Why generalist recruiters keep getting cyber wrong

Specialist hires stay 25% longer. Most cyber roles run through generalist desks for 6 to 9 months before reaching a specialist. Here's the gap that creates – and what it costs your programme.
The CV that lands on the hiring manager's desk lists "Cyber Security" five times. The candidate has never handed over a SOC shift, never written a SIEM correlation rule, never sat in front of a board after an incident. This is what the generalist Cyber Security pipeline looks like.
It is not malicious. It is structural. A generalist recruiter who covers cyber alongside software engineering, data, finance and infrastructure cannot, by definition, know the field deeply enough to tell the difference between a GRC analyst and a SOC L3. The keywords on a CV are all they have to work with. And the keywords lie.
The keyword problem
A generalist recruiter searching their ATS for "Cyber Security" will get fifteen profiles. Two of them will be relevant. Most won't. The CV that says "managed Cyber Security across the business" might belong to a former SOC manager. It might equally belong to an IT generalist who set up a firewall once.
Distinguishing the two is the work of Cyber Security recruitment. It requires asking the right second question. It requires knowing that an analyst with three years on Splunk and one year on Sentinel is a different proposition from one with four years on QRadar. It requires recognising when a candidate's claimed Penetration Testing experience is mostly running automated scanners versus genuine manual exploitation. A generalist cannot reliably do this, and a fifteen-CV long list arrives unfiltered on the hiring manager's desk.
The cost is felt in two places. The hiring manager spends hours filtering noise. And the programme loses weeks while the wrong people work through the interview pipeline.
The vocabulary gap
Cyber Security has a working vocabulary that has taken a decade to evolve. A specialist can tell, within ninety seconds of conversation, whether a candidate has lived inside a SOC or read about one. The difference is in how they describe their work – the language, the references, the unconscious shorthand.
A generalist recruiter doesn't have the vocabulary to make that judgment. They have to take the candidate's claims at face value and pass them on. The filter that should sit between candidate and client doesn't function. Hiring managers end up doing the screening that should have happened upstream.
It also shows up in candidate management. A senior Security Architect doesn't want to be sold a role by a recruiter who clearly doesn't understand the difference between Zero Trust and a VPN replacement project. The recruiter is, in effect, signalling that they're not a credible partner for the rest of the candidate's career. The candidate walks. The role stays open. Nobody learns why.
The network gap
The hardest part to replicate from outside cyber is the network. The 30,000 Cyber Security professionals in the UK who are genuinely employable at senior level know each other, in the loose, multi-hop way that any small professional community knows itself. They have moved between five firms in their careers, attended the same conferences, endorsed each other on LinkedIn and been taught by the same handful of trainers.
A specialist firm has spent years inside that network – placing, advising, staying in touch between placements, attending the events, knowing who's about to come free at the end of a contract. A generalist firm doesn't have the time to invest in any single community to that depth, because the same desk also has to cover ten other disciplines.
The network is what gets a senior contract closed in 24 hours. It is what makes the difference between a long list of "available" people and a short list of "available and right" people. It is the asset a generalist cannot build at the same time as covering everything else.
What the data says
Generalist routes take six to nine months to fill specialised cyber roles. Specialist routes regularly fill the same roles in under a quarter. Specialist hires also stay 25% longer, according to LinkedIn's Global Talent Trends data – because the match was right at the point of hire, not negotiated into being acceptable.
Compound that across a year of cyber hiring. A team running three or four cyber roles a year through a generalist desk loses, on average, twelve to twenty months of capability across the programme. That isn't a recruitment problem. It is a board-level capability problem.
When generalists are the right answer
It would be unfair to leave it at "generalists fail at cyber". They don't fail at everything. They are often the right answer for high-volume, well-defined hires where the role is closer to the centre of the IT talent market. A first-line IT analyst, a project manager with no security dimension, a service desk lead. The further you move from there, into the deeper end of cyber, the more the specialist matters.
The signal that you have crossed into specialist territory is straightforward. If the brief contains a specific clearance level, a specific stack, a specific compliance regime, or a named cyber discipline that requires three years of focused experience, you are in specialist territory. Putting that brief on a generalist desk wastes everyone's time.
Where invitise sits
We focus on three lead cyber disciplines: Security Architecture, SOC and Security Operations, Security Engineering. We do not cover everything. We commit to briefs we can do justice to.
Every brief is handled at senior level by someone who has spent their career in Cyber Security and can tell, in a 15-minute call, whether the role is properly scoped, what the market is on rates, and whether we can deliver. A short list, every time, with the work done before it lands on your desk.
