Jobs
For candidates
For Employers
For Employers
Cyber professional recruiting
Executive/ CISO recruiting
Board of directors roles
Cybersecurity talent strategy development
Insights & resources
Insights & resources
Blog
Partners
Cybersecurity conference calendar
About
Sign up
Sign up
Name of user
Profile
Assessments
account
log out
Log in
Sign up
Jobs
For candidates
For candidates
For candidates
Cybersecurity sales talent
Technical talent
For Employers
For Employers
Cybersecurity sales talent
Contract/ fractional technical talent
Full time technical talent
Executive/ CISO talent
Insights & resources
Insights & resources
Blog
Partners
Cybersecurity conference calendar
About
Jobs
Hire
For candidates
For candidates
Cybersecurity sales talent
Technical talent
For Employers
Cybersecurity sales recruiting
Contract/ fractional technical staffing
Technical practitioner recruiting
Executive recruiting
Insights & resources
Blog
Partners
Cybersecurity conference calendar
About
Log in
Sign up
Profile
Assessments
account
log out
back
For everyone
for hiring managers
For everyone

AI in Cybersecurity Recruiting: Benefits and Risks

AI
ATS
Hiring
Resumes

AI in Cybersecurity Recruiting: Benefits and Risks

If you are in the job market right now, you undoubtedly notice the little ticker on Linkedin that tallies the number of applicants for each opening, and the rapid pace that number of applicants shoots up.

SOC Tier 1 Analyst

You certainly are noticing the number of form rejections you receive from those applications- even when you are unquestionably qualified for the role. 

While some of this is undoubtedly due to the macroeconomic conditions- including layoffs and less overall job turnover- a good deal of it is also due to the newfound ease of applying (just click a button, or even automate the application itself) and the downstream automation of how systems handle all those applications. 

There are many cybersecurity postings that are attracting north of 500 applications. Guess what, no human is reading all of those. 

If there is a four letter word in job seeking today, it’s probably actually a three letter word- ATS.

What the ATS is really doing

Applicant Tracking System

Applicant tracking systems are the modern boogeyman for the candidate- the black box that is preventing you- the qualified candidate- from getting to interviews and having the chance to truly demonstrate your strengths. The mysterious system that you need to learn how to beat. 

While in some forums ‘the ATS’ has achieved an almost mythical level of malicious capability- the reality is more pedestrian. Most of these originated as tools to manage the recruiting process, manage posts, and consolidate data. A CRM for recruiting, if you will. 

Over time, they expanded capabilities to automate the ranking of potential candidates, and they do so by using ML (and increasingly LLMs) to rank candidates for fit with a given role. They do this by extracting a perspective on a candidate’s skills and experiences from the resume, and comparing those skills against requirements in the job description. 

Most of these systems are still pretty dumb. For example, say ‘project management’ is a requirement, but you don’t list the actual words? Never mind that you were a consultant for a decade leading teams- that skill isn’t recognized because most tools are bad at interpolating context and are really just looking for keyword matches. 

There are tools out there like jobscan that can help look at your resume, compare against a job description, and suggest improvements. They are worthwhile and can help. But overall recognize that fundamentally this is a law of large numbers problem and there is no magic bullet, and ATS systems vary wildly in their capabilities and results. 

Overall advice:

  • You won’t ‘beat the ATS’. But you can improve how you appear
  • You need a skills section in your resume. This is for the ATS, not for humans. Load it with the relevant words and put it at the bottom of your resume
  • You also need a skills section on your Linkedin profile
  • Read job descriptions and ask yourself- what criteria is the recruiter likely looking for? Make sure those words (specifically) appear in your resume
  • Don’t over think this. Your hit rate won’t automatically triple. Your interview/apply ratio will still be low. You need to make human connections to really increase your odds and hit rate.

The arms race

In cybersecurity, we are all too familiar with the cat and mouse dynamic of defense against the adversary. There is a perpetual cycle of discovery and closure of new vulnerabilities, tactics, and vectors.

The concept also applies to recruiting. Candidates experience low interview hit rates and so apply to more jobs. More candidates, more automation.

It’s a vicious cycle. 

One of the great ironies of this all is it is forcing a return / premium to the human dimension. And for job seekers, that means being networked. I won’t go into it extensively here, but you can check out these posts (part 1 and part 2) for deep dives on a how to execute a job search process, with practical networking advice.

Referrals, endorsements, and introductions from trusted people have always been a critical component of the hiring process, and exceptionally valuable. I’d argue that they become even more important in this environment. If you are in the market today, I’d guess that there’s a 90% chance that your next role comes about based on a human connection, not a blind application.

Have I got a bridge for you.

There is a lot of snake oil being sold on the vendor side of recruiting today. I suppose in the software and tech world there always has been. Something along the lines of ‘just buy this tool and your problem will go away.’ (Like the one security company that promises to ‘end cyber risk’ ahem, ahem ❄️🐺). 

In the recruiting world, we are awash in promises to fully automate the process of recruiting from end to end and that AI will automagically find the perfect candidate for every role. 

AI absolutely does hold promise for improving the effectiveness and efficiency of recruitment, and to some degree it is making things easier and faster already. But the promises of full automation and superior screening are misplaced.

Let’s unpack it. 

1) We need to solve for quality before we solve for efficiency

Today, AI is amplifying two bad practices, both of which I’ve written quite extensively about.

First, most job descriptions in cybersecurity are poorly written.

