How to achieve qualified applications with adequate job vacancies
Make sure you attract the right candidates with a well-fitting and eye-catching job ad. In this article, we will not only show you how to create an ideal job offer, but also provide free templates for job advertisements in information security, e.g. for an Information Security Officer (ISO) or a Data Protection Officer (DPO).
A job ad is the first contact point with potential applicants. It is one of the most important tools for recruiters or HR. With so many job postings out there, yours should stand out and grab the reader’s attention. Of course, you want only certain candidates to be targeted – those who are eligible for the position and meet your requirements. The difficulty lies in getting all the relevant information into a short text and still making it look attractive. If, for example, the job ad is far too long, unclear, incomprehensible or possibly even describes the wrong content, you may either miss out on suitable applicants or the wrong people will apply.
Especially when formulating job vacancies in specialized fields, such as information security or IT security, problems arise quickly. Different job profiles are mixed up, so that the competencies and areas of responsibility described become blurry. They no longer reflect what the company – or, in turn, the applicant – is looking for. The fact that you actually described a completely different position may only become apparent in the personal interview. When this happens, the application process to date has been of no use to either the applicant or the company.
Structure and content of a job advertisement
When creating the job advertisement, you introduce both your company and the position to be filled. In addition, you can state the advantages that your company offers its employees. At the end, you should provide details on contact options, application deadlines and other conditions of the application process so that no questions remain unanswered.
While candidates are reading the ad, they should be guided according to the AIDA concept (a concept from marketing).
- A – Attention
- I – Interest
- D – Desire
- A – Action
Once you have caught the reader’s attention, they should read the vacancy with sustained interest. While reading, the desire to apply should arise. After all, the process should end with a successful application.
Do you have difficulties when formulating job advertisements?
Are you looking for an information security officer (ISO)? We’ll help you create the ideal job description to target qualified candidates.
Due to the shortage of skilled workers, it can take several months to find a suitable candidate. However, we have a suitable offer for you: our ISO-as-a-service solution provides you with an external ISO to bridge the time until you have found a new candidate. Stay flexible with a monthly cancellation period!
We would be happy to present our concept to you in detail in a non-binding discussion.
Elements of a job advertisement
The following structure is recommended:
Title of the job ad
The job advertisement should start with a strong title. It should, of course, describe the advertised position in the best possible way. You shouldn’t have to read the list of tasks first to know what the job is actually about.
Here are some inappropriate examples for titles of job ads (for information security jobs):
- Regional Information Security Officer
- Referent Information Security / Information Security Officer
- Senior IT Security Specialist
- IT Security & Compliance Specialist
- Expert for Information Security – Audits and Certifications
- CISO Chief Information Security Officer
- Information Security Officer
- IT-Governance Expert – Focus on IT-Security
- Coordinator for Information Security ISMS/ISO 27001
The problem: there are many different job titles and job descriptions that actually mean the same thing and have identical requirements. You should make sure to use the best-known and, if possible, “standardized” terms that can be objectively assigned to a job description including its tasks.
The terms Information Security Officer (ISO), Chief Information Security Officer (CISO), Data Protection Officer (DPO), Chief Security Officer (CSO) and Chief Information Officer (CIO) are common designations. We will present the exact job descriptions later in this article.
Introducing your company
In this part, you should answer the following questions in a short text:
- In which industry is your company operating?
- Which product or service do you offer?
- How many employees are employed at how many locations?
- Have you been able to achieve any particular successes as a company?
- What characterizes the work in your company?
- What is your vision and what are your values?
Job description incl. scope of tasks
While formulating, be specific and avoid phrases that no one can relate to. First, name the area of responsibility and list the work tasks in bullet points. Then add key points on the requirements for the applicant that are necessary in order to be able to handle the previously described tasks.
Examples of formulated job descriptions can be found below.
Requirement profile of the applicant
What skills and qualities must the applicant have? Specify what your ideal candidate must be capable of. Remember: clear and precise wording, no empty phrases. In addition, you can divide the key points into “must-haves”, i.e. what applicants should definitely bring with them, and “nice-to-haves”, i.e. what they should optionally already be able to do or be willing to learn.
The requirements and tasks should match. If the requirements call for knowledge of specific standards, guidelines, and auditing, the tasks should also indicate why the applicant should have these skills.
Job benefits and additional details
The option to work from home has been a necessity for many applicants since the coronavirus pandemic. If your company offers this option, it should definitely be mentioned in the job vacancy. Other benefits such as free lunches, special team events or sports activities also belong here and should once again strengthen the desire to apply. Feel free to be creative and show the truly unique sides of your company.
Supplementary data and contact options
- How can applicants get in touch with you (by mail, application portal, etc.)?
