Hello Everyone, my name is Josh Rickard (Security Research Engineer @Swimlane) and I wrote this opinion piece about the current hiring practices for InfoSec Professionals and why/how it needs to change. Let me know what you think!
InfoSec Hiring Needs to Change
The Information Security community is diverse. We all come from a unique background and may or may not have degrees in Computer Science. Either way, Information Security Professionals have one thing in common: passion.
A few days ago a fellow Swimlaner shared this picture:
This is funny, right? Certifications in many careers are needed as part of the minimum requirements, but in InfoSec I continue to see companies missing out on some amazing talent that doesn’t have certifications. If only they would give them a chance.
When I see hiring managers/recruiters posting job requirements like those in this post by Ming Y. Chow, titled Hall of Shame Job Postings and Recruiting, I laugh. What are they thinking? If your organization has job postings similar to these, then you’re missing out on a lot of great talent!
You cannot expect an entry-level security analyst to have 5+ years of experience, to be an expert in DevSecOps, and to hold any of the trademarked standard certifications (e.g. CISSP, GIAC, OSCP, et al.). First of all, you cannot even take the CISSP exam unless you have 5 years of experience; that is not entry level.
Don’t get me wrong, certifications are important and set standards, but be cognizant of the position you’re filling. Does this position really require CISSP and GIAC certifications?
For example, both Nick Tausek (fellow Security Research Engineer at Swimlane) and I come from a “Blue Team” background. We both have several certifications from GIAC, but neither of us has a CISSP or OSCP. Those simply weren’t needed for our roles. Additionally, these certifications and trainings were provided by our former employers, and we’re both happy that those companies invested in our education.
That’s another thing. If you’re an employer, don’t be afraid to pay for training out of fear that your investment will be wasted if that individual decides to leave. I understand an organization’s frustration when it invests in employees by training them and then they jump ship. But if you offer your staff training, they will be more likely to stay than if you don’t. Also, believe me, some of that knowledge did transfer to other teammates. What do you think we talk about before/during/after hours anyway?
Don’t be afraid to invest in your staff’s training, but also don’t let it be a crutch for your hiring practices. We’re a diverse community, and many of us come from non-standard backgrounds (e.g. mechanics, retail workers, physicians, etc.). Hire the person that shows passion both within their career and outside of work. Do they blog, have code on GitHub, stay on top of the latest news?
Hire the tinkerers, the ones that want to really understand how something works. If they say “I don’t know, but I will find out” and actually follow through, hire them. These individuals are driven, have integrity, and want to better themselves while helping protect your organization.
I would hire someone with passion for security and 2 years experience in System Administration over someone who has a bunch of certifications but lacks ambition any day of the week.
Additionally, if you are looking for entry-level internal candidates, then look no further than your “help-desk” or front-line support team. Believe me, they know the organization and where the proverbial bodies are buried.
With the recurring news articles about the cybersecurity skills shortage, we InfoSec Professionals can help guide our HR/hiring managers.
While SecOps teams continue to receive more and more alerts every day, we need to hire individuals that have unique perspectives. We also need to continue to automate and orchestrate our response to security events, but make sure that you are still training and mentoring others. If you want to hire great Security Professionals, then hire those with passion and drive; these are the next innovators.