A CISO Hiring Guide for Prescreening and Shortlisting Job Candidates

By Editorial Team | July 23, 2019

Sorting Through Job Applications

Even in very tight employment markets, such as the one prevailing in the cybersecurity field, a job posting can attract 40, 60, 80, or even 100 applications. Sifting through the applications and resumes that pile up so quickly can be a very time-consuming process, and there is certainly a lot of “chaff” in the submissions: half of all job applications contain inaccurate information, while another half fail to meet the basic requirements spelled out in the job ad.

Security leaders are very busy, and spending time interviewing candidates who fail to match the experience and qualifications they need can have a big impact on their productivity. In addition, having a position open for a lengthy period can become a real challenge for a cybersecurity organization—and a tangible pain point for a CISO. The reality is that cyber criminals don’t stop evolving their exploits and propagating their attacks while you’re short on headcount.

Why Prescreening and Shortlisting Candidates Is Important

To keep a recruiting process on track, both in terms of timing and identification of strong candidates for further consideration, CISOs and their hiring organizations need to develop rational, decisive, and repeatable processes to screen and shortlist the most promising candidates for interviews.

For CISOs whose organizations are struggling to recruit top-quality talent, there are a number of things that you can do to build and nurture a high-performing security team. This is why we created the CISO Hiring Guide Series, to provide security leaders with a checklist of things they can do to become more effective and efficient at recruiting, hiring, and onboarding workers.

This is the third installment of a six-part series; it addresses how CISOs and their HR recruiting partners can pare down the list of applicants to those that matter through screening and shortlisting (“Prescreening and Shortlisting Strong Candidates for Interview”).

Due to the sheer number of candidates at this early phase of the recruiting process, hiring organizations typically delegate screening to the human resources personnel supporting the hiring process. Nonetheless, as cybersecurity is a very technical function, security leaders often find that they are presented with candidates who don’t match their experience and qualification requirements. Further, for certain cybersecurity roles, hiring leaders are discovering that soft skills matter just as much as hard (technical) skills.

To ensure the right candidates are scheduled for interviews, CISOs need to work with their HR recruiting partners to develop screening and shortlisting strategies and tools that pinpoint the best candidates while weeding out those that are subpar, assessing qualifications and experience through the lens of both soft and hard skills.

What Criteria to Use in Screening and Shortlisting

Points where hiring organizations and HR staffs need to align when developing criteria for screening and shortlisting candidates include:

1. Previous Roles/Experience. With a severe shortage of skills in certain cybersecurity functions, hiring leaders need to look beyond traditional role and experience alignment. This is where a deeper look at soft skills, which translate into the skills many businesses are seeking for senior cybersecurity leaders, is valuable. Screening questions that probe into those in greater detail can help HR recruiting professionals and security hiring managers to pinpoint some candidates who may not initially look like the best fits due to prior experience.

2. Career History. Not every winning candidate possesses a career tenure of successive promotions and a steady rise up the corporate ladder. Sometimes, candidates with diverse experiences and roles are better fits.  

3. Education. Cybersecurity didn’t exist as part of a university curriculum a few years ago, and many universities still lack degree tracks for cybersecurity professionals. Thus, the educational degrees held by security professionals aren’t nearly as uniform as is the case in many other occupations. Here, security leaders and their HR recruiting counterparts would do well to assess the educational degrees held by security professionals who perform at a high level and have seen progressive career advancement—within their organization and outside of it.

4. Certifications. Cybersecurity is a certification-intense field. Analysis conducted in conjunction with Datalere as part of a broader series of studies on cybersecurity skills and demographics reveals that employers place less emphasis on certifications than jobseekers do. For certain roles, certifications are less important to the success of the worker than in other security roles. In these instances, security hiring leaders need to coordinate with their HR recruiting partner to identify the certifications that are of primary and secondary importance for the role in question. Further, certain certifications are more relevant for some roles than for others.

5. Intangibles and Cultural Fit. How and what candidates say—or don’t say—in their applications and resumes can reveal a lot about them. Recent research shows that intangible qualities play a critical role in the success of a new hire. Much of this needs to be determined during the interview process. But organizations can also use screening and shortlisting to help make this determination.

Hiring leaders cite culture as the number one reason new hires fail.

Natural language processing (NLP), which is now being used across different business functions, can reveal candidate traits and biases based on what they write. Screening questions where written long-form or even audio answers are analyzed provide employers with the opportunity to do so.

6. Candidate Self-Presentation. Many automated candidate screening algorithms penalize candidates for improper grammar and spelling and for the use of non-standard resume formats. Security hiring leaders and their HR recruitment counterparts need to decide how much weight these factors deserve and apply them accordingly when screening candidates.

Working the Logistics of Screening and Shortlisting

The actual execution of candidate screening and shortlisting needs to account for several different factors. Let’s take a quick look at a few of them.

1. Automated or Manual Screening. Many HR recruiting organizations have deployed automated candidate tracking systems that include algorithm-based scoring of resumes and application materials. These systems tend to favor candidates who align their resumes with the system’s expected formats and employ keywords that increase the likelihood of landing on the shortlist of candidates to interview. However, while the volume of incoming applications might make such systems necessary, cybersecurity is a field that values non-conformists and lateral thinkers, so these systems can end up eliminating qualified candidates.

2. Put the Cover Letter to Use. Rather than simply noting that a cover letter is required, many organizations have moved to asking candidates to include specific content in it—what they bring to the job opportunity, why the organization should hire them, and other topics that reveal more of their thought process. Here, candidates who simply repeat points already made in their resumes, or who don’t seem to have done any research on the hiring organization, may be revealing a lack of some of the intangibles that mark the difference between a successful and an unsuccessful candidate.

Around 20 percent of hiring leaders indicate they read cover letters, and even fewer regard them as a critical artifact in the recruiting process. This is a huge mistake and a missed opportunity to glean valuable insights into a candidate’s soft skills, cultural fit, and personality.

Candidates who fail to follow directions and omit a cover letter from their application can be removed from the shortlist, as those same foibles likely carry over into their professional life. In other instances, cover letters—particularly when specific content has been requested—can provide valuable insights that can be analyzed using NLP for candidate traits.

3. Internet-Based Candidate Vetting. Screening is also a good time to look at what candidates reveal about themselves on the internet. In addition to running a simple search to see what the candidate has published, presented at conferences, or been quoted on in the media, screeners should look at candidates’ LinkedIn, Facebook, Twitter, and other social media presences. If their online personas match what they’ve told you in their application materials, great. If they don’t, this may be a cause for concern.

4. Pre-Interview Phone Screening. Before inviting candidates in for a formal interview, many organizations will set up phone conversations to get a better read on candidate personality, cover any factors in the hiring process the candidate should be aware of, offer the candidate an opportunity to give their side of the story on anything in their background that might appear odd, and prepare the candidate for the onsite interviews.

5. Candidate Experience. The screening and shortlisting process should not be treated as a way to give candidates a quick brush-off prior to being forgotten. Basic business courtesy demands that organizations acknowledge receipt of all applications and inform candidates as to the status of their application, especially when they have dropped out of active consideration for a role.

While there’s no sugarcoating bad news, candidates respect organizations that keep them in the loop. Besides, an unsuccessful candidate for an immediate opportunity may prove ideal for another posted at a later date. This is particularly important in an area such as cybersecurity, where building a private talent pool that can be tapped for future openings—full time and contract—is critical.