- What documents are required (cover letter, resume, certifications, etc.)?
- What can they expect after submitting an application? Briefly describe the remaining steps of the application process.
- Who can applicants talk to if they have any unanswered questions? Here you should name a contact person for questions about the application process and a person for professional questions about the position.
Hints and tips
- Comply with the AGG (German General Equal Treatment Act) and formulate job advertisements accordingly (gender, age, ethnic origin, religion/belief, physical/mental disability, sexual identity).
- Select the appropriate form of addressing (formal or informal): Consider who you want to address and which form of addressing is more in line with the company’s overall image.
- To name the salary or not? There is still no legal obligation to state the salary, but candidates may not apply if they find no information about it. Especially for higher or executive positions, such as an IT manager or an information security officer, this can be crucial.
- Use images and graphics to visually highlight important content. Whether you can use images, however, depends on the platform where you place the job ad. But be careful: you should also not use too many images, because this may be too distracting and take up a lot of space. One to two meaningful images should perfectly support your ad.
- A two-page layout for the job description and the requirements supports the typical reading flow and makes reading easier. If you use bullet points instead of continuous text in between, this can have an additional beneficial effect.
- Use keywords that are relevant for finding the ad in the search engines and attract attention in the second step. Mention the industry, type of employment, location and other aspects that may be decisive for an application.
Research the right content for your information security job ad
There are not always legal requirements for professions such as the ISO that describe their scope of duties and responsibilities. However, certain government regulations provide detailed descriptions and bulleted lists that you can use as a guide. The German BSI (Bundesamt für Sicherheit in der Informationstechnik, the Federal Office for Information Security), for example, offers freely accessible descriptions of such requirements. The most common standards (such as ISO 27001 for ISMS) are also excellent for deriving job description requirements. Most important is that you obtain the information for creating the job posting from trustworthy and reliable sources.
TIP: Involving a person from the specialized department can also be helpful. If possible, such a responsible person should prepare bullet points for the tasks and competencies that should appear in the job posting.
Information security job profiles
Management positions in information security hold great responsibility for companies. It should therefore be in your interest to staff the positions in accordance with the requirements. For this purpose, the job vacancy should be as professional as possible and as detailed as necessary.
We will be pleased to introduce you to various job descriptions and offer you free templates that you can use for your job advertisements. The shortage of skilled workers is a problem for many companies, especially in the field of information security. One more reason to put a lot of effort into your job advertisement!
(Chief) Information Security Officer - (C)ISO
The only difference between an ISO and a CISO is that if there are several ISOs in a company, there is usually one CISO who leads them all.
Otherwise, the duties and requirements are theoretically identical. The responsibilities of an ISO are defined as follows:
A CISO is responsible for all issues relating to information and data security in a company or institution. His or her area of responsibility includes…
- Management and coordination of the security process
- Supporting the management with the creation of security guidelines
- Coordinating the creation of the security concepts and associated sub-concepts, including emergency concepts
- Preparing realization plans for security measures as well as initiating and subsequently reviewing their implementation, including emergency plans
- Reporting to management level and other security officers on the status of information security
- Project management: coordinating security-related projects
- Investigating security-related incidents
- Initiating and coordinating information security awareness and training sessions
- Operation, further development and auditing of IT security within the framework of an Information Security Management System (ISMS)
- Reporting all results to the management
- Quality assurance function for information security
To successfully accomplish these tasks and maintain independence of decision-making, the CISO reports directly to top management and should bring the following to this responsible position:
Hard Skills:
- In-depth experience and knowledge in information security and IT. This includes the relevant standards, such as ISO 27001, as well as the BSI’s IT-Grundschutz.
- Ideally, completed studies and certification as an ISO.
- Basic knowledge of the tasks and processes of the company or institution.
- Experience in project management & the coordination of tasks (preferably with knowledge of risk analysis).
- Related experience in change management
- High level of readiness for continuing education
Soft Skills:
- Ability to work independently, strong work ethic & perseverance.
- Interdisciplinary thinking & methodological competence in project management
- Analytical skills and process-oriented thinking
- Communication skills & persuasiveness in presentations or in dealing with staff and top management to reach consensus
- Ability to collaborate, work in a team, and understand and empathize with employees in the context of change management
- Strength in building relationships and developing networks in a large organization
- Goal orientation in action planning and implementation to achieve compliance objectives
- Proven ability to adapt to new environments and to lead and drive change
- Awareness: sense of risks and their magnitude
- Fluent in business English (other foreign language skills an advantage)
These requirements are independent of whether an internal or an external ISO is contracted.
Depending on the size of the company or the authority, there may be several ISOs, for example for different areas, locations or even large project plans of the company. If this is the case for you, you can state this as additional information in the job vacancy and announce the position as either (senior) ISO or CISO.
