Careers & People
1/27/2016
10:30 AM
Joshua Goldfarb
Commentary

Careers in InfoSec: Don't Be Fooled By The Credential Alphabet

Analytical skills, work ethic, an ability to overcome obstacles, and a natural drive to solve problems are the critical hiring factors in today's tight job market.

There is no shortage of people in the information security community who seem to have an endless sea of letters following their name. Degrees and certifications abound, and some people seem to be on a mission to collect as many of them as possible.

That’s not to say that degrees and certifications are without value. But the mere existence of a long string of letters after someone’s name does not in and of itself qualify them for a position. In fact, one of the things I’ve noticed repeatedly over the course of my career is that there is no correlation between degrees and certifications and the skills needed on the job.

For candidates looking to enter the field, don’t let yourself be intimidated by someone else’s “alphabet soup” – and most certainly don’t be discouraged by your own lack of acronyms. That’s not to say that certain degrees and certifications won’t help in finding the right position. But they should be pursued in a targeted and precise manner, based on career interests and goals. It goes without saying that acronyms are no replacement for independent thinking, problem solving skills, and experience.

For employers searching for the perfect candidate, don’t be distracted or wowed by a job prospect’s “alphabet soup” – and don’t dismiss promising candidates who may not have the exact degrees and certifications you think you need. Our industry is facing a shortage of talent. That means that we need to be creative and think outside the box when it comes to finding the next generation of security professionals.

What to look for

So if we can’t rely on degrees and certifications, what can we rely on? It’s tough to condense years of interviewing and hiring into a few paragraphs, but based on my experience, I would argue that analytical skills, work ethic, an ability to overcome obstacles, and a natural drive to solve problems are the most important hiring factors in today’s tough job market. A candidate either has these skills or s/he doesn't.

Security requires thinking creatively, innovatively, and outside of the box. Most often, there isn't a cheat sheet we can refer to that "feeds" us the solution to our problems and challenges. Technical skills can be learned, but the personality characteristics of a good security professional are innate. From the employer perspective, this is good news: if we can learn to identify these fundamental traits in individuals, we can choose the right employees -- even if they may not have the specific work experience we desire -- and train them on the job.

For job seekers, your goal is to demonstrate your analytical nature, creative thinking, work ethic, and problem solving skills to a prospective employer. Of course, this means a prospective employer must understand that experience, degrees, and certifications aren’t everything when it comes to employee qualifications. I’m hoping this column will help change that prevailing attitude.

Big egos don’t apply

Another important factor to consider is, quite simply, that the information security field has its fair share (or perhaps more than its fair share) of cynical, arrogant, and egotistical personalities. I don’t think it’s a stretch to say that we probably don’t need any more.

How does this relate to the hiring process?

As a candidate, your interpersonal skills and demeanor are as important to a potential employer as your analytical and technical skills. So, if you think that you’re hot stuff and you act like the world owes you something, get over yourself. No one is indispensable, as anyone who has worked in any career for some amount of time will tell you. A humble, hard working person with good analytical skills can be taught technical skills on the job, which is a lot easier than managing an HR nightmare.

From the employer perspective, regardless of how good a job applicant is technically, you don’t want a toxic employee on staff. So during the interview process, it’s critically important to develop insight and understanding about a candidate’s interpersonal skills and demeanor.

Finding the perfect match between employer and candidate is never going to be easy, but knowing what makes a good information security professional can help quite a bit in that endeavor.

Josh is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA. Prior to joining IDRRA, Josh served as vice president, chief technology officer, ... View Full Bio
Comments
Joe Stanganelli
1/30/2016 | 12:02:09 PM
Re: When the Acronyms Don't Matter
My only concern might be with overreliance on tools like that and "overtesting" candidates. Some companies may truly need programmers who can handle anything. Others, however, may place more value on hiring candidates with specialties in certain programming areas and encouraging their employees to collaborate and talk with each other to solve problems.
Christian Bryant
1/29/2016 | 11:48:20 PM
Re: When the Acronyms Don't Matter
Very true, Joe. Actually, regarding online applications, I'd like to see more resume applications that are tied to online testing apps, too. Codility comes to mind, for instance.
Joe Stanganelli
1/29/2016 | 8:37:39 AM
Re: When the Acronyms Don't Matter
@Christian: And it's a pity that online application systems weed out a great deal of qualified applicants -- often on the basis of the applicants simply not writing a good enough resume for the system (usually because of keyword deficiencies and/or formatting issues).
Christian Bryant
1/28/2016 | 5:02:53 PM
When the Acronyms Don't Matter
I've met lots of unique assets over the years and they all shared something in common - they were found outside the usual hiring process and in many cases they approached the company with a "you need me" pitch. While I'm not going to be a CEO/CIO anytime soon, it did convince me that hiring off-grid can be beneficial. The whole HR process of writing up the job req, inserting the usual acronym pre-reqs and pulling together a nearly useless interview panel just can't continue for certain tech roles. Taking the Free and Open Source Software (FOSS) model into account, there is a strong "show me the code" attitude that we need in tech right now.

Ignoring the paper credentials, you drop into a reverse engineering IRC and toss out that you have a need for someone who has RE'ed malware and helped identify features, origins, etc. You get a candidate or two who are interested, point them to a copy of the malware and within a brief period of time you get back a seriously clean and on-point report, and even a couple ideas on how to stop this malware from ever getting on-system. Another candidate sends back a poorly composed, incomplete analysis with little take-away overall. After doing the interviews, you find one of them is a CompSci MS, security-certified across the board over a period of ten years. The other candidate is a High School dropout with a dozen well-respected FOSS projects written in Python and a regular speaker at conferences like Black Hat and DEFCON.

After reviewing all the candidates, you decide to hire the High School dropout. Just an anecdote, but the tech industry has lots of different needs and they aren't all filled by degree- or certificate-holders.
RyanSepe
1/28/2016 | 3:52:43 PM
Re: CABC, CXYZ, CBLAHBLAHBLAH
Agreed, I always see CISSP. It's pretty much become a standard for HR to put in a security job listing.
cyberartisan
1/28/2016 | 1:36:53 PM
Agree!
I could not agree more. Although I think this could apply to other professions, it seems to hit the mark in the Info Sec domain today.

As someone who has been in an Info Sec role earlier in my career and looking to get back into it, it almost seems to be impossible to be considered without the certifications as they show up in the "requirements" of the postings.
I just got my CISSP in December. It was a good refresher and validated that I haven't lost my relevant skills/knowledge. I have had numerous conversations with other hiring managers about certifications and their importance in the selection and hiring decisions. We all agreed they are helpful, but do not rank over other qualifications simply due to the rate and pace of change in technology.
Joe Stanganelli
1/27/2016 | 3:39:13 PM
CABC, CXYZ, CBLAHBLAHBLAH
> "one of the things I've noticed repeatedly over the course of my career is that there is no correlation between degrees and certifications and the skills needed on the job."

Preach, brother Joshua!

Alas, good luck convincing HR departments of that -- especially as certain certifications become more in vogue and more in demand in job postings (CISSP, CISM, and CIPP in particular come to mind).