How To Not Be The Highest Bidder

If you are reading this post, you already know that it is a sellers’ market for Cybersecurity talent.  Enough said.  In any sellers’ market, it usually follows that price becomes a major, if not the major driver in landing the deal.

Cybersecurity compensation is very important for candidates too.   However, there are many other factors involved beyond compensation that could be the difference between you having success or losing out.  Here are just a few and you undoubtedly could add to this list based on your experience:

  1. All Employers Are Not Equal – Your attractiveness as an employer is relative.  That is, you may or may not possess the cultural attributes that a particular candidate values.  Think of all the differences between working for Google versus a regional Urology group practice for example.  On the one hand, working at Google could involve exposure to bleeding edge technology, mad benefits, brilliant co-workers and in general having a seat on a rocket ship.  This will appeal to many.

    On the other hand, smaller work groups, being a big fish in a small pond, work-life balance, and being able to feel the importance of your cog in the overall mission wheel of the practice may be things the Urology employer could offer that Google could not.

    Understand these differences and seek out employees that might be better aligned with what you can offer.  Don’t waste your time on trying to land a big fish that values things you can (never) offer.  Many employers make this mistake and then make the second mistake of trying to win a bidding war for total compensation.

  2. Toys, toys and more toys – Sometimes he who has the better toys win.  Bank of America spends $1B on cybersecurity.  Yes, with a “B”.  How does that compare with your cybersecurity budget?  What staff, technologies and training opportunities can you offer?   If your target candidate is looking for exposure to these things, no amount of compensation is going to win if you can’t provide that exposure.

  3. Career Alchemy – It is important to notice what career aspirations a candidate has and how your position can contribute to that.  For instance, an intrusion analyst who breaks down pcap files on Wireshark all day, may not be interested in doing the same thing for you – even if you pay more.  Offering that candidate, a way to leverage their Wireshark expertise by becoming a SiLK expert might get some attention.  It gets attention because it may be meaningful to longer-term career aspirations and will potentially light them up intellectually.  Take time to understand how the target candidate fills your void but how you fill their voids – short and long term.  If this is not a 2-way discussion, I am betting you are mostly talking about compensation with the candidate.  (By the way, you would be well-served to take this approach with existing employees too.  Your retention will improve dramatically.  More about that in future posts.)

  4. Policy Matters – Self-examination of your existing cybersecurity policy is a hard thing to do.  However, your policy is visible to others and knowing how you are perceived comes into the mix when trying to attract top talent.  (I can feel the collective hair on the collective neck-backs rising and loud snarls can be heard).  So, take a deep breath as I try and make my point.

    An “A” player candidate can quite simply “know” your cybersecurity policy by the decisions you have made.  One employer I know recently spent $653,000 on new premium breach protection system.  The old one was probably fine.  Moreover, this same employer does not even have a password complexity, password expiration, or MFA policy in place.  So, from the outside, this employer may appear as “all show and no go” when it comes to cybersecurity sanity.  They may be more interested in how a policy looks in the postmortem of a breach than actually preventing the breach.  This can rub your prized candidate the wrong way.  So, take an uncomfortable moment to analysis how you might be perceived from the outside.  Also, spend some time looking at the comments on sites like Glassdoor to see what’s out there in the policy department.  Your candidates certainly do.

    Changing your cyber policy in order to attract a particular candidate is, of course, not doable and indeed not the point.  Rather, understand how your policy is perceived and spend time making sure it is a match with your target candidate.  Again, no amount of compensation is going to overcome a mismatch.  A good match in this department is essential.

  5. Is Money A Long Term Motivator – If you win the bidding war and pay the most for a candidate, what happens next?  While money may be a motivator for winning short term, once the employee banks the money does the motivation remain?  Not usually.  Studies show that money as a motivator wear off very quickly.  Moreover, if an employee was swayed to take a new job predominately for money, chances are the next offer (not yours) will trigger the employee to leave yet again.  Short tenures can leave you worse off than if you never made the hire to begin with.

So, while it is a sellers’ market in cybersecurity talent, it pays to look at more than just total compensation to attract top talent.  If you find yourself in a compensation bidding war, you may be in the wrong position for long term success.  Spend some time quantifying your value proposition and then “sell” those differentiators to get your candidate to the finish line.  It could save you a lot of time and heartache too.

What Is Passive Recruiting?

The truth is,  when it comes to cybersecurity, most businesses struggle to find the perfect candidate. Moreover, most top cyber candidates are not actively looking, which means that those recruiting, and candidates can quite easily miss each other – by a mile.

A Different Approach Is Needed

Job boards mostly represent just the active market, which is a problem.  Further, in this crazy cybersecurity market, those looking may not be the best candidates.  If you are posting on a cybersecurity job board today, it may mean that the candidate has “issues” since finding a new job in cyber happens prior to posting your resume.  Most candidates today get approached and accept new positions without ever needing to leave their tech community or inner circle. Not necessarily true for other job categories but pretty true in cyber.

So, to overcome this problem of missing out on the right candidates and not reaching the perfect audience, we have come up with a passive recruiting method that is proven to work.

A lot of people are passive job seekers. These are people who are currently in employment but are not actively looking for a job, yet if the right job came along then they would consider it. This proves that companies should not only focus on active job seekers but should also target passive job seekers, through a passive recruiting method, as this is where the real talent is hiding.

