I saw yet another security talent shortage article this weekend and thought: it’s just another sad cyb song wrecking my brain. New college graduates and people in career transitions who are struggling to land an entry-level role email me almost daily asking some variation of this question:
If there is such a shortage, why are companies refusing to hire or train me?
I believe it will be up to the security community to provide some context about the industry that is missing from these headlines. I’ll volunteer to be the bad guy today. Before I get started, understand that I am not making excuses for the faulty hiring practices as Robert Walker so clearly articulated in this article. However, I believe it is important for prospective security professionals to understand how overlooked business fundamentals play a role in keeping you on the frustrated sidelines. Here is the truth about what those "shortage of talent” clickbait articles will not tell you: credentials ≠ desired talent. First and foremost, let’s start with the fundamentals: security is a business issue. Having a college degree or certifications does not make you valuable talent to the company trying to fill a specific skills deficit that you do not possess. Typical scenario: The manager needs a Swiss army knife engineer with experience using specific tools, such as Cisco, Tripwire and FireEye. You do not have those specific skills, but you are smart and can learn quickly. The manager will not hire you. Why? These are powerful tools that you may have a conceptual understanding of at best. If you make rookie mistakes that interrupt service for thousands of customers – and he or she hired you – that is a resume-changing event for both of you. Unlike other professions, security has these kinds of implications. The manager is evaluating the RISK of hiring you based on many factors, including the kinds of scenarios described above. That is part of the reason it is so difficult to enter the profession.
You Are a Low Return on Investment
Hiring managers have limited budgets available, and they have an obligation to use those funds to maximize the return on the company’s investment. Most companies run lean IT shops and are trying to hire one employee who can do a “good enough” job of four high-stress roles. Oftentimes, they cannot justify the cost of having to train a newbie when they can just poach talent from their competitors or promote from within. Also keep in mind that your competition may have degrees, certs, relationships in the security community, and a proven track record of thriving under pressure. The ability to thrive under pressure is key to ROI, and it is a characteristic left out of all the stories about exciting security careers. ROI plays a huge role in every manager’s decision-making process. Sorry to break the bad news: un-vetted newbies are high risk and low ROI, which makes it difficult to justify hiring.
You Keep Ignoring Business Skills 101: Relationships
Are you involved in your local security community? Are you an active member of your local chapter of OWASP, ISSA, (ISC)2 or other industry associations? Did you volunteer at the last security conference or tech user group that happened near you? Have you contributed to an open source project? Do you share knowledge? Have you demonstrated passion for the discipline in any way? The industry thrives on passionate people who give back before they need anything, and all of these activities help build much-needed industry relationships. If you have not tried any of these approaches, that could be why your application is going into the automated tracking system’s DO NOT REVIEW digital folder that gets purged without human interaction.
Your Resume Is Not Results-Oriented
Snapchat is not a skill. Instagram is not an app that an infosec hiring manager cares about. The non-technical aspects of your internship or unrelated job tasks you performed in other roles that are not relevant to the employer’s current challenges should not be on your resume. Likewise, IT buzzwords with no indication of how you APPLIED that knowledge can hurt your job search too. What did you automate? How did you improve a process? Did you build anything? Reduce costs by x amount of $$? Minimize risk or vulnerabilities by x percent? Improve OS or app security by x percent? Construct a lab environment to study malware behavior? Build a home lab and teach yourself one of the many commercial tools with free downloads available? Implement, upgrade, or integrate technology? Your resume should tell a story of results of applied knowledge to relevant business scenarios, not just knowledge acquired. If the hiring manager cannot determine how you had a positive impact or produced results, you will continue going to the ‘do not call’ pile.
Shortages Are Regional- and Product-Specific
In any industry, local supply and demand will determine your market value and availability of opportunities. For example, there is a shortage of Tripwire and Splunk talent in the Houston area. I know this because I have colleagues at both companies and recruiters contact me daily looking for experienced people to manage these products for their clients. Have you conducted market research in your area to understand the specific talent shortages in your community instead of depending on the generic assessments of the headlines? If you do not yet have specific in-demand skill sets that can enable the business from the start, managers will be reluctant to hire you.
Proposed Solutions
Yes, the hiring systems are broken. Yes, some companies have unrealistic expectations about skill levels. Yes, there are organizations that still do not take security seriously enough to pay what people are worth. Yes, I have been in the much-hated catch 22: needing a job to get experience and needing experience to get a job. I also empathize with the people who alternate between frustration and disbelief about all the work required to get into a field with so many jobs open. I will be the first one to tell you that there is no one-size-fits-all solution to the hiring challenges in the industry. However, there are steps you can take to increase your chances of landing a role:
- Relationships are key: Give back to the security community before you need a job
- Get to know people, IN PERSON, in your LOCAL security community
- Contribute to open source projects
- Publish research, projects and/or problems you’ve solved on LinkedIn, established blogs, or your own
- Volunteer at tech user groups, chapter meetings, and conferences
- Analyze local supply and demand to identify specific talent shortages in your region and “skill up”
- Expand your job search to include product companies and managed service providers
- Apply for tech support or administrator roles to get your foot in the door
Key Takeaways
I’m sorry to be the bearer of bad news but certifications and degrees alone may not help you get that first cyber role. This includes masters degrees, especially if you do not have an IT background. Broken hiring practices will be a barrier for the foreseeable future, so it is important to understand how business fundamentals impact hiring decisions and adjust accordingly. Managers are making business decisions about security hires. Understand where you are in your career search and the value you provide. You may be too low of a return on investment for the roles you’re applying for at the moment. Very few true entry-level cyber roles exist. You may have to take alternate routes into the field, such as helpdesk or tech support for a security product company. Develop relationships in your security community, including local chapters of OWASP, ISSA, (ISC)2, ISACA and tech specific user groups. Give back as often as you can. Talent takes time to cultivate. Do not mistake your credentials for talent when reading these headlines about shortages in the industry. Look at your resume and LinkedIn profile. What story does it tell? If it does not tell one of results, then take some time to improve it. Talent shortages are regional and product specific. You have to understand your local job market and skill up accordingly.
Common Responses
"But we’ll continue having these problems if the industry does not change its hiring practices!" "But why can’t companies and recruiters just do X, Y and Z instead of making people jump through all of these hoops?"
My Answer
Focus on what you have control over, like giving back, cultivating relationships and gaining in-demand skills. These are the only proven solutions to bypassing the broken hiring practices. Don’t shoot the messenger.