Category Archives: Sourcing

niche job boards value

SHRM Examines The Value of Niche Job Boards

This article originally appeared on SHRM here.

Niche Job Sites Still Valuable as Legacy Boards Fade

By Roy Maurer

Smaller, atypical job boards segmented by industry and region help target relevant talent but require more proactive work from recruiters to be truly effective.

Staffing firm Randstad’s 2016 acquisition of an ailing Monster—one of the original behemoth online job boards—and indications that the sole remaining mega-board CareerBuilder is also for sale have reignited discussions on the recruiting blogosphere about the decline of the model.

“The big job boards are not exactly the darlings of the recruitment industry these days,” said Chris Russell, a recruiting technology and job board consultant with RecTech Media, based in Trumbull, Conn. Russell curates a free database of more than 1,100 job boards.

“Recruiters are balking at their high prices and the many unqualified candidates that they generate.”

But savvy talent acquisition professionals know that not all job boards are waning, and in fact, smaller niche boards that cater to specific regions, membership associations, specialized industries and types of contracts are a valuable tool for recruiters. Examples of niche boards include AllRetailJobs, CollegeRecruiter, JobsInLogistics, Medzilla, GitHub and Minnesotajobs.

“Niche job boards are particularly useful for cutting through the clutter and finding talent for hard-to-fill roles, specialized positions, specific industries—or to tap into unique candidate audiences, such as military veterans,” said Susan Vitale, chief marketing officer at Matawan, N.J.-based recruitment software provider iCIMS.

“Niche boards will always play a part in recruitment advertising,” Russell agreed. “By posting jobs or searching resumes on these sites, the employer has access to a targeted pool of candidates on demand.”

[SHRM members-only how-to guide: How to Target Passive Job Seekers]

But recruiters might be wasting their time if they treat these sites as they would Monster or CareerBuilder. “If you are going to a niche board and throwing up a generic job ad and expecting big results, you’re probably going to be disappointed,” said Jessica Nettleton, recruitment media strategist at end-to-end recruitment services firm Decision Toolbox.

“If recruiters actively source from niche boards and proactively engage with potential candidates, then [the boards] can be a huge value,” she continued. “It’s not a ‘post-and-pray’ situation. You won’t reach the numbers that you would by using a bigger job board, but you will probably reach the right candidates. If recruiters do the work, they will see a ROI [return on investment].”

Quality over Quantity

Recruiters are often frustrated with having to sift through a massive amount of unqualified applicants to find suitable candidates. Niche boards don’t boast the traffic of sites like CareerBuilder and Monster but are more likely to attract candidates with specialized skills and relevant experience, leading to lower cost-to-fill and higher quality-of-hire, according to experts.

Amber Hyatt, SHRM-SCP, director of product marketing for SilkRoad, a talent management system, noted that niche job boards may be a particularly effective way for organizations to snag candidates in high-demand industries, or to help ensure that companies meet their compliance goals regarding diverse candidates and veterans.

A recent survey conducted by iCIMS revealed that military veteran job boards are one of the top sources veterans use when searching for a new position. “Employers should make it a priority to showcase their brand on these types of niche job boards to find and attract best-fit talent,” Vitale said. iCIMS partners with job-distributing engines like JobTarget and eQuest to enable employers to post their jobs on many boards, including niche sites.

“The targeted aspect is the main benefit, whether we are talking about an industry-specific candidate or one where location is a big factor,” Russell said. He added that in his experience, niche sites are more approachable and do more to engage their clients. “One of the big ways they contrast with bigger sites is customer service. When I ran my boards in the 2000s, I knew a lot of my customers by first name and I also met many of them in person.”

bridging the talent gap in cybersecurity Domini Clark SC Magazine

Bridging the Talent Gap in Cybersecurity: Domini Clark to SC Magazine

InfoSec Connect founder Domini Clark  contributed a byline article to SC Magazine, sharing her tips on how employers should be bridging the talent gap in cybersecurity.

The article originally appeared here, and an excerpt is below.

***

Major companies are investing to increase diversity in their workforce, says recruiter Domini Clark.

The talent gap in technology came into sharp relief in 2014 when Google, Yahoo! and Apple, among other industry leaders, started releasing data on diversity among their employees. All three companies are investing in increasing diversity and they are making progress, but the problem won’t be solved overnight. As you might expect, the problem is particularly acute in cybersecurity, where the scarcity of talent is hard to over-estimate.

