Jamesha Fisher
Point of Entry: The Missing Link in the Security Hiring Gap

How misguided notions of capability and lack of access to enterprise tools discourage diversity in Infosec.

About a year ago, I tweeted to help a friend looking for an entry-level security position. The first few responses were particularly telling. Everyone in our industry knows this dirty little secret: companies collectively pretend there are no junior Infosec opportunities. It seems like every posted opening requires fairly extensive experience with very specific tools or is front-loaded with “mid-level” or “senior” title signifiers, regardless of whether the actual job duties really require advanced skills. And even after getting the relevant education and/or certification, there’s a roadway laid out to newbies in our profession that isn’t very welcoming. That needs to change.

The point of entry to a career in security is blocked by many obstacles. Even if you find a company that recruits for junior positions, the first hurdle is the perception of capability. Tech companies encourage the view that they hire only the best and brightest -- and only from the most prestigious institutions; bootcamp vets need not apply. This involves recruiting the most brilliant minds, paying top dollar, and then giving them only unstimulating administrative chores and busywork.

While this is okay for a time, eventually it leads to another enthusiastic job search and another lost seat. Instead, in addition to having geniuses on staff dreaming up the next multi-platform network protocol analyzer, most companies need someone to actually monitor the existing network, manage updates, analyze traffic, etc. Construction requires carpenters in addition to master builders. And creating a pipeline of learners is the best ramp up to creating the next generation of master builders.

So, if you can get by the capability bias, you’ll probably run directly into the next barricade: tool knowledge. More and more positions require direct experience with specific tools, compliance regimes, or standards. A lot of those tools are expensive, so there’s no way to gain any experience with them until you are behind the paywall. Unless you are wealthy enough to afford your own Cisco firewall appliance or run a cluster (even with today’s free technologies), chances are you aren’t ever going to touch enterprise-grade tools anywhere but at work — work you can’t get without experience. It’s a Catch-22.

Networking -- the human kind

Even knowing about the existence of these tools requires a community that can share that knowledge, as well as advice on obstacles into the job market. Everybody says that networking is the way over, under, and around these barriers. Join communities. Build relationships. Get referred. And it does work.

I was lucky enough to attend university in an area with an active tech community and, by nature, I’m the type of person who is willing to reach out. As a student, I had both the time and inclination to actively participate in campus-based groups like SecDaemons, attend meet-ups, and go to local conferences. I played the networking game without really even knowing it, building personal relationships around my area of study, which eventually led to important internships, which eventually led to employment in my chosen field.

But what if you’re an introvert? What if you don’t live in Silicon Valley or Chicago or Boston? What if you live in Smalltown, USA? How are you supposed to build relationships at those far-away meet-ups? Fly to security conferences? What if you have to pay rent? Support children? What if those networking opportunities aren’t so opportune? Too bad.

In point of fact, if you are interested in an Infosec career but do not fit into a very narrow mold, there really is no visible point of entry for you. And this is both sad and wrong. In our socially aware and hyperconnected world, there should be a well-marked path to professional employment that does not rely on the cyber-equivalent of a good ol’ boys’ club. I think we, as an industry, need to get over our preconceptions and become a bit more welcoming to the different types of people who want to do what we do. Companies could encourage more diversity, perhaps by offering apprenticeships instead of just internships, holding free tool workshops for students, or directing recruitment toward nontraditional and less-obvious talent pools.

And we working pros could help more as well. Take a cue from the Jedi and mentor at least one Padawan: actively offer your knowledge, time, and support to those trying to join our ranks. This is just one perspective, and it certainly doesn’t present all the answers. But it’s pretty obvious to me that the point of entry in security hiring should be expanding, not disappearing.

Jamesha has been a security and technology professional for over 10 years and is currently working at CloudPassage. A voice in the community, she has worked at companies epically large and small, shaving tons of yaks along the way.
11/13/2015 | 9:13:21 AM
Ah, the experience Catch-22
Yes, the experience requirement is and always has been vexing and perplexing. It was no different back in the 90s for me. Your point about networking with actual people is true - the old "It's not what you know, it's who you know" adage still applies in many cases, especially in the early stages of one's career where you actually don't really know yet! (Read: Have few experiences in the field.) You MUST be able to sell yourself.