Creative recruitment more effective for hiring security talent

Innovative strategies can sieve cybersecurity talent and identify candidates with skills and mindset suited for changing security landscape, recruiters say.

Recruiters that adopt out-of-the-box methods will be better able to identify the right skillsets and mindset needed in the ever-changing security landscape, say market observers. But they note that companies should not "row the boat too far" or completely replace traditional interviewing and testing techniques.

Last month, British intelligence agency GCHQ launched a code-cracking competition as part of efforts to attract cybersecurity talent, calling for potential applicants to solve a code posted online. Individuals who were able to crack the code were given a keyword in a form field and redirected to the agency's recruitment Web site.

Other than puzzles, another "creative" recruitment method is challenging the candidate to find a security breach in the company's own network or attempt to break the current security policies, Roman Foeckl, CEO and founder of CoSoSyS, said in an e-mail interview.

Paul Ducklin, Asia-Pacific head of technology of Sophos, added that companies that assess prospective employees by inviting them to solve "hacker-type challenges" are more interesting than organizations that choose the traditional route of asking for a CV and regular interview questions such as "tell us why you would be an asset to company".

Using creativity to recruit cybersecurity talents helps candidates who may be interested in a specialized cybersecurity role decide if the position suits them, Ducklin said. If the person does not enjoy the puzzle, or is not interested in learning how to solve it, the job is definitely not for him, he noted.

Joseph Steinberg, CEO of Green Armor Solutions, added that compared to such creative methods of recruitment, standard testing methods often overlook general brilliance and creativity which are more valuable in the long term, than a specific skillset, that an employee can bring to a job.

He added that cybersecurity threats and technologies will change dramatically over a person's career, but a person's wisdom and a keen mind will always remain valuable.

Furthermore, Foeckl said security companies that employ creative strategies not only challenge their candidates but can also use these tests to check their own security policies. He cited that it might lead to companies becoming aware of threats they would not have otherwise known about.

Don't go overboard
Organizations that plan to issue challenges as part of a creative recruitment strategy must remember not to "row the boat out too far" by creating tests that encourage or appear to tolerate, unlawful, or unethical cybersecurity behavior, Ducklin warned. The Sophos executive noted that such challenges should be kept "clean and legal".

The reverse is also true for people who are trying to solve hacker-type challenges to impress a prospective employer, he added.

In addition, companies should be careful not to "expose themselves so much", Foeckl said. He explained that these creative methods may backfire and companies can become a target of cyberattacks, especially if the interview goes wrong for a candidate.

The background of the tested candidate should always be checked as a precaution, he advised.

Steinberg also warned that creative recruitment techniques should not replace classic interviewing and testing techniques. Even if the candidate's ability to solve puzzles is an indicator of appropriate skill, he may be a cultural misfit for the organization.

Likewise, if a position requires technical knowledge and experience, or good communication skills, no test for general smartness or creativity is going to ensure these needs are met, he added.

"The greatest puzzle solver may be a terrible hire," Steinberg remarked.