Employer Branding: Why Anthropology matters in your efforts to hire cyber security talent

There’s a lack of talent in hashtagcybersecurity. Nobody seems to be able to hire enough qualified specialists. Nothing’s new in that.

What’s really strange when speaking of this lack of talent is that no one seems to do anything about that and their situation. While you can’t magically snap your fingers to make the specialists you need magically disappear, what you can do is to stand out among the companies looking to hire talent and talk to them in a language they understand.

There’s too many job ads out there that are too formal and neither show the true spirit of the workplace and the specialists already working there nor the specialist they’re trying to attract. Also, there’s practically no companies who understand that engaging with the cyber security community could be a part of their employer branding strategy.

To me that makes absolutely no sense.

In reality, hashtagemployerbranding is marketing and like any other types of marketing it’s about creating immediate value to the recipient who in this case is the cyber security community.

If you think about it, it makes sense: the cyber security community is full of those engaged, talented professionals your company needs to make your business strategy become reality. Those professionals who simply love cyber security so much that they are submerged in pet projects in their spare time, who love seeing other community members with the same passions to share inspiration, knowledge and to feel togetherness in an uncertain world.

By hooking into this community professionally, you show members of the community that you share their values and beliefs; that you are part of the tribe. Tribes are the cornerstone of civilization; people in the same tribe look out for each other, they help and support each other when they can. They truly care for each other. These are the feelings you want to awaken in the cyber security community.

Basically you want sentiment, you want the cyber security community to look up to you as a company, to your specialists. You want to make the cyber security community want to work with you.

The good news is that it’s not hard to do this as long as you know the language of the community, which defines the rules and the tone of your communication and you can predict what community members will find interesting. And, admitted, that last part is quite hard. But basically it’s about knowing about cyber security and knowing about subcultures, about geekiness. Being a geek yourself, regardless of type, is definitely not a disadvantage.

So how do you create value? You give the community what fuels it:

  • Knowledge in the shape of videos, talks, articles, workshops, courses and more.
  • Humor is a tough element to get right but important. It’s important to show that you as a company dare to show a human side of yourself and that you don’t take yourself too seriously. If you’re capable of that and of doing jokes at your own expense, you win.
  • Meetups are where the magic happens; where people interact and get inspired. Your company can support it by sponsoring food and drinks, engaging in planning and doing talks. Those two last ones are always the hardest ones and are typically the reasons for community meetup groups to hibernate or dissolve.

To be frank, community employer branding is not for everyone. Honesty and transparency are important factors. Let me explain:

As a cyber security professional nothing is worse than not being taken seriously; to be hired to help increase security, to see that there is a need and that significant risks need to be addressed but not being able to. What usually happens is that management in theory finds security important but in reality finds other things, like making money, more important. I’m not saying that that isn’t fair to do if it’s done in complete transparency, if all risks have been assessed and addressed on management level and it has been decided. Unfortunately that is rarely the reason. More often than not, it’s the result of incompetent management, bad communication and reporting by people who are not very good at explaining exactly what impact this or that threat has on business risk.

So if you’re not one of those companies that truly does take cyber security seriously in every part of the business, you can’t go around pretending to be. Not forever, at least. And when the community finds out, your efforts will backfire.

So in other words: If your company’s management truly mean it, and you have an organization that supports it, the effort you put into this will pay off if done in the right way.