CyberWire Daily - Building your cyber security career. [Special Edition]
Episode Date: November 30, 2017
In this CyberWire special edition, we take a closer look at finding your career in cyber security. Just how important is that degree? Does it make sense to invest in certifications? What are employers really looking for when they're searching for qualified cyber security talent? And why is it critical that you not just hunt down a sexy, high paying job, but build yourself a fulfilling career? Sharing their insights and expertise are Kathleen Smith, CMO from Clearedjobs.net and cybersecjobs.com, and Robert M. Lee, CEO of Dragos.
Transcript
You're listening to the CyberWire Network, powered by N2K.
It's no secret that the cybersecurity job market is hot these days.
And it's not unusual to hear stories about serious shortages of qualified candidates,
of thousands of high-paying jobs going unfilled all over the world.
Colleges, universities, and educational institutions
provide training, degrees, and certifications,
and some organizations are looking outside the traditional channels
and training people in-house.
In this CyberWire Special Edition,
we take a closer look at finding your career in cybersecurity.
Just how important is that degree?
Does it make sense to invest in certifications?
What are employers
really looking for when they're searching for qualified cybersecurity talent? And why is it
critical that you not just hunt down a sexy, high-paying job, but build yourself a fulfilling career?
articles that like to inflame everyone, that there's this skills gap.
That's Kathleen Smith.
She's the Chief Marketing Officer at ClearJobs.net and CyberSecJobs.com.
One of her specialties is providing career support for people with security clearances.
We're still seeing a high demand of cybersecurity professionals with experience.
We're seeing, you know, the Bureau of Labor Statistics say that, you know, information
security, which is where they categorize cybersecurity, you know, there's a 37%
growth in that industry, and that's going to continue to 2022.
What we're also seeing is other solutions coming into the marketplace. We are seeing that
all of the colleges and certification programs are starting to produce students who are interested
in cybersecurity that have some education about it,
but not much in the way of hands-on experience. I think that is going to be a big challenge for us
because we're having many universities, many schools that are coming out saying,
we have a degree program, we have a certification program, and then they don't have any way for
these students to get any hands-on experience.
But in truth, we're not leveraging the people we have correctly.
And we're oftentimes not asking the right questions to get the people we need.
That's Robert M. Lee. He's the CEO at Dragos,
a company that specializes in protecting industrial control systems.
I mean, it's always a common joke that there'll be a technology that's only three years old and the job hiring requirements looking for an expert with 10 years
experience on it. Like that's that job bill. It's not going to be filled. And so it goes and gets
tracked in the number as, oh my gosh, we have like not enough people in the field. And it's like, no,
that job announcement is stupid. Or you hire somebody to be a tier one SOC analyst and they're supposed to triage alerts, but our
technology could actually do that itself. Like we can, like as a community, we've already solved
that problem. But we're just not leveraging it as we're just going to throw people at it.
So I would say, and to his point, we are not effectively and efficiently using the talent
we have, and we're requiring or requesting things that we're not doing correctly
on the talent we want. When I was at the CyberWire's Women in Cybersecurity celebration,
I had the pleasure of chatting with Cindy Gula from Gula Tech Adventures, and we were talking
to some of the students there. The challenge that both Cindy and I saw was that the students were
saying, we're interested in
cybersecurity. And Cindy would then go in and say, well, what part? You know, what in particular?
And all of the students were saying everything. And that, I think, is part of a challenge. We've
actually done ourselves a disservice by making cybersecurity this very in-demand career that many people are rushing into it thinking they're
going to have this rock star experience, that they're all of a sudden going to be able to
take care of any of these breaches. And all they have to do is have a few years of a certification
program or college degree without really truly understanding how cybersecurity has moved from being information security
into an overall practice that surrounds every aspect of business.
And I think that that is one thing that we're losing right now in all of the degree programs
is there's some risk analysis being taught, there is some penetration, some coding, some
forensics, but there isn't a real delineation between you're going to need forensics if you
want to go into specific intelligence agencies, threat vulnerability if you want to go work for
a services company, what do you need if you want to take your skills
to a healthcare company or a financial institution? We're at this point now where we also have a lot
of professionals who've been in the industry for a long time, but they don't understand how to craft
their career. We have professionals who finally are speaking out at many of the
conferences, DEF CON, Black Hat, saying we really have information security professionals,
pen testers, malware researchers who've been doing this kind of work for 10, 20 years,
and they're not being given the opportunity to craft a career where they
can make a difference in business. They're not being given the mentoring or the guidance
on how they would advise someone at the boardroom. So I think we're moving in a really great
direction. We still have a lot of work to do. So for that person who is in school, either getting a four-year degree or certifications,
is it inaccurate for them to think that that degree or those certifications
are going to be their ticket to a high-paying job right out of school?
