Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

1/27/2016
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Careers in InfoSec: Don’t Be Fooled By The Credential Alphabet

Analytical skills, work ethic, an ability to overcome obstacles, and a natural drive to solve problems are the critical hiring factors in today's tight job market.

There is no shortage of people in the information security community who seem to have an endless sea of letters following their name. Degrees and certifications abound, and some people seem to be on a mission to collect as many of them as possible.

That’s not to say that degrees and certifications are without value.  But the mere existence of a long string of letters after someone’s name does not in and of itself qualify them for a position.  In fact, one of the things I’ve noticed repeatedly over the course of my career is that there is no correlation between degrees and certifications and the skills needed on the job.

For candidates looking to enter the field, don’t let yourself be intimidated by someone else’s “alphabet soup” – and most certainly don’t be discouraged by your own lack of acronyms. That’s not to say that certain degrees and certifications won’t help in finding the right position. But they should be pursued in a targeted and precise manner, based on career interests and goals. It goes without saying, that acronyms are no replacement for independent thinking, problem solving skills, and experience.

For employers searching for the perfect candidate, don’t be distracted or wowed by a job prospect’s “alphabet soup” – and don’t dismiss promising candidates who may not have the exact degrees and certifications you think you need.  Our industry is facing a shortage of talent. That means that we need to be creative and think outside the box when it comes to finding the next generation of security professionals. 

What to look for

So if we can’t rely on degrees and certifications, what can we rely on?  It’s tough to condense years of interviewing and hiring into a few paragraphs, but based on my experience, I would argue that analytical skills, work ethic, an ability to overcome obstacles, and a natural drive to solve problems are the most important hiring factors in today’s tough job market. A candidate either has these skills or s/he doesn't.

Security requires thinking creatively, innovatively, and outside of the box. Most often, there isn't a cheat sheet we can refer to that "feeds" us the solution to our problems and challenges.  Technical skills can be learned but the personality characteristics of a good security professional are innate. From the employer perspective, this is good news because if we can learn to identify these fundamental traits in individuals, we can choose the right employees --even if they may not have the specific work experience we desire -- and train them on the job

For job seekers, your goal is to demonstrate your analytical nature, creative thinking, work ethic, and problem solving skills to a prospective employer. Of course, this means a prospective employer must understand that experience, degrees, and certifications aren’t everything when it comes to employee qualifications. I’m hoping this column will help change that prevailing attitude.

Big egos don’t apply

Another important factor to consider is, quite simply, that the information security field has its fair share (or perhaps more than its fair share) of cynical, arrogant, and egotistical personalities. I don’t think it’s a stretch to say that we probably don’t need any more.

How does this relate to the hiring process?

As a candidate, your interpersonal skills and demeanor are as important to a potential employer as your analytical and technical skills.  So, if you think that you’re hot stuff and you act like the world owes you something, get over yourself.  No one is indispensable, as anyone who has worked in any career for some amount of time will tell you. A humble, hard working person with good analytical skills can be taught technical skills on the job, which is a lot easier than managing an HR nightmare.

From the employer perspective, regardless of how good a job applicant is technically, you don’t want a toxic employee on staff. So during the interview process,  it’s critically important to develop insight and understanding about a candidate’s interpersonal skills and demeanor.  

Finding the perfect match between employer and candidate is never going to be easy, but knowing what makes a good information security professional can help quite a bit in that endeavor.

Related content:

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/30/2016 | 12:02:09 PM
Re: When the Acronyms Don't Matter
My only concern might be with overreliance on tools like that and "overtesting" candidates.  Some companies may truly need programmers who can handle anything.  Others, however, may place more value on hiring candidates with specialties in certain programming areas and encouraging their employees to collaborate and talk with each other to solve problems.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
1/29/2016 | 11:48:20 PM
Re: When the Acronyms Don't Matter
Very true, Joe.  Actually, regarding online applications, I'd like to see more resume applications that are tied to online testing apps, too.  Codility comes to mind, for instance.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/29/2016 | 8:37:39 AM
Re: When the Acronyms Don't Matter
@Christian: And it's a pity that online application systems weed out a great deal of qualified applicants -- often on the basis of the applicants simply not writing a good enough resume for the system (usually because of keyword deficiencies and/or formatting issues).
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
1/28/2016 | 5:02:53 PM
When the Acronyms Don't Matter
I've met lots of unique assets over the years and they all shared something in common - they were found outside the usual hiring process and in many cases they approached the company with a "you need me" pitch.  While I'm not going to be a CEO/CIO anytime soon, it did convince me that hiring off-grid can be beneficial.  The whole HR process of writing up the job req, inserting the usual acronym pre-reqs and pulling together a nearly useless interview panel just can't continue for certain tech roles.  Taking the Free and Open Source Software (FOSS) model into account, there is a strong "show me the code" attitude that we need in tech right now.  

Ignoring the paper credentials, you drop into a reverse engineering IRC and toss out that you have a need for someone who has RE'ed malware and helped identify features, origins, etc.  You get a candidate or two who are interested, point them to a copy of the malware and within a brief period of time you get back a seriously clean and on-point report, and even a couple ideas on how to stop this malware from ever getting on-system.  Another candidate sends back a poorly composed, incomplete analysis with little take-away overall.  After doing the interviews, you find one of them is a CompSci MS, security-certified across the board over a period of ten years.  The other candidate is a High School dropout with a dozen well-respected FOSS projects written in Python and a regular speaker at conferences like Black Hat and DEFCON.

After reviewing all the candidates, you decide to hire the High School dropout.  Just an anecdote, but the tech industry has lots of different needs and they aren't all filled by degree- or certificate-holders.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
1/28/2016 | 3:52:43 PM
Re: CABC, CXYZ, CBLAHBLAHBLAH
Agreed, I always see CISSP. It's pretty much become a standard for HR to put in a security job listing.

 
cyberartisan
50%
50%
cyberartisan,
User Rank: Apprentice
1/28/2016 | 1:36:53 PM
Agree!
I could not agree more. Although I think this could appy to other professions, it seems to hit the mark in the Info Sec domain today.


As someone who has been in an Info Sec role earlier in my career and looking to get back into it, it almost seems to be impossible to be considered without the certifications as they show up in the "requirements" of the postings.


I just got my CISSP in December. It was a good refresher and validated that I haven't lost my relevant skills/knowledge. I have had numerous conversations with other hiring managers about certifications and its importance in the selection and hiring decisions. We all agreed they are helpful, but do not rank over other qualifications simply due to the rate and pace of change in technology.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/27/2016 | 3:39:13 PM
CABC, CXYZ, CBLAHBLAHBLAH
> "one of the things I've noticed repeatedly over the course of my career is that there is no correlation between degrees and certifications and the skills needed on the job."

Preach, brother Joshua!

Alas, good luck convincing HR departments of that -- especially as certain certifications become more in vogue and more in demand in job postings (CISSP, CISM, and CIPP in particular come to mind).
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13157
PUBLISHED: 2019-11-22
nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitary files via directory traversal sequences in a filename within nsz archive.
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...