Security people sure have it good. The United States Bureau of Labor Statistics tells us that in 2012, self-described information security professionals experienced 0.9% unemployment – a sliver of the roughly 8% national average. The Bureau projects 22% job growth in InfoSec by 2020. Granted, even the BLS admits their numbers aren’t to be taken as gospel, but that’s only because they couldn’t find enough security professionals for a representative sample size. The Pentagon alone plans to add about 4,000 employees to the Defense Department’s Cyber Command. For organizations in the private sector, recruitment of security talent has become such a priority it’s a full-time job. I should know. With this kind of demand for their skills, you’d think security professionals could simply waltz into any company they like, find perfect jobs ideally matching their backgrounds, and write their own checks.
However, a serious disconnect exists between the desperate need for security talent and the hiring behaviors of many organizations. Human resources departments still release job descriptions with little or no information about the actual day-to-day work to be performed. The titles aren’t much better, when a “security analyst” can be anything from a DLP implementation engineer to an application penetration tester. Understaffed and over-utilized hiring managers don’t have time to conduct searches themselves, but routinely express dissatisfaction with the quality of candidate their corporate recruiters find. And it figures: HR isn’t incented to know about ethical hacking, risk assessments or malware reversing, or how to tell the difference between a keyword-rich résumé and the best technical and cultural fit for their security organization.
This disconnect creates fear, uncertainty and doubt, or FUD, on the part of both talent-hungry organizations and those elite individuals who command the best information security jobs. Companies know they must attract security experts; candidates know their skills are in high demand. And yet InfoSec hiring has become a problem of distribution, like world oil supply or food to the needy: the resources are there, but because of FUD, they’re not being intelligently routed to the places they’re needed. Companies fear the risk they assume in remaining short of security staff (and they should), but they’re uncertain about how to better attract talent and doubt they’ll be able to do so. Candidates fear (and loathe) calls from recruiters who don’t understand what they do; vague, incomprehensible and sometimes impossible job postings make them uncertain as to whether to pursue new opportunities, so when they find a role where they’re relatively happy, they doubt they’ll want to leave anytime soon. The process stagnates and the demand isn’t supplied.
Don’t succumb to FUD in your job search or hiring process. If you’re a candidate for a new role, work with recruiters and hiring managers at organizations that duly value candidate experience and finding the ideal match for the job – not just anyone with the right acronym on her résumé. If you’re looking to hire security talent, prioritize best practices in InfoSec hiring. Certainly be aware that you have to move fast, that you’re competing with literally every major organization for talent, and that you cannot afford to treat security talent as a “nice to have” competency in your company. Then realize that streamlining and clarifying your recruitment process will only help you in reducing time-to-hire for the security experts you need. Take a deep breath, smile, and cut the FUD.