I have seen CISO descriptions requiring upwards of 10 years' experience as a CISO. This makes little sense as the vast majority of CISO positions have been created within the last five years. Making sure that a CISO has the management experience makes sense; however, if one is stuck on a title, the search will be unnecessarily difficult.
The experience issue is true of many of the advanced cybersecurity certifications. It makes little sense to advertise for an entry-level position and require a CISSP, CISA or CISM. All three of these certifications require five years of experience.
As an example, the CISSP requires a minimum of five years of cumulative, paid, full-time work experience in two or more of the eight domains of the (ISC)² CISSP CBK. Requiring an entry-level candidate to be an Associate of (ISC)² is within scope. The Associate of (ISC)² program allows entry-level information security personnel to demonstrate their competence by passing the (ISC)² CISSP certification exam. They then maintain their continuing professional education (CPE) requirements while working toward attaining the experience required to become fully certified as a CISSP.
Timely execution of the recruitment process, effective communication with candidates and sharing the recruitment process with candidates are all facets of a professional recruitment process. Cybersecurity skills are a seller's market. If the recruitment process takes three months or longer, the company will lose a large number of candidates to companies with a faster, more efficient process. It is rare that a candidate will turn down an offer for the possibility of working at another company.
While they may want to work for you, desire doesn't pay the bills. The most unprofessional behavior I have witnessed in recruitment centers around communication with the candidate. Regardless of the reason, if a recruiter takes weeks or months to return a candidate's e-mail or call, candidates will move on. Keep candidates informed. Let candidates know the recruitment process, set reasonable expectations and execute.
Recruitment is a business process; treat it with the professionalism one would expect of any business process. On occasion, test the recruitment process. Write an ideal candidate resume and see if it makes it into the process. How long did it take to get the resume? Was the resume altered? Interview successful and unsuccessful candidates about the recruitment process.
Of the processes that I have been through, I have only been surveyed by one company about their recruitment process. They communicated with me regularly, were on time, well organized, open, honest and provided usable feedback in an expedient manner. Not surprisingly, Vodafone has had by far the most professional recruitment process I have ever experienced. Unfortunately, I didn't get the position, but the professionalism that Vodafone displayed made me eager to work with them. Their recruitment and hiring process should be used as a model.