There is no shortage of people in the information security community who seem to have an endless sea of letters following their name. Degrees and certifications abound, and some people seem to be on a mission to collect as many of them as possible.
That’s not to say that degrees and certifications are without value. But the mere existence of a long string of letters after someone’s name does not in and of itself qualify them for a position. In fact, one of the things I’ve noticed repeatedly over the course of my career is that there is no correlation between degrees and certifications and the skills needed on the job.
For candidates looking to enter the field, don’t let yourself be intimidated by someone else’s “alphabet soup” – and most certainly don’t be discouraged by your own lack of acronyms. That’s not to say that certain degrees and certifications won’t help in finding the right position. But they should be pursued in a targeted and precise manner, based on career interests and goals. It goes without saying that acronyms are no replacement for independent thinking, problem-solving skills, and experience.
For employers searching for the perfect candidate, don’t be distracted or wowed by a job prospect’s “alphabet soup” – and don’t dismiss promising candidates who may not have the exact degrees and certifications you think you need. Our industry is facing a shortage of talent. That means that we need to be creative and think outside the box when it comes to finding the next generation of security professionals.
What to look for
So if we can’t rely on degrees and certifications, what can we rely on? It’s tough to condense years of interviewing and hiring into a few paragraphs, but based on my experience, I would argue that analytical skills, work ethic, an ability to overcome obstacles, and a natural drive to solve problems are the most important hiring factors in today’s tough job market. A candidate either has these skills or s/he doesn't.
Security requires thinking creatively, innovatively, and outside of the box. Most often, there isn't a cheat sheet we can refer to that "feeds" us the solution to our problems and challenges. Technical skills can be learned, but the personality characteristics of a good security professional are innate. From the employer perspective, this is good news because if we can learn to identify these fundamental traits in individuals, we can choose the right employees – even if they may not have the specific work experience we desire – and train them on the job.
For job seekers, your goal is to demonstrate your analytical nature, creative thinking, work ethic, and problem-solving skills to a prospective employer. Of course, this means a prospective employer must understand that experience, degrees, and certifications aren’t everything when it comes to employee qualifications. I’m hoping this column will help change that prevailing attitude.
Big egos don’t apply
Another important factor to consider is, quite simply, that the information security field has its fair share (or perhaps more than its fair share) of cynical, arrogant, and egotistical personalities. I don’t think it’s a stretch to say that we probably don’t need any more.
How does this relate to the hiring process?
As a candidate, your interpersonal skills and demeanor are as important to a potential employer as your analytical and technical skills. So, if you think that you’re hot stuff and you act like the world owes you something, get over yourself. No one is indispensable, as anyone who has worked in any career for some amount of time will tell you. A humble, hard-working person with good analytical skills can be taught technical skills on the job, which is a lot easier than managing an HR nightmare.
From the employer perspective, regardless of how good a job applicant is technically, you don’t want a toxic employee on staff. So during the interview process, it’s critically important to develop insight and understanding about a candidate’s interpersonal skills and demeanor.
Finding the perfect match between employer and candidate is never going to be easy, but knowing what makes a good information security professional can help quite a bit in that endeavor.