Six entry-level cybersecurity job seeker failings

When it comes to hiring, enterprise security teams can use all of the help that they can rally. But when it comes to hiring entry-level talent, that's not as easy as it may seem.

According to a poll last summer of 1,000 18--26 year olds conducted by Zogby Analytics and underwritten by Raytheon, about 40 percent of Millennials reported they would like to enter a career that makes the Internet safer, but roughly two-thirds of them said they aren't sure exactly what the cybersecurity profession is, and 64 percent said that they did not have access to the classes necessary to build the skills required for a career in information security.

That means, at least when it comes to the entry-level information security market, that there will be many job applicants continuing to enter the field with backgrounds that lack formal information security training. This echoes what we hear when we speak with CISOs and others who often hire security talent.

[ What to do when starting a new security job ]

With all of this in mind, we recently reached out to those CISOs to see if there was a common thread of mistakes among information security career newcomers who are in the job market. Here's what we found:

1. Fail to show oneself as a team player

Sounds like a no-brainer, right? But it's not. Many of the hiring executives we spoke with say that personality can -- and often does -- trump technical assets. This is especially true as more and more information security roles interface with the rest of the business. It's essential that applicants be themselves -- amiable, articulate, and able to prove that they can work with different areas within the organization.

2. Sell one's self as a jack-of-all-trades

"Entry level applicants across almost all verticals of information security make the mistake of trying to be a one-size-fits-all candidate," says Boris Sverdlik, head of security at Oscar Insurance. "Security is broken up across many verticals and even among those who are experienced, it's almost impossible to be well versed in all aspects," he says. "The most annoying candidate is the arrogant know-it-all," says Brian Martin, founder atDigital Trust, LLC. "I don't mind arrogance when it's earned, but not in a kid who's never been tested. In cases where we've tried to work with these types, it hasn't ended well."

If you have interests in many skills in information security, highlight a couple that best meet the needs of the organization.

3. Falling flat on job search and interviewing basics

For many CISOs, such as Martin Fisher, manager of IT security at Northside Hospital, it is common for potential hires to harm themselves by flunking the basics of job seeking. "On resumes, misspell HIPAA, and I'll toss the resume," Fisher says. He also says that he too often encounters typos, punctuation errors, and resumes laden with information that's not relevant to the role being offered.

Mike Kearn, principal security architect at US Bank, cited what job seekers don't do when it comes to the basics of interviewing. "When I offer them an opportunity near the end of the interview to ask me anything, and I emphasize the word 'anything,' the majority ask me softball kinds of questions about culture or why I like working there. Missed opportunity on their part," he says.

4. Believe certifications and degrees matter more than practical skills

"Many think that I care more about their degree or certifications than actual skills," Kearn says, while others are under the misguided assumption that a degree or a certification equals a job. It doesn't."

[ 10 security mistakes that will get you fired ]

Likewise, many entry-level applicants think technology is the hammer to squash every security risk nail. "Too many think that the solution to most problems is a technology control, rather than people and processes," says Eric Cowperthwaite, former CISO for Providence Health and Services and currently advanced security and strategy VP at Core Security Inc.

Ben Rothke, senior eGRC consultant at Nettitude Group and former CISO, agrees. "The technology tools they have experience with are the definitive techniques for approaching information security. Not every security problem can be fixed by a firewall or IDS," says Rothke.

5. Stretch the truth

This one certainly isn't exclusive to information security, but it is especially silly to try to pull this off on experience security professionals who tend to be a suspicious bunch by nature. "You'll notice that they tend to exaggerate their experience to impress hiring managers; some range from slight fibs to full-blown lies," says Sverdlik.

Kearn concurs: "A lot of them attempt to inflate or enhance their resume by saying they know someone and are connected via LinkedIn. But when I press them on it, because I actually know the individual personally, they cave almost immediately."

6. Don't understand the highly interpersonal nature of infosec

Many entry-level applications come from workers in small businesses, and they are not prepared for or don't seem to understand how large enterprises function. That's fine, and part of the learning process for new professionals -- but keep an open and learning mindset when it comes to practicing information security at a larger enterprise. "A lot of people have expressed ways to do business that simply won't work in a large enterprise. Typically, the person would be very direct toward people who want an exception to security policy, avoid collaboration, avoid discovering why the person wants the exception, and just dictate behavior," says Cowperthwaite.

"They often don't realize that their excitement and sometimes irrational exuberance around all things information security is not shared by most people in the organization," Rothke says.

In the end, perhaps the most important thing is to be one's self. "Show that you have a passion for security, be it examining logs, performing code review or risk assessments, or even administering security appliances. If you are good at critical thinking and have a good technical background, learning the rest is easy," says Sverdlik.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitycareersInfoSec StaffingIT managementraytheonjob interview

More about Inc.

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by George V. Hulme

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place