Don’t use general recruiters in salary negotiations

This installment of a 3-part series argues that it is best to hire a recruiter with security ties who knows the market.

In part 1, I wrote of the disparity in information security salaries between what is being offered and the true market rate.

For those in the salary phase of an offer, Andrew Hay has created a handy Salary Negotiation Workbook that can make the often tense salary negotiations easier. One of the benefits of using a recruiter is that they can handle that negotiation for you.

Turning to recruiters: companies that recruit information security professionals often rely on internal recruiters, outsource to RPOs (recruitment process outsourcing firms), and/or use external recruitment firms. Most of these recruiters lack information security recruitment expertise; many are IT generalists, junior or inexperienced, or do not have the resources to focus on IT security roles.


Generalist IT firms typically recruit for a wide variety of IT positions, and security is often new to their portfolio. These staffing firms fill a wide range of functions, whether in technology, sales, marketing or anything in between.

Although these firms can be very good at what they do, far too often they do not understand the nuances of information security, especially as it relates to cybersecurity, security operations, network security, security architecture, privacy, malware reverse engineering, forensics and threat analytics, just to name a few.

A recruiting organization’s industry reputation, level of service and professionalism (or lack thereof) can also affect recruitment efforts, especially when a recruiter asks “do you have CISSP?” or “are you CISSP?” Emails, LinkedIn messages or position postings that contain spelling mistakes (enmap for nmap, Checkpoints for Check Point, etc.), poor grammar, and errors in security technology or requirements are also significant red flags for prospective candidates and industry professionals.

Race for talent

Firms that are serious about hiring qualified information security talent would be better served by using a recruiter or search firm with a specific focus on information security. These firms often have a vetted candidate pool, are recognized as trusted advisers, and bring relevant experience to the security community and the global hiring space. The cyber security skills gap, coupled with a nearly zero unemployment rate and a growing shortage of security talent worldwide, requires competitive offers, attractive opportunities, resources and stakeholder commitment to attract qualified information security professionals.

Tracy Lenzner, founder and CEO of LenznerGroup, has exclusively recruited in information security, cyber defense and risk management for over a decade. She notes that “as a result of the exponential breach landscape, coupled with acceleration of global threats around digital markets, organizations acknowledge the increased complexity surrounding cyber risk”.

The global race for information security talent will be won by organizations that successfully recruit and retain top security professionals. Additionally, as the IoT continues to expand, so will demands on securing businesses, governments, critical infrastructures, and the consumer marketplace. According to Gartner, global spending on cybersecurity by governments and corporations is expected to hit $86 billion by 2016.

Lenzner also noted that with heightened oversight by boards and regulators, companies are required to demonstrate cyber resilience. Like financial markets, the digital economy depends on trust and confidence in the security, sustainability and reputation of an organization’s product, service and/or enterprise. Lenzner expects to see a significant rise in, and a continued shift from traditional security roles to, new board and advisory roles: CSO/CISO, Digital Risk Officer, Chief Privacy Officer, Cyber Security Attorney and others, with dotted-line relationships to numerous corporate executives and business functions.

These practitioners will be required to build robust and diverse programs across physical, cybersecurity, business and digital domains, requiring high visibility, accountability and engagement. Today’s information security leader must have exceptional organizational, strategic, technical and business acumen to effectively translate, advise and champion critical topics to IT and non-IT stakeholders.

As a result, competition for these rare individuals and their teams will remain intense among organizations worldwide. And you likely won’t be able to find such talent using a generalist recruitment firm.

About the author: Ben Rothke CISSP (@benrothke) is a Senior eGRC consultant with Nettitude, writes the Security Reading Room book review blog and is the author of Computer Security: 20 Things Every Employee Should Know.
