Informatio security hiring canvass from hiring managers' perspective

Here on TE we often hear about problems when it comes to grabbing a good Information security job. There are lots of threads in which job seekers have vented their frustrations as to how hard job search in this industry seems to be.
Since we have lot of Infosec professionals here who are also acting as interviewers or hiring managers so I am wondering if we can hear from them as to how things look from their perspective when it comes to cybersecurty hiring.
For example in major cities, for (Sr.) Security Analyst jobs requiring CISSP, GCIH or Sec+, what are your observations regarding the following:
1. Are you getting dozens of resumes or hundreds?
2. Are most of resumes lacking in certifications like CISSP or do we have an over abundance of applicants with certs?
3. Are most of applicants' resumes reflecting job requirements or are applicants just firing generic resumes?
4. During face to face interviews, are you noticing any major skills gap? If yes your first preference is to wait for next perfect candidate or you are talking to applicants to see if they are willing to learn and/or start at lower salary?

Find more posts tagged with

Comments

UnixGuy

I'm not in the US, but I'll answer..

1) I get dozens not hundreds, but I'm in a smaller market

2) I don't ask for CISSP for technical positions, but some people have it. There is no abundance of certified candidates, most candidates have no certs or just have CCNA

3) Generic resumes, I get a lot of Windows admins wanting to move to security

4) yes, the major skills lacking are foundation skills. Some know how to use Splunk but they lack basic understanding of servers/networks.

Kapital

UnixGuy wrote: »

I'm not in the US, but I'll answer..

1) I get dozens not hundreds, but I'm in a smaller market

2) I don't ask for CISSP for technical positions, but some people have it. There is no abundance of certified candidates, most candidates have no certs or just have CCNA

3) Generic resumes, I get a lot of Windows admins wanting to move to security

4) yes, the major skills lacking are foundation skills. Some know how to use Splunk but they lack basic understanding of servers/networks.

Thank you

cyberguypr

I recently posted an Infosec Engineer role. I got some good resumes.

1. I had the role open for like 3 weeks. Received around 40 resumes. Only thing that struck me as odd is that none were from my industry, which I find strange.
2. We don't require any certs but most, if not all, had at least CISSP. One guy had like 8 GIAC certs. So no shortage of certs.
3. My internal recruiter does initial light screening so not everyone makes it to my inbox. The resumes that made it to me weren't generic per se. They were however not fully tailored to my job posting, except one or two. They could've defnitely done a better job making sure they hit my key points.
4. No major gaps that I noticed. Sure, some people may not have been exposed to our particular toolsets or technologies, but if you have a solid base I can teach you anything so it's not a massive factor for me.

The biggest problem I saw is twofold. First, a lot of people lack passion. I know some here don’t buy into the passion thing but this is something my team cares about deeply. No, this doesn't mean working 60 hours a week. For us part of it is a real desire to get to the bottom of things, innovate and improve tools and processes, being creative, showing desire to grow, etc. For us this is fuel and if you don't have it then it messes up our team dynamic.

The second issue I encountered is expected compensation. I take good pride in the fact that I always keep tabs on the local infosec market. The compensation for my role was certainly in line with the duties for the market. However, I got many people pushing for ridiculous salaries. That plus everyone wanted full work from home, which I can't accomodate right now since 75% of my team is remote and I need people in the office.

Danielm7

1. Are you getting dozens of resumes or hundreds?
2. Are most of resumes lacking in certifications like CISSP or do we have an over abundance of applicants with certs?
3. Are most of applicants' resumes reflecting job requirements or are applicants just firing generic resumes?
4. During face to face interviews, are you noticing any major skills gap? If yes your first preference is to wait for next perfect candidate or you are talking to applicants to see if they are willing to learn and/or start at lower salary?

