And no, I didn’t write the word ‘recruitment’ only because I know that if I want my post to become viral on LinkedIn, it has to be about recruitment. Of course, it should also feature some made-up, successful recruitment anecdotes told in first person that demonstrate the twist of fate, kindness, wisdom, and impeccable instinct. This article is about security recruitment, and no, it will not feature any anecdotes.
We all agree that making the right hiring decision requires knowledge and skill. Lack of knowledge is actually the most common mistake in the hiring process for expert functions, especially security. The hiring criteria for the security function are often determined by the business leadership of the company, the search is performed by a general placement contractor, and the process is finalized by Human Resources. Typically, the functions that run the hiring process from beginning to end know absolutely nothing about setting the requirements for the security function and how to really make an educated hiring decision.
Many times, the emphasis when hiring a security professional is put on education. Actually, formal education is often presented as the unit of measure. For instance, one formal degree equals 10 years of practical experience. However, in security, nothing can replace practical experience. Sometimes, the requirement is not even a relevant degree but basically any formal degree, to provide evidence that a candidate had the commitment and discipline to spend three or more years studying and has successfully overcome challenges to gain a degree. Basically, it appears that spending three years studying Visual Arts is as relevant and as convincing as spending 10 years in the military. In theory, it will demonstrate the same level of discipline, personal commitment and success in overcoming challenges and is equally relevant for the position. I do however agree that a matching degree should be regarded as a valuable addition that rounds up actual experience.
Second, in my opinion (which will certainly not help me win any popularity contest), professional society-issued certifications are often given a bit more weight than they actually deserve in the overall calculus of a hiring decision. Instead of being regarded as a valuable advantage they are usually viewed as the main criterion and the ultimate proof of knowledge, skill and abilities, and assurance of performance. Certificates that are based on self-study and successfully answering a certain percentage of multiple-choice questions will tell us a lot about candidates’ proficiency with technical details but will tell us absolutely nothing about their actual understanding of basics, personality factors, experience, convictions, routines, logic, strategic mindset, tactical approach to decision making, speed of reaction, practical use of concepts, simplicity when solving complex issues, etc. Basically, it will not give us any value other than what you can find online anyway.
Certainly, apart from making sure that a candidate possesses relevant knowledge and experience, we want to hire people that are well connected to the industry and have access to best practices and do not only rely on their own creativity. Also, one of the most important tools of security is the ability to effectively communicate. The language capabilities, understanding and appropriately responding to the unique combination of cultural variables, and fitting in the demographic structure of the company are vital for the overall success of the security function in any commercial organization. Simply, if security people are likely to privately socialize with others, they will work better together and produce better results. Finally, security needs to use business acumen when designing security strategies and must be able to understand and speak the language of the business in order to communicate them and defend them. Security is about bonding, not about James Bonding. Surprisingly, strong communication skills and business acumen are often just copy-paste buzz phrases that are instinctively listed in job descriptions but are rarely an actual requirement.
Probably the biggest misunderstanding when it comes to hiring and utilizing the expertise of security professionals is the linguistic confusion between Information Security and more traditional fields of Security. Now that Information Security has completely adopted the traditional security vocabulary, it is in many cases impossible to determine if job postings are intended for ICT security professionals or for their physical counterparts. It is quite common that job postings for ICT security roles contain expressions like “Guerrilla,” “Special Forces,” “Combat,” “Soldier,” “Hostile Environment Security Operative,” “SWAT,” and even “Border Control.” Recruiters and ICT professionals are actually racing to find innovative combat-like (or game-like) names and descriptions for Information Security roles, which only contribute to the overall confusion that already exists. In many cases, even after thoroughly and repeatedly reading a job ad, I still have trouble understanding who the position is actually intended for.
Finally, I have witnessed many cases of detailed, well-assembled job postings that describe a paranormal, multi-talented superhuman who will in practice, when hired, end up being no more than a guard commander.
Know what you need and what you need it for!
Do not look for the competences that you want but for those that you need!
Search for skills that you will actually use!
Make sure that you are really able to assess the candidates!
Make it clear to both yourself and the candidates who you are looking for!