Advice from Cybersecurity Recruiters

Cybersecurity hiring is tough. But the need for cybersecurity professionals to be employed in a wide range of roles is constantly growing-- from the security operations center to the red team, from incident response specialists to malware researchers. I asked some top cybersecurity recruiters for their tips. Their advice can be useful, whether you’re hiring for a position or looking to enter the industry.

Kayla Moss, Senior Associate, GQR

What are some popular misconceptions about hiring for cybersecurity roles?

One of the top misconceptions about cybersecurity hiring is that money is everything. Since the start of the pandemic that notion has become quite the opposite. I am finding candidates to be more interested in remote work and a better work life balance even if that means a bit of a pay cut.  

Another misconception is that breaking into a career in cybersecurity is too difficult… False. No, you won’t jump into being an industry expert overnight however, entering the industry is much easier than some believe. Obtaining a degree in cybersecurity or computer science can easily get you into an entry level or even a security development rotational program at many organizations. Often many organizations will even pay for you to get certifications in specific field areas. Take advantage of these opportunities to find your niche, acquire and hone your skills.

Recommended read: Is a cybersecurity certification worth it? (Here's how to find out)

Is cybersecurity recruiting easier or more difficult than it was a few years ago?

Cybersecurity recruiting has become more difficult over the past few years. The industry needs and demand is growing rapidly and there are not enough cyber security professionals to fill the need thus making industry fast paced and highly competitive.

If someone who has never worked in cybersecurity would like to enter the industry, what's your advice?

Cybersecurity is growing at such a rapid pace and is in high demand, but what we see is a huge skill gap.  My advice for someone starting out in the industry would be to not give up too soon. My two key points of advice would be to submerge yourself in the industry and the cybersecurity community and to continuously be learning and developing your skills. This can all be done by joining cyber bootcamps and training, obtaining certifications, attending industry and networking events and building relationships.  Also, soft skills are crucial in pursuing a successful career in cyber.

What are some things you've learned from your expertise as a cybersecurity recruiter?

Networking and relationship building is key. Having open communication and transparency with candidates and clients is the key to strong long-term relationships.

Ricki Burke, Director, CyberSec People

What are some popular misconceptions about hiring for cybersecurity roles? 

There are several misconceptions and journeys that both people and organizations learn. For example, not every organization knows what they are looking for when hiring. They have the right intention of making a security hire, but this is tricky if it's the first hire in security, it's one of the reasons why we end up with unicorn looking job descriptions. We do a lot of consulting work advising customers on job titles, job descriptions, salaries and what is achievable compared to their requirements. 

I'm sorry to share bad news for the students out there, but there are very few actual entry-level jobs. Also, entry-level positions are not always entry-level. 

Is cybersecurity recruiting easier or more difficult than it was a few years ago?

Both. There have never been as many people in the industry as there are today, but there have never been as many vacancies either. It's great to see because globally, the level of maturity in security is increasing. It's not just the larger enterprises with huge budgets, but we now see smaller companies hiring their first security person or building a team. 

If someone who has never worked in cybersecurity would like to enter the industry, what's your advice?

Play to your strengths and experience. Also, you don't need a job title with "cyber" to be adding value in security. For example, someone who worked at a call center for 10 years would have an excellent understanding of how the business of a call centre operates, better than an outsider. If you added a deeper understanding of risks and then increased awareness of cybersecurity and made recommendations to the organization, you could become the de facto "cybersecurity person." You can then add this to your LinkedIn profile and resume. Those additional responsibilities you added to your role will help you bridge the gap between theory and real-world experience and could land you a full-time cybersecurity role. 

Also, network, network and network. The more people you get to know, the more likelihood you have of someone referring you to their boss. That is how many jobs materialize in cybersecurity. 

What are some things you've learned from your expertise as a cybersecurity recruiter?

It is a very small world. But, once you build relationships and get to know people in the community, it becomes a place with many friendships and fun, especially when it comes to cons and meetups. The industry is moving rapidly, and it's so exciting with new roles being created and so many companies building out their security environments. The future is so exciting!

Kathleen Smith, Chief Marketing Officer, ClearedJobs.Net

What's your advice for someone who has never worked in cybersecurity that would like to enter the industry?

I get this question a lot and I am saddened that there are so many candidates that want to be in cybersecurity simply because of the glamor of iRobot or because they hear of the high paying salaries that they are going to get. If you don’t have a passion for cybersecurity, please don’t pursue a career in this field. Find a career that does ignite your passion.

If you are someone who loves to solve problems, work out the kinks in a program, or can see puzzles in a different way, give cybersecurity a try. And realize that there are so many career paths that you can follow, from policy to hands-on technical, supporting non-profits, or working to support national security. You have endless possibilities, but please be sure you have the passion for it.

What have you learned from your expertise as a cybersecurity recruiter?

There is so much I have learned from the community and I cannot thank everyone enough for all that they have taught me. I am a “boots on the ground” learner and when I saw all the statistics on the open cybersecurity positions, I wanted to find the answer.

After being on Twitter for a while I saw that BSidesLV was having a career village, so I asked for a Press Pass and hopped on a plane to Vegas. I had never been to a hacker con, and knew only one person out of the entire Vegas masse who was in attendance for Hacker Summer Camp. I asked a lot of people about their careers. Down to every single person I talked to, everyone was frustrated that they couldn’t find the job they wanted. They didn’t understand the process and why there were so many open positions but many were still unemployed.

Thus, I knew I had a calling to share that job search and recruiting are learnable skills, but there needed to be some instruction provided by a trusted individual. I wanted to become that person. I have been embraced by BSides, DEFCON, and many other cons since.

There is a lot of bad advice out there about resumes, job search strategies, and salary negotiation. While your friends want to support you, they are not the best people to give you job search advice. You need a recruiter that you trust to provide you with honest feedback about your job search.

Your network is your best advantage to finding a job, or a candidate, and you have to be constantly expanding and supporting your network.

Always be kind, respectful, and nice. If you don’t, this will come back to bite you—you know where.

Please keep resumes simple. Remember the KISS principle. No fancy fonts, colors, or graphs.

As a recruiter, sit down with cybersecurity staff in your company and learn what they do and how someone can be successful in that position. Build your candidate archetype from there.

Also as a recruiter, give back to the community first and foremost, before you even look at recruiting in this community. There is a lot that recruiters need to do to elevate the position of a recruiter in the eyes of the community.

Recruiting and finding a job are people processes. You have to connect with people and support your relationships with them to support your career progression– be it as a recruiter or as a candidate.

Hire or get hired through Hack The Box

Hack The Box has services for both employers and jobseekers that can help you recruit, or land your first cybersecurity job!

Read about our Talent Search service for business on our blog.

Check out Talent Search for your business, we can help you find great job applicants!

And if you’re looking for cybersecurity employment and you have a Hack The Box account, check out our cybersecurity jobs portal.