Cybersecurity Hiring Manager Handbook

Working with Recruiters

Most Hiring Managers are uncertain how to work with Recruiters. So how can you get the most out of your staffing partners? Your relationships internally and externally will be crucial to your success.

Internal Recruiters

69% of cyber security professionals don’t believe that their HR department understands their hiring needs. – ISACA State of Security 2021 report.

It’s essential to understand how your Internal Recruitment (Talent Acquisition) team works – every company is different.

Here are a few questions you should ask to help understand their strengths and weaknesses:

Common issues you may find include:

Your goal is to get your roles prioritized over any others. However, most Internal Recruiters will focus on easier-to-find positions or roles that are needed in volume, such as helpdesk staff. Additionally, functions that are core to the company’s operations, like claims adjusters at an insurance company, will be given higher priority. It is common for Internal Recruiters to have targets based on the number of hires they find, compared to those filled via external agencies.

A great Internal Recruiter can be a tremendous asset, even if you use a third-party recruiter. The internal team will usually assist with the hiring process, and they must be bought into working with your third party. If not, they can be a bottleneck (or an active blocker) and quickly spoil any relationship, whereas a good Internal Recruiter can help speed things up and save you time.

Third-Party Recruiters

Create relationships with Cybersecurity Specialist Recruiters as soon as possible, as a great External Recruiter can add value even if you don’t currently have an opening. Having a trusted source will be crucial to building your teams in the future.

A Specialist External Recruiter can help you even before you engage them, and they will be able to tell you about typical backgrounds, competitors, and compensation. Salary surveys are notoriously inaccurate and are rarely up to date, so ask a specialist if you want to know the current salary ranges for your position.

Where do you find your Specialist External Recruiter?

TIP: Looking at job postings similar to your role was always a common way to find them, but advertising is such a poor way to find candidates in this market that this is no longer valuable. Many of the best candidates do not respond to advertising, and so the best staffing companies aren’t the ones with the most advertisements.

How to Choose an External Recruiter

You’re going to build a relationship, and there is a lot of trust required, so don’t ignore your intuition because recruiters work harder for people they don’t want to let down. Still, it’s essential to ensure that the facts back up your gut feeling, so here are a few questions that should help:

TIP: Check out their website. It’s common for generalist IT agencies to fake their expertise.

TIP: Incentivizing your recruiter (internal or external) is the key to getting the most from your relationship. Remember, your goals are almost entirely aligned.

You both want to fill this position as soon as possible with the minimum amount of time invested.

That leaves you to focus on everything else you need to do, and the recruiter can focus on finding you a great candidate.

Common mistakes that lead to misalignment are mostly communication breakdowns.

Everyday things often seen are:

How a good External Recruiter will prioritize the roles to fill for you

  1. Manager buy-in – You are the most important person on the client-side of this process. If you are not 100% bought into recruiting and willing/able to give the time to hire, the whole approach will fail. Here are a couple of real-world examples of success and failure:

    FAILURE: A Hiring Manager (HM) passed the intake call to his Talent Acquisition (TA) / Internal Recruitment team. He said he was too busy for a call, that TA already had all the answers, and that the External Recruiter should speak with the TA team about any other questions. The External Recruiter advised the team that they would not be working on the role. Hiring is not a priority if you are too busy to take 30 minutes with the External Recruiter you are bringing in.

    SUCCESS: The role was open for nine months with no success. The External Recruiter, HM and TA all got on a phone call and went through the tech details of the position. TA had already covered the hiring/interview process and compensation to save the manager’s time. TA set up a standing weekly conference call for the HM, TA, and External Recruiter to run through detailed resume feedback and, later, interview feedback. The HM still gave feedback to ensure they didn’t lose momentum on new candidates. The client had the successful candidate’s resume within a week, and the role was accepted within three weeks.

  2. Hiring Process – Firstly, be honest with yourself and your External Recruiter about your process. A good External Recruiter can manage a poor or slow process if they know about it. A quick way to downgrade the focus on your position is for the process to turn out not to be what was promised. A slow process loses candidates, which means a recruiter may have to do 2 or 3 times the work on your position.

  3. Volume / Number of roles – If you hire multiple positions of the same type, your External Recruiter will have a higher chance of placing each candidate. Most External Recruiters are commission-based, so more placements mean more commission. Many commissions increase with more volume, like many sales roles. Commissions can be calculated monthly or quarterly, so getting a position filled within specific timeframes can be very important to the recruiter. As the Hiring Manager, you can use this to get more traction on your role.

  4. Fees – Most companies want to spend as little as possible, and an external agency (third-party recruiter) wants their fee to be as high as possible, but remember, if the above three are all great, you will get a much better deal. Do remember that cybersecurity is mostly low-volume recruitment, so don’t expect to pay the same price that you pay a general recruiter who can fill multiple IT roles with your company. Also, realize that if you get a low fee, you may find your position getting a very low priority, which will not achieve your goal.

Define Recruiter Filters

KIS. Keep It Simple. – Figure out what your absolutely essential requirements are.

Why a maximum of 5?

This allows the External Recruiter to start with a large pool and then use your desirables plus ongoing feedback to qualify the candidates to give you the best options. Typically, Hiring Managers should give 2 or 3 absolutely essential skills or areas of experience. Hiring Managers with more than 5 are usually the same ones looking for candidates that do not exist.

Technical Testing:

REMEMBER: A Specialist Cybersecurity Recruiter is an expert in cybersecurity recruiting, not in cybersecurity. If you want your candidates technically tested by the recruiter, you will need to invest some time. There are two options:

  1. Put together a multiple-choice Q&A that the External Recruiter can ask candidates on the phone – This is the better option.
  2. Find an online test that works for your specific position. Be sure to take it yourself to ensure it’s relevant to your particular job – This is not recommended in a candidate-driven market, as most candidates will not follow through because too many of your competitors do not require this.

Soft Skills:

Define what you are looking for specifically and what demonstrates that attribute. Then give your External Recruiter a list of questions to ask.

Question to ask if looking for “Passion for Cybersecurity”:

How to enable your External Recruiter

If you have done all the above, the External Recruiter now has the tools to use their network and find qualified candidates for you. Your goal is to ensure you do whatever is in your power to enable them to do their best job.

For example, can you give them a list of candidates you have already seen and ruled out, to avoid duplicate applications and keep the recruiter spending time with candidates new to you?

Expect that some tuning will be required during the initial period of the search. This will become obvious as you give feedback on the resumes and interviews. You may even end up making changes to the job description. The more detailed your feedback, the better qualified the follow-up candidates will be.

If your Talent Acquisition team or HR will be the External Recruiter’s point of contact, please ensure they understand the priority of these resumes. If a specific process is involved, i.e., uploading to an ATS, ensure this is followed but consider adding a step such as sending the resume directly to the Hiring Manager via email (TA can be CCed).

Many suitable candidates have gotten lost in an ATS because the line manager hadn’t been alerted to the resume, or because resumes were marked as unsuitable or rejected, either by the system or by TA, without a Hiring Manager seeing them. If you have a Specialist Recruitment Partner that only focuses on cybersecurity, then only the Hiring Manager should reject candidates.

Remember, the best outcome is the product of detailed feedback to ensure continuous improvement.