1. Just opened up another position for a security engineer, so the resumes haven't started yet, but from my last one it was more on the dozens side than hundreds.
2. Certs were all over the place, lots of "CISSP qualified" or other vague BS, I don't require any certs but they're on the nice to have area. I didn't notice much in the way of skills difference between the cert holders vs not.
3. Fairly generic
4. I found soft skills to be a huge gap that most people don't want to talk about. I don't work in a tech company, you don't get to sit in a little silo, face down and just work, you have to interface with people, in meetings, nicely. I had a few people who might have been technically solid but they rubbed me the wrong way and I didn't trust them in the least, pass.

As with cyberguypr, I had some people ask for 100% remote when it wasn't mentioned at all in the job listing or brought up at all during the interview. They got near the end and basically demanded that they be 100% remote even though they lived 10 minutes away. The funny part is remote work is my choice for people I manage, up to a point, so I have people who do up to 3 days a week at home, but I can't advertise that as per HR. Had they not been such pricks about it during the interview I could have probably made them a good deal.

Kapital

Danielm7, cyberguypr
It is interesting to note that your observations are similar. SO it does look like that gainfully employed are looking to make the switch to even more lucrative posts, hence the problem to retain talent.

jaguaar

cyberguypr wrote: »

I recently posted an Infosec Engineer role. I got some good resumes.
The biggest problem I saw is twofold. First, a lot of people lack passion. I know some here don’t buy into the passion thing but this is something my team cares about deeply. No, this doesn't mean working 60 hours a week. For us part of it is a real desire to get to the bottom of things, innovate and improve tools and processes, being creative, showing desire to grow, etc. For us this is fuel and if you don't have it then it messes up our team dynamic.
The second issue I encountered is expected compensation. I take good pride in the fact that I always keep tabs on the local infosec market. The compensation for my role was certainly in line with the duties for the market. However, I got many people pushing for ridiculous salaries. That plus everyone wanted full work from home, which I can't accomodate right now since 75% of my team is remote and I need people in the office.

Hi cyberguypr - Could it be that both the above issues stem from same problem? The problem of cyber security industry placing too much emphasis on trained applicants rather than offer a chance to untrained ones?
As an employer I might spend six months looking for perfect worker. The problem is that when I find such worker often he is looking for a perfect employer and jumps ship very fast

E Double U

Might be a bit off topic, but this thread made me wonder about something.

How do hiring managers feel when they are contacted directly by a potential candidate instead of going through the normal process of submitting an application? I ask this because I like to reach out to organizations that I find interesting even if there is no position that has been posted. My goal is to arrange an informal conversation to learn more about the team and sort of interview them. I also like getting direct feedback from a team manager about my skills instead of getting stuck at HR or an internal recruiter.

When I applied for my current role, my application was rejected for not speaking the local language. I requested to have my resume forwarded to the hiring manager anyway and even emailed someone from the organization that I looked up online. My resume made it to the hiring manager and the rest is history.

LionelTeo

1) Dozens
2) CISSP is useless in technical work. Certs are good but doesnt represents a candidate thats good. I had worked with colleagues who rejected candidates with certs before.
3) You probably get a few good ones but most are just random fires.
4) Usually candidates wrote stuff they know on their resume but dont know how to answer when asked with a scenario on it. Candidates cant explain the details, multiple considerations and steps taken when given a scenario question. While we are looking for candidates who can consider multiple consideration and look at multiple perspective to solve a problem, most are just expecting a process to follow.

paul78

E Double U wrote: »

How do hiring managers feel when they are contacted directly by a potential candidate instead of going through the normal process of submitting an application?

If the contact came through a mutual relationship, I'll always take a call or trade an email with the candidate. I always accept a referral because I believe it's good professional courtesy. If it's a cold contact, I would respond - again because I believe it's the courteous thing to do - but I may not necessarily take a call with that candidate. I do feel that anyone that would make the extra effort deserves the courtesy of a response - especially if they were able to find my email address.

To the OP's questions - depending on the role and if we were self sourcing or using a recruiter, in the past when I was building security teams, I could get anywhere from dozens to hundreds of applications. I don't look for certs in a resume but if a candidate has a cert and makes it into an interview - then topics covered in the cert become fair game for technical questions.