I would say so, yes.
The salaries right now for someone straight out of college in information security or cybersecurity are in the mid-60s.
And I think that when you hear about the person that found a breach or who has created the new
vulnerability testing that's out there, they're looking for a salary that's $150,000, $185,000.
I think that with any career in any profession, you have to
be passionate about it. And that is one thing I don't think we're really teaching in college.
I don't remember them teaching that when I was in college.
I've seen some debates around this where people are like, well, you don't need to be passionate.
If I have somebody that comes in at 8 to 5 and does their job, that's fine. They don't need to
stick around until 2 o'clock in the morning. And that's a bad metric. And I get what
they're saying. You shouldn't overwork your people, but you still need passion. And why I say that you
have to have that passion is mostly on the learning portion. I don't think there is a single
well-structured program in place, nor could there be to train up somebody to be exactly what we need
them to be. They have to take it into
their own hands at some point. And that's where the passion kicks in. The recertification, the
programs are costly. Sometimes an employer will pay for them. Sometimes they won't. So this is
something that if you're going to start in the career of cybersecurity, really look at it for
the long term. Is this something that you really want to not only
invest your time in creating your own home labs? Is this something you're willing to create your
time as far as setting aside your budget to get the recertifications? And a lot of the
recertifications or certifications like the CISSP or any of the others, you have to have three to
five years experience before they'll
allow you to even start taking the exam.
Help me understand, because I see people talking about, with the shortage of people available,
that they're hiring, they call it new collar jobs.
They'll hire music majors because those are people who can work on teams and think creatively,
and they can teach them the cyber part.
And yet I think about HR departments being gatekeepers, where having checkboxes of saying you have to have this degree or this certification to even get to the next round to get an interview.
So it seems to me like there's a little disconnect there.
Is my perception of that accurate? Your perception is right on because
most of the jobs that you'll see posted out there, four out of five of them, will require some kind
of degree, will require some kind of bachelor's degree. And when I was looking at several of the
studies, it's interesting that they don't really say it necessarily has to be a computer science degree or an engineering degree, which I think is great.
I think that having a degree requirement sets you up to say, okay, I'm willing to go through
the education that you're going to have to continually need to do within cybersecurity.
And you're right, there is going to be a screening by the recruiters and the hiring managers that
say, okay, we need a minimum of a degree. Specifically, if you are looking in the government contracting community, if you're
looking for working for one of the intelligence agencies, yes, you are going to need some kind
of college degree. The other thing is when you talk to several of the program managers,
and program managers have been inserting themselves into the entire hiring process.
Normally, in a hiring process, you're working with a recruiter, a sourcer, an HR manager.
There's not that much education currently going on between a cybersecurity program and the
recruiting department to explain to them what kind of individuals they're looking for. So a lot of
the program managers are going out and doing their own hiring. And when I talk to them, they say, you know,
all we want is someone that has the initiative, someone who has an inquisitive mind. Yes,
they'll hire someone that is a music major because that is a creative way of thinking.
That is a different way of thinking. And these are the skills that we need in cybersecurity.
You can train somebody, but you cannot train them to be inquisitive or creative or innovative.
It does not matter if you have a cert.
It does not matter if you have a degree.
It does not matter if you go after a PhD.
None of that is going to position you to be a security expert.
Only thing that's going to position you to be a security expert is taking advantage of whatever you're doing and being passionate about it and learning and pushing the field.
So if it is in a PhD program that you're doing that, fantastic. If it is at home with an internet connection, taking advantage of the plethora of free courses and information out there, rock on.
But you're going to have to take advantage of wherever you go because it's not going to get
done for you. And there's a mixture of a lot of information, so you have to kind of specialize.
I do not think you need a degree. I do not think you need a cert. I do not think you need
anything other than passion and taking advantage of wherever your path leads you. Now, is your
job going to require those things? Maybe. If you're in the federal government, as an example,
you better get a bachelor's and a master's. You're going to need it to rise to the ranks, period. It's just
antiquated and that's how they view the world. Many of your larger job hires are moving away
from that though. However, certifications still really matter for a lot of job hires.
So certifications generally demand a higher salary for you, which is useful.
