6 Ways to Rewrite the Impossible Job Description
It's hard enough to fill a cybersecurity position given the talent shortage. But you may be making it harder with a poor job description that turns off would-be candidates.
![Help wanted job ad from a newspaper. Help wanted job ad from a newspaper.](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltb8d7d853243df103/64f15055465245804ffb4f75/HelpWanted-B5PCWW.jpg?width=700&auto=webp&quality=80&disable=upscale)
Source: Eric Carr via Alamy Stock Photo
There’s much lamenting and hand-wringing over the cybersecurity talent shortage. But posting job openings and descriptions with impossible-to-meet criteria certainly isn't helping anyone fill positions, either.
“There is no excuse for asking for 10 years of experience for a technology that has existed only two years. It tells the kind of people that you want to hire that you are clueless and likely won't be any fun to work for,” says Tracy Reed, CISSP and a senior cybersecurity consultant who teaches cybersecurity classes at UCSD Extension. "Security people and technology people, in general, are sensitive to this sort of thing. So get input from those who know to validate your requirements."
Smaller errors, such as use of improper terminology in job descriptions, are red flags, too.
“This is why most of these [cybersecurity] pros will gravitate toward those jobs with clear and concise expectations and properly formulated descriptions,” says Isla Sibanda, an ethical hacker and cybersecurity specialist at PrivacyAustralia.
Whether small or glaring, mistakes in a job description may also signal a dismal future for potential hires. After all, if the organization doesn’t know what it's talking about, it isn’t likely to recognize or reward good future performance either.
Following are some ways hiring managers can adjust their advertised job descriptions to score more cybersecurity hires.
An overly narrow job description diminishes your odds of finding the right candidate.
“One of the hardest parts of designing a cybersecurity job description is the reality that the market is extremely competitive and the perfect candidate is probably not going to be out there — at least not for the budget and experience level you foresee when initially designing the role,” says Heath Anderson, VP of information security and technology at LogicGate.
The better plan is to be prepared to augment the skills of imperfect candidates.
“Unless the job is very narrow and the technology very common, you are going to have to be willing to train," consultant Reed says. "Understand that you cut the pool of applicants by 80% for each hard requirement you add to the job description. And there aren't all that many candidates out there.”
Improve your odds by considering imperfect candidates with transferrable skills they can build on.
"Employers need to stop focusing on certifications, degrees, and specific technologies when they write requirements," says Alyssa Miller, BISO for S&P Global Ratings, an American credit rating agency. "Instead, they need to focus on what in reality is the more accurate measure of a potential candidate's success, core transferable skills. Those skills that transcend a specific role or even specific industries."
Cybersecurity is specialized these days, so avoid writing a catchall job description. Instead, name the precise position you want to fill. Avoid cutesy, company-specific titles, too. No one knows what those mean.
"With so many subcategories under the cybersecurity umbrella, knowing what skills you need not only saves time but also shows your understanding and makes you more appealing to candidates in the market," Nigel Frank's Morris says. "Look at other companies like your own and see what titles they are giving similar roles. What responsibilities do these roles have? Does your team really need all those 'must-haves,' or can you be more flexible?”
An accurate job description matters, too. In other words, don’t advertise for a rock star when the day-to-day work is more fitting for a roadie or skilled fan.
“To reel in more candidates, we need to be more upfront and clear about the day-to-day responsibilities of the job and articulate a path for career growth,” says Fredrick "Flee" Lee, CSO of Gusto, a payroll and benefits provider.
And don't hide the money, either. Spell out the pay and benefits.
“You'll want to keep things concise and to be unambiguous about your salary and benefits. This is a field that has a lot more demand than supply, so you're not going to get the best applicants by being coy,” says Dragos Badea, CEO at Yarooms, a hybrid workplace software provider.
A post with a poor job description will get trashed in a hurry. But HR pros can’t be expected to know the intricacies of the many job roles in the fast-changing cybersecurity realm. Fortunately, a little teamwork can go a long way in fixing this problem.
“I can't tell you the number of times I've seen advertisements for specialist roles that were written by someone who clearly only had a cursory idea of what they were talking about," says Yarooms' Badea. "They can look over the language, but the bulk of the requirements should come from an expert, preferably the person to whom the new hire will be reporting with the help of a boots-on-the-ground techie."
Along those lines, ditch the templates and ads you’re using. Create an ad that invites conversation rather than one that dictates an impossible mandate. You’ll learn more about what candidates can bring to the table.
“What we have in this industry isn’t a skills shortage. It’s a creativity problem in hiring,” says Gusto's Lee.
Consider both hard and soft skills, as well as any technical proficiencies. Be precise about those you seek.
“What technologies are you using? What technologies do you want to use? Or, even better, will this person be responsible for picking those technologies? That's always fun,” consultant Reed says.
Technical skills are important, but specific technologies change fast, so you need to know whether candidates are open to change and continuously sharpening their skills, too. Further, you need to know whether they can carry out related duties.
“What soft skills are you looking for? Do you need someone who can tactfully but clearly explain why your programmer's code has a critical vulnerability that must be patched before disaster happens?" Reed asks. "Or do you just need someone who enters the technical details into the ticket-system fire-and-forget with minimal interpersonal interaction?”
This is not a futile exercise: Your ability to recruit and hire is dependent on how well you know what you need and what to ask for from job candidates.
"As an employer, knowing what your company needs, and being clear on what it doesn't, is vital when competing for talent in such a niche market," says Zoë Morris, president of Nigel Frank International, which specializes in Microsoft recruitment.
Leave room for the candidate to show you their true abilities. If you wait until the interview for the candidate to speak, you’ve already lost out on potential rock stars.
"Much of the skills required do not translate well on a resume or CV,” says Jennifer Tisdale, senior principal of cyber-physical systems security at GRIMM. "Instead, conducting a technical assessment and having a conversation on how a candidate may approach a problem may be more practical ways to identify talent."
Odds are that any given candidate is going to be new to one or more technologies. Most candidates want to learn new skills and advance their careers, too. Be clear about what training your company is willing to provide.
“It comes down to realistic expectations on skills coming into the role and being clear on what training the company is capable of providing,” says Dustin Hutchinson, VP of services and CISO at Pondurance, an Indiana-based managed detection and response (MDR) solution provider. "Aiming for a percentage match from a skillset standpoint makes more sense. Waiting for the perfect candidate makes the company miss someone that is good enough. The idea of mapping a job description to specific criteria, such as NIST's NICE, can help, but a company has to look at the whole person and their willingness to fill their knowledge and experience gaps."
The image people have of what a security professional looks like is hurting the industry and shrinking the talent pool.
“That 'shadowy figures in hoodies' reputation as an exclusive, elite club has allowed hiring across the board to become homogeneous," says Gusto's Lee. "In job postings, cybersecurity needs to drop its ‘dark-arts’ attitude and make job descriptions more accessible and widely understood."
When the job description uses inclusive language and describes the role in a very clear manner, it expands the pool of applicants who may consider applying. Security isn't mysterious or magical, and there is no reason to perpetuate that myth.
"The more we step out of the shadows and make cybersecurity more approachable, the easier it is for people to understand what a career in cybersecurity actually entails — which, in turn, enables them to see themselves working in our industry,” says Lee.