  • Laundry lists of requirements that few humans have in totality
  • Requirements not aligned to level/ experience/ comp
  • Overemphasis on things that are not always good proxies for skills: minimum years of experience and educational requirements

LLMs are increasingly being used to generate job descriptions, and they can do a credible job in many ways. The problem is that they push everything back toward the mean, and perpetuate what is generally a sloppy and not well thought through exercise. They can be a great tool for a first pass, or generating ideas, but they don’t nudge things in the right direction. 

Second, these tools are scoring based on the discrete number of skill and experience keyword matches, not on what is most important, and with no distinction between what can be learned and what can’t. I use a visual analogy of an iceberg- everyone pays attention to what is above the surface, because that’s what you can see- but you are missing the bigger picture. Experience on resume is minimally predictive of success. Broader context- motivation, grit, intelligence, curiosity, and capacity to learn matter tremendously. And you don’t pick that up with a keyword scan. 

This perpetuates:

  • Keeping very talented people with high potential out of the initial screens
  • Highlighting the same highly experienced people, over and over again
  • The work not really aligning with candidate expectations, and thus disengagement and turnover

We are solving for the wrong problem. We need to figure out how to hire for quality before we solve for efficiency, otherwise we are just amplifying bad practices. 

AI is only as good as the data that it was trained on. And right now we are training with a definition of success that is totally disconnected from reality.

So we get garbage in, garbage out. 

The cost of a bad hire is tremendous- cultural degradation, lost productivity, more time work is not being done due to vacancy, team time spent sourcing and interviewing, etc. But instead of focusing on solving for an approach that brings in awesome talent, companies are spending time nickel and diming recruiting team productivity. We should only do that after we are getting fantastic hiring results. 

2) AI holds the potential to help vet more deeply, and increase quality of matching

While our current implementation of AI is guilty of perpetuating bad practices, that doesn’t mean that it’s without promise. Today the matching is being done at a keyword level, without context and without validation.

We are close to a world where AI can actually help validate, and likely do so with higher accuracy and less bias than is typical in human interviews.

  • Using labs, we can validate hands on keyboard technical skills
  • Using assessments, we can gauge analytical skills
  • Using analysis of sample work, we can get a sense of written communication skills
  • Using video interviews and mock presentations, we can get a gauge of verbal communication skills
  • Using well trained LLMs we can actually construct good job descriptions

These results won’t be perfect. But they can be better than what we do today, which is typically either 1) making an assumption that a skill is there because of some other proxy, or 2) gauging during interviews with no calibration and minimal intention. 

Beyond validation, AI can help bring liquidity to the job market. There is indeed value in being able to parse through a large number of candidates- if your talent signals are right, the fidelity and quality of your matches will be higher with a larger sample size. And at large scale that’s just too much for a human to manage. 

So if we get the assessments right, and complement initial screening at the skill level with a well designed interview process that provides a second layer of validation and tests for cultural fit, motivation alignment, and manager fit, we will have great results for both candidates and companies.

3) We cannot lose sight of the human element

Candidates are already feeling the isolation of disconnection from the early stage parts of the recruiting process that are automated today- where, if you follow the process, all initial interactions are digital and there’s no transparency or clear logic as to when you get past the ATS screen. 

If you believe the marketing hype, a world of full automation/ low no touch is promised. 

And let’s be honest, it isn’t the connection between the candidate and the recruiter that matters, it’s the one between the candidate and the hiring manager, and the cultural fit with the team and the company. So some transactional squeeze on the recruiting end is fine, as long as it lead to rich engagement with the hiring manager.

The candidate experience suffers significantly if the process goes too far without them being able to do their own diligence on a company and the hiring manager. Space needs to be made relatively early on to ensure real human connection and the chance for both sides to evaluate fit. 

And in the world we are in now, where the results are poor from automated screening, both sides are frustrated, so it’s the ability to have someone that is trusted recommend someone for a job that matters most. And that isn’t going away. 

So get out there and build real human relationships. They will stand the test of time.

Brad Rager
CEO

Our latest insights

expore blog
For everyone
For candidates
For hiring managers
H1 Cybersecurity talent market report
There is no spring without winter
Job market
Remote work trends
Cybersecurity industry
Certifications
For everyone
For candidates
For hiring managers
Communication as a cybersecurity skill
We all know communication is important, but we don't think about it very much
Communication
People skills
Assessing skills
For everyone
For candidates
For hiring managers
Discovering you
First, know yourself
Self-awareness
Careers
Happiness
Positive psychology
Assessment
For everyone
For candidates
For hiring managers
H1 Cybersecurity talent market report
There is no spring without winter
Job market
Remote work trends
Cybersecurity industry
Certifications
For everyone
For candidates
For hiring managers
Communication as a cybersecurity skill
We all know communication is important, but we don't think about it very much
Communication
People skills
Assessing skills
For everyone
For candidates
For hiring managers
Discovering you
First, know yourself
Self-awareness
Careers
Happiness
Positive psychology
Assessment
JobsFor CandidatesAboutContact uslog insign upHire talentpost a job
For EmployersCybersecurity sales recruitingContract/ fractional technical staffingTechnical practitioner recruitingExecutive recruiting
Insights & resourcesBlogPartnersCybersecurity conference calendar
E-mail:
info@crux.so
Phone:
312-330-0788
Social media:
© Copyright 2024 Crux Talent, Inc. All rights reserved.
Privacy PolicyTerms and Conditions