But is the degree or certification going to position you
to make sure you know the information? No. There are usually barriers to entry for salary or jobs
at places you want to work. What about the stories that we hear about people chasing signing bonuses
or hopping from job to job, getting a raise here, getting a raise there, and chasing the money that way?
It's the same thing that we had in the dot-com era. I mean, that's when we had the signing bonuses and jumping from one startup to the next. And we all know what happened with that.
We have the same thing going on within cybersecurity, where they're actually called
the exploding job offers, which are, you know,
if you come, we'll give you this enormous bonus, but you have to come now. And I think that's a
challenge that companies are getting themselves into, rather than saying, can we train the people
that we have inside to do the job versus chasing after someone that you need desperately.
Currently, the Department of Labor is saying that most professionals who are in information technology, information security,
stay in one job for 11 to 13 months. It will take close to 18 months to be able to find that
replacement. So we have not only a problem on the side of the companies, but we also have a
problem on the side of the professionals because they're not asking the questions during the
interview process. What is my career progress within this company? What are the other advantages
that I can take advantage of? Are you going to pay for my training? Are you going to pay for me to go
to DEF CON or one of the conferences? Really looking at the sustainability model requires
both the companies and the professionals to have that conversation. And we have unfortunately built
a society where the information technology professional was never really treated very well.
I mean, there's several sitcoms about, you know, the IT departments in the basement,
and they only drink Red Bull and eat pizza. I think it is now getting the information
technology professional to be more part of the business, to create the career.
We were doing a career panel at DC Cyber Week last week, and it was fascinating to me.
We had a room of about 45 professionals, and none of them had been in cybersecurity,
but several of them had been in finance and in healthcare. And their managers had actually said,
you're really good at finance and data analysis. We want you to have a career
where you can take that knowledge into cybersecurity. And I said, please go back
and thank your boss for me because they're looking at your career. They're creating opportunities for
you. They're saying that you're really strong in this area and they want to keep you as an asset and they'll provide more training. And they were shocked. They said, no, that's the way I am treated.
And I find that interesting. There are different industries that treat their professionals with
respect and cater to providing career development. In information technology, you don't see that. You don't see
the training, the cultivating of the next C-level executive. I mean, any company should be able to
look inside their workforce and say, I see the future CSO, CISO within our ranks right now.
We are going to train them. We are going to cultivate them so that they stay with
us, that they bring other people along with them. But we haven't gotten there yet. We are approaching
that, but we haven't gotten there yet. And I think that that will be a big shift.
What would your advice be to that person who's either coming up through school,
looking for a career in cyber, or maybe switching to a career in cyber from another profession?
What kind of advice would you provide them?
The one piece of advice that I always give anyone who says,
I want to get into cybersecurity, be it cyber policy, be it vulnerability testing,
get out into the community first.
Really go to the meetups, go to the B-sides events, the hackathons, go to the hackathons
online and really see if this is what interests you. It's a really great way to test, you know,
do you want to do forensics? Are you very happy just being a pen tester? Do you want to work in
a high stress environment? Really understand that before you make the investment
into a college program or any kind of certification program. I think it is wonderful that we have all
kinds of opportunities to be able to test, do I really want to do this or am I doing it because
it is the most fashionable career at this point. The other part that I look at,
and I always recommend, and I have a great recent example of this, is cybersecurity is not just
the services industry. It is not just the companies who provide the cybersecurity services
to other companies. It is now impacting every part of our lives, healthcare, finance, retail.
And being able to say, I'm not necessarily going to go into a services company, but I really like medical devices.
I'm going to study medical devices, but then also have the cybersecurity component to it. I do a lot of mentoring and coaching to transitioning
veterans. And I had a recent example of a 26-year Air Force veteran who was waiting for his next
government job. And that is a challenge that I find for many of our transitioning veterans is
that they're more interested in staying within
working for the government because they're more comfortable with that culture rather than breaking
out on their own. I find that not enough cybersecurity professionals are looking at
our energy grid. We have, you know, this from a national security standpoint, but also as a career
development standpoint, we have so many opportunities in this country to be able to have an impact on the security of our energy grid.
So in talking to this Air Force veteran, he had a combined background of physical security and
cybersecurity. And for family reasons, he wanted to be in the Northwest United States. And he said, have you ever thought of energy?
And it really excited him because he could be at the forefront of national security,
a veteran being able to continue supporting the mission, which is why he's part of the
military, and being able to create a new kind of career path, combining physical security
and cybersecurity.
