“Cyber talent crunch challenges CIOs,” says one headline. “Businesses vulnerable due to talent shortage,” screams another. Intel even published a report revealing, among other things, that 82% of IT professionals confirm there is a shortfall in information security talent. And yet, at every information security conference I attend, I find no shortage of unemployed and—worse—underemployed talent.
It’s a startling disconnect, one that I see in hardly any other industry, and it’s one that is entirely self-inflicted. I see three major industry issues in information security recruiting: over-filtering, job descriptions that are out-of-step with the actual job requirements, and an over-reliance on certifications.
I’ll begin with a personal story. When I started my career in the IT industry at Microsoft in 1999, the MCSE was all the rage. In fact, Microsoft recruited me in large part because I’d written two MCSE test prep certification books while I was still in college. MCSEs could command improbably high salaries on the strength of their certification alone. And then two things happened.
The tech crash of 2001 required companies to sharpen their focus on results delivered, which were often not correlated (or were even negatively correlated) with the high salaries paid to MCSEs. Additionally, right around the same time that this was happening, the job market became flooded with newly minted MCSEs from “certification mill” boot camps. These were folks with no real IT background or skills, just the ability to borrow thousands of dollars to obtain a certification that was of dubious value at best.
I survived the tech crash in part because Microsoft, unlike many other companies, continued investing – they (correctly) saw the crash as temporary and a golden opportunity to vacuum up top talent they’d otherwise have difficulty recruiting. But in part, I also survived because I was developing real, fundamental IT skills in one of the most challenging IT organizations on the planet. It was the beginning of a career that would land me in one of the highest IT roles in the company, managing the “best-of-the-best” Microsoft Research Asia IT team in Beijing.
And I still don’t have an MCSE. Even though I have written two books on the topic. Even though I had a stellar IT career at Microsoft, eventually running one of the top IT organizations on the planet. At some point, it starts to matter a lot more what you can deliver (and the way you deliver it) than what certifications you have, so they just became irrelevant to my career.
For my part, I reached that point at the end of my first year at Microsoft. And yet, if for some reason I wanted to shift my career focus to information security—something that has been a key component of every IT role I have held for more than a decade—I’d likely be filtered out as a candidate. I don’t have a CISSP or, for that matter, any popular industry certifications.
Granted, I have quite a bit of security experience and understand the hacker world very well. After all, I have been to every DEF CON (starting from the very first) and am the founder of a major event there. I write a telecommunications column for a well-known quarterly information security magazine. What’s more, I’m even the CEO of PCPursuit, a stealth-mode information security startup. No matter. Without a popular industry certification measuring my knowledge on, among other things, the proper height of a cyclone fence (something no IT security manger I’m aware of has ever been involved with), I wouldn’t be able to get an IT security job. And this over-reliance on certifications doesn’t extend only to full-time hires. It is starting to creep as a requirement into consulting engagements, as well.
There may be some value in certifications for entry-level hires, but they mean very little as a filter. We’re already starting to see “boot camps” and “certification cruises” pop up. I have seen this movie before; it’ll result in a tidal wave of applicants with fancy expensive certifications but little or no practical experience. Some may find successful careers in information security, but if past experience is any guide, most will waste a lot of time and money.
The second problem in information security hiring is insisting on over-qualified applicants. If your job description consists of a superhuman combination of deep skills in entirely different verticals, the problem isn’t a talent crunch—it’s your inappropriate expectations. The vast majority of information security today is carried out by IT managers and administrators who perform IT security as one of the many tasks for which they are responsible. However, most of the folks who are already doing these jobs are filtered out of newly created roles at many organizations, and this is absolute madness. Obviously, given the now-critical role of information systems in essentially every modern business and the high visibility of data breaches, information security is beginning to gain some visibility.
However, you don’t fix information security problems in most organizations by hiring an offensive security specialist who is, for example, skilled in a specific combination of penetration testing tools (among all of the other job requirements you have listed). This is a highly-specialized skill that, if you need it at all (which in most organizations is doubtful), you should bring in on a consulting basis. Requirements like these—often supplied by recruiters—simply filter out the best-suited people who are already working in your organization and can grow into the role.
What’s really needed in most organizations is a strong information security generalist who can accept and exercise clear ownership—someone who clearly understands the information security problem space, who can develop an effective information security program that is appropriately tailored to the organization, and who has both the authority and the ability to bring in specialized resources as needed. And—most importantly—who reports through a different organizational structure than the IT organization (because it doesn’t work to have your regulator reporting to management of the organization she is regulating). Unfortunately, far too many organizations are publishing job descriptions that look a lot alike and are entirely out of step with not only their actual needs but what is reasonably available on the market.
The final problem in information security hiring is over-filtering. In addition to requiring certifications of—at best—dubious value, many organizations impose additional filters. For example, a college degree is required. In addition to this, they require a completely clean criminal history. And finally, organizations look for candidates with prior experience in pure information security roles. Unfortunately, all of these things are entirely wrong for the technology industry and particularly information security. Brilliant technologists often skip school and go straight to work. Neither Bill Gates nor Steve Jobs finished college.
The best hackers push boundaries and break rules, especially when they are young. This is what makes them really good at their roles, but it can often also lead to brushes with the law. And on top of all of that, did your organization have a pure information security role until you posted the job description for one?
Guess what: outside of a few select industries (banking, telecommunications, software, and the defense industry), very few companies have specialists like these. Your best candidates may instead be IT generalists with broad exposure to a variety of information systems and the security challenges involved. And they may already be working in your organization.
There isn’t a shortage of available information security talent. Stop writing articles claiming there is. Don’t believe self-serving studies commissioned by companies trying to sell you products and services to fill the talent gap. And for heaven’s sake, stop complaining to your boss that you can’t find anyone who is qualified. Instead, look in the mirror, talk with your HR department, and set your expectations in line with where the best talent actually is.
If you want to recruit the best information security specialists in the world, for heaven’s sake, overlook that 10-year-old conviction for marijuana possession and show up at DEF CON to recruit. The best candidates are there, and if you’re not there making the best offers, today’s overlooked talent (which isn’t exclusively junior) will become tomorrow’s data breach.
About the Author: Robert Walker is the founder and CEO of Seattle-based PCPursuit, a startup backed by top infosec accelerator Mach37. He was previously IT manager for Microsoft Research Asia, and was a Microsoft employee for over 13 years. Robert believes that security works better when it is easier to use.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.