According to the Bureau of Labor statistics, of the employed adult population, about 47 percent are women, 12 percent are African-American, 16 percent are Hispanic and 5.8 percent are Asian-American. In contrast, the National Cybersecurity Institute reports that women make up only about 20 percent of that profession and African-Americans, Hispanics and Asian-Americans combined make up only 12 percent.

Make your environment welcoming – If those industry giants are challenged, what can the rest of us do? A good first step is a long, hard look at your own organization. Even if there is no active discrimination, lack of diversity can make cybersecurity departments look like good ol’ boys clubs, further discouraging members of under-represented groups from pursuing careers in this space.

Leaders in the field need to make a point of integrating and welcoming women and minorities, ensuring that they are engaged, contributing members of the team. “Women at the senior level are beacons for other women,” says Elizabeth Ames, the Anita Borg Institute’s senior vice president of marketing, alliances and programs. Undoubtedly this is true for people of color as well.

Outreach and engagement – Another strategy is to promote outreach programs that engage women and minorities. According to the Wall Street Journal, big banks like J.P. Morgan Chase and Citigroup are getting results through programs targeting different groups. Some have even started “re-entry” programs to attract women who took a career break to care for dependents or others.

You might post openings on job boards of associations and magazines, like the National Black MBA Association, Ascend Pan-Asian Leaders, National Association of Professional Women, Association of Latino Professionals for America, and others. For entry-level roles, recruit from colleges and universities that have large numbers of students from underrepresented groups.

Enhance your employment brand – Members of under-represented groups can promote their own interests by getting involved with organizations like the Women in Security special interest group within ISSA, Women in Technology (WIT), Blacks in Technology (BIT), the International Consortium of Minority Cybersecurity Professionals (ICMCP), and others. Your company should also get involved in these kinds of organizations to establish a reputation for supporting diversity in cybersecurity.

According to Sharon Florentine of CIO.com, two other big issues are: access to and the cost of training. Even entry-level classes can cost thousands. However, organizations like Cybrary.it and SANS CyberAces are trying to fight that by offering free online courses covering the most current topics.

Women and minorities should be encouraged to explore cybersecurity at a young age. Melinda Gates, for example, recently launched a new initiative to attract and retain women in tech fields, citing a “leaky pipeline” in education as a key issue. According to her, solutions have to start at the elementary school level. If your company has an opportunity to attend career events at high schools and even middle schools, be sure to promote the field. If you can send employees who represent the target demographics, so much the better.

The demand for cybersecurity talent will continue to grow, and it is in everyone’s interest to promote growth on the supply side.

attract cybersecurity talent

Looking to Attract Cybersecurity Talent? Enhance Your Covert Ops. Domini Clark to The Staffing Stream

InfoSec Connect founder and cybersecurity recruiting expert Domini Clark shared her tips on how to attract cybersecurity talent in a recent article in The Staffing Stream.

Excerpt from the article:

Cyber-attacks are on the rise, with a 38% jump in security incidents from 2014 to 2015. Companies in all industries are vulnerable, regardless of size – some 43% of attacks target small business. Attacks can cost into the millions for a single data breach, and more than half of these costs are related to lost business due to customer churn.

Since the best approach is prevention, it’s clear that cybersecurity needs to be part of your IT program. Finding the right talent is not so clear. Cybersecurity professionals are a unique group, so you’ll need a recruitment approach that is different from what you’re using with other positions.

A Unique Profile

The best in the trade think like the criminals they oppose, enabling them to anticipate hacker tactics and identify chinks in a system’s armor. Insiders joke that superstars have an “evil bit” (as in bits and bytes) in the code of their personalities. “Paranoid” is too strong a word, but they tend to be hyper-cautious, and some take pride in operating under the radar.

Very few post résumés, so you’ll need to leverage your best networking skills and hardcore power searching techniques. Be creative, Sherlock. But don’t email a link — they don’t click on links from unknown sources. Send a PDF with instructions for connecting with you.

Sell, Sell, Sell

Some estimate that half of cybersecurity professionals get a recruitment call at least once a week. If you reach out with a standard list of duties and requirements, your message will wash out among all the other background noise. You have to court talent in all areas, especially with hard-to-fill roles. Don’t think of it as a job posting, think of it as a sales pitch. Instead of focusing on what your company needs, lead with the selling points that will engage your target audience.

