6 tips for effective security job postings (and 6 missteps to avoid)

MongoDB CISO Lena Smart wants to make a good impression on prospective employees.

So she’s attentive to what goes into the ads she posts when seeking to hire.

“I think people forget that these are the first introductions that many candidates have to their companies, and first impressions matter,” she says.

That may matter more today than ever before, given how much movement there is in the labor market overall and, more specifically, how fierce competition is for cybersecurity talent.

Of course, writing a compelling job posting isn’t an exact science, but Smart seems to have a knack for it. Even in this employee-driven market, one of her recent openings attracted 1,000 applicants.

So what’s the trick? Here are some do’s and don’ts of writing the kind of job posting that can bring such results:

6 things to include in security job postings

Do: Detail what the position requires

Smart says she avoids ambiguous comments and sweeping statements in job postings and instead details the responsibilities that each open position has.

“We delve into a lot more specifics than other companies do. We put in the expectations; there’s nothing vague about it,” she says.

Others promote that approach, saying it’s an important strategy for attracting the right candidates.

Michael Gray, CTO of managed services provider Thrive, says he lists examples of the work that the position requires day to day, noting that if candidates “can’t do them, we don’t want them anyway.”

Jason Baum, head of talent acquisition for Strata Identity, has a similar take.

“Not enough information will not attract enough of the right attention and/or typically will deliver far too many who do not have the required experience,” he says. “Since you have specific needs, don’t lead applicants on, confuse them, or use the exact same position description as your competitors. The right job description will allow you to narrow down the perfect candidate from a list of qualified candidates. The wrong job description will bring you confused candidates with varying levels of experience who decide to ‘throw an application out there.’”

Do: Be realistic about how much one person can accomplish

Veteran security leaders say they’ve seen ads listing responsibilities that no one could possibly handle or handle well within the typical workweek. Talented candidates look for red flags like that, says Candy Alexander, CISO for NeuEon and president of the international IS professional association ISSA.

As Alexander notes, “Candidates know there’s a difference between being challenged and being overworked, so be realistic as to what the job is.”

Alexander advises hiring managers to first review whether they’ve got appropriate expectations for the position itself and ensure that they’ve right-sized the position’s duties; they can post the job with a list of expectations and responsibilities once they’ve gone through that exercise. “Allow that person you’re hiring to be successful,” she adds.

Do: Indicate traits that would lead to success

Finding the best candidate for a role means identifying people who will enjoy the work and can handle the position’s idiosyncrasies—whether it’s a repetitious nature or a scripted routine or an unknown challenge every day.

Gray says it’s worth adding an indication about the kind of traits and preferences that would do well in a role to draw a qualified pool of candidates. That could mean writing into job postings questions like Do you like to solve problems? or Are you good at researching? or Are you OK figuring out solutions on your own?

“They’re similar to the questions we’d ask in an interview,” Gray adds. He explains that he has had to hire workers for positions in a highly-structured environment “where every detail has been worked out and all they have to do is complete the task in front of them.” Gray says spelling that out when advertising for the position helps ensure the company and the candidate are well matched.

Do: Be clear about your culture, mission

MongoDB has a clearly articulated mission posted on its website: “MongoDB empowers innovators to create, transform, and disrupt industries by unleashing the power of software and data.”

The company lists its core values online, too: Think Big, Go Far; Build Together; Embrace the Power of Differences; Make it Matter; Be Intellectually Honest; and Own What You Do.”

Smart says she likes to reference those in job postings, too. “Why wouldn’t I? You get people who strive to be part of it,” she says.

She says she also adds information about the company’s culture, such as its no-meeting Wednesdays and how the policy ensures staffers have at least one day of uninterrupted time for heads-down work.

“[That kind of information] helps make sure candidates are going to fit culturally,” she says.

Kyle Lai, president and CISO of KLC Consulting, which provides cybersecurity advice and vCISO services for U.S. defense contractors, agrees.

“Show what is the purpose and what are some of the things we’re trying to achieve,” he says, adding that hiring managers who convey their company’s vision are more likely to attract candidates who feel they can contribute to the organization and help it reach its objectives.

“You want to make sure they can and want to support it, and if they don’t believe in your vision and your mission, then they won’t apply,” he adds.

Do: Sell the position and the organization

The war for talent as well as the shortage of needed cybersecurity professionals are both well-publicized facts. Yet Alex Rice, co-founder and CTO of cybersecurity company HackerOne, says some managers haven’t internalized those realities.

“A lot of times people fail to realize just how much of a supply and demand imbalance there is in the security space. Talented cybersecurity professionals have their pick of jobs, and for any job posting you have, you’d be lucky to have them apply. But too many people write a job description in a way that’s very skewed to the employer. I don’t see anything in those ads that say why [the candidate] should apply for the job,” Rice says.

He adds: “You have to be in sales mode with every security job description you’re writing. Don’t assume anyone wants to work for you. That’s a hard thing for many people to grapple with.”

Rice says hiring managers should highlight what they can offer and use that in postings to attract candidates.

“If you’re a big tech company or you can pay massive benefits, then lean on that. And if you’re not in that bucket, think of what else you have. It could be your mission, that you invest in career growth, your culture,” he says. “You need that if you want to have any hope of filling a role with qualified candidates. And if you don’t know what that is, then you shouldn’t even put that job description up. Anyone who is talented and qualified is going to ask about that during the interview process anyway.”

Do: Be strategic about where you place your posts

Where job posts appear can have as much of an impact on success as the information they contain, Baum says.

“Job descriptions are part of a company’s talent brand. Where the descriptions are posted and the frequencies they are refreshed play a critical role,” he explains. “Use syndication platforms that strategically distribute the job to as many locations as possible for visibility. Posting jobs on Fridays so they are ranked higher during the weekend when potential job seekers are looking for new opportunities can also impact response. Industry or domain-specific sites, blogs or groups will also provide a more focused group of applicants.”

6 missteps to avoid

Don’t: Think of your ad as a wish list

“If you draft a job posting as a catchall, you’re not going to get who you’re looking for,” Rice says. Worse still, you could be signaling to candidates that you don’t know what you want or need. “It could speak to a deeper dysfunction in your cybersecurity [department] and you just broadcast that to the world.”

Don’t: Ask for excessive amounts of experience

If it’s an entry-level position, you shouldn’t be asking for years of experience, Lai says. In fact, he suggests questioning whether it’s even necessary to list a specific number of years of experience. “Do you really need, for example, eight years of experience in pen testing? Or would you be OK with five years, or maybe four? Or can you actually do an exercise with the candidate to find out if they’re qualified for this role?”

Don’t: Ask for excess education, either

“By asking for a set amount of education you might restrict yourself too much,” Lai says, adding that listing required skills rather than specific college degrees may attract the right candidates more quickly.

Don’t: Downgrade positions

Labeling a professional job as “junior” can be off-putting—especially if you’re looking for someone with any level of experience, Smart says. Rename the positions; instead of junior analyst, just go with analyst, for example, and then make the more experienced position in your organization a senior analyst.

Don’t: Use buzzwords or vague catchphrases

“If I’m a prospective candidate and I see buzzwords, it tells me you haven’t been thoughtful about what you need and/or you don’t know what you’re talking about,” Smart says.

Don’t: Outsource the task of writing the job posting

Experts agree that hiring managers (and often CISOs, too) should be heavily involved in writing the job posting to ensure that it accurately reflects their needs and speaks to security professionals on their level. “The hiring manager knows best what they need for that position and therefore the skills and what that position entails,” Alexander says.