

10:00 AM
Joshua Goldfarb

The Cybersecurity Hiring Conundrum: Youth vs. Experience

How working together across the spectrum of young to old makes our organizations more secure.

One of my favorite jokes in the security industry is the one that deals with the difficult challenge of recruiting: Everyone seems to be looking to hire a 30-year-old with 20 years of security experience. Obviously, that's impossible, but this joke can actually teach us a lot about information security.

Is there value to life experience and age in security? Is youth better? Or is age irrelevant altogether? As the poignant adage states, "Youth is wasted on the young." That being said, I think that both the young and experienced can learn from one another. Let's examine these questions by listing and discussing a few of the pros and cons for each.

Pros: Youth

  • Energy: New entrants to the security profession come in with a strong desire to improve the state of security. It's admirable, and I'm sad to say that it's something that gets beaten out of us over the years.
  • Drive: Someone who is trying to build a marketable skill set and prove themselves within the profession is likely to work harder than the average person.
  • Ability/willingness to be molded/mentored: Those new to the field often come in with a sparkle in their eye. They can be inspired far more easily than someone who has been around a while, and that often results in them doing very creative and interesting work.

Cons: Youth 

  • Skills: Unfortunately, school doesn't prepare you for a career in the security profession. It is true that you will learn valuable skills that will help you on your way to becoming successful. That being said, no one comes out of school with the perfect set of skills. That requires time on the job.
  • Inexperience: If you're good and you've been around a while, you know fairly quickly what is a good use of time versus what isn't, or what is interesting and what isn't. You know how to navigate the business environment, how to handle an incident, how to speak to non-security professionals, what is spin versus what is real, and a whole host of other valuable life lessons that you've acquired. If you're new, you have yet to acquire this knowledge.
  • Emotions: There are exceptions of course, but security professionals tend to mellow with age. We get hot under the collar less and less as we gain experience.
  • Fewer life commitments: Believe it or not, I view this as a con for youth. True, having fewer life commitments means you're more available to your job. However, life commitments mature us and make us grow up. They also teach us how to prioritize and manage our time well. I believe that the maturity that comes with additional responsibility outweighs the time those responsibilities take.

Pros: Experience

  • Even temper: There is seldom cause for alarm, panic, or overexcitedness in the workplace. As bad as things may seem, we are seldom, if ever, in any real physical danger. With experience, we learn to maintain an even temper, which allows us to function more logically and consistently as we go about our work duties.
  • Life commitments: Whatever your life commitments, they mature you and make you grow up. Whether you realize it or not, this makes you a more competent and valuable security employee.
  • Skills: If you've worked 10, 20, or 30 years in the security field, you're competent and you likely have a very valuable skill set. This is something that can only be achieved by time in the trenches. It can't be taught in a classroom.
  • Judgment: Our judgment improves with age. What seems like a good move professionally with two years of experience may seem downright foolish when viewed with 20 years of experience. The irony here is that whatever age we are, we likely think that we have good, sound judgment. We don't. It improves over time for most of us.

Cons: Experience

  • Cost: With more experience and a stronger skill set comes additional cost to an organization. It's not just salary, but also benefits, sick days, etc. No one likes to think about this angle, but it is an important one. Security organizations have fixed budgets, and when people cost more, it means you can hire fewer of them. Granted, an experienced person is far more efficient than one who is inexperienced. That being said, cost is a variable that factors into the equation.
  • Cynicism: Whereas the young often come in to work with vigor, the experienced sometimes come in with an unhealthy dose of cynicism. Of course, we can't believe everything we hear or chase down every crazy idea that pops up. But we all need to watch how quickly and cynically we dismiss and discount things.
  • Inertia: It's almost always easier to do nothing than it is to change something. Sometimes, with time, we become so used to doing things a certain way that we can't see how they can be improved by making a few changes or by taking a different approach. It can be difficult to be self-aware enough to see that we've become this way. This makes inertia a con when it comes to experience.

As I believe I've shown, youth isn't better or worse than experience and vice versa. They complement each other, which makes the security organization more well-rounded as a whole. We can all learn from each other, and working together across the youth-experience spectrum, we can make our organizations more secure.


Josh (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, ...