In general, cybersecurity professionals want the opportunity to:

  • Take on intriguing work that is varied and unique.
  • Try new tools and techniques to keep up with the ever-evolving threat landscape.
  • Do more than just scratch the surface, including taking some deep dives into systems and code.
  • Work remotely, even if only two or three days a week.
  • Receive recognition and rewards, like the rest of us.

Apply Social Media Liberally

The content doesn’t have to be about job openings. Think of social media as digital pheromones that make your company attractive. Have team members in all disciplines share their ideas and insights. Blogs and tweets help establish your company as a thought leader, enhancing your brand.

But be sure to target the cybersecurity community specifically, including forums and discussion groups. Encourage your existing cybersecurity and IT talent to write blog posts and white papers on the topic. Spray those pheromones where they’ll get the best results.

Stay Loose

With a pool this small, you can’t run an effective search if you focus only on screening people out. Loosen the requirements. For example, since security threats are constantly evolving, a degree probably isn’t as important as current experience. Another tactic: Instead of asking for five to seven years of experience, ask for three to five and highlight the opportunity for career growth.

Hopefully you weren’t expecting fast and easy tips for recruiting cybersecurity talent. You’ll have to invest time and money, but you can think of it as insurance against multi-million dollar losses.

talent mapping

Talent Mapping, Staying Ahead Of The Game

By Guest Blogger: Natalya Kazim, Ph.D

Similar to a map of the world, talent maps are a visual guide to help us understand our competition by drawing out their landscape. It can be defined as a form of competitive intelligence that combines both an aspect of sourcing and pipelining. Talent mapping serves as proactive scouting of candidates within a particular industry sector and for us to understand what talent is the best of the best.

In a new age of recruitment, the good ole days of post and pray no longer exists. Over the last several years, talent mapping has evolved as a way to stay ahead of the game.

Identify gaps:  A complete assessment of current talent pool within the organization. It is important to see where gaps may exist prior to mapping. Also in consideration should be succession planning and what gap this will present in the future. Once these gaps are identified, sourcers can hone in on the desired and targeted skill sets early on. What are the key elements of the organization’s long-term goals and business strategy?

Create your World Map:  Talent mapping will visually show us side by side comparisons of competitor employees within an organization or particular functional group and how they are connected within their teams. After identifying competitors that have a similar role within the particular industry and particular functional group, you begin piecing your map together. For example a detailed talent map for a vice president of managed services within the human resources consulting space would list the VP’s name but then build his organization out levels deep to include the directors and managers within his team. Additionally, salary and geographic location would be included. Additional insights on industry trends or information on any specific benefits offered that may incentivize them would be listed.

Use Your Map: Research studies have shown that mapping helps to improve candidate quality and how quickly jobs can be filled. Mapping begins prior to recruitment, defining the best talent within the industry so that once there is an active role, engagement can begin immediately. Instead of being in reactive mode, mapping gives us all of the information at our fingertips. Reaching out and engaging with “right fit” candidates at the inception of a search will speed up the process of getting a hire which in turn leads to organizational cost savings. Your map can also be used to as a visual to demonstrate to hiring leaders the talent climate within the industry.

Resources:

Linkedin: This is of course the obvious.  There is much to be found by simply following competitor pages such as recent promotions, new hires and those that have left.

Glassdoor: This is a great tool to research jobs and understand salaries at a competitor.

Twitter:  Provides great insights on industry trends and news about what changes are happening at competitors.

Slideshare:  Who within competitor is presenting.

Owler: Create lists to receive automatic emails and information on competitors that you are keeping your eye on.

I challenge you, on your next executive role, develop a talent map and see how priceless this information is. Use your visual map to show your managers what exists and what doesn’t. Stay ahead of the game and have your top industry candidates ready for engagement as soon as your roles are opened for active recruitment.

 

Republished with permission from Natalya Kazim

Natalya Kazim is a Sourcing Consultant with 15+ years of experience in the Recruitment world. She has had the opportunity to work in several Fortune 500 companies to help lead the initiative to develop their sourcing function.  Natalya is passionate about learning new, innovative, and efficient ways deliver the best quality results.  She has served as both a Mentor and Trainer sharing her wealth of information to help others succeed. She has a strong background in advanced sourcing, competitive intel research, organizational charting, market analysis, candidate information retrieval, and passive candidate engagement . Natalya resides in the Washington, DC Metro Area.

