{"id":1539,"date":"2025-01-16T06:00:00","date_gmt":"2025-01-16T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1539"},"modified":"2025-01-16T06:00:00","modified_gmt":"2025-01-16T06:00:00","slug":"cybersecurity-hiring-is-deeply-flawed-demoralizing-and-needs-to-be-fixed","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1539","title":{"rendered":"Cybersecurity hiring is deeply flawed, demoralizing, and needs to be fixed"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>When people think about starting a new job, words like \u201cexciting,\u201d \u201cmotivating,\u201d and \u201crewarding\u201d often come to mind. The search for a new role represents an opportunity to embrace fresh challenges, grow professionally, and explore untapped potential. However, for many in cybersecurity, the reality is far from this ideal.<\/p>\n<p>The job market has become an exhausting and deeply flawed experience. What should be an inspiring journey often turns into a demoralizing maze, leaving candidates, recruiters, and hiring managers frustrated and questioning the system itself. If you\u2019ve ventured into this landscape recently, you\u2019ve likely felt the strain \u2014 clearly, something isn\u2019t working, and it\u2019s time for us to rethink how we approach the process.<\/p>\n<p>The current economic landscape hasn\u2019t helped. Inflation, high interest rates, and stagnant wages have pushed professionals to seek higher-paying roles, often out of necessity rather than ambition. 
At the same time, the ease of applying for jobs has reached unprecedented levels.<\/p>\n<h2 class=\"wp-block-heading\">Automation hasn\u2019t helped the hiring process<\/h2>\n<p>Tools such as LinkedIn\u2019s one-click application feature have transformed what was once a thoughtful process into a scattershot approach. Candidates now send out dozens of applications in minutes, overwhelming hiring pipelines with irrelevant or poorly targeted resumes. Andrew Wilder, CSO at Vetcor, captures the frustration: \u201cQualified security professionals are now having to market themselves hard. The ease of applying for jobs creates noise, and that noise drowns out highly qualified candidates.\u201d<\/p>\n<p>Automation was supposed to alleviate this problem but has instead worsened it. Applicant tracking systems (ATS) were designed to handle large volumes of applications, but they often filter out strong candidates based on rigid keyword matching or superficial criteria.<\/p>\n<p>These systems, derisively referred to as \u201capplication trashing systems\u201d by many job seekers, eliminate resumes that don\u2019t fit their narrow parameters. Professionals with years of relevant experience are rejected outright for lacking specific buzzwords or certifications. \u201cAutomation is papering over the cracks in a broken system,\u201d Ziff Davis CISO Sai Iyer tells CSO. \u201cATS tools exacerbate the issue, and the result is a cycle where neither companies nor candidates get what they need.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Some organizations don\u2019t seem to know what they\u2019re looking for<\/h2>\n<p>Even when resumes make it past the ATS, they frequently land on the desks of recruiters who may lack the expertise to assess nuanced cybersecurity roles. 
This is especially problematic in an industry like cybersecurity, where roles often require <a href=\"https:\/\/www.csoonline.com\/article\/3615797\/the-most-in-demand-cybersecurity-skills-today.html\">highly specific skills and experience<\/a>. \u201cWhat one organization calls a CISO is a completely different role elsewhere,\u201d says Lee Mangold, CISO at Fortress Information Security. \u201cCompanies aren\u2019t just struggling to find the right candidates \u2014 they don\u2019t even know what they\u2019re looking for.\u201d<\/p>\n<p>The frustrations don\u2019t stop there. Cybersecurity professionals often encounter job descriptions that are contradictory or unrealistic, demanding expertise in every conceivable domain of security. This confusion trickles down from hiring managers, who often <a href=\"https:\/\/www.csoonline.com\/article\/2094993\/finding-the-perfect-match-what-cisos-should-be-asking-before-saying-yes-to-a-job.html\">lack a clear understanding of the role themselves<\/a>.<\/p>\n<p>Mangold posed a critical question: \u201cWhat, exactly, are you looking for in your CISO role? Do you know? I don\u2019t think most organizations can answer this question, and I don\u2019t think you can just blame that on HR \u2014 there\u2019s a hiring manager somewhere who must tell HR what the job description should include.\u201d<\/p>\n<p>This lack of clarity extends to the broader recruitment process. Many companies rely on \u201cghost jobs\u201d or \u201cevergreen roles\u201d to give the illusion of growth or activity. These are postings for roles that either don\u2019t exist, have already been filled, or are merely kept live to build a talent pipeline.<\/p>\n<p>While some see this as a proactive approach, it often backfires \u2014 signaling to candidates that a company struggles to hire or retain talent. 
