If there is such a shortage, why are companies refusing to hire or train me?

I believe it will be up to the security community to provide some context about the industry that is missing from these headlines. I’ll volunteer to be the bad guy today. Before I get started, understand that I am not making excuses for the faulty hiring practices, as Robert Walker so clearly articulated in this article. However, I believe it is important for prospective security professionals to understand how overlooked business fundamentals play a role in keeping you on the frustrated sidelines. Here is the truth about what those "shortage of talent" clickbait articles will not tell you: credentials ≠ desired talent. First and foremost, let’s start with the fundamentals: security is a business issue. Having a college degree or certifications does not make you valuable talent to the company trying to fill a specific skills deficit that you do not possess. Typical scenario: the manager needs a Swiss army knife engineer with experience using specific tools, such as Cisco, Tripwire and FireEye. You do not have those specific skills, but you are smart and can learn quickly. The manager will not hire you. Why? These are powerful tools that you may have a conceptual understanding of at best. If you make rookie mistakes that interrupt service for thousands of customers – and he or she hired you – that is a resume-changing event for both of you. Unlike other professions, security has these kinds of implications. The manager is evaluating the RISK of hiring you based on many factors, including the kinds of scenarios described above. That is part of the reason it is so difficult to enter the profession.
You Are a Low Return on Investment

Hiring managers have limited budgets available, and they have an obligation to use those funds to maximize the return on the company’s investment. Most companies run lean IT shops and are trying to hire one employee who can do a "good enough" job of four high-stress roles. Oftentimes, they cannot justify the cost of having to train a newbie when they can just poach talent from their competitors or promote from within. Also keep in mind that your competition may have degrees, certs, relationships in the security community, and a proven track record of thriving under pressure. The ability to thrive under pressure is key to ROI, and it is a characteristic left out of all the stories about exciting security careers. ROI plays a huge role in every manager’s decision-making process. Sorry to break the bad news: un-vetted newbies are high risk and low ROI, which makes it difficult to justify hiring them.
You Keep Ignoring Business Skills 101: Relationships

Are you involved in your local security community? Are you an active member of your local chapter of OWASP, ISSA, (ISC)2 or other industry associations? Did you volunteer at the last security conference or tech user group that happened near you? Have you contributed to an open source project? Do you share knowledge? Have you demonstrated passion for the discipline in any way? The industry thrives on passionate people who give back before they need anything, and all of these activities help build much-needed industry relationships. If you have not tried any of these approaches, that could be why your application is going into the automated tracking system’s DO NOT REVIEW digital folder that gets purged without human interaction.
Your Resume Is Not Results-Oriented

Snapchat is not a skill. Instagram is not an app that an infosec hiring manager cares about. The non-technical aspects of your internship, or unrelated job tasks you performed in other roles that are not relevant to the employer’s current challenges, should not be on your resume. Likewise, IT buzzwords with no indication of how you APPLIED that knowledge can hurt your job search too. What did you automate? How did you improve a process? Did you build anything? Reduce costs by x amount of $$? Minimize risk or vulnerabilities by x percent? Improve OS or app security by x percent? Construct a lab environment to study malware behavior? Build a home lab and teach yourself one of the many commercial tools with free downloads available? Implement, upgrade, or integrate technology? Your resume should tell a story of results from applying knowledge to relevant business scenarios, not just knowledge acquired. If the hiring manager cannot determine how you had a positive impact or produced results, you will continue going to the ‘do not call’ pile.
Shortages Are Regional- and Product-Specific

In any industry, local supply and demand will determine your market value and the availability of opportunities. For example, there is a shortage of Tripwire and Splunk talent in the Houston area. I know this because I have colleagues at both companies, and recruiters contact me daily looking for experienced people to manage these products for their clients. Have you conducted market research in your area to understand the specific talent shortages in your community, instead of depending on the generic assessments of the headlines? If you do not yet have specific in-demand skill sets that can enable the business from the start, managers will be reluctant to hire you.
Proposed Solutions

Yes, the hiring systems are broken. Yes, some companies have unrealistic expectations about skill levels. Yes, there are organizations that still do not take security seriously enough to pay what people are worth. Yes, I have been in the much-hated catch-22: needing a job to get experience and needing experience to get a job. I also empathize with the people who alternate between frustration and disbelief about all the work required to get into a field with so many jobs open. I will be the first one to tell you that there is no one-size-fits-all solution to the hiring challenges in the industry. However, there are steps you can take to increase your chances of landing a role:
- Relationships are key: Give back to the security community before you need a job
- Get to know people, IN PERSON, in your LOCAL security community
- Contribute to open source projects
- Publish research, projects and/or problems you’ve solved on LinkedIn, established blogs, or your own
- Volunteer at tech user groups, chapter meetings, and conferences
- Analyze local supply and demand to identify specific talent shortages in your region and “skill up”
- Expand your job search to include product companies and managed service providers
- Apply for tech support or administrator roles to get your foot in the door