Drawing Underrepresented Groups from the Shadows To Build the Cybersecurity Talent Pool

If you’ve been following this series, it should be clear by now that cybersecurity talent represents one of the biggest needs in IT but also one of the smallest talent pools. In Parts 1 and 2 I shared advice for attracting cybersecurity professionals to fill those right-now needs. Taking a longer term view, the demand will continue to grow, and it is in everyone’s interest to promote growth on the supply side as well.

Women and other underrepresented groups comprise a large, untapped talent pool. According to the National Cybersecurity institute, the U.S. Department of Labor’s 2015 population survey indicates that women hold only 19.7% of cybersecurity jobs, while African Americans, Asian Americans and Latinos combined hold only 12%. Women alone represent more than half of the U.S. population, so the potential numbers are out there.

Adjourn the Good ‘Ol Boys Clubs for Good

Discrimination is only one factor. For example, women continue to choose careers in traditional areas such as education, healthcare and social work. Just the same, lack of diversity can make cybersecurity departments look like good ol’ boys clubs, further discouraging members of underrepresented groups from pursuing careers in this space. Those who do often feel like the “odd stepchild” of a team or department. People in these situations report feeling as though their voice is not heard.

Leaders in the field need to make a point of integrating and welcoming women and other underrepresented groups, ensuring that they are engaged, contributing members of the team. One way to do this is to hire and/or develop members of underrepresented groups into your leadership ranks in IT and, ideally, cybersecurity. “Women at the senior level are beacons for other women,” says Elizabeth Ames, of the Anita Borg Institute for Women in Technology. Undoubtedly this is true for people of color as well.

Proactive Engagement

Another strategy is to implement targeted outreach programs. According to the Wall Street Journal, big banks like J.P. Morgan Chase and Citigroup are getting results by hosting events and programs targeting different groups. Some have even started “re-entry” programs to attract women who took a career break to start families.

Post openings on job boards of associations and magazines like the National Black MBA Association, Ascend Pan-Asian Leaders, National Association of Professional Women, Association of Latino Professionals for America, and others. For entry-level roles, recruit from colleges and universities that have large numbers of students from underrepresented groups.

Diversify Your Employment Brand

Members of underrepresented groups can promote their own interests by getting involved with organizations like the Women in Security special interest group within ISSA, Women in Technology (WIT), Blacks in Technology (BIT), the International Consortium of Minority Cybersecurity Professionals (ICMCP), and others. If your company is serious about attracting diverse talent, you should get involved in organizations like these — establish a reputation for supporting diversity in the cyberspace profession.

According to Sharon Florentine of CIO.com, two other big issues are access to and the cost of training. A one-week class can cost $5,000. However, organizations like Cybrary.it and SANS CyberAces are fighting this by offering free online courses. As I suggested in Part 2, companies can enhance their employment brand by providing training in general — combine that with targeted recruiting, and your company could become recognized for being a trailblazer.

Most commenters on this topic agree that women and underrepresented groups should be encouraged to explore cybersecurity careers at a young age. Melinda Gates, for example, recently launched a new initiative to attract and retain women in tech fields, citing a “leaky pipeline” in education as a key issue. Your company should attend career events at high schools and middle schools, ideally sending employees who represent the target demographics.

This post only scratches the surface of a large and challenging issue. If you have strategies that working for you, please share them, below.

Connect with Domini on LinkedIn.

recruiting cybersecurity professionals

Unclassified at Last: A Field Agent’s Guide To Recruiting Cybersecurity Professionals

This blog series on recruiting cybersecurity professionals kicked off in Part 1 with some sobering facts about the frequency and cost of cyber-attacks in the U.S., underscoring the urgency of recruiting talent in this space. You probably know that demand far outweighs supply. In that post I shared some tips for recruiting cybersecurity professionals, and here I’ll share even more. Then stay tuned for Part 3, where I’ll explore a resource pool with rich promise: women and other groups — more than half the population — are sorely underrepresented in the cyberspace professions.

