The Cybersecurity Hiring Conundrum: Youth vs. Experience

How working together across the spectrum of young to old makes our organizations more secure.

Joshua Goldfarb, Global Solutions Architect — Security

May 4, 2020

5 Min Read

One of my favorite jokes in the security industry is the one that deals with the difficult challenge of recruiting: Everyone seems to be looking to hire a 30-year-old with 20 years of security experience. Obviously, that's impossible, but this joke can actually teach us a lot about information security.

Is there value to life experience and age in security? Is youth better? Or is age irrelevant altogether? As the poignant adage states, "Youth is wasted on the young." That being said, I think that both the young and experienced can learn from one another. Let's examine these questions by listing and discussing a few of the pros and cons for each.

Pros: Youth

  • Energy: New entrants to the security profession come in with a strong desire to improve the state of security. It's admirable, and I'm sad to say that it's something that gets beaten out of us over the years.

  • Drive: Someone who is trying to build a marketable skill set and prove themselves within the profession is likely to work harder than the average person.

  • Ability/willingness to be molded/mentored: Those new to the field often come in with a sparkle in their eye. They can be inspired far more easily than someone who has been around a while, and that often results in them doing very creative and interesting work.

Cons: Youth 

  • Skills: Unfortunately, school doesn't prepare you for a career in the security profession. It is true that you will learn valuable skills that will help you on your way to becoming successful. That being said, no one comes out of school with the perfect set of skills. That requires time on the job.

  • Inexperience: If you're good and you've been around a while, you know fairly quickly what is a good use of time versus what isn't, or what is interesting and what isn't. You know how to navigate the business environment, how to handle an incident, how to speak to non-security professionals, what is spin versus what is real, and a whole host of other valuable life lessons that you've acquired. If you're new, you have yet to acquire this knowledge.

  • Emotions: There are exceptions of course, but security professionals tend to mellow with age. We get hot under the collar less and less as we gain experience.

  • Fewer life commitments: Believe it or not, I view this as a con for youth. True, having fewer life commitments means you're more available to your job. However, life commitments mature us and make us grow up. They also teach us how to prioritize and manage our time well. I believe that the maturity that comes with additional responsibility outweighs the time those responsibilities take.

Pros: Experience

  • Even temper: There is seldom cause for alarm, panic, or overexcitedness in the workplace. As bad as things may seem, we are seldom, if ever, in any real physical danger. With experience, we learn to maintain an even temper, which allows us to function more logically and consistently as we go about our work duties.

  • Life commitments: Whatever your life commitments, they mature you and make you grow up. Whether you realize it or not, this makes you a more competent and valuable security employee.

  • Skills: If you've worked 10, 20, or 30 years in the security field, you're competent and you likely have a very valuable skill set. This is something that can only be achieved by time in the trenches. It can't be taught in a classroom.

  • Judgment: Our judgment improves with age. What seems like a good move professionally with two years of experience may seem downright foolish when viewed with 20 years of experience. The irony here is that whatever age we are, we likely think that we have good, sound judgment. We don't. It improves over time for most of us.

Cons: Experience

  • Cost: With more experience and a stronger skill set comes additional cost to an organization. It's not just salary, but also benefits, sick days, etc. No one likes to think about this angle, but it is an important one. Security organizations have fixed budgets, and when people cost more, it means you can hire fewer of them. Granted, an experienced person is far more efficient than one who is inexperienced. That being said, cost is a variable that factors into the equation.

  • Cynicism: Whereas the young often come in to work with vigor, the experienced sometimes come in with an unhealthy dose of cynicism. Of course, we can't believe everything we hear or chase down every crazy idea that pops up. But we all need to watch how quickly and cynically we dismiss and discount things.

  • Inertia: It's almost always easier to do nothing than it is to change something. Sometimes, with time, we become so used to doing things a certain way that we can't see how they can be improved by making a few changes or by taking a different approach. It can be difficult to be self-aware enough to see that we've become this way. This makes inertia a con when it comes to experience.

As I believe I've shown, youth isn't better or worse than experience and vice versa. They complement each other, which makes the security organization more well-rounded as a whole. We can all learn from each other, and working together across the youth-experience spectrum, we can make our organizations more secure.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "5 Ways to Prove Security's Worth in the Age of COVID-19"

About the Author(s)

Joshua Goldfarb

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights