Hiring security gurus: 3 strategies to find scarce talent

The battle for security talent rages on: Are you looking at too small a pool of candidates?
695 readers like this.
CIO Magnifying Glass

Within the broader tech skills race there’s a particular type of talent that can be especially difficult to find: Security pros.

By most analyst estimates, demand for security talent far outstrips supply. Frost & Sullivan predicts that there will be 1.5 million unfilled cybersecurity jobs worldwide in 2020. A different report from Cybersecurity Ventures projects an even greater gap: 3.5 million unfilled cybersecurity positions by 2021.

It’s not like IT leaders can run and hide from the bad guys; the threats are real, and they’re continuous. Moreover, yesteryear’s security playbook no longer suffices; the era of hybrid cloud, containers, and other modern technologies demands evolving traditional approaches and processes, as well as a healthy security culture.

[ Read DevSecOps: 7 habits of strong security organizations ]

Unless you can back up a Brinks truck and pay security talent whatever they want (must be nice,) you’ll need to be more creative in your talent identification, recruiting, and hiring.

You’ll also have to remind your whole hiring team that security talent is sometimes cut from a slightly different cloth than other IT pros. In fact, let’s start right there as we dive into several strategies for finding security talent in a hyper-competitive market.

[ Are you speaking the wrong language? See How to talk to normal people about security. ]

1. Get boots on the ground in your talent identification 

So much of the initial phases of recruiting and hiring happens online these days that you could almost forget: You’re looking for actual people, not just resumes or online profiles. That’s not to bash the web: Sites like LinkedIn, GitHub, and plenty others can be very useful for recruiters and hiring managers – and job-seekers, of course – and the digital age has made it easier than ever to cast a wide net for talent.

But if this is your go-to sourcing strategy for security talent, your net has some holes in it.

"Security talent isn’t as likely to post a resume online or utilize online job boards."

“Unlike other professionals, security talent isn’t as likely to post a resume online or utilize online job boards,” Jim Halpin, lead technical recruiter at LaSalle Network. “Many don’t have LinkedIn profiles either, so it’s really important [that] companies are networking and meeting these people in-person or through their connections.”

Halpin notes that good security people are commonly active within the IT community and regulars at local meet-ups, conferences, and other industry events. If you (or someone on your team) isn’t there, too, you’re missing out.

“Research conferences or meetups in your area specific to technology or security and make sure your company has a presence in order to meet potential candidates,” Halpin advises.

2. Get the word out that your company pays for training

If you invest in your people’s skills and careers in the form of company-paid training or education – and there are plenty of reasons you should –  make sure you and your team make that known in the broader security community.

“One uncommon way to get the word out about your company is to send team members out for training and have them share the news that your company cares about training,” says Brian Wilson, CISO at SAS. “We often run across candidates who haven’t had the benefit of company-paid training, and we use this as a selling point for new hires at SAS. Don’t underestimate the power of word-of-mouth messages that are shared by colleagues face-to-face and through social media.”


Kevin Casey writes about technology and business for a variety of publications. He won an Azbee Award, given by the American Society of Business Publication Editors, for his InformationWeek.com story, "Are You Too Old For IT?" He's a former community choice honoree in the Small Business Influencer Awards.