For me as a job hire, I mean, I sort of live in the luxury of working in a very small industry.
So we should know you or know of you before we're even approaching you.
Or when people reach out to us, we have enough really smart people that we're going to be able to call BS. And we don't even look at resumes. Like we do not ask people to send us their resumes.
I've never asked anybody of any of their certifications
or degrees.
My general questions are usually, what do you do?
Like, what are you passionate about?
What have you done that can prove it?
Are you active in the community and publishing papers
and blog posts and things like that about the topic?
Okay, maybe you know something about it.
Are you writing code?
Are you a coder?
Where's your GitHub account?
What do you code?
It's much more about show me what you are doing versus give me a piece of paper that you wrote that self-evaluates what you did.
Like that's not important to me.
What do people need to know about recruiters, about headhunters, about the professionals who are out there helping place you in jobs?
This is a great question because it not only applies to cybersecurity, but it also applies to
pretty much any profession. A job seeker needs to understand the landscape. They really need to
understand that just sending a resume to one person is not going to get you a job, that finding a job is a full-time
job. And it is a full-time profession constantly looking for your next opportunity. Now, I'm not
advocating, as I said earlier, job hopping, but you need to always know who are the recruiters,
who are the staffing firms, and who are the headhunters who are in
your particular field? Who are the people that you want to work with? They're not necessarily
going to be the person that is calling you and hounding you. It's going to be someone that you
want to build a relationship with and get to know them because if they're going to have an impact
on your career, which is a major portion of your life, you're going to want to have someone that you can trust.
There are, you know, there's corporate recruiters that are great.
There are corporate recruiters who are awful.
There are staffing firms that have started that are filling a need right now because they're former program managers that have really great networks that can go in and speak the language of other program managers.
And there is that divide that's going on right now and does in several industries where the
program managers don't have a really good relationship with their recruiting or HR
department. And that is something that many companies deal with. Some have overcome that. Some are still dealing with that challenge.
So a lot of program managers go direct and they either hire direct or they engage a staffing firm.
But eventually all of that is going to go back to the HR recruiting function because recruiting new talent is a very costly endeavor.
And unless you can have economies of scale with that, you're constantly going to be running on a deficit.
in their mid-career should know who are the companies and their recruiters that they might want to work with and connect with them on LinkedIn or stop by one of their booths at one
of the B-Sides events. Be aware of the good staffing firms and the bad ones. There's lots
of headhunters out there that will treat you very poorly, will sort of forget about you. There was actually a really
great presentation done at B-Sides Higher Ground about how a cybersecurity professional can sort
of do some good vetting on the difference between a corporate recruiter, a staffing firm,
and a headhunter. We have that video on CyberSecJobs, if anyone wants to look
at that. So I find it challenging when I go to a conference and someone says, yeah, I work with XYZ
staffing firm. And I was like, do you work with any corporate recruiters? Do you work with any
headhunters? Well, no, I just work with this one person. And, you know, that's sort of like saying just one
person is going to help you find, you know, your mate, or just one source is going to be where
you're going to get your next car. You're going to need to research, you're going to need to try
different relationships out before you find the person that's going to have the right opportunity
for you. How do you know? Are there any red flags where if someone says this to me, run the other way?
Well, the standard is a lot of people will reach out to you on LinkedIn and they will not have a very well-crafted LinkedIn message to you that is sort of auto-generated based on the keywords
in your profile. Usually, have I got an exciting offer for you is something you want to turn and run away
from. Anything that says, you know, it's a hot job, you know, immediate opportunity, signing bonuses
galore, you know, just as you do with, you know, buying that really great shirt. If it's got all
kinds of discounts and flash on it, it might be a reason why it needs to have all that
discounts and flash on it because it's not something of value. Really looking for someone
your friends like to work with, finding the recruiters that go to the conferences, that go to
the hackathons, who understand how to speak your language, because a really good recruiter is
also going to be a coach or a mentor. And sometimes a recruiter may work at one company
and you're like, well, I'll never want to work there. Recruiters do move from company to company,
usually every five to seven years, sometimes shorter than that. And they may have a great
opportunity for you at their next job, but they also have their own
network. So if you're interested in finding a job, they can reach out to their network of recruiters
and say, hey, I've got a really good candidate for you. This is one of the biggest missteps I
think that professionals have in their career search. They wait until it's the last minute
and they don't have a network of people that can help them get
in the door at the right company. So even when you're in a job and you might not be looking for
a new job just for the sake of the care and feeding of your career, you should be nurturing
that network. You should be nurturing a relationship with five to seven recruiters in the space, and be they recruiters
or headhunters or staffing firms, you should constantly be checking in with
them saying, you know, I just got my CISSP, you know, I'm still happy where I'm at, but I'm
interested in XYZ opportunity. Like any professional development,
you should always have four or five recruiters that you are developing a relationship with,
because they are going to have an impact on your overall career.
