InfoSec Hiring Needs to Change (Opinion)

#1

Hello Everyone, my name is Josh Rickard (Security Research Engineer @Swimlane) and I wrote this opinion piece about the current hiring practices for InfoSec Professionals and why/how it needs to change. Let me know what you think!

InfoSec Hiring Needs to Change

The Information Security community is diverse. We all come from a unique background and may or may not have degrees in Computer Science. Either way, Information Security Professionals have one thing in common–passion.

A few days ago a fellow Swimlaner shared this picture:

This is funny, right? Certifications in many careers are needed as part of minimum requirements, but in InfoSec I continue to see companies missing out on some amazing talent that doesn’t have certifications. If only they would give them a chance.

When I see hiring managers/recruiters posting job requirements like those in the post by Ming Y. Chow titled Hall of Shame Job Postings and Recruiting, I laugh. What are they thinking? If your organization has job postings similar to these, then you’re missing out on a lot of great talent!

You cannot expect an entry-level security analyst to have 5+ years’ experience, be an expert in DevSecOps, and hold any of the trademarked standard certifications (e.g. CISSP, GIAC, OSCP, et al.). First of all, you cannot even take the CISSP exam unless you have 5 years’ experience; that is not entry level.

Don’t get me wrong, certifications are important and set standards, but be cognizant of the position you’re filling. Does this position really require CISSP and GIAC certifications?

For example, both Nick Tausek (fellow Security Research Engineer at Swimlane) and I come from a “Blue Team” background. We both have several certifications from GIAC, but neither of us has a CISSP or OSCP. Those simply weren’t needed for our roles. Additionally, these certifications and trainings were provided by our former employers, and we’re both happy that those companies invested in our education.

That’s another thing. If you’re an employer, don’t be afraid to pay for training, and don’t fear that your investment/money will be wasted if that individual decides to leave. I understand an organization’s frustration when they invest in employees by training them and then those employees jump ship. But if you offer your staff training, they will be more likely to stay than if you don’t. Also, believe me that some of that knowledge did transfer to other teammates. What do you think we talk about before/during/after hours anyway?

Don’t be afraid to invest in your staff’s training, but also don’t let it be a crutch for your hiring practices. We’re a diverse community, and many of us come from non-standard backgrounds (e.g. mechanics, retail workers, physicians, etc.). Hire the person that shows passion both within their career and outside of work. Do they blog, have code on GitHub, stay on top of the latest news?

Hire the tinkerers, the ones that want to really understand how something works. If they say “I don’t know but I will find out” and actually follow through, hire them. These individuals are driven, have integrity, and want to better themselves while helping protect your organization.

I would hire someone with passion for security and 2 years experience in System Administration over someone who has a bunch of certifications but lacks ambition any day of the week.

Additionally, if you are looking for entry-level internal candidates, then look no further than your “help-desk” or front-line support team. Believe me, they know the organization and where the proverbial bodies are buried.

With the recurring news articles about the cybersecurity skills shortage, we InfoSec Professionals can help guide our HR/hiring managers.

While SecOps teams continue to receive more and more alerts every day, we need to hire individuals that have unique perspectives. We also need to continue to automate and orchestrate our response to security events, but make sure that you are still training and mentoring others. If you want to hire great Security Professionals, then hire those with passion and drive; these are the next innovators.

0 Likes

#2

It’s really nice to see someone else state this. I’m currently looking for a security job, while most of my experience is from home lab environments and self-education. This is a field I’ve been passionate about for a long time, and I have just not had the money to get officially certified in it. I know a lot of people getting hired in the security industry who just went to a boot camp, or something similar, and are just interested in a higher paycheck. They don’t have any passion for the work, or even enjoy it. I think this type of thing is going to cause more and more problems.

2 Likes

#3

@Garrick Thanks for the reply! My best advice is to keep working on stuff in your lab! This is where I spent a lot of my time early on, and it really helped. Additionally, what helped me personally was to write/blog about what I worked on or studied. It’s a great way of having living documentation, but it is also a great way to give back to the #InfoSec community, and it shows your passion for security when you go to apply for that next position.

Lastly, you can always post what you are learning/studying here on SecOpsHub - I’m sure others would find it valuable! Good luck!

1 Like

#4

Thanks for the advice :). I’ve been trying to figure out a good way to showcase my projects, or make a sort of portfolio. A blog would be a great way to do that, and could be rewarding on a personal level too. I just discovered SecOpsHub, and am going to try and be active on here as well.

Thanks again!

0 Likes