Defining and Writing Effective Cybersecurity Job Descriptions

By Editorial Team | May 06, 2019

With one million currently unfilled positions in the cybersecurity field, a number expected to rise to 3.5 million by 2021, recruiting, hiring, and retaining a high-quality cybersecurity team isn’t an easy undertaking. With an ever-evolving attack surface and an increasingly sophisticated threat landscape, security skills and the corresponding security staff have never been more important.

Recognizing the difficulty that CISOs and their recruiting partners have recruiting and hiring great talent, we launched a CISO Hiring Guide series. These Hiring Guides cover six different areas:

  • Defining and Writing Effective Job Descriptions
  • Mapping Out a Job Posting Campaign Strategy
  • Screening and Shortlisting Strong Candidates
  • Interviewing as a Two-Way Communication Process
  • Selecting and Vetting the Winning Candidate
  • Onboarding, Engaging, and Retaining High-Value Security Professionals

The strategies and recommendations delineated in the CISO Hiring Guide series are intended to apply across the various security occupational areas—from CISOs to security administrators.

Framing the Opportunity

Beyond getting approval for the headcount, the hiring process starts with the creation of a job description. More than simply a laundry list of duties and qualifications, the job description defines:

  • Why the organization is hiring for this particular role (i.e., role justification)
  • The kinds of work the successful candidate will perform
  • Desired candidate qualities and qualifications
  • Results and outcomes expected
  • Reasons why candidates should want to apply (viz., prefer this job posting over others and why this company is more compelling than others)

Nearly every constituency at an organization (management, finance, marketing, operations, legal/compliance, and sales) has a stake in the organization’s cybersecurity program, so it is important to ensure their requirements and interactions are included in the job description. While language from other posted job descriptions can be leveraged for content, each job description needs to include its own unique content.

What to Include in the Job Description

Effective job descriptions include six core elements:

  1. Position Title. Job titles convey the most basic information about an opportunity but can go further to provide additional contextual information. For example, there’s a big difference in what candidates will expect about a “CISO for a Large Global Investment Bank” or a “CISO at an Upper Midwest Liberal Arts College” role.
  2. Position Summary. This is a general overview of the opportunity and should be written like the opening sentences of a news story. The objective is to sum up the opportunity and spur interested candidates to read further.
  3. Position Responsibilities. Including this information should go without saying, but candidates will read this to gauge the level of the opportunity as well as its day-to-day activities.
  4. Skills and Qualifications. There’s a subtle difference between skills required of a candidate, and specific achievements and certifications. List skills and qualifications separately and rank them in descending priority order. As you do this, make clear what are absolute requirements and which ones are nice to have.
  5. About the Organization. Candidates are very interested in the kind of organization they might be joining, its mission, market position, and culture.
  6. How to Apply. This is the equivalent of a call to action when it comes to job postings. Be sure that the application process is simple, direct, and transparent.

Recommendations on Writing the Job Description

Job descriptions are communications vehicles. This may seem like an obvious point, but job descriptions have developed a reputation for congested “institutional-speak” seemingly designed to baffle readers rather than enlighten them. Don’t be that organization!

To differentiate your job posting and compete effectively for talent, the following are some recommendations to follow:

Write for the Candidate. The candidate is your audience and most important decision-maker in the recruiting equation. Visualize yourself presenting the opportunity to an intelligent outsider that you are trying to convince to join your organization.

Keep it Crisp. Verbosity and over-amped informality are proven candidate turn-offs. The job description is the first impression your organization makes on a candidate. Demonstrate that you respect them by not wasting their time and by telling them a compelling “story” about the job and your company in general.

Watch Out for Unintended Messages. To candidates, phrases like “do whatever it takes attitude” can sound like “no work-life balance” and “rockstar” or “ninja” can signal “males only, please.” Run job descriptions past others in your organization who resemble your ideal candidates and ask them what attracts or repels them when reading draft job description copy.

Remember It’s a Digital World. It’s important to optimize job-posting language to connect with search engines. Not only do job boards, recruitment sites, and social media outlets use search engines to find and rank content relevant to their audiences, but candidates also use specific terms to mine for attractive opportunities.

CISO Hiring Guide on Job Descriptions

If the above analysis piqued your interest, you may want to check out our CISO Hiring Guide on Job Descriptions, which includes much more detail on what you can do to ensure you are developing compelling job descriptions that attract top talent.