Careers & People

11/12/2015 10:30 AM
Jamesha Fisher
Commentary

Point of Entry: The Missing Link in the Security Hiring Gap

How misguided notions of capability and lack of access to enterprise tools discourage diversity in Infosec.

About a year ago, I tweeted to help a friend looking for an entry-level security position. The first few responses were particularly telling. Everyone in our industry knows this dirty little secret: companies collectively pretend there are no junior Infosec opportunities. It seems like every posted opening requires fairly extensive experience with very specific tools or is front-loaded with “mid-level” or “senior” title signifiers, regardless of whether the actual job duties really require advanced skills. And even after getting the relevant education and/or certification, the road laid out for newcomers to our profession isn’t very welcoming. That needs to change.

The point of entry to a career in security is blocked by many obstacles. Even if you find a company that recruits for junior positions, the first hurdle is the perception of capability. Tech companies encourage the view that they hire only the best and brightest -- and only from the most prestigious institutions; bootcamp vets need not apply. This involves recruiting the most brilliant minds, paying top dollar, and then giving them only unstimulating administrative chores and busywork.

While this is okay for a time, eventually it leads to another enthusiastic job search and another lost seat. Instead, in addition to having geniuses on staff dreaming up the next multi-platform network protocol analyzer, most companies need someone to actually monitor the existing network, manage updates, analyze traffic, etc. Construction requires carpenters in addition to master builders. And creating a pipeline of learners is the best ramp up to creating the next generation of master builders.

So, if you can get past the capability bias, you’ll probably run directly into the next barricade: tool knowledge. More and more positions require direct experience with specific tools, compliance regimes, or standards. A lot of these tools are expensive, so there’s no way to gain any experience with them until you are behind the paywall! Unless you are wealthy enough to afford your own Cisco firewall or to run a cluster (even with today’s free technologies), chances are you aren’t ever going to touch enterprise-grade tools anywhere but at work — work you can’t get without experience. It’s a Catch-22.

Networking -- the human kind

Even knowing about the existence of these tools requires a community that can share that knowledge, as well as advice on obstacles into the job market. Everybody says that networking is the way over, under, and around these barriers. Join communities. Build relationships. Get referred. And it does work.

I was lucky enough to attend university in an area with an active tech community and, by nature, I’m the type of person who is willing to reach out. As a student, I had both the time and inclination to actively participate in campus-based groups like SecDaemons, attend meet-ups, and go to local conferences. I played the networking game without really even knowing it, building personal relationships around my area of study, which eventually led to important internships, which eventually led to employment in my chosen field.

But what if you’re an introvert? What if you don’t live in Silicon Valley or Chicago or Boston? What if you live in Smalltown, USA? How are you supposed to build relationships at those far-away meet-ups? Fly to security conferences? What if you have to pay rent? Support children? What if those networking opportunities aren’t so opportune? Too bad.

In point of fact, if you are interested in an Infosec career, but do not fit into a very narrow mold, there really is no visible point of entry for you. And this is both sad and wrong. In our socially aware and hyperconnected world, there should be a well-marked path to professional employment that does not rely on the cyber-equivalent of a good ol’ boy’s club. I think we, as an industry, need to get over our preconceptions and become a bit more welcoming to the different types of people who want to do what we do. Companies could encourage more diversity, perhaps offering apprenticeships instead of just internships, or holding free tool workshops for students, or directing recruitment toward nontraditional and less-obvious talent pools.

And we working pros could help more as well. Take a cue from the Jedi and mentor at least one Padawan, actively offer your knowledge and time and support to those trying to join our ranks. Now, this is just one perspective that certainly doesn’t present all the answers. But it’s pretty obvious to me that the point of entry in security hiring should be expanding, not disappearing.

Jamesha has been a security and technological professional for over 10 years and is currently working at CloudPassage. A voice in the community, she has worked at companies epically large and small, shaving tons of yaks along the way. Email: [email protected]
Comments
smartinson, User Rank: Apprentice
11/13/2015 | 9:13:21 AM
Ah, the experience Catch-22
Yes, the experience requirement is and always has been vexing and perplexing. It was no different back in the 90s for me. Your point about networking with actual people is true - the old "It's not what you know, it's who you know" adage still applies in many cases, especially in the early stages of one's career where you actually don't really know yet! (Read: Have few experiences in the field.) You MUST be able to sell yourself.