Candidates spend hours crafting tailored applications for jobs that were never real to begin with, leading to frustration and eroded trust.<\/p>\n<h2 class=\"wp-block-heading\">Ghosting candidates after numerous interviews erodes trust<\/h2>\n<p>Compounding this issue is the troubling phenomenon of recruiters and hiring managers ghosting candidates after multiple interviews, leaving professionals in the dark about their status and eroding trust in the process. Even when a job is legitimate, the hiring process itself often borders on the absurd.<\/p>\n<p>Candidates are subjected to drawn-out interview cycles with 10 or more rounds spread over several months, often including requirements to produce detailed deliverables such as cybersecurity strategies, 90-day plans, or mock board presentations. This exhausting approach not only depletes candidates\u2019 time and energy but also represents a staggering resource drain for companies, creating inefficiencies that benefit no one.<\/p>\n<p>On top of these systemic issues, the <a href=\"https:\/\/www.csoonline.com\/article\/1293456\/three-of-four-cisos-ready-for-job-change.html\">cybersecurity employment market<\/a> itself is shifting. Regulatory changes, such as the SEC\u2019s new cyber disclosure rules, have led some companies to view cybersecurity as just another business risk to be managed, often through insurance rather than robust security leadership.<\/p>\n<p>\u201cMany firms have shifted their focus from hiring CISOs to simply managing risk through insurance and standardized disclosures,\u201d veteran CISO Rich Ronston tells CSO. \u201cThis evolution, while cost-effective in the short term, undervalues the strategic importance of cybersecurity leadership and leaves companies exposed in ways they may not yet realize.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Improving the hiring process should start with hiring managers<\/h2>\n<p>So, how do we fix this mess? 
For starters, companies need to redefine their approach to hiring and crafting job descriptions. Roles must be clearly articulated with specific expectations, responsibilities, and outcomes. This clarity would help recruiters and candidates alike, reducing mismatches and wasted effort.<\/p>\n<p>Hiring managers must take ownership of this process rather than leave it entirely to HR or recruiters. Wilder also suggested that recruiters should experience the systems they enforce on others: \u201cEvery recruiter should have to apply for a job using their own job application system before making others use it.\u201d This step would likely expose inefficiencies and drive improvements in user experience.<\/p>\n<p>Companies must also address the inefficiencies of prolonged hiring cycles. Setting strict timelines for interviews and decision-making would not only improve the candidate experience but also reflect well on the organization. For high-level roles like CISOs, Wilder proposed a creative solution: establish pre-arranged contracts with external recruiters, akin to incident response retainers. This would enable companies to quickly scale recruitment efforts when internal teams are overwhelmed.<\/p>\n<p>Finally, trust must be restored to the system. Ghost jobs need to disappear, and companies must provide transparent communication at every stage of the hiring process. AI tools are beginning to play a role here, offering solutions to improve communication by keeping candidates updated on their status, answering basic questions, and even providing recruiters and hiring managers with insights on their progress toward time-to-hire goals.<\/p>\n<h2 class=\"wp-block-heading\">Building a cybersecurity job market that works for everyone<\/h2>\n<p>While these tools hold promise, they should complement, not replace, human engagement to ensure candidates feel valued throughout the process. 
Feedback should be mandatory for every interview, regardless of the outcome, creating a closed-loop system that respects candidates\u2019 time and effort while fostering trust.<\/p>\n<p>\u201cFeedback isn\u2019t just a courtesy; it\u2019s a vital pillar of trust,\u201d says Gianna Driver, former CHRO of cybersecurity firm Exabeam. \u201cWhen delivered clearly and promptly, feedback transforms the hiring process, turning even a rejection into a moment of growth and respect for the candidate.\u201d<\/p>\n<p>The improving economic outlook presents an opportunity for change. With signs of recovery on the horizon, companies have a chance to revamp their hiring practices and eliminate inefficiencies that have long frustrated candidates and recruiters alike. The cybersecurity market is too critical to remain trapped in outdated approaches.<\/p>\n<p>\u201cThe act of going from employed CISO to unemployed CISO decreases your value immediately,\u201d Wilder says. \u201cCompanies need to rethink their approach to hiring if they want to attract and retain the best talent.\u201d<\/p>\n<p>The current system presents challenges for candidates, recruiters, and employers; however, it also offers a significant opportunity for improvement. By working together, we can transform hiring into a more efficient, transparent, and rewarding process.<\/p>\n<p>Candidates can focus on crafting thoughtful applications and leveraging networks. Recruiters can embrace tools and training to enhance their ability to identify top talent, while hiring managers can take ownership of defining roles and streamlining processes. Each step forward contributes to a better system, one that values effort, fosters trust, and matches talent with opportunity. 
Positive change is within reach, and with intentional action, we can build a job market that works for everyone.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>When people think about starting a new job, words like \u201cexciting,\u201d \u201cmotivating,\u201d and \u201crewarding\u201d often come to mind. The search for a new role represents an opportunity to embrace fresh challenges, grow professionally, and explore untapped potential. However, for many in cybersecurity, the reality is far from this ideal. The job market has become an [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1540,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1539","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1539"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1539"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1539\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1540"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_ro
ute=%2Fwp%2Fv2%2Ftags&post=1539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}