Invest or Be Hacked

Many executives still clench at the idea of throwing more money at a “cost center” like IT, but the threat of cyber-attacks is very real. The 2016 Ponemon Institute Cost of Data Breach Study recommends treating the cost of data breaches as a permanent cost, and budgeting accordingly. They also claim that the average cost of a single data breach in 2015 was $7 million, across all businesses, small to enterprise. If it saves you $7 million, the ROI on paying a couple of cybersecurity professionals turns this investment from a drainer to a no-brainer.

Keep those unclenching exercises handy, as you’ll also need to be prepared to pay premium. Cybersecurity professionals know what they’re worth, and it’s pretty high in the IT pay bands. The gap between supply and demand is daunting; according to Cisco’s 2014 Annual Security Report, there are between 500,000 to 1 million unfilled cybersecurity positions in the U.S., and that gap is expected to grow. You may be reluctant to pay market value, but if your competitors will pony up, you’ll be stuck on the wrong side of the firewall.

While the purse strings are loose, be sure to include professional development opportunities, such as ongoing training and conference attendance. Not only will it give you an edge in the talent market, but it also will ensure you cybersecurity staff stays current. Threats are constantly evolving and what your people learned last year is already outdated. Can you afford to leave your company’s assets vulnerable?

If you’re still with me after that dose of dire reality, you’ve earned a reward: more tips for recruiting cybersecurity professionals.

Maintain a Robust Presence on Social Media 

This is good general recruiting advice, but be sure some of your efforts target this group. Join cybersecurity forums and discussion groups, for example. Encourage your existing cybersecurity talent and ranking IT leaders to write blog posts and white papers on the topic. This will help enhance your organization’s credibility as an employer of choice among cybersecurity pros.

Loosen the Requirements on Your Search

Tough sell, I know, but focus on the fact that experience is probably more important than a degree. Instead of asking for 5 to 7 years of experience, ask for 3 to 5 and highlight the opportunity for career growth. Conversely, consider hiring right out of school and promote the opportunity to gain hands-on experience alongside your existing resources.

Build for the Future 

Don’t let your urgent needs keep you from looking ahead. This is an ambitious suggestion, but consider offering on-the-job training to turn raw recruits into cybersecurity sleuths. It will be a major investment in your employment brand. Larger corporations, for example, can implement internal training programs that develop cybersecurity professionals from interns, while smaller companies can use outsourced training.

You can try retraining existing IT staff, but keep in mind that success in cybersecurity takes a certain mindset. Ideally you have a System Administrator who can channel her inner hacker and ask, “What would I do if I wanted to get past these security measures?”

In the final installment I’ll continue in the big picture, forward-thinking vein, and explore ways to draw more women and other underrepresented groups into the profession.

Connect with Domini on LinkedIn.

Engaging Cybersecurity Talent

Undercover Recruiting: Tips for Engaging Cybersecurity Talent

It can be easy to think of cyber-attacks as something that only happens to other companies. Unfortunately, a more realistic view is not whether it will happen, but when it will happen to your organization. Cyber-attacks are on the rise. PwC’s Global State of Information Security Survey 2016 stated that, across all industries, there were 38% more security incidents in 2015 than in 2014.

It doesn’t just happen to giant corporations like Yahoo!, Sony and T-Mobile. SmallBizTrends.com claims that 43% of attacks on businesses target small business. Large or small, it can cost you plenty. The average total cost of a single data breach was $7 million — up from $5.4 million in 2013 — according to the 2016 Ponemon Cost of Data Breach Study. More than half of these costs are related to lost business due to customer churn.

The best approach to cyber security is to prevent the hacks, attacks and breaches. However, as you probably are aware, there simply aren’t enough talented IT security professionals available to do this work. In the first two parts of this three-part blog I’ll provide some tips for optimizing your efforts to recruit cybersecurity talent right now, as well as some longer-term suggestions for attracting more people to this field. In part three I’ll explore some ways of promoting inclusion and integration of including women and other underrepresented groups — well over half the working population — into the profession.

Making Contact: “I’ll Be the One with the Red Carnation”

The best cybersecurity professionals think like criminals. The joke in the industry is that superstars have an “evil bit” (as in bits and bytes) in the code of their personalities. They know better than to have a high-profile online presence. “Paranoid” is too strong a word, but they tend to be hyper-cautious, and some take pride in operating in “stealth mode.”

