point.  Rather, understand how your policy is perceived and spend time making sure it is a match with your target candidate.  Again, no amount of compensation is going to overcome a mismatch.  A good match in this department is essential.

  5. Is Money A Long Term Motivator – If you win the bidding war and pay the most for a candidate, what happens next?  While money may be a motivator for winning short term, once the employee banks the money does the motivation remain?  Not usually.  Studies show that money as a motivator wears off very quickly.  Moreover, if an employee was swayed to take a new job predominantly for money, chances are the next offer (not yours) will trigger the employee to leave yet again.  Short tenures can leave you worse off than if you never made the hire to begin with.

So, while it is a sellers’ market in cybersecurity talent, it pays to look at more than just total compensation to attract top talent.  If you find yourself in a compensation bidding war, you may be in the wrong position for long term success.  Spend some time quantifying your value proposition and then “sell” those differentiators to get your candidate to the finish line.  It could save you a lot of time and heartache too.
