If you haven’t heard yet—which is unlikely—there’s a problem with hiring in cybersecurity.

The issue is we’re not sure of the nature of that problem.

A number of studies are talking about there being 3.5 million unfilled cybersecurity positions by 2021. But many are in that same market looking for work and are unable to find any.

So who’s right? I think the unfortunate answer is that they both are.

Lots of people are trying to hire good Infosec people, and lots of people are looking to get into Infosec. The problem is that there’s a gap between these two groups caused by:

- Companies need people who are somewhat effective on day one, even if they have a lot to learn, so they can't be starting from nothing.
- Companies are bad at hiring, so they often miss people with no hard credentials but who have the raw talent and a bit of experience that would make them a great hire.
- People without hard credentials aren't good at marketing themselves either, which makes it even harder for the interviewer to find their talent through an ancient hiring process.

Basically the system is broken.

People doing the hiring are gatekeeping using old techniques that probably didn’t even work well 30 years ago. They’re filtering for core academic principles, interesting facts within the field, and content that was in their interviews.

Interviewing is far too much like hazing—where the interviewer feels the need to pass on the pain of their previous experience as a rite of passage.

These archaic practices filter out people who could likely do quite well if given a chance. And those types of people aren’t getting the advice they need to highlight their talents. Instead they go into the interview scared of the inquisition, which is likely what they run into.

Another part of the problem is that there are many people with some measure of technical skills or qualifications that can’t program and/or think dynamically to solve different kinds of problems. That’s what’s needed in Security roles—people who can adjust to lots of different situations and solve a wide spectrum of problems.

So sometimes the filters work as desired by removing people who have all the skills on paper but aren’t able to actually put them to use.

How we can do better

My advice for both sides of this equation is to focus on practical skills. Ideally, and what will surely be coming at some point, we’d be able to reverse engineer what good security people look like by taking a data science approach to their attributes.

Hmm, turns out the best security people are from Wyoming, are left-handed, and hate the color yellow.

But humans are horrible at this kind of big-data analysis. We’re stupid little bias machines, and that makes us likely to include and exclude people for all the wrong reasons. We can fight those inclinations though, using a methodology.

What we need to do is turn the hiring practice around completely, and start hiring for the things we care about instead of some arbitrary, old-world notions that probably never worked in the first place.

Don’t ask if they have a degree: ask them how they think the world works.

Don’t ask them if they’re an A student: ask them what they have built lately.

Don’t ask them if they can program: ask them to show you some code.

Don’t ask them if they’re good at problem-solving: ask them to solve a problem with you.

Filter for what they're actually going to be doing on the job.

Advice for hiring managers

- Make a list of the attributes that your best security people have.
- Make a list of the attributes that your worst security people had (hopefully they're not there anymore).
- Rebuild your entire interview process based on finding those attributes.
- If they are going to be coding, ask to see recent code they made.
- If they're going to be making tools, ask them about a recent tool they made, and why they made it that way.
- If they're going to be hacking stuff, ask them how they would hack a given thing, and then let them do it in a live CTF environment.
- If they're going to be doing documentation and communication, explain a complex technical and political situation to them, and have them write the documentation and emails that will be used to make all sides happy.

Advice for people trying to get into the field

- Stop focusing so much on how you look on paper as a candidate, and start thinking more about what you can do as a candidate.
- Have a lab—either at home or in the cloud.
- Have projects that you can talk about.
- Have a blog where you write up the projects you're working on.
- Be active on Twitter, where you are interacting with people with similar interests, where you give help to others, and where you share your projects.
- Have an active GitHub account where you're sharing your projects, and where you're helping others with theirs.
- Be the one offering assistance and asking for help with your own projects.

The great thing about this approach—on both sides—is that it’s quite hard to fake.

If someone has an active website, a lab, multiple projects on GitHub, and they're spending good amounts of time on Twitter talking enthusiastically about their craft—that's someone you want to hire.

They could be a high-school student or a Ph.D.—you want to hire that person. And that’s kind of the point: a bad interview process could still miss this candidate.

So what’s your work experience?

This same total-badass-in-the-making can completely screw up that question, and basically say:

Um, nothing sir. No experience. Just stuff I do on the side.

Pass.

That’s what’s wrong with the system. People asking the wrong questions, and people giving the wrong answers to the wrong questions.

In both cases, focus on the practical.

It’s not about how someone looks on paper. It’s about what they can actually do. And the best way to know that is to look at what they’ve done already.

Summary

- There are two conflicting messages about the cybersecurity jobs gap. Companies are saying they can't find nearly enough people, and people trying to get into the industry are saying it's impossible to get hired.
- This disconnect is due to there not really being entry-level positions in cybersecurity. You have to be minimally useful on day one if you hope to get hired.
- This is how both perspectives can be true simultaneously: it's hard to get into the field, but once you're in there's basically zero unemployment.
- There are basically three ways to get over the initial hump to start the career and be on your way: have a degree, have good certifications, or have a body of work out there that shows real-world capability.
- As an employer, you can find more candidates by changing your perspective away from gotcha questions and gatekeeping interviews, and moving towards asking people what they've done and how they'd solve real-world problems, followed up by practical tests that simulate the actual work they'd be doing.
- As someone looking to get into the industry, if you have a bachelor's in CS, CIS, or cybersecurity you should be fine. If you don't have that, get a Security+, build a lab, start a GitHub account, start a blog, get active on Twitter, and start making things. Write code to solve problems, help other people with their projects, ask questions, answer questions, and share your work with the community.
- Without a degree, the best way to get over the gap is to show your value through real-world projects. Get on it.