You won’t find their résumé on CareerBuilder or LinkedIn, so you’ll need to leverage your best networking skills and hardcore power searching techniques. If your quarry thinks like a criminal, you have to think like Sherlock Holmes to track them down. Don’t email them a link to apply — they won’t click on a link from an unknown source (and neither should you). Send them a PDF with instructions for connecting with you.

They’ve Heard it All Before

The demand for these professionals means that they are constantly hearing from recruiters. InformationWeek’s DarkReading.com cites new research by Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) indicating that about half of cybersecurity professionals are contacted by a recruiter at least once a week. If you post a standard HR job description of duties and requirements, it will wash out among all the other background noise.

In today’s talent market you have to court talent, and that is triply true of cybersecurity professionals. Don’t think of it as a job posting, think of it as a sales pitch. Resist the ingrained habit of listing what your company needs, and focus instead on what will engage the interest of your target audience.

What They Want and When They Want It

Your pitch should appeal to this group’s common hot buttons:

  • They want to do intriguing work that is varied and unique — let them use their devious creativity to your company’s advantage.
  • They want to try new tools and techniques to keep up with the ever-evolving threat landscape. If you’ve got the coolest technology, your pitch should highlight that.
  • They want to do more than just scratch the surface . . . offer them opportunities not only to look under the hood, but also to take some deep dives into your systems and code.
  • They want the option to work remotely. Your organization may cling to traditional models, but if virtual options give you an edge in the talent war, it’s time to loosen up.
  • They want to know that the organization appreciates and values their contribution — like other employee in your company. If you don’t have a proactive recognition and rewards program in place, now’s the time.

In Part Two I’ll share more recruitment tactics and strategies, as well as some ideas about building a longer-term talent pipeline, including attracting more women and underrepresented groups to the cybersecurity profession.

Connect with Domini on LinkedIn.

Infosec Candidates

InfoSec Candidates Say: You Snooze, You Lose!!

Increase Your Success Rate of Hiring Infosec Candidates

Okay, we all get it, it’s a tight labor market and information security and the demand for infosec talent is far outstripping the supply of information security professionals available.  This is causing a huge shift in mindset for many HR departments round the globe.  No longer can you run a candidate through 5 interviews over 2 months and expect them to be sitting on the sidelines patiently waiting for you to make a decision.

Smart companies are making BIG changes.  After losing top tier candidates to competitors, one company decided to speed up the process and take more risks in order to hire more, better candidates.  What had been at least a three-month interview process with a consensus hiring posture involving four different Directors, has become a two-week process from interview to offer.

In this case, one Director is in charge of the process and the timing is closely monitored by the CEO, who is deeply invested in making hiring work.  Once a candidate is presented to the Director, the clock starts.  Initial interviews are held within days, an onsite interview is scheduled for the next week and the offer is prepared and available for delivery at the time of the second interview with the hope that there is mutual interest.

Here is the skinny on what makes this work:

  • Executive buy-in (this cannot be stressed enough)
  • Flexibility in HR process
  • Risk tolerance
  • Team participation
  • Candidates are prepped for a swift hiring decision
  • Firing decisions with “bad hires” are handled swiftly

Without all pieces in place, this process does not work.  Leadership MUST take the lead in a cultural/process shift of this nature.  Everyone in the organization must know that the risk of losing top tier talent is far more caustic than the possibility of a making a bad hire. Most of us have policies in place that afford us the ability to remove bad hires from our organizations, yet we are loathe to utilize them.

Take a risk.  Your competition is starting to get the hint and you might get left behind!

hiring in information security

Hiring in information security

In this tough information security market, many organizations make the mistake of approaching talent the same way they approach all other organizational hiring. The truth is, you can’t hire quality information security talent the same way you hire customer service reps. If you just run an ad pulled from the job description HR gave you, don’t be surprised when the top talent you’re searching for is not interested.

Continue reading Hiring in information security

Information Security Candidate Sourcing

Information Security Candidate Sourcing: The Long Game

Whether you’re sourcing for one organization or many, it is important to recognize talent even when you don’t have a position to fill right this minute.  It’s tempting to set those people aside and think that you’ll come back to them when you need them.  However, taking a little time with someone you see something special in may pay dividends in the future. Continue reading Information Security Candidate Sourcing: The Long Game