Determining which candidate to hire can be one of the most difficult decisions to make for a CISO or hiring leaders on her or his team during the recruiting process. If the recruiting organization has done a good job of vetting candidates and hiring leaders have narrowed down a bracket of candidates to a final two or three, each of the finalists may have an array of separately alluring qualifications and attributes that they can bring to the role. So, how do you choose?
Yet, even candidates who seem to be perfect culture fits and check every qualification on the list may have flaws. For example, a candidate may have previously undiscovered issues in their backgrounds that are red flags. Suddenly, a candidate who might have seemed like a great fit before may appear as a risky bet. Thus, it is critical for hiring leaders to perform thorough background checks on final candidates toward the end of the interview cycle, and always before an offer is extended.
This final candidate selection and background check occurs as phase five of a recruiting cycle covered in the CISO Hiring Guide Series published by Fortinet.
The days are past where hiring managers retained full responsibility for deciding which candidates are to receive an offer; hiring decisions for positions across the spectrum should not occur in a vacuum. This is particularly important for cross-functional roles, where there are multiple stakeholders across the business. And with cybersecurity acting as a key enabler of the business, security leaders need to ensure their candidates are vetted by business leaders whose departments are directly impacted by the role.
Often, if one of these cross-functional teams has concerns about a candidate, this is a warning signal; issues that crop up during the interview process are very likely to do so once they are hired. Here, to provide the interview team with an objective means for evaluating and reviewing candidates, it is a good idea to create an interview scorecard and request that each member of the interview team complete it after meeting with candidates. Doing so creates a formal, objective evaluation process and a documented paper trail that prompts those conducting interviews to provide feedback and helps ensure equitable consideration of each candidate.
Of course, in the face of a cybersecurity skills shortage where many candidates may not satisfy every specified requirement, it is important to evaluate candidates holistically and based on hard skills as well as soft skills. With soft skills playing an increasingly critical role in the success of a cybersecurity professional, it is pivotal that hiring leaders include those in the review process, including reference checks.
Figure 1: Employers seeking security architects place a much higher emphasis on soft skills than what candidates include in their resumes. Download the full report “CISOs Seek Security Architects Who Are More Strategic and Possess Soft Skills.”
Figure 2. Both employers and security administrators overemphasize—and underemphasize—certain skill sets in their respective job ads and resumes. CISOs need to carefully consider these discrepancies when vetting and choosing a final candidate for security administrator roles.
Hiring decisions generally need stronger justification than whether hiring decision-makers like or dislike finalist candidates. Good hiring decisions require a rational basis and include the following:
1. Priority-based decision-making. Job descriptions can read like shopping lists that record every possible candidate attribute a hiring organization could desire. But hiring managers need to consider what is really important for the new employee to achieve and what candidate attributes—both hard and soft skills—are most likely to enable them to succeed.
For example, if designing and building a cybersecurity awareness training program is one of the top priorities for the role that is being filled, then prior experience doing so is important. Further, as doing so requires substantial cross-functional collaboration, hiring managers need to vet this soft skill by asking candidates to walk them through how they have actually implemented a cybersecurity awareness training program and how they have collaborated across functions to achieve measurable results. In this context, hiring managers may need to ask probing questions to gain deeper insights as to how the candidate might react and moreover their ability to critically self-evaluate.
2. Candidate growth potential. Organizations have specific functional requirements in mind when filling a job opening. First and foremost, vetting a candidate’s soft and hard skills against those requirements is certainly a priority. But at the same time, retaining top-quality talent requires career development and growth. Thus, hiring managers need to account for organizational needs and circumstances in one year, two years, and so forth. In reality, career development and growth benefits both the candidate and the hiring organization.
Consider the following scenario. A CISO has an opening for a security administrator. But at the same time, their security architect is retiring in a year. Thus, a candidate who meets the immediate requirements for security administrator but possesses the ambition and professional foundation to maturate into the role of security architect may be a better choice than another candidate who meets more of the security administrator skill-set requirements but either is not interested in a security architect role in the future or lacks the skill sets—which often are soft skills—to succeed in such a role.
76% of employees want opportunities for career growth.
3. Cultural fit is a slippery slope. HR and hiring experts agree that cultural fit is an important factor in employee success and retention at an organization. Yet, hiring managers also need to beware of the foible of evaluating candidates through this lens: cultural fit can easily degenerate into a euphemism for discrimination or create a monoculture. Thus, while culture fit is certainly a quality CISOs and hiring managers on their team need to heed, it can also become a hiring inhibitor and lead to poorly balanced teams—from personality to skill sets.
Formal background checks typically take place between the time an organization selects a winning candidate and extends an offer. Background checks should proceed swiftly and be thorough and accurate. For this reason, most companies should hire a third-party firm to perform candidate background checks. Consistency in conducting background checks is particularly important in avoiding allegations of unfairness in hiring practices. They also can uncover discrepancies in what a candidate claims (e.g., degrees not earned) that reveal troubling character flaws. For senior-level positions, these claims can even create legal issues. Professionally executed background checks should encompass:
25% of hiring managers have detected candidates claiming employment at companies they never worked for.
The above aside, organizations should understand that several laws and regulations limit the kinds of background information organizations may consider. For example, the U.S. Fair Credit Reporting Act applies to the use of candidate financial history information, and the Americans with Disabilities Act is intended to prevent disability insurance history from influencing hiring decisions.
Candidate reference checks should be conducted directly by the hiring manager. Reference calls are particularly valuable, as they give hiring managers an opportunity to solicit input on a candidate’s soft skills—fleshing out strengths and weaknesses and gauging potential red flags.
80% of organizations that conduct reference checks have changed their mind on a candidate after conducting a reference check.
Once a CISO or hiring managers on their team have reached a hiring decision, some negotiation over salary and benefits should be expected. If there is no room to negotiate, this information needs to be told to the candidate when the offer is made.
When it comes to what salary to include in the offer, hiring managers need to work with their manager and the HR organization to structure an offer that is competitive for that position as well as the location where the candidate will be based. If the organization employs a salary matrix, it would be wise to start the candidate below the median for the role and location. If the salary is at or above the median, then the hiring manager will have less flexibility to reward top performers commensurate salary increases. This can quickly create retention challenges.
Of course, it is crucial to remember that candidates seek more than just salary when evaluating offers. Stock options, bonus plans, and review cycles play a role, but intangibles, such as work flexibility, travel perks, training opportunities, and paid tuition, among others, can make a huge difference. Whoever makes the offer—whether HR or the hiring manager—needs to highlight those in writing and verbally.
Once the organization and candidate have reached agreement on the offer, the offer letter can be signed and onboarding can commence. For more information on hiring the right candidate, download the CISO Hiring Guide “Selecting the Winning Candidate.”