Write a compelling job description
Job Descriptions for Intermediate and Advanced People
- Research other current job descriptions. Don’t reinvent the wheel. (but don’t just copy/paste from other JDs)
- Cybersecurity job description “must haves”
- Manage to outcomes as much as possible (Key Result Areas, KRA)
- Check with HR to see if there are any organization-specific requirements
- Reconsider the need for college degrees/security certifications
- Include work culture information passively or actively
- Unbiased job description
Job Descriptions for Entry Level People
The way most entry-level job descriptions are written is contributing to the talent shortage in our industry. There are just too many requirements listed for qualification into these entry-level roles.
Creating a great entry-level job description can be straight-forward and easy. But first, I want to tell you about four things that you should NOT put on your entry-level job descriptions.
First, don’t ask for any number of years of work experience. A true entry-level candidate won’t have any work experience in the industry. Remember, the saying, “Cybersecurity requires years of experience.” is a myth.
There are plenty of entry-level tasks that don’t require years of experience. Besides, someone with years of experience won’t want to do a job that they’re overqualified for anyway. Instead, ask for zero years of experience. Then mentor and train the people that you hire.
Second, don’t ask your candidates to have knowledge in specific technologies and tools. Those things can be taught, and more importantly, learned. Instead, look for characteristics and qualities that are harder to teach. Qualities like motivation, curiosity, and critical thinking. Soft skills, like emotional intelligence, empathy, initiative, and resiliency - qualities in a person that are more difficult to teach than technologies or tools.
Third, stop asking for degrees in engineering, computer science, or information systems. Technology changes so quickly, that even if a candidate has a college degree in a technical field, it doesn’t mean that they know the latest and greatest techniques and tools. Instead, look for people who are constantly learning, because constant learning is critical for success in our profession.
Finally, stop requiring advanced security certifications like the CISSP for entry-level roles. The CISSP requires 5 years of full-time professional cybersecurity experience before you’re even eligible for the cert, so requiring it just doesn’t make any sense.
Think about some entry-level job descriptions you’ve seen recently. Did they include any of these four things? If they did, now you understand what the next generation is up against. There are simply too many unnecessary gates keeping out the very same folks that we need by our side as defenders.
What Great Candidates Look For
If you’re still struggling to find great candidates for your team, consider what the most great candidates look for in a company and in a job description.
Great candidates want to understand the role, the company, and their expectations.
- To Understand the role - they want to know things like - What would their direct responsibilities be? And What would their day-to-day look like?
- To Understand the company - they’ll research your industry, growth opportunities within your company, and company health.
- To Understand their expectations - What is the success criteria for this role? And What is expected from them the first 30, 60, 90 days on the job?
Remember, great candidates need to see themselves working for you and your company. Great candidates will always do their own research about the companies they apply to.They will proactively reach out to talk to people at your company. They’ll want to know what you’re like as a manager, and what their future teammates are like.
Once you understand what great candidates are looking for, writing a job description that will attract great candidates is easy.
- Make sure you define the expectations and what success looks like. Outline what is expected from them in their first 30, 60, and 90 days on the job. Clearly define what the objective criteria for success is.
- You also need to define the role and responsibilities. Clearly define direct responsibilities, outcomes, and goals of the role. It might be tempting to list 20 or 30 responsibilities, but don’t do that. Limit the responsibilities list to 5-7 instead. This will help you clearly define what this person will be doing for you.
- Define the personality traits (aka “soft skills”) of a successful team member. Clearly describe what type of person you’re looking for in terms of “people skills”, like adaptability, ability to learn quickly and thoroughly, resiliency, and empathy. Use your company’s core values to help guide your hiring decisions. Don’t compromise on soft skills!
Finally, remember that interviewing is a 2-way street. Great candidates want to be sold ON the job, just as much as they want to sell themselves FOR the job. So stay positive, curious, and humble when speaking with candidates. Treat them as your equal, because they are.
Reflection: Review Your Most Recent Job Description
Now that you know what a good job description looks like, let’s review yours. Let’s see if they are written in a way that will attract great candidates. For this exercise, start with any open position on your team, regardless of seniority level, or your own.
Here’s a rubric. Compare each section within your job description with the scoring table. Give each a grade from 0 to 4, 4 being the best. Again, be objective with the scoring.
