When it comes to hiring, enterprise security teams can use all of the help that they can rally. When hiring entry-level talent, that’s not as easy as it may seem — many times because entry-level applicants don’t do everything they could to help their cause.
For years a dearth of young professionals interested in cybersecurity has existed, but that could be changing for the better. This is both good news and bad news for cybersecurity job seekers. While the competition for these positions will be heating up (bad news), the good news (for job applicants, anyway) is that number of openings remains vast. According to the Global Information Security Workforce Study, the cybersecurity talent skills shortage remains stark. By 2022, there will be a 1.8 million worker shortage – a 20 percent increase since 2015, this Frost & Sullivan for the Center for Cyber Safety and Education survey predicts.
The good news for organizations is that more potential employees entering the workforce are interested in careers in security. A report published last fall from the National Cyber Security Alliance and the U.S. defense contractor Raytheon, Securing Our Future: Closing the Cybersecurity Talent Gap found that not only are young adults hearing about cyberattacks more often (64 percent in 2016 compared to 36 percent in 2015 within the U.S.), but awareness of what cybersecurity professionals do has increased. The number of those who have identified what cybersecurity programs are available to them and of millennials who say they are more likely to choose a career to make the internet safer have also risen. The latter is up 43 percent in 2016 from 33 percent in 2015 for men, and from 24 percent to 30 percent for women.
Whether the job market is abundant or tight, job applicants have to make the right moves to succeed and get the best position they can. To find out what security executives seek today, we reached out to those who make, or help make, hiring decisions today. He’s what they see as the most damaging things entry-level cybersecurity job-seekers do:
1. Fail to show oneself as a team player
Sounds like a no-brainer, right? It’s not. Many of the hiring executives we spoke with say that personality can – and often does – trump technical assets.
This is especially true as more and more information security roles interface with the rest of the business. It’s essential that applicants be themselves – amiable, articulate and able to prove that they can work with different areas within the organization. This is more important because as more enterprises embrace DevOps, continuous integration and delivery pipelines, security teams are working more closely with operations teams, development teams and business managers than ever before. Communication is essential.
Chris Blow, offensive security lead at Liberty Mutual, says having the so-called “soft skills” is crucial for success. “If you get hired right out of college, employers will send new hires to training on many aspects of the technology needed for their job. “You need to know how to communicate and communicate effectively. You see the situation all of the time,” says Blow. “Developers and security professionals don’t communicate well with each other and things break down,” Blow says.
2. Sell oneself as a jack-of-all-trades
“Entry-level applicants across almost all verticals of information security make the mistake of trying to be a one-size-fits-all candidate,” says Boris Sverdlik, head of security at Oscar Insurance. “Security is broken up across many verticals and even among those who are experienced. It's almost impossible to be well versed in all aspects,” he says.
[Related: 1 million cybersecurity job openings in 2017]
“The most annoying candidate is the arrogant know-it-all,” says Brian Martin, founder at Digital Trust, LLC. “I don't mind arrogance when it's earned, but not in a kid who's never been tested. In cases where we've tried to work with these types, it hasn’t ended well.”
Years ago, it was enough for an application security professional to understand the waterfall processes and a computer language. Today, they need to understand the languages, agile methodologies, as well as many aspects of the nature cloud computing in most environments today. This is because security works so closely with so many aspects of the various teams today. “Having skills around cloud, pipelines, and automation are the real key, as well as AWS, containerization and programing languages,” Martin says.
Still, the goal isn’t to position oneself as an expert in all areas, but highlight general knowledge, understanding of information security and a couple areas where you may be an expert that would best meet the needs of the organization.
3. Falling flat on job search and interviewing basics
For many CISOs such as Martin Fisher, manager of IT security at Northside Hospital, it is common for potential hires to harm themselves by flunking the basics of job seeking. “On resumes, misspell HIPAA, and I’ll toss the resume,” Fisher says. He also says that he too often encounters typos, punctuation errors and resumes laden with information that's not relevant to the role being offered.
Mike Kearn, principal security architect at US Bank, cited what job seekers don’t do when it comes to the basics of interviewing. “When I offer them an opportunity near the end of the interview to ask me anything, and I emphasize the word ‘anything,’ the majority ask me softball kinds of questions about culture or why I like working there. Missed opportunity on their part,” he says.
4. Believe certifications and degrees matter more than practical skills
“Many think that I care more about their degree or certifications than actual skills,” Kearn says, “while others are under the misguided assumption that a degree or a certification equals a job. It doesn’t."
Likewise, many entry-level applicants think technology is the hammer to squash every security risk nail. “Too many think that the solution to most problems is a technology control, rather than people and processes,” says Eric Cowperthwaite, former CISO for Providence Health and Services and currently advanced security and strategy VP at Core Security Inc.
Ben Rothke, senior eGRC consultant at Nettitude Group and former CISO, agrees. “The technology tools they have experience with are the definitive techniques for approaching information security. Not every security problem can be fixed by a firewall or IDS,” says Rothke.
5. Stretch the truth
This one certainly isn’t exclusive to information security, but it is especially silly to try to pull this off on experience security professionals who tend to be a suspicious bunch by nature. “You'll notice that they tend to exaggerate their experience to impress hiring managers; some range from slight fibs to full-blown lies,” says Sverdlik.
Kearn concurs: “A lot of them attempt to inflate or enhance their resume by saying they know someone and are connected via LinkedIn. When I press them on it, because I actually know the individual personally, they cave almost immediately.”
6. Don’t understand the highly interpersonal nature of infosec
Many entry-level applications come from workers in small businesses, and they are not prepared for or don’t seem to understand how large enterprises function. That’s fine, and it’s part of the learning process for new professionals, but keep an open and learning mindset when it comes to practicing information security at a larger enterprise. “A lot of people have expressed ways to do business that simply won't work in a large enterprise. Typically, the person would be very direct toward people who want an exception to security policy, avoid collaboration, avoid discovering why the person wants the exception, and just dictate behavior,” says Cowperthwaite.
[Related: 10 tough security interview questions, and how to answer them]
“They often don’t realize that their excitement and sometimes irrational exuberance around all things information security is not shared by most people in the organization,” Rothke says.
In the end, perhaps the most important thing is to be yourself. “Show that you have a passion for security, be it examining logs, performing code review or risk assessments, or even administering security appliances. If you are good at critical thinking and have a good technical background, learning the rest is easy,” says Sverdlik.
Let’s not forget the importance of the job interview. You’re not going to get the job if you don’t ace the job interview. Some of the biggest mistakes job-seekers make include treating each interview the same and not coming to understand the industry in which they are interviewing, or anything about the primary interviewer. Going in, you want to understand the specific challenges the industry faces. After all, the security risk and regulatory demands vary greatly from one industry to the next, healthcare and financial won’t look like a manufacturer and government is a different challenge altogether. Different companies are likely to have different challenges and maturity levels themselves. The candidate that comes in understanding this will be at a far advantage from those who do not.
In our story 10 ways to prepare for – and ace – a security job interview, we provide a lot of advice on succeeding at the interview process.