The Skills Dilemma
Is there an issue of skills within information or "cyber" security? Yes, without a doubt. But it's not the way you think...the dilemma is not one of a lack of qualified and skilled practitioners, it's one of a lack of skilled managers.
Okay, caveat time...if you're a manager, you might want to stop reading. If you get butt-hurt easily, you might not want to continue on beyond this point. Just sayin'...
I read Scott Scanlon's The Hunt for Cyber Security Leadership Intensifies article recently, and I have to say, being in the industry for the past 19-some-odd years, I have a different perspective on the issue. The second sentence of Scott's article, referring to executive recruiters, says:
But they are finding a lack of qualified candidates just as companies put a greater emphasis and give a higher priority to corporate security.
It's not my intention to take anything away from Scott, nor am I suggesting that he's incorrect. I'm simply saying that I have a different perspective. In doing so, I'd like to take a look at that sentence; specifically, what constitutes a "qualified candidate", and who decides? If you're "finding a lack of qualified candidates", how are you looking?
Let's look at the process of finding a "qualified candidate":
Job Posting
Who writes job postings or position descriptions? Managers? Are you a manager? Write a description for a position you need to fill. Now, ball it up and throw it away, because you're wrong.
Here's what I mean...I was engaged in a thread recently on LinkedIn, where an employee of a company had posted two position descriptions, one for a threat intel analyst. When I read the position qualifications, one of the stated requirements was a familiarity with "EnCase or FTK". I was curious, so I asked why that was a requirement, and the employee who shared the links didn't know. Shortly, one of the C-level execs from the company responded, saying that it wasn't a requirement.
Then why say that it is?
Have you ever seen those position descriptions? "The candidate MUST have a CISSP, EnCE, etc." Really?
Running the Gauntlet
Position descriptions are passed from the manager to HR or a recruiting firm, who become the gatekeepers. Most of the recruiters I've encountered have no experience in the information security field themselves...they're recruiters. So for them, the position description is a set-in-stone road map, and the words used by the hiring manager become the round holes in the board.
I once worked at a company where, after I was hired, one of the recruiters stated publicly that when they receive a resume from a candidate for a position in information security, they search the resume for the term "information security", and if they don't find it at least 4 times, they throw the resume out. What about qualifications? The hiring manager includes "CISSP" and "EnCE" as "requirements", but doesn't tell the recruiter that they really aren't "requirements". So, the recruiter looks at resumes, and if "CISSP" AND "EnCE" aren't listed, you don't pass GO and you don't collect $200.
So the question then becomes, how does someone who's qualified pass through that gauntlet and get an actual interview? I "came up" in the industry before there were courses you could take, and a lot of what I know is self-taught. I know enough about EnCase and FTK to know when they're suitable for use. I'm not suggesting that I'm a "qualified candidate" but if I was, how would anyone know?
Interviewing a Candidate
I'll be 100% with you...most of the people I've encountered while interviewing don't know how to interview. We all like to think that we're good at it, but the simple fact is that we don't know how to interview.
When I first got out of the military, I interviewed at a defense contractor, and had four hours of interviews with different departments scheduled. At the beginning of the first interview of the day, the senior manager started off by telling me, very clearly, that he'd run all of my qualifications through a model that he'd developed, and he'd determined how much I would make in my first job. This is before he even spoke to me or got to know me. That's not how to conduct an interview...and I made considerably more than what his model showed in my first job.
A great way to lose a candidate is to take them around the office and surprise members of your team by dropping the candidate off for a "spur of the moment" interview.
Look, I've been on both sides of the fence in 19 years. When I was getting out of the military, I had to take classes in "how to interview". What made it disheartening was that the people I was interviewing with had NO training at all. All the preparation in the world cannot stand up to the first question in an interview being, "so...why are you here?"
I've also been responsible for conducting interviews. I've seen people lie on their resume, simply to make it past the "recruiter gauntlet" and get an interview. I've had interviews go really well, and some that didn't go well. I've also been in a position where someone was hired to support the work that I did, and I was not involved in the process, at any level. In fact, in that case, I wasn't even aware of the vision or business decision for filling the position...all I know is that I heard a discussion in the hallway about offering this person a signing bonus.
The Reality of the Position
What is the reality of the position itself? Yeah, I know what the job description says about the position and the company (words like "dynamic" are used), but all bullsh*t aside, what's the reality?
Is the actual work position in the heart of a major city? As someone who lives outside of a major city (way outside), I know better than to try to drive into the city for the odd social event...and you want me to drive into the city every day as part of the job? I thought the position description said that your company "values quality of life"...
What about the actual work itself? In my time, I've worked for a couple of contracting firms, "supporting" federal law enforcement. In both cases, a lot of very positive things were said about the position. When I supported a CSIRT, it took me 8 months to get my agency-specific clearance, and in that time, I found out that the "CSIRT" didn't actually respond to anything; if they happened to find out that something happened, they had to request that someone from network ops run a tool (just one) on the suspect system. When I found out that the one tool was one that simply listed processes, I suggested that along with the process, we also get the path to the executable image (for context), and the person I suggested this to got offended.
In the other position, all of the case agents would take their work to one or two analysts, while the rest of us got really good at Solitaire.
If you're a contractor and having trouble finding "qualified candidates", then the issue may be with the positions you're filling themselves. I've spent time with contracting firms whose business model is to be a seat-filler, and to be honest, I can see why they're having trouble finding qualified candidates.
I'm not talking about being cynical about the position or the company...I'm talking about being honest about it, that's all. After all, if you're not honest about the position, it's going to be a revolving door of candidates. As bad as it sounds, a worse outcome is having someone realize how it is, and stay.
So, my point is that there are, in fact, highly skilled individuals in the "cyber" arena. Many of them have time in the industry, have learned a lot of the lessons I've described (and more), and have created for themselves an environment where they're happy. Some of the highly qualified but relatively new individuals in the industry have gravitated to the more experienced folks, and are similarly very happy.
Rather than repeating the "lack of qualified candidates" mantra, take a good hard look at what you're doing to find those candidates. Is it the process you're using? Is it the business model that needs to be changed? Or, consider "rolling your own"...use your current expertise to develop and grow new expertise.
Addendum, 19 Jan: I ran across this INC article today that gives 16 steps to help make your interview a success. The problem I've always found is that there aren't articles like this for those on the other side of the table...those who have head count and a position to fill. There are a lot of articles out there that talk about how to be an interviewee, but few that really prepare the interviewer.
Addendum, 25 Jan: Here's a Forbes article that discusses answers to the 5 dumbest interview questions; the point is that they're still being asked.