I hear from entry level candidates that it’s impossible to find a job. And then I hear from employers that the quality of entry level candidates is not great. Part of the disconnect stems from conflicting concepts of what entry level means. Another contributor is that not every organization has the bandwidth or willingness to take on entry level candidates.

From my viewpoint, entry level in cybersecurity is being able to understand security concepts while having a grasp of technical inner workings. Entry level candidates have to know how a network works, how computers work, how applications talk to each other via the network, etc. They have to understand ports and the OSI model. They need a really clear understanding of how people use computers in a work environment. And they have to have some level of understanding about major security issues like malware, ransomware, viruses and social attacks.

Notice – I mentioned the need for entry level security candidates to understand concepts, not to be experts. I struggle with the idea that you can have a cybersecurity professional who doesn’t have those base levels of knowledge.

Lots of people will disagree with me on that. They say cybersecurity is one of those things that you can learn on the job. But I think that would only work in very large companies with security departments of 30 or 40 people, where you have experienced practitioners working as analysts and engineers who are in the trenches dealing with vulnerability management, controls management, appsec, etc. In that kind of organization, it probably does make sense to bring in entry level people with fresh eyes. Diversity of thought, background and experience is enriching and can enhance departments where resource constraints are minimal.

But I am confident that entry level roles simply will not work in smaller environments where you need to squeeze as much value out of every security resource that you can hire.

I also struggle with the idea that some business leaders are advertising for people with 10 years of networking experience and eight years of server experience, and calling that an entry level job. Who’s going to apply? What’s more, using a person with that experience in an entry level job would be a waste of their talent and skills.

There are 750,000 unfilled cybersecurity positions in the U.S. And the reason we have so many unfilled jobs is because companies reacted at the same time to a couple of really high-profile incidents that made them realize they had to spend money on cybersecurity. But no one has time or room for entry level. CISOs want people who are ready to go from day one, and as a result, you have an industry that is hard to get hired into.

The jobs gap is more of a skills gap, in my opinion. When the industry began, you saw organic moves from IT personnel to security personnel. Today, we don’t have a shortage of IT personnel. But we are not empowering people who are in IT to think about being in security careers. Companies are inflexible about hiring across disciplines and industries.

There needs to be an overall shift in the industry to change what our idea of entry level means and to start steering some of our IT people into cybersecurity roles, because there are lots of them. And that’s how we’ll start to solve the problem.

I do think there’s a place for CISOs to take the initiative and recruit internally from IT departments to fill some of these entry level roles. Executives have to present the case that yes, this is entry level, but you’ll be able to develop at a much more senior level and contribute at a higher level to the organization. These roles have to be aspirational for folks inside the organization. This also means that entry level in cybersecurity should not mean entry level pay. Even entry level cybersecurity professionals are providing six figures of value to their organizations and should be compensated accordingly.

Now let’s talk about education – the average company is unwilling to take on people who don’t have college degrees (especially in 6-figure jobs), but I would argue that aptitude is more important than anything else when it comes to technical disciplines, any discipline, really. People who are good in technical disciplines like to pick something apart, understand how it works, and then be able to diagnose issues along the way. They are naturally curious. They’re lifelong learners who focus on learning in areas of relevance.

Four-year colleges have started to come up with cybersecurity degrees, but these programs aren’t doing much to address the skills gap. They devote very little time to cybersecurity, and most of what they teach is theoretical rather than practical. I have yet to see a school offer a degree concentration in cyber risk, which is where the real-life work is. They spend more time on the reactive side of cybersecurity – what to do when something breaks – and not so much on the proactive side, with risk management and vulnerability management and controls. I’m not belittling college by any stretch of the imagination, but I think the degree requirement is silly. Aptitude and a basic understanding of security and technology concepts are what count in cyber disciplines.

I think employers need to go back to the days of behavioral interviews that are focused on a person’s aptitude and the way that they approach situations and solve problems. They should be looking to determine whether an entry-level candidate is a go-getter who is willing and able to innovate and raise their hand. Leadership should be looking for people who aren’t afraid to think outside of the box, and who aspire to be leaders themselves down the road.