When it comes to hiring, enterprise security teams can use all of the help that they can rally. But when it comes to hiring entry-level talent, that's not as easy as it may seem.
According to a poll last summer of 1,000 18--26 year olds conducted by Zogby Analytics and underwritten by Raytheon, about 40 percent of Millennials reported they would like to enter a career that makes the Internet safer, but roughly two-thirds of them said they aren't sure exactly what the cybersecurity profession is, and 64 percent said that they did not have access to the classes necessary to build the skills required for a career in information security.
That means, at least when it comes to the entry-level information security market, that there will be many job applicants continuing to enter the field with backgrounds that lack formal information security training. This echoes what we hear when we speak with CISOs and others who often hire security talent.
With all of this in mind, we recently reached out to those CISOs to see if there was a common thread of mistakes among information security career newcomers who are in the job market. Here's what we found:
1. Fail to show oneself as a team player
Sounds like a no-brainer, right? But it's not. Many of the hiring executives we spoke with say that personality can -- and often does -- trump technical assets. This is especially true as more and more information security roles interface with the rest of the business. It's essential that applicants be themselves -- amiable, articulate, and able to prove that they can work with different areas within the organization.
2. Sell one's self as a jack-of-all-trades
"Entry level applicants across almost all verticals of information security make the mistake of trying to be a one-size-fits-all candidate," says Boris Sverdlik, head of security at Oscar Insurance. "Security is broken up across many verticals and even among those who are experienced, it's almost impossible to be well versed in all aspects," he says. "The most annoying candidate is the arrogant know-it-all," says Brian Martin, founder atDigital Trust, LLC. "I don't mind arrogance when it's earned, but not in a kid who's never been tested. In cases where we've tried to work with these types, it hasn't ended well."
If you have interests in many skills in information security, highlight a couple that best meet the needs of the organization.
3. Falling flat on job search and interviewing basics
For many CISOs, such as Martin Fisher, manager of IT security at Northside Hospital, it is common for potential hires to harm themselves by flunking the basics of job seeking. "On resumes, misspell HIPAA, and I'll toss the resume," Fisher says. He also says that he too often encounters typos, punctuation errors, and resumes laden with information that's not relevant to the role being offered.
Mike Kearn, principal security architect at US Bank, cited what job seekers don't do when it comes to the