| Job Description Element | Rating | Rating | Rating | Rating | Rating |
|---|---|---|---|---|---|
| 4 - Exemplary | 3 - Above Average | 2 - Acceptable | 1 - Weak | 0 - Not asked | |
| Job Title | Job title is listed in the NIST Cybersecurity Workforce Framework. | Job title is listed in the NIST Cybersecurity Workforce Framework. | Job title cannot be found in the NIST Cybersecurity Workforce Framework. | Job title cannot be found in the NIST Cybersecurity Workforce Framework. | Job title is not listed |
| Job title is accurate for amount of responsibility required of the position. | Job title is accurate for amount of responsibility required of the position. | Job title is accurate for amount of responsibility required of the position. | Job title is inaccurate for amount of responsibility required of the position. | ||
| Job title is common in the security industry (i.e. no “custom” job titles). | Job title is common in the security industry (i.e. no “custom” job titles). | Job title is common in the security industry (i.e. no “custom” job titles). | Job title is not common in the security industry or is confusing (i.e. uses “custom” job titles). | ||
| Job title uses standard terms for seniority, like Senior, Engineer, and Analyst. | Job title uses standard terms for seniority, like Senior, Engineer, and Analyst. | Job title uses standard terms for seniority, like Senior, Engineer, and Analyst. | Job title does not use standard terms for seniority, like Senior, Engineer, and Analyst. | ||
| Job title does not use internal grading or scaling terms, like “IV”. | Job title uses internal grading or scaling terms, like “IV”. | Job title uses internal grading or scaling terms, like “IV”. | Job title uses internal grading or scaling terms, like “IV”. | ||
| 4 - Exemplary | 3 - Above Average | 2 - Acceptable | 1 - Weak | 0 - Not asked | |
| Summary Section | Summary immediately grabs the attention of the reader using a one or two sentence “hook” | Summary is attention grabbing, but could be rewritten for brevity. | Summary does not grab the attention of the reader. | Summary does not grab the attention of the reader. | Summary not listed. |
| Summary includes company mision and values. | Summary includes company mision and values. | Summary includes basic information about the company. | Summary does not include information about the company. | ||
| Summary provides a short description of the job responsibilities and expectations for the role. | Summary provides a short description of the job responsibilities and expectations for the role. | Summary provides a long description of the job responsibilities and expectations for the role. | Summary provides a long description of the job responsibilities and expectations for the role. | ||
| Summary provides possible growth opportunities for the role. | Summary provides possible growth opportunities for the role. | Growth opportunities for the role are not mentioned. | Growth opportunities for the role are not mentioned. | ||
| 4 - Exemplary | 3 - Above Average | 2 - Acceptable | 1 - Weak | 0 - Not asked | |
| Key Responsibilities | Key responsibilities list only the core duties of the position. | Key responsibilities list the core duties of the position as well as some non-core duties. | Key responsibilities list the core duties of the position as well as some non-core duties. | Key responsibilities list all possible job duties and tasks. | Key Responsibilities not listed. |
| The list of skills & qualifications is short, between 5-7 bullets points. | The list of skills & qualifications is 5-7 bullets points. | The list of skills & qualifications is 5-7 bullets points. | The list of skills & qualifications is 10+ bullets points. | ||
| Key responsibilities clearly specify who the position reports to and the other roles and departments within the organization the position will work with. | Key responsibilities clearly specify who the position reports to and the other roles and departments within the organization the position will work with. | Key responsibilities do not specify who the position reports to or which other roles within the organization the position will work with. | Key responsibilities do not specify who the position reports to or which other roles within the organization the position will work with. | ||
| 4 - Exemplary | 3 - Above Average | 2 - Acceptable | 1 - Weak | 0 - Not asked | |
| Skills & Qualifications | Skills & Qualifications include only the must-have requirements in order to perform the core duties of the position. | Skills & Qualifications include more than the must-have requirements in order to perform the core duties of the position. | Skills & Qualifications include requirements needed in order to perform more than the core duties of the position. | Skills & Qualifications include requirements needed in order to perform more than the core duties of the position. | Skills & Qualifications not listed. |
| Nice-to-have skills are clearly specified as preferred. | Nice-to-have or optional skills are not clearly specified as preferred. | Nice-to-have or optional skills are not clearly specified as preferred. | Nice-to-have or optional skills are not clearly specified as preferred. | ||
| Previous work experience is not measured in years, but rather in proven competencies and historical success. | Previous work experience is not measured in years, but rather in proven competencies and historical success. | Previous work experience is measured in years, not by proven competencies or historical success. | A certain number of years’ experience is required. | ||
| Soft skills, such as critical thinking and teamwork, are clearly specified. | Soft skills, such as critical thinking and teamwork, are clearly specified. | Soft skills, such as critical thinking and teamwork, are not clearly specified. | Soft skills, such as critical thinking and teamwork, are not incuded. | ||
| The list of skills & qualifications is short, between 7-10 bullet points. | The list of skills & qualifications is short, between 7-10 bullet points. | The list of skills & qualifications is 10+ bullets points. | The list of skills & qualifications is 10+ bullets points. | ||
| 4 - Exemplary | 3 - Above Average | 2 - Acceptable | 1 - Weak | 0 - Not asked | |
| Company Overview & Benefits | Salary range is clearly listed. | No salary range is given. | No salary range is given. | No salary range is given. | Company Overview & Benefits not listed. |
| Company Overview & Benefits section includes a brief history of your company, its mission, value proposition, and top-selling products or services. | Company Overview & Benefits section includes a brief history of your company, its mission, value proposition, and top-selling products or services. | Company Overview & Benefits section includes a brief history of your company, its mission, value proposition, and top-selling products or services. | Either company overview or benefits are not listed. | ||
| This section lists your company’s standard benefits package, including information on health insurance, vacation policy, retirement savings contribution, holidays, and bonus structure. | This section lists your company’s standard benefits package, including information on health insurance, vacation policy, retirement savings contribution, holidays, and bonus structure. | This section lists your company’s standard benefits package, including information on health insurance, vacation policy, retirement savings contribution, holidays, and bonus structure. | This section does not list information on your company’s standard benefits package. | ||
| All other non-standard perks are also listed, such as training reimbursement, ancillary lines of insurance, and charitable work. No salary range is given. | All other non-standard perks are also listed, such as training reimbursement, ancillary lines of insurance, and charitable work. | No other non-standard perks are listed, such as training reimbursement, ancillary lines of insurance, and charitable work. | No other non-standard perks are listed, such as training reimbursement, ancillary lines of insurance, and charitable work. | ||
Once you’re done rating all of the sections, tally up and average the scores.
- If your average is 3 or higher, your job description is solid. Ask a peer to grade you as well, and see if their scores agree with yours.
- If your average is between 2 and 3, you’ve got room to improve. Work on getting your lowest scoring section or sections above your average score.
- Finally, if your average is lower than 2, here’s an opportunity. Consult with your HR team or a trusted mentor to improve. Use this grading rubric as a guide to reword your sections.
Poorly written JDs can impact your ability to attract and retain talent. You want to review the JDs of your team regularly, and across seniority levels.
Remember, you want to hire the best! So don’t let a bad job description be the reason why you don’t attract great candidates.