For too long, employers have been focused on only those who show an active interest in finding a new job. However, there is an entire population of passive job seekers out there who are waiting for the right job to come along. When the cybersecurity workforce consists predominately of passive job seekers, how can employers ignore them?

How Do We Do It?

The short answer is: Data, Expertise, Relationships and Reputation. Our candidate data is exceptional – that is all we focus on – cybersecurity.  We are not just recruiters but credentials cyber professionals.  We hold certificates like the GCIA and others so we actually can speak your language.  Our relationships are deep and we take them serious.  And, we have the reputation for finding the right candidate working with an actual human throughout the process. Chances are we already have your candidate in our database and he probably is not looking for a job currently.  By the way, this is a plus in our book and the candidate is graded positively (among 37 other attributes).  We are constantly harvesting candidates and enriching our database perpetually.

How Does it Work?

Employers come to us and provide us with the job or jobs that they require. We match these jobs with our candidates and we present you with a our top picks.  We can prescreen them, gather references or work with your HR department as necessary to fill the position.

A Simplified and Efficient Application Process

We streamline the entire application process for both candidates and employers. 

Look at Recruiting in a Different Way

The truth is, cybersecurity recruitment is very different from other tech jobs.. Employers are missing out on the best talent because they are choosing to use tried and tested methods that no longer achieve the right results.

Why not get some help from Vijilant?

Finding Top Cybersecurity Talent in 2022

If you have found your way to this blog you probably already know the situation.  Probably a million cyber jobs needed.  The record number of cyberattacks show no signs of slowing. And as these threats evolve, so will the need for advanced cyber defenses.   To implement, monitor and analyze the data of these services will require an influx of talent. 

 It’s not an overnight transformation, but takes years of analysis, learning different systems, and understanding how malware, phishing scams, and various threats evolve.  So, building new skills for existing employees is vital, but sadly, it won’t be enough and can’t be done fast enough to meet existing threats.  Moreover, while organizations may be dealing with any number of threats in real-time, they also need to look ahead to future needs. Building a diverse pipeline of talent will bring in new perspectives and make the security team stronger.  

Today’s culture of security will only be as strong as tomorrow’s talent. And as the talent gap continues, companies need to get creative about how and where they find the next cyber expert. This could be achieved by partnering with local schools and funding more science, technology, engineering, and mathematics (STEM) programs, creating more internship or apprenticeship opportunities for early talent, or launching a robust upskilling or retraining initiative internally.

More proactive students or early career practitioners may seek out online courses to learn more about cybersecurity career paths. The SAP Cybersecurity Virtual Internship Program offers modules to dig in to password security, identify and target phishing attempts, and analysis of systems and identity as one example. Courses like this can give job seekers a taste of what a career in cybersecurity may look like. 

Cyber Recruiting Is Different

Of course, hiring new employees from the outside has to be the most urgent priority while these longer term programs gain traction.  This route is also fraught with pitfalls too.  For instance:

  • How do you show up? – All IT tech jobs are challenging because there is always high demand.  However, finding cybersecurity talent is much harder.  The demand (as you already know) is in uncharted territory and may be  responsible for the most IT jobs of this type in history.  It is a sellers market and trying to get the attention of top cyber talent is sometimes nearly impossible.  Further, if you are Netflix or Bank of America, you may be fine.  If you are a law firm or a food distributor (for example) you may not be able to “show up” amongst a sea of employers.
  • Job Boards probably won’t work.  The talent on job boards should make you question why they are on a job board.  There are so many jobs for good cybersecurity talent that resorting to job boards seems suspicious.  This is not always true, of course, but you should be wonder why at the very least and drill down on that aspect during pre-screening.  Are they damaged somehow?  Do they have performance problems?  Are there ethical concerns?  Are they in over their head technically?  Are they difficult to work with in teams?  There may be perfectly good explanations but in my experience there is probably some sort of problem.  This applies to cyber jobs and not is universally true for other job categories.
  • Probably not currently looking.  The best talent is not looking for a job.  They are heads down trying to defeat the cyber bad guys and probably at their physical and mental limits – many working more than 60 hours per week.  If they are looking there may very well be a reason that you do not want to inherit.
  • Usually not about the money. Contrary to what you have been lead to believe, it is not about the money.  Whether your cyber talent is happy and likely to stay with you for a while depends on: 1) What technologies they are able to get exposure with, 2) What is the quality of other cyber talent in your organization and can they learn and be challenged by these employees, and 3) The quality of the cybersecurity policy your organization pursues.  Said plainly, are you pursuing goals that look good to the uninformed (top brass and Board members) or goals that rationally protect the organization.  Top talent can plainly see the difference so policy, capital investment, and the other talent you hire says volumes that speak louder than just dollars.
  • Recruiter Not A Dirty Word.  Many organizations do not use recruiters due to the expense associated with them placing top talent.  Make an exception for cybersecurity jobs and do it now.  Moreover, don’t waste time with recruiters that don’t know the technologies and the language.  You will end up spinning your wheels and having to over-explain things that should be obvious.  Speed in getting top talent in place is by far the most valuable resource at play.  The fee is worth with in this cybersecurity talent market.  You will end up spending more than the amount of the fee in your time and interviewing candidates that don’t have the qualifications you need.

Five years from now, what we currently know as cybersecurity could completely change. As organizations continue to digitally transform and migrate networks and services to the cloud at rapid speed, there will be entirely new security challenges that don’t exist today. Navigating these challenges and architecting new solutions will likely be the legacy of the next phase of security talent – but only if they are set up for success now with the talent you need.