To set the stage, I have 20-plus years' experience in cybersecurity management and law enforcement, along with a Master's degree in Information Security and a CISSP. I started off by updating my resume and submitting it to a few key recruiters and associates, some job boards and LinkedIn. My first lesson came very quickly in the form of numerous calls from offshore locations offering me a "wonderful opportunity" as a cybersecurity analyst on a three- to 12-month, hourly-rate contract, anywhere but close to where I live. Cybersecurity analyst is a position I qualified for well over a decade ago, and one that reports to several of my direct reports.
Initially, I didn't mind being approached about a cybersecurity analyst position; it's an easy mistake for an inexperienced recruiter to make. Some of the traits of a good CISO are shared with a good cybersecurity analyst. After a number of approaches and conversations with cybersecurity recruiters, however, it became clear that inexperienced recruiters are the norm, not the exception.
Many have little knowledge of the market beyond the ineffectual keyword search programs that they use. Worse still, many lack the ability to read a resume and tell whether it does or does not make sense for a particular position. This being the case, how is a recruiter expected to effectively screen resumes, conduct interviews and provide a quality pool of candidates for consideration? The shotgun approach is the best description of the current recruitment methodology.
Hiring a CISO is no different from hiring any other C-level executive: a well-thought-out plan should be developed and executed. The mere fact of hiring a CISO will not make a company secure. Hiring the wrong CISO will, in many cases, have the opposite effect.
As a recent example, I participated in the process for a CISO EMEA position at a well-known cybersecurity vendor. The hiring manager was a first-time CISO, in the position for less than a year. At the end of the process, I was told the position was going to another candidate. The CISO stated that I had done well in the interviews and had good experience and the skills he was looking for; however, he felt I was too focused on governance, risk and compliance (GRC).
I was too stunned to respond, and thanked him for his time. GRC is the cornerstone of any well-run information security management program. Without GRC, an information security management program would be a hodgepodge of security technologies, disjointed policies and ineffectual processes.
The keys to an effective information security recruitment process are:
- A well-defined position description developed through an understanding of how it will participate in implementing the information security management program
- Aligning the amount of experience required with the level of the position
- Aligning the education and certifications required with the level of the position
- Conducting a salary and benefits survey relative to the position and its geographic location
- Timely execution of the recruitment process
- Effective communication with the candidate
- Sharing with the candidate the recruitment process
- Ensuring the recruiters act in a professional manner
- Testing the recruitment process