Cybersecurity Hiring Manager Handbook

Determine the role and title

Rough outline for this section: please contribute.

  1. Determine the role and title (reference BLS statistics in Additional Resources)
    1. Understand your organization’s need
      1. Define 1-year goals for new hire
      2. Define your team’s skill needs
        • Do you really need 1 person who is an expert in everything?
        • Would you be better with a small team?
        • Don’t forget to ask what are we trying to accomplish
        • Minimize skill need to maximize retention so the employee can grow into the company
    2. Is this a long-term role? How to set candidate up for success
    3. Define a progression path for the role
      1. Understand how the employee will advance along a career path
    4. How to ask for more headcount for your team (best practices)
      1. Make the case
      2. Show value and ROI
      3. List responsibilities and/or projects your new hire would take on
      4. Use data, not emotions
      5. Common pitfalls - not getting buy-in from the org
      6. Can you create a menu of services your department provides, and assign the FTE to the functions your department delivers?
    5. What if you can’t get more people?
      1. Automate
      2. Clarify priorities and emphasize work in priority order
      3. Temporary use of external staff
    6. Understand professional seniority levels
      1. Entry-level, mid-level, senior-level, etc.
        • A note on entry-level jobs: there are entry-level tasks in cybersecurity. Not every team can automate away the grunt work. Entry-level jobs have candidates with 0 to 2 or 3 years of experience, not 3 to 5 years.
      2. Check with HR to see if there are any organization-specific requirements.
      3. Compensation and other impacts
      4. Using internships
    7. Common cybersecurity job functions and titles, and skill sets (reference BLS statistics in Additional Resources)

This step is vital to ensure you hire the right candidate. In order to know what you are looking for, you have to prepare and be clear on what your needs and wants are. Once you have a direction, ensure HR and recruiting understand those needs too.

  1. Determine the role and title (reference BLS statistics in Additional Resources) you need.
  2. Understand your organization’s current and future needs. Review with other managers/directors in the organization to ensure your understanding of the goals and direction for your team aligns with the direction of the entire organization.
  3. Before you start, prepare and plan. Know where your challenges are and communicate that to senior leadership as soon as you can so the FTEs can be added to the budget. Start the conversation now, before you need the person.
  4. Work with HR and the recruiter to ensure they understand what the ideal candidate means to you. Don’t speak lingo and slang. Make sure they truly understand what you are looking for.
  5. Questions to ask them:
    1. What is the current job market trend? Do they even know?
    2. Are there more jobs than candidates?
    3. How will you attract the right candidate?
    4. What is our company reputation?
      1. If your company has a terrible reputation, work with HR to find ways to turn that around.
    5. Strategize with them; make them your advocate.
    6. Note: the hiring manager may have to do this part (items 1 through 4 above) if your recruiter or HR doesn’t understand or doesn’t want to put in this kind of effort. If you do the work now, your attrition rate will be lower. This means you won’t have to do this as many times.
    7. Always refer to your goals during the hiring process: what are you trying to accomplish by hiring this person? What are you looking for? Why are you looking for those qualities? Are you being unreasonable in the skill requirements? Don’t look for a unicorn.
  6. Best practice to ask for more headcount:
    1. Make the case
    2. Show value and ROI with metrics and numbers. What is the mean time to respond and the mean time to close a ticket? Do you have enough people to work tickets to ensure SLAs are met? If not, show it. Use numbers to show that you need people and where. Use data, not emotions.
      1. Create a menu of services your department provides, which FTE does what, and what you are missing. You can also use this to show where you’d assign the new FTE you are asking for.
      2. List responsibilities and/or projects your new hire would take on and how that impacts the org and company positively.
      3. Common pitfalls - not getting buy-in from the org. Come up with solid data that gets their buy-in. What are the impacts of not having enough people?
        1. Burn out
        2. Attrition
        3. Inability to attract talent
        4. Bad reputation
        5. Outages that impact customers
  7. What if you can’t get more people?
    1. Communicate and show the negative impact to senior leadership
    2. Automate
    3. Clarify priorities and emphasize work in priority order
  8. Understand professional seniority levels
    1. Entry-level, mid-level, senior-level, etc.
      • Note on entry-level jobs: there are entry-level tasks in cybersecurity. Not every team can automate away the grunt work. Also, entry-level analysts need a place to start and room to grow. If you develop them and foster a welcoming environment, they will grow into an asset for you.
    2. What organization-specific requirements are there for the role?
    3. Work with HR to establish a reasonable compensation range for the levels for the market you are in.
    4. Common cybersecurity job functions and titles (reference BLS statistics in Additional Resources).
    5. Write a compelling job description, including a salary range if possible, even if not required by law.
    6. Research other current job descriptions. Don’t reinvent the wheel, but don’t just copy and paste from other JDs either; it will be obvious. If you don’t put in effort, you won’t attract the right candidate.