Problems with related departments
Integrating the ISO into the IT department can lead to role conflicts, since the ISO cannot fulfill its obligation to monitor security measures without being influenced by the IT security manager, for example. Having the same person act as ISO and data protection officer is also not without problems. If this is the case, the boundaries between these two tasks must be clearly defined in order to avoid role conflicts from the very beginning.
Are you looking for an ISO or CISO?
At the moment, 370 companies are looking for an information security officer (ISO) on StepStone – 180 on Indeed and 600 companies across Europe are looking on Monster.de.
Are you also having difficulties finding an information security officer or are existing external consultants too cost-intensive?
ISEGRIM X offers a cost-effective ISO-as-a-service solution from which small and medium-sized enterprises can benefit. We provide you with a certified ISEGRIM X Information Security Officer from our company. Our service can be cancelled on a monthly basis and gives you maximum flexibility.
We define the scope of services together with you in advance in a non-binding introductory meeting. You can easily book this according to your preferences via our calendar tool:
Chief Security Officer (CSO)
The range of tasks of the CSO has a different focus than that of the ISO. The CSO is responsible for corporate security. His or her main task is to ensure physical and technological stability. This includes the security of data, intellectual property, physical assets, and the protection of employees.
The CSO’s responsibilities include:
- Leading the company’s risk control efforts
- Managing and executing security protocols, specifications, policies and procedures
- Overseeing the network of security managers and contractors to secure the company’s intellectual property and database infrastructure
- Coordinating external contractors to perform impartial audits of statutory regulations and achieve compliance
- Maintaining relationships with local, state and federal law enforcement and all relevant government agencies
- Investigating and overseeing security incidents and the responses to them
Hard Skills:
- In-depth experience and knowledge in the areas of enterprise security, IT and information security, including current laws and standards
- Ideally completed studies and certification as CSO
- Basic knowledge of corporate or government tasks and procedures
- Experience in project management & ability to coordinate tasks
- Related experience in change management
- High degree of readiness for further training
The soft skills are identical to those of the CISO.
These requirements are independent of whether an internal or external CSO is contracted.
IT Security Officer or Chief Information Officer - CIO
A CIO or IT security officer develops the company’s global IT strategy. He or she ensures that all systems are working and daily business is proceeding. The aim is to achieve the company’s goals and add the most value to the business.
The responsibilities of an IT Security Officer or CIO include:
- Setting goals and strategies for the IT department to meet or, ideally, exceed business objectives.
- Working closely with individual teams and departments across the organization
- Supporting the risk management team in the implementation of measures
- Selecting and implementing appropriate technologies to streamline all internal operations and optimize their strategic value
- Planning and adapting technology systems and platforms to improve the customer experience
- Leading and developing the team in the IT organization
Hard Skills:
- In-depth experience and knowledge in IT as well as information security, including current laws and standards.
- Ideally completed IT studies and certification as CIO
- Basic knowledge of the tasks and processes of the company or government agency
- Experience in project management & ability to coordinate tasks (preferably with knowledge of risk analysis)
- Related experience in change management
- High degree of readiness for further training
The soft skills are identical to those of the CISO.
These requirements are independent of whether an internal or external CIO is contracted.
Data Protection Officer - DPO
The data protection officer is responsible for reviewing and advising the company on data protection issues. He or she pursues the goal of ensuring that the requirements of the GDPR (General Data Protection Regulation) are met in the context of the collection, processing and use of personal data.
His or her responsibilities include:
- The assumption of operational and organizational data protection consulting
- Providing advice on all data protection issues in the national (and international) context
- Setting up, introducing and continuing a data protection management system and drawing up instructions for the company to follow
- Processing inquiries, requests for information and complaints from external contractual partners, customers and employees
- Reviewing and negotiating contracts and working on corporate data protection guidelines
- Ensuring the documentation of data protection-relevant processing operations
- Support in the data protection-related drafting of contracts and supplementary agreements with external business partners as well as in employment contract regulations
Hard Skills:
- Experience and knowledge in (inter-) national data protection law issues as well as data security, incl. common standards
- Ideally a completed law degree
- Basic IT knowledge
- Basic knowledge of the company’s or authority’s tasks and processes
- Experience in project management & ability to coordinate tasks (preferably with knowledge of risk analysis)
- High degree of readiness for further training
The soft skills are identical to those of the CISO.
These requirements are independent of whether an internal or external DPO is contracted.
Corporate information security
Do you not yet know exactly which certifications you need, or would you like to learn more about one of our solutions? We will be pleased to advise you.
Clear, competent & reliable. And of course without obligation: