About a year ago, I tweeted to help a friend looking for an entry-level security position. The first few responses were particularly telling. Everyone in our industry knows this dirty little secret: companies collectively pretend there are no junior Infosec opportunities. It seems like every posted opening requires fairly extensive experience with very specific tools or is front-loaded with “mid-level” or “senior” title signifiers, regardless of whether the actual job duties really require advanced skills. And even after getting the relevant education and/or certification, there’s a roadway laid out to newbies in our profession that isn’t very welcoming. That needs to change.
The point of entry to a career in security is blocked by many obstacles. Even if you find a company that recruits for junior positions, the first hurdle is the perception of capability. Tech companies encourage the view that they hire only the best and brightest -- and only from the most prestigious institutions; bootcamp vets need not apply. This involves recruiting the most brilliant minds, paying top dollar, and then giving them only unstimulating administrative chores and busywork.
While this is okay for a time, eventually it leads to another enthusiastic job search and another lost seat. Instead, in addition to having geniuses on staff dreaming up the next multi-platform network protocol analyzer, most companies need someone to actually monitor the existing network, manage updates, analyze traffic, etc. Construction requires carpenters in addition to master builders. And creating a pipeline of learners is the best ramp up to creating the next generation of master builders.
So, if you can get by the capability bias, you’ll probably run directly into the next barricade: tool knowledge. More and more positions require direct experience with specific tools/compliance/standards. A lot of the tools are expensive…so there’s no way to gain any experience with them until you are behind the paywall! Unless you are wealthy enough to afford your own Cisco Firewall Device or run a cluster (even with today’s free technologies), chances are you aren’t ever going to touch enterprise-grade tools anywhere but at work — work you can’t get without experience. It’s a Catch-22.
Networking -- the human kind
Even knowing about the existence of these tools requires a community that can share that knowledge, as well as advice on obstacles into the job market. Everybody says that networking is the way over, under, and around these barriers. Join communities. Build relationships. Get referred. And it does work.
I was lucky enough to attend university in an area with an active tech community and, by nature, I’m the type of person who is willing to reach out. As a student, I had both the time and inclination to actively participate in campus-based groups like SecDaemons, attend meet-ups, and go to local conferences. I played the networking game without really even knowing it, building personal relationships around my area of study, which eventually led to important internships, which eventually led to employment in my chosen field.
But what if you’re an introvert? What if you don’t live in Silicon Valley or Chicago or Boston? What if you live in Smalltown, USA? How are you supposed to build relationships at those far-away meet-ups? Fly to security conferences? What if you have to pay rent? Support children? What if those networking opportunities aren’t so opportune? Too bad.
In point of fact, if you are interested in an Infosec career, but do not fit into a very narrow mold, there really is no visible point of entry for you. And this is both sad and wrong. In our socially aware and hyperconnected world, there should be a well-marked path to professional employment that does not rely on the cyber-equivalent of a good ol’ boy’s club. I think we, as an industry, need to get over our preconceptions and become a bit more welcoming to the different types of people who want to do what we do. Companies could encourage more diversity, perhaps offering apprenticeships instead of just internships, or holding free tool workshops for students, or directing recruitment toward nontraditional and less-obvious talent pools.
And we working pros could help more as well. Take a cue from the Jedi and mentor at least one Padawan, actively offer your knowledge and time and support to those trying to join our ranks. Now, this is just one perspective that certainly doesn’t present all the answers. But it’s pretty obvious to me that the point of entry in security hiring should be expanding, not disappearing.