I can also see that if you're getting those calls, if you're fielding those offers,
that perhaps it's in your best interest to go to your HR people or your boss
and say, hey, these offers are coming in. Do we need to have a conversation about
how things are going for me here? Well, that conversation starts in the first interview.
That conversation starts at your performance review. That conversation shouldn't be a walk
into the HR department and say, I've got three offers
for $20,000 more. What are you going to match? You know, that's holding your management hostage,
and they're not going to like it, and you're not going to like working in that environment.
I think this is one trait that a lot of people don't have, which is creating their career path.
People look to having a mentor or a sponsor doing that,
but that's your own individual responsibility. I really like my job. I would really like to
stay here because I like the values of this company and I like the product that they do.
I need to find ways to stay engaged, to stay fresh. This is a conversation I need to have
with my manager. I mean, I even
have that conversation with my staff. You know, are you still happy working here? What are the
exciting projects that are on the horizon that you want to be part of? What do you want to have
taken off your plate? It is my responsibility as a manager to constantly be checking in with my
staff to make sure that they're learning,
that they're engaged, they're excited about what they're doing. But they have that responsibility as well. And that is a trait that is not taught in any school, and it is rarely taught in any
kind of management course. It's usually carrot and stick management rather than cultivating and training your workforce.
I'm constantly amazed when I talk to folks who have gone to, like, the most recent Hacker Halted conference, where people were getting their Certified Ethical Hacker training.
Folks had to take vacation time to be gone for that week and they had to pay for the expenses and they had to pay for the training,
even though it's a requirement of their job. I mean, this is, if we could get that one thing
changed in our industry where companies understand that if they want people with certain specific
certifications, that they have to provide time off, travel and pay for the fees.
And that still isn't happening, which is just devastating to me,
because if we're looking for people who are certified, who have experience, who like working
where they're working, but you're not giving them the skills, the tools that they need to do their
job, bad on you. Now, if I'm hiring a coder as an example, and this is one thing I'll push back for job hires, it is not appropriate to tell them like, oh, go make me some code for something and
we'll hire you if it's good. Okay. If you want to do that, pay them. So we've done that exactly
once. We had a guy that seemed like a total rock star, but I had no idea who he was. Nobody knew
who he was. Um, wasn't active in the community. I needed to make sure he was who he said he was,
kind of thing. Like he really knew his stuff. The way to do that is not
coming in and writing on a whiteboard and coding. That's silly. But we gave him a task, like go do
this. But oh, by the way, we're going to pay you full rate 1099 to go do that. Like if you're
going to give up your time, it's not like go show me you deserve this job.
That's stupid. I as a job hire should be humbled and excited that you want to come work for us.
So I should be paying you for your time in the interview if I need you to prove something to me.
And I think job hires need to get better about that.
I find it very interesting that, you know, the retailers, any company who all of a sudden says, we need to have a cybersecurity
department, and they go out and they try to hire people to take care of their business,
rather than going into their own workforce and say, you who have been with us for 10, 12 years,
you know what's important to our bottom line, you know what our customers need, you know
all of these components, would you be interested in taking all that knowledge and having us pay
to train you to be, you know, a cybersecurity professional or risk management or at least
help us with this? To me, this sounds like a slightly smarter way of handling this challenge,
rather than, you know, a financial institution here in Washington, D.C.
They decided rather than taking their own staff, who knows the regulations and knows the law and
knows FISMA and all that, they went and started a whole new cybersecurity division, got whole new cybersecurity recruiters.
And everyone's stumbling because they don't understand the quagmire of the financial institution, let alone the industry and the regulations.
And I was like, why aren't you sitting down with the people who are at the desk in the bullpen dealing with these challenges and having them help you?
But that's me.
And that's our CyberWire special edition.
Our thanks to Kathleen Smith and Robert M. Lee for joining us and sharing their expertise.
The CyberWire podcast is produced by Pratt Street Media.
Our editor is John Petrick.
Social media editor is Jennifer Ivan.
Technical editor is Chris Russell.
Executive editor is Peter Kilby. And I'm Dave Bittner. Thanks for listening.