Focus: How to Hire Top Cyber Security Talent.

The Story:

We had an immediate staffing need. The CISO communicated it to our Managing Partner. He told us, “They said we need a DIACAP Specialist.” They failed a recent audit. I need a Security Architect, a Security Program Manager, and security-experienced Systems Admins. The architect and program manager will lead point. The admins will focus on hardening the systems. They said that it’s really simple once you understand the NIST 800-53 series. The STIGs… put out for DOD compliance from a security standpoint. The client had failed, as many organizations do from time to time. Failing to keep their patching up to date is what was flagged by the review. They had to get it fixed quickly, so it was all hands on deck. Their next audit was coming up in 8 months, so they needed everything to pass with flying colors. The penalties for a finding and any subsequent legal fees can be stifling.
So, puzzled, we asked him, “Uh, what’s a NIST, and what’s a STIG? Is it STIGs?” He was too prideful to look embarrassed and too green about security to ask deeper probing questions. We started researching over the next week. In total, over a 6-week period, we filled all 8 security roles, including a couple of additional ones in Disaster Recovery, in a less than ideal location in the middle of the winter. It was a small team coming together to take the organization to the next level. We had had several one-off deals, but nothing this substantial for so long. Coming up with other security frameworks and terminology, we filled the project. At any given point, there were 7-10 professionals on the team, depending upon the need for a particular project. It was a large portion of business for a small business. Later on, we worked with an organization that was held to really strict guidelines. Each professional was required to have a security clearance, which narrowed down a limited supply even further depending upon what information they would have access to. The background checks can be a 6+ month process.
Identifying the need for an organization that strictly focuses on the space led to the launch of Henning Staffing Inc.  We are here to serve our clients and candidates to the best of our ability based upon our experience.

The Problem:

The cyber security profession has had zero percent unemployment for several years. Currently, there are 498,000 unfilled roles in North America alone. This shortage leaves businesses competing for the same small yet experienced talent pool. This is creating a war for cyber security talent. An estimated 3.5 million cyber security jobs will go unfilled by 2021, making plans to attract, interview, and hire cyber security professionals very important.

Many organizations fail to plan their cyber security hiring processes. This impacts the candidate experience, time to fill the position, and the quality of hire. Failing to set the number of interviews and who needs to take part are two main issues. It becomes difficult to manage candidates’ expectations, which makes for a poor candidate experience. It extends the time to fill while the best candidates take other opportunities. As a result, organizations hire the “leftover” candidates, reducing the quality of hire.

Besides not having a hiring plan, many cyber security leaders lack a personal brand strategy. They restrict their recruiting efforts to their internal talent acquisition teams. These teams often rely on an ineffective “post-and-pray” tactic because they’re spread so thin. They end up dictating the quality of candidates based on the employer’s brand.

Lastly, cyber security leaders have a traditional mindset when it comes to interviewing. They only focus on what the candidate can do for them, not what the role and their leadership skills can do for the candidate’s career. Lack of empathy and tact can also negatively impact the interview, as can treating candidates as replaceable parts of a machine rather than as human beings. As a result, they lose the interest of the best candidates who can solve their challenges. This translates to frustration for leaders, candidates, and recruiters.

The Solution:

As with any war, it is not always the largest army that wins, but rather the one with the best strategy. Organizations must have an effective plan to hire the best cyber security talent. Here, we will discuss 3 ways to improve your business’s cyber security hiring process:

  • First, start by planning out the entire hiring process. We do this with our clients at the beginning of every engagement. Planning out the process improves the candidate experience. The process also stays as organized and streamlined as possible.
  • Second, cyber security leaders can improve their personal branding to attract better talent. Small changes to their social presence improve the quality of candidates they attract. Just as a positive article about a company can boost the public’s view of their product or service, a clean and professional presence will increase the quality of candidates.
  • Third, start selling the opportunity during the interviews. While the candidate is already interested in the opportunity, it’s important to convey the role in an engaging way. The interview process is equal parts selling and figuring out the best fit for the role.

What to do:

Plan your hiring processes:

A detailed hiring process plan improves the candidate experience, time to fill, and quality of hire. The importance of a positive candidate experience is well documented. Also, having a plan creates efficiency, which shortens the time to fill the position. Quality of hire improves as top candidates are on the market for a short period of time. The reasons are clear on why you should first plan your hiring process.

The plan should include the number of interviews and who will be participating. For example, you may plan to have a phone interview, two onsite interviews, and then make a decision. The hiring authority will conduct phone interviews. Then the rest of the team participates in the onsite interviews. As a result, you will have an interview road map on the front end to manage candidate expectations. 82% of candidates expect potential employers to provide a clear timeline for the hiring process and to keep them informed throughout the process. With a plan, the candidates know where they are in the hiring process and when to expect feedback. Maintain the interest of the candidates while you conduct other interviews by having this plan of action in place.

Next, plan out the interview structure for each step in the hiring process. The interview structure will vary depending on whether it’s a phone or onsite interview. Plan the must-ask questions for each round. Begin the interviews by sharing the structure with candidates to manage expectations, again providing them with the best candidate experience possible. Structuring your interviews makes the decision-making process easier as well. In our previous post, we detailed How to Structure a Cyber Security Interview.

Personal Branding Strategy:

Beyond the employer brand, cyber security leaders should improve their personal branding. Crafting a personal brand will help you attract and hire better talent. The most talented professionals seek to work with thought leaders to learn from.

There are a couple of steps you can take to aid your personal branding efforts, such as tweaking your LinkedIn profile summary. For example, share your leadership style and the type of professionals you seek to lead. Also, you should highlight examples of how you’ve mentored team members. If you have coached someone who has become a peer, you should ask for a recommendation. Usually, candidates doing proper research view LinkedIn profiles of the leadership team when considering an opportunity.

Above all, have a consistent presence in cyber security communities and networks. Attend industry conferences and local cyber security association events. Become a keynote speaker or take part in a cyber security podcast. Write white papers to show your expertise. As a result of these efforts, you will improve the quality of candidates that you attract to your open positions.

Create a WIIFY Mindset:

To hire the best cyber security talent, you must create compelling reasons to join your team. Do this by creating WIIFY statements, an easy-to-remember abbreviation standing for “What’s in it for you?” Frame these statements from a value and benefits perspective. For example, what value will the role provide the candidate? What is the long-term career benefit to them in taking the position?

Interviewing is a two-way street! You’re determining if the candidate is a good fit for your role and the organization. Similarly, the candidates are deciding if your opportunity advances their career. So even though your role is in cyber security, you’re also in a sales position. You’re selling the opportunity for them to join your team and organization.

Be empathetic by putting yourself in their shoes: think back to when you were at their point in your career. Think about what was most important to you when your career first began. What sort of leadership style did you respond to? What sort of workplace culture did you expect? Reflecting on these questions will help you to create a meaningful candidate interview experience.


Properly structuring interviews improves the interview experience for both interviewers and interviewees alike. We have previously demonstrated the importance of the candidate experience and how to structure your cyber security interviews.  Coupled with these 3 tips, you will not only gain an edge in the cyber security war for talent but continually attract top cyber security talent.

As always please share, like, or comment below if you found this beneficial. If you disagree that’s great too! We’re always open to learning and enjoy discussing these topics with others.

If you’re currently seeking cyber security talent and looking to secure talent long term through a great candidate experience and proven results, then we are the right boutique firm for you. Please set a needs analysis meeting. Also, if you’re interested in learning more about our career coaching and interview preparation services, please contact us by sending an email to

Be secure, safe and happy!