Careers & People
1/27/2016
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Careers in InfoSec: Dont Be Fooled By The Credential Alphabet

Analytical skills, work ethic, an ability to overcome obstacles, and a natural drive to solve problems are the critical hiring factors in today's tight job market.

There is no shortage of people in the information security community who seem to have an endless sea of letters following their name. Degrees and certifications abound, and some people seem to be on a mission to collect as many of them as possible.

That’s not to say that degrees and certifications are without value.  But the mere existence of a long string of letters after someone’s name does not in and of itself qualify them for a position.  In fact, one of the things I’ve noticed repeatedly over the course of my career is that there is no correlation between degrees and certifications and the skills needed on the job.

For candidates looking to enter the field, don’t let yourself be intimidated by someone else’s “alphabet soup” – and most certainly don’t be discouraged by your own lack of acronyms. That’s not to say that certain degrees and certifications won’t help in finding the right position. But they should be pursued in a targeted and precise manner, based on career interests and goals. It goes without saying, that acronyms are no replacement for independent thinking, problem solving skills, and experience.

For employers searching for the perfect candidate, don’t be distracted or wowed by a job prospect’s “alphabet soup” – and don’t dismiss promising candidates who may not have the exact degrees and certifications you think you need.  Our industry is facing a shortage of talent. That means that we need to be creative and think outside the box when it comes to finding the next generation of security professionals. 

What to look for

So if we can’t rely on degrees and certifications, what can we rely on?  It’s tough to condense years of interviewing and hiring into a few paragraphs, but based on my experience, I would argue that analytical skills, work ethic, an ability to overcome obstacles, and a natural drive to solve problems are the most important hiring factors in today’s tough job market. A candidate either has these skills or s/he doesn't.

Security requires thinking creatively, innovatively, and outside of the box. Most often, there isn't a cheat sheet we can refer to that "feeds" us the solution to our problems and challenges.  Technical skills can be learned but the personality characteristics of a good security professional are innate. From the employer perspective, this is good news because if we can learn to identify these fundamental traits in individuals, we can choose the right employees --even if they may not have the specific work experience we desire -- and train them on the job

For job seekers, your goal is to demonstrate your analytical nature, creative thinking, work ethic, and problem solving skills to a prospective employer. Of course, this means a prospective employer must understand that experience, degrees, and certifications aren’t everything when it comes to employee qualifications. I’m hoping this column will help change that prevailing attitude.

Big egos don’t apply

Another important factor to consider is, quite simply, that the information security field has its fair share (or perhaps more than its fair share) of cynical, arrogant, and egotistical personalities. I don’t think it’s a stretch to say that we probably don’t need any more.

How does this relate to the hiring process?

As a candidate, your interpersonal skills and demeanor are as important to a potential employer as your analytical and technical skills.  So, if you think that you’re hot stuff and you act like the world owes you something, get over yourself.  No one is indispensable, as anyone who has worked in any career for some amount of time will tell you. A humble, hard working person with good analytical skills can be taught technical skills on the job, which is a lot easier than managing an HR nightmare.

From the employer perspective, regardless of how good a job applicant is technically, you don’t want a toxic employee on staff. So during the interview process,  it’s critically important to develop insight and understanding about a candidate’s interpersonal skills and demeanor.  

Finding the perfect match between employer and candidate is never going to be easy, but knowing what makes a good information security professional can help quite a bit in that endeavor.

Related content:

Josh is an experienced information security analyst with over a decade of experience building, operating, and running Security Operations Centers (SOCs). Josh currently serves as VP and CTO - Emerging Technologies at FireEye. Until its acquisition by FireEye, Josh served as ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/30/2016 | 12:02:09 PM
Re: When the Acronyms Don't Matter
My only concern might be with overreliance on tools like that and "overtesting" candidates.  Some companies may truly need programmers who can handle anything.  Others, however, may place more value on hiring candidates with specialties in certain programming areas and encouraging their employees to collaborate and talk with each other to solve problems.
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
1/29/2016 | 11:48:20 PM
Re: When the Acronyms Don't Matter
Very true, Joe.  Actually, regarding online applications, I'd like to see more resume applications that are tied to online testing apps, too.  Codility comes to mind, for instance.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/29/2016 | 8:37:39 AM
Re: When the Acronyms Don't Matter
@Christian: And it's a pity that online application systems weed out a great deal of qualified applicants -- often on the basis of the applicants simply not writing a good enough resume for the system (usually because of keyword deficiencies and/or formatting issues).
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
1/28/2016 | 5:02:53 PM
When the Acronyms Don't Matter
I've met lots of unique assets over the years and they all shared something in common - they were found outside the usual hiring process and in many cases they approached the company with a "you need me" pitch.  While I'm not going to be a CEO/CIO anytime soon, it did convince me that hiring off-grid can be beneficial.  The whole HR process of writing up the job req, inserting the usual acronym pre-reqs and pulling together a nearly useless interview panel just can't continue for certain tech roles.  Taking the Free and Open Source Software (FOSS) model into account, there is a strong "show me the code" attitude that we need in tech right now.  

Ignoring the paper credentials, you drop into a reverse engineering IRC and toss out that you have a need for someone who has RE'ed malware and helped identify features, origins, etc.  You get a candidate or two who are interested, point them to a copy of the malware and within a brief period of time you get back a seriously clean and on-point report, and even a couple ideas on how to stop this malware from ever getting on-system.  Another candidate sends back a poorly composed, incomplete analysis with little take-away overall.  After doing the interviews, you find one of them is a CompSci MS, security-certified across the board over a period of ten years.  The other candidate is a High School dropout with a dozen well-respected FOSS projects written in Python and a regular speaker at conferences like Black Hat and DEFCON.

After reviewing all the candidates, you decide to hire the High School dropout.  Just an anecdote, but the tech industry has lots of different needs and they aren't all filled by degree- or certificate-holders.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
1/28/2016 | 3:52:43 PM
Re: CABC, CXYZ, CBLAHBLAHBLAH
Agreed, I always see CISSP. It's pretty much become a standard for HR to put in a security job listing.

 
cyberartisan
50%
50%
cyberartisan,
User Rank: Apprentice
1/28/2016 | 1:36:53 PM
Agree!
I could not agree more. Although I think this could appy to other professions, it seems to hit the mark in the Info Sec domain today.


As someone who has been in an Info Sec role earlier in my career and looking to get back into it, it almost seems to be impossible to be considered without the certifications as they show up in the "requirements" of the postings.


I just got my CISSP in December. It was a good refresher and validated that I haven't lost my relevant skills/knowledge. I have had numerous conversations with other hiring managers about certifications and its importance in the selection and hiring decisions. We all agreed they are helpful, but do not rank over other qualifications simply due to the rate and pace of change in technology.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/27/2016 | 3:39:13 PM
CABC, CXYZ, CBLAHBLAHBLAH
> "one of the things I've noticed repeatedly over the course of my career is that there is no correlation between degrees and certifications and the skills needed on the job."

Preach, brother Joshua!

Alas, good luck convincing HR departments of that -- especially as certain certifications become more in vogue and more in demand in job postings (CISSP, CISM, and CIPP in particular come to mind).
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.