InfoSec Recruiters Recommendations

In this industry, there is ample movement between positions, and there are new positions to fill. At times people are not happy with the work, workplace, or manager. At some point, the employee may test the waters and look to see what is available at a new workplace. The business may also simply be expanding its infosec department. Recruiters fill a crucial role in meeting this need: the business has a role to fill, and people are looking for new positions. People may apply for these positions through various online services, such as Indeed or Careerbuilder. The employee may also receive blind calls from the recruiters themselves.

What Not to Do

Recruiters come in contact with a varying number of people across the country daily. The task of calling the person and getting to know their career aspirations and skills does take time. Short-cutting this set of tasks is generally not advisable, and it becomes apparent when the recruiter contacts the candidate. To best serve the candidate and have the greatest potential for placement, there are a few steps to follow and actions to avoid to optimize the experience.

  • Read the resume prior to calling. This may sound like Captain Obvious, however it is helpful. When the recruiter tells the candidate that they have not opened the resume yet, asks where they worked, gets the chronology wrong, or asks what infosec tools the candidate has worked with when these are listed repeatedly on the resume, it instills very little confidence in their ability.

  • Be familiar with the geography. The recruiter should know the major cities within a 45 minute drive and where cities are relative to each other. If the candidate says they live in city A, which is a nationally known city, and states they will drive to city D, which is another massive city well known throughout the US, the recruiter should know that large cities B and C, which are along a major expressway for the region, are in between the two. Without this, the candidate may think the recruiter is clueless.

  • Don’t ask the same question 3x-4x. This in itself is irritating and indicates that no notes were taken after the prior conversations. There are very, very few people who have the uncanny ability to remember every single detail of their life for the last month, quarter, year, etc. When the recruiter does not pay attention, the candidate may feel like simply a commodity or a number. This is especially notable when the answers are plainly listed on the resume.

  • Don’t call references multiple times to ask the same or more standard questions. This speaks to the prior bullet point. It is substantially surprising when the candidate gets a call from one of the references complaining about this activity. This also could be borderline embarrassing.

  • With IT, and specifically infosec, positions tend to be filled relatively quickly. There is not an extended period involved, such as is seen in certain other industries. To be called weekly for over nine weeks about availability for a simple phone screening is exhausting and shows the recruiter may not actually know what is occurring with the position or client. In this instance, it is probable that the hiring manager is not interested in the candidate, the position has been filled, or some other action internal to the business has taken place.

  • Applying for a new position is generally a rather taxing experience. A certain level of trust is given to the recruiter as the candidate provides private, confidential information to a third party. There is generally not a significant risk of this information getting back to the candidate's employer. If the position is no longer available, it would be pleasant to know, so that there is closure for the candidate and so the candidate knows to continue looking for and at other positions. When the recruiter simply closes the file on this specific job and does not communicate that the opportunity is gone, the recruiter’s lack of action implies a lack of respect for the candidate as a person. Granted, the recruiter has other work to do, however this action, as unpleasant as it could be, should be done. If not, the candidate may remind the recruiter of the treatment the next time a call is made to see if there is interest in the next position. It is not wise to burn bridges. Ever.

  • After the initial call or email, the candidate may forward the resume to the recruiter to forward to their client. After several days or a week of no communication, the candidate may call or email the recruiter for an update. If no return communication is received, this tends to come across as apathy from the recruiter, especially when it happens for weeks. By avoiding the candidate, whatever issue is present is only further exacerbated as the candidate finally stops contacting the recruiter.

  • It is presumed that the recruiter, who is filling an infosec position for their client, would know about and be familiar with the industry. After all, without this, how would the recruiter be able to fully connect with the hiring manager? If the recruiter were also to directly tell the candidate about the unfamiliarity, there would be a distinct lack of confidence in the recruiter.

  • As they are placing candidates in the infosec industry, recruiters should be somewhat familiar with certain acronyms. As an example, recruiters should know that BSBA and MBA are not certifications. The recruiters should also know how to pronounce the well-known acronyms. For example, SQL is not pronounced as “squirrel”. Yes, I am serious.

  • The recruiter’s role on a primary level is to fill their client’s open role with the appropriate person. It is not the function to have a warm body using oxygen to sit in a chair. If the candidate were to honestly be only 20% qualified, the candidate should not be put in for the position. This is a waste of time for all and gives the candidate a false sense of hope. This also should not be used as a ruse to gather more people’s information for the recruiter’s database.

The Alternative

To best work through the process and to reach an optimal result, the recruiter should work well with the candidate. When the candidate reaches out, the response should come within a reasonable amount of time. The candidate should be honestly updated. If the position is not a good fit, there should not be a false sense of hope. Simply rip the band-aid off.


The business model for the recruitment businesses is understandable. In order to operate and thrive, the business has to place candidates in roles to generate revenue. The recruiters individually may have a compensation plan with a smaller base and a bonus based on placing candidates. This is a difficult responsibility and task for the recruiter. The recruiter may receive up to a hundred resumes for each position. These have to be reviewed for applicability. The time per document may vary. A waitress may apply for a help desk position due to her ability to communicate and willingness to help others.


Somewhere along the way, we lost our way. We lost the basic communication methods and forgot that we are working with other people. The clients that are looking to be placed in positions need to work and are not simply wasting time or processing through the mental gymnastics of applying for work. After actually getting to know the person, the results may be the same (filling the role and increasing revenue for the company); however, the intrinsic end result will provide much more value for the recruiter.

About the Author

Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
