Dark Reading is part of the Informa Tech Division of Informa PLC



5/4/2020
10:00 AM
Joshua Goldfarb
Commentary

The Cybersecurity Hiring Conundrum: Youth vs. Experience

How working together across the spectrum of young to old makes our organizations more secure.

One of my favorite jokes in the security industry is the one that deals with the difficult challenge of recruiting: Everyone seems to be looking to hire a 30-year-old with 20 years of security experience. Obviously, that's impossible, but this joke can actually teach us a lot about information security.

Is there value to life experience and age in security? Is youth better? Or is age irrelevant altogether? As the poignant adage states, "Youth is wasted on the young." That being said, I think that both the young and experienced can learn from one another. Let's examine these questions by listing and discussing a few of the pros and cons for each.

Pros: Youth

  • Energy: New entrants to the security profession come in with a strong desire to improve the state of security. It's admirable, and I'm sad to say that it's something that gets beaten out of us over the years.
  • Drive: Someone who is trying to build a marketable skill set and prove themselves within the profession is likely to work harder than the average person.
  • Ability/willingness to be molded/mentored: Those new to the field often come in with a sparkle in their eye. They can be inspired far more easily than someone who has been around a while, and that often results in them doing very creative and interesting work.

Cons: Youth 

  • Skills: Unfortunately, school doesn't prepare you for a career in the security profession. It is true that you will learn valuable skills that will help you on your way to becoming successful. That being said, no one comes out of school with the perfect set of skills. That requires time on the job.
  • Inexperience: If you're good and you've been around a while, you know fairly quickly what is a good use of time versus what isn't, or what is interesting and what isn't. You know how to navigate the business environment, how to handle an incident, how to speak to non-security professionals, what is spin versus what is real, and a whole host of other valuable life lessons that you've acquired. If you're new, you have yet to acquire this knowledge.
  • Emotions: There are exceptions of course, but security professionals tend to mellow with age. We get hot under the collar less and less as we gain experience.
  • Fewer life commitments: Believe it or not, I view this as a con for youth. True, having fewer life commitments means you're more available to your job. However, life commitments mature us and make us grow up. They also teach us how to prioritize and manage our time well. I believe that the maturity that comes with additional responsibility outweighs the time those responsibilities take.

Pros: Experience

  • Even temper: There is seldom cause for alarm, panic, or overexcitedness in the workplace. As bad as things may seem, we are seldom, if ever, in any real physical danger. With experience, we learn to maintain an even temper, which allows us to function more logically and consistently as we go about our work duties.
  • Life commitments: Whatever your life commitments, they mature you and make you grow up. Whether you realize it or not, this makes you a more competent and valuable security employee.
  • Skills: If you've worked 10, 20, or 30 years in the security field, you're competent and you likely have a very valuable skill set. This is something that can only be achieved by time in the trenches. It can't be taught in a classroom.
  • Judgment: Our judgment improves with age. What seems like a good move professionally with two years of experience may seem downright foolish when viewed with 20 years of experience. The irony here is that whatever age we are, we likely think that we have good, sound judgment. We don't. It improves over time for most of us.

Cons: Experience

  • Cost: With more experience and a stronger skill set comes additional cost to an organization. It's not just salary, but also benefits, sick days, etc. No one likes to think about this angle, but it is an important one. Security organizations have fixed budgets, and when people cost more, it means you can hire fewer of them. Granted, an experienced person is far more efficient than one who is inexperienced. That being said, cost is a variable that factors into the equation.
  • Cynicism: Whereas the young often come in to work with vigor, the experienced sometimes come in with an unhealthy dose of cynicism. Of course, we can't believe everything we hear or chase down every crazy idea that pops up. But we all need to watch how quickly and cynically we dismiss and discount things.
  • Inertia: It's almost always easier to do nothing than it is to change something. Sometimes, with time, we become so used to doing things a certain way that we can't see how they can be improved by making a few changes or by taking a different approach. It can be difficult to be self-aware enough to see that we've become this way. This makes inertia a con when it comes to experience.

As I believe I've shown, youth isn't better or worse than experience and vice versa. They complement each other, which makes the security organization more well-rounded as a whole. We can all learn from each other, and working together across the youth-experience spectrum, we can make our organizations more secure.


Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...
 
