Entering the Profession

Sept. 11, 2020
While some claim a shortage of cybersecurity applicants, others wonder where all the jobs are

On the heels of several years of studies, articles, and presentations on the purported cybersecurity workforce gap, we have been conditioned to believe there are millions of unfilled cybersecurity positions globally just waiting for us to figure out the best way to train the necessary workers.  On the other side of the gap, we have a generation of willing and talented people who simply cannot fathom why they cannot quickly slide into one of these innumerable open positions.  Even if you discount the number of supposedly available jobs by a factor of three or four, there should still be companies lining up to hire those with even modest entry-level credentials. Yet that isn’t borne out by the anecdotes and street-level analysis.

Every day, social media, jobs boards, and training centers are awash in frustrated applicants wondering how to pierce the veil of the cybersecurity profession.  Many seek validation of their abilities by sitting for difficult certification examinations. Some seek expertise with key security technologies.  A new crop of academic degrees has emerged to anoint graduates with cybersecurity proficiency within the existing collegiate system. The end state for most of these pursuits is the underlying need to satisfy the perceived requirements of automated resume screening software that will allow job seekers to finally connect with the hiring manager who controls one of these millions of coveted positions.

I see many aspirants asking today’s CISOs, CSOs, and security entrepreneurs how to break into the field.  Many, if not most, of these senior professionals cannot easily recommend clear pathways into the field to the upcoming generation.  The career trails they followed have been washed away by the dramatic changes in technology, work culture, and hiring practices. Today’s job seekers have to navigate a completely new environment.

There have been a myriad of disparate approaches to encourage young people to pursue technology careers, even targeting students in elementary school.  Outside of basic STEM education, many programs seek to offer specific computer programming and networking skills for youngsters who grew up using these technologies.  At the high school level, industry-led groups have organized around capture-the-flag competitions among competing schools.  In all, there are plentiful emerging opportunities to influence and educate the upcoming generation of technology experts.  In addition, there has been a robust outreach for retraining workers, veterans, and others looking to enter the field after years spent in other disciplines. 

So why does this perceived chasm of open positions and companies desperately seeking to fill critical requirements seem to keep growing?  The expanding gulf is largely due to the difference between what many large organizations think they need and the existing workforce. It is also due to a hiring system in need of significant improvements.  Instead of an eco-system of job-seekers, human resources staff, recruiters and hiring managers, we have an infrastructure of screening software and overworked departments trying to cull resumes among hundreds of applicants. This impersonal and bloated system is not working in the applicants’ favor – nor the hiring organizations’.

What has remained constant is the value of diligent research and professional networking in finding cybersecurity opportunities. The latter will be more difficult in this Time of Corona, but it’s always a good idea to continue recurring outreach to friends and colleagues.  Yes, it’s not easy, but it’s never been easy. It can be frustrating trying to navigate the Big Company hiring process.  One tack I have always advocated is seeking out a team leader or a relevant group and asking to start as a volunteer or intern.  Get some insight and some hands-on experience and see where that takes you.  For those seeking to enter the profession, I wish you the best.

About the authorJohn McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].

About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].