How to Catch the Good Guys: My Learnings on Recruiting IT Security Professionals One Year In

13.6.2025 | 4 minutes reading time

In 2024, I embarked on the journey to become a recruiter for an IT Security Consulting team. I thought, “How hard can it be?” I had already been a recruiter for over 10 years, focusing predominantly on software developers, and I imagined my new task would be fairly similar. However, I quickly realized that my established methods wouldn't be as effective in this domain.

Why?

IT Security professionals (and particularly DFIR colleagues) are notoriously hard to find, much harder than, let’s say, Kotlin developers. They keep a very low profile on business platforms and the internet in general. In many cases, even the most sophisticated keyword searches fail to uncover their profiles, unless they actively desire to be found. So, what’s the cause?

Firstly, these professionals are acutely aware of the risks associated with personal information exposure and exploitation, given the nature of their work. Secondly, they often distrust the data collection practices of large corporations, fearing the misuse of their information for marketing or political purposes. Finally, publicly displaying their professional information online can inadvertently make them targets for “the bad guys”: hackers, attackers and malicious actors of all sorts.

So, where does this leave the eager recruiter? How do you “catch the good guys”?

My learnings

Proactive Engagement: Even with minimal profiles, I initiated contact to gain insights within the industry. While my approach may not have always been highly tailored, I emphasized engaging with wit and curiosity. This allowed me to generate responses from fantastic future candidates and gather valuable industry insights. As much as I appreciate speaking with potential candidates, I am equally thrilled to connect with professionals who may not be looking for a new role but are happy to chat. Over the past year, this strategy has significantly enhanced my understanding of the cybersecurity community in Germany.

Community Immersion: Speaking of the community and its members who often fly under the radar of classic recruitment methods, I found it essential to go where they are. Our team members regularly attend and speak at meetups and conferences, which I joined as often as possible to mingle with the crowd. We also exhibit at IT:SA, which has proven to be an outstanding networking opportunity. It goes without saying that this is a relatively indirect and long-term approach. While active recruiting efforts are generally unwelcome at dedicated industry events, my presence has allowed me to network organically and build relationships. I’ve also successfully scheduled meetings with prospective candidates at events we both attended. Added benefit: I had colleagues from the IT Security team around to help me make “the pitch”.

Online Visibility: As the saying goes, "The best place to hide a dead body is on the second page of Google search results." Since IT security professionals are so difficult to locate, we wanted to make sure that they could find us. This was a collaborative effort involving leadership, marketing, the IT Security team, and HR.

We launched a dedicated sub-brand homepage for IT security, the team started publishing more blog articles, and I optimized my recruiter profile with relevant keywords. This stronger online presence has been crucial in attracting passive candidates who were quietly looking for their next professional opportunity.

Employee Referrals: People referred by existing employees are far more likely to be hired than applicants coming through any other channel (direct search, job boards, events, etc.). Good people know good people. While they will still take part in the official recruitment process, these candidates have automatically undergone an “informal vetting process”. Team members wouldn’t recommend a new colleague whom they don’t believe to have a suitable skill set or to be a good team fit, right? This approach is even more important for IT security professionals, whose networks are often not openly accessible. And yes, we have been successful in hiring new colleagues through team members’ referrals over the last year.

Niche Platforms: IT Security professionals often have a deep passion for their work that extends far beyond their daily tasks. You'll find them actively involved in organizations like the Chaos Computer Club (CCC) and honing their skills on online platforms such as TryHackMe or Hack The Box – these are essentially online hacking playgrounds and vibrant cybersecurity communities.

Interestingly, some of these platforms allow you to post job roles directly and even anonymously approach members who've indicated they're "open for opportunities." While you won't know the individual's name you're reaching out to, their scores on these platforms can offer valuable insights into their technical skills and areas of expertise. (I haven't personally tried this approach yet, so if you have, I'd love to hear about your experiences!)

These are the most successful strategies I've used over the past year to grow our IT Security team, along with an outlook on what I'm still eager to try in the future. While the core approaches aren't revolutionary, adapting them to the unique challenge of finding IT security specialists was absolutely key.

Do you have any other ideas on how to find and recruit "the good guys"? I'd love to hear them!
