Companies go to great lengths to hire cybersecurity staff

Employers are desperate to fill cybersecurity positions. The number of cybersecurity jobs available, coupled with accelerated attrition due to the Great Resignation, has led companies to offer ridiculously high salaries, a host of benefits, and free training and certifications to entice candidates. Even so, the pool of candidates is limited. Employers are exploring ways to help candidates fill gaps in their experience so they can be hired.

“The first thing anyone interested in careers in cybersecurity should do is apply,” says Justine Fox, senior product manager, technical, at NuData Security, a Mastercard company. “Most tech skills are adjacent to the necessary cybersecurity builds, and there’s no faster way to learn the skills required for the role than in the role. Whether you’re self-taught or formally educated, I encourage people to apply.”

Mitch Ashley, director of Techstrong Research, echoes this sentiment. “Cybersecurity is no longer a network-centric skill,” he says. “Security recruitment is hopelessly behind, while software continues to devour the world.”

Cyber leaders need to “widen the network” to attract “talent beyond just traditional cybersecurity areas,” he adds, and managers “need to think more like software leaders and less like network engineers.”

Hiring companies are also becoming more flexible with job requirements and creating opportunities to help people transition into the industry quickly. There are also quite a few things people can do to bolster their applications and get the skills they need, even if they don’t have exactly the work experience in demand.

Growing desperation is undeniably driving employers to “get creative to help fill positions and stay competitive,” according to Dan Desko, CEO of Echelon Risk + Cyber.

Get real, fast
Given the changing hiring guidelines for non-traditional candidates, what skill or experience matters most on a winning resume? Practical experience in the real world. But how do you gain experience before you get a job in the field?

“A well-stocked GitHub page showing contribution to security tools and projects, a blog talking about security research, their bug bounty, or Hall of Fame vulnerability disclosures – these are all convenient ways to demonstrate and communicate real-world skills to a hiring manager quickly,” says Casey Ellis, Founder and CTO of Bugcrowd.

Whichever way you choose to do it, get real-world experience as quickly as possible.

“In many cybersecurity jobs, training requirements are now a thing of the past,” says Peter Lowe, senior security researcher at DNSFilter. “Therefore, people looking to get into cyber should prioritize gaining real-world experience and skills over degrees.”

Dive into Open Source projects
Indeed, open source projects are a great place to gain hands-on experience at a lower cost.

“Two of the easiest ways to take it to the next level are to engage with the infosec community through social media, namely Twitter, and to contribute in a small way,” says Lowe.

Choosing an open source or open data project to contribute to is “a fantastic way to connect with others and start developing the techniques and skills required in professional environments,” he adds. “Nothing big to start with – just a way to have a thread to follow that will expose you to people and ideas. As a bonus, any public work and/or conversation you have are great proof points to show potential employers that you have a real passion for cybersecurity.”

Try to score an apprenticeship
Apprenticeships are becoming more popular and more widely available.

“Apprenticeships are a great opportunity for cyber skills training because they provide hands-on experience and the chance to learn from someone else,” says Demi Ben-Ari, CTO and co-founder of Panorays, a security and risk management company. “In addition, training in operational cybersecurity, both defensive and offensive, is also a great way to develop a wide range of skills. All opportunities for increased networking, programming and use resources are essential to hone your cybersecurity knowledge and capabilities.”

Apply from inside
Consider changing careers to cybersecurity from your current role at the same company. Many companies have training assistance programs. Also, “well-known” candidates, in terms of job performance and willingness to learn, are often preferred hires over newcomers.

“At 1Password, we have several examples of people who joined us and started in our customer support department and then moved on to security roles, given the experience they gained in security roles in direct contact with our customers,” says Katya Laviolette, Director of Human Resources at 1Password, a password management company.

Leverage the technical skills you possess
Cybersecurity is a much larger field than before and now contains an increasing number of specialties. Highlight the technical skills you already have, as many of them will likely transfer to cybersecurity.

“Cybersecurity skills today need to be underpinned by new security disciplines, combining cloud security, software development, scripting, automation, infrastructure-as-code and [the] Internet of Things,” says Ashley of Techstrong. “Cisco’s DevNet, for example, helps new and experienced engineers with Python courses, scripting and orchestration training, API usage, code exchange, exposure to MLOps, and sandboxes to learn, test and play using new skills in traditional cybersecurity.”

Improve your self-study program
Self-study is good but often not enough if that’s all you have.

“Whereas [capture-the-flag contests] and other types of self-directed journeys can help expand your skills as a practitioner, it’s not a direct substitute for training and experience in terms of getting into the business,” says Ben-Ari of Panorays. “In other words, the self-learning paths like CTFs or bug bounty programs help deepen knowledge, but to excel in the cybersecurity industry, you need hands-on experience that these drills don’t often provide.”

Security boot camps also have their limitations.

“There are many training camps and programs, but these can only get you so far,” Ben-Ari warns. Most only prepare you for junior positions, which is problematic because most companies looking to hire want hands-on experience so you can instantly excel on the job.

The good news is that many security companies offer programs that can also help you get more structured training.

“Many security companies cater to those just starting out in their IT security career and offer ‘pay what you can’ training,” says Brian Wilson, CISO at analytics software company SAS.

Take advantage of free hacking resources
It is often said that cybersecurity is more about mindset and problem solving, because the rest are just teachable skills. So if you have the mind and the will, there are plenty of free resources where you can learn the skills.

“There are a ton of free hacking resources on the internet and a strong community of people dedicated to curating them,” says Wilson. An example is Awesome Hacking Resources on GitHub.

There are also several reasonable penetration testing lab websites to virtually test your skills to “see if you have what it takes in different areas of security,” he adds, citing HackTheBox as a popular example.

Find your own mentor
Seasoned mentors are invaluable to aspiring professionals, mid-career professionals, and mentors alike. Many companies assign mentors to new hires, and these programs are often worth their weight in gold, or at least better security for company assets. But if you are not yet employed or your employer does not offer a mentoring program, other resources are available.

“A great strategy is to seek out mentorship opportunities through local security organizations like ISC2 or regional Defcon organizations,” Wilson says. “Similarly, consider checking out cybersecurity-focused groups, many of which are free. These avenues can help newcomers to the field network while sharpening their skills.”

The truth about certificates
Are you wondering about the value of certifications? Almost everyone wants to know where these fit into the new hiring requirements.

“Certifications can definitely help when getting a first job, [but] they don’t matter the longer you stay on the pitch,” says Ben-Ari. “Plus, your industry experience will quickly become the most valuable aspect of your cybersecurity resume.”

However, some certifications prove your chops better than others.

“My employer recognized my certification, the eJPT, as a practical benchmark to demonstrate my skills,” says Lily Clark, a former communications specialist turned cybersecurity consultant at Echelon. and TryHackMe gave me confidence that I was ready for the next step.

Show what you’re made of
In the end, the “proof” you need is not documented on paper or in pixels.

“On the talent development side of the house, we look for those who exhibit the underlying values that we consider essential for a company like ours, and combine this with a strong learning capacity,” explains Desko of Echelon Risk + Cyber. “Once we find these people, we help turn them into cyber superstars.”

Clark, he says, is “an incredible inspiration to all of us, but also a great achievement showing others what is possible. We also have, notably, a former family counselor on staff who is now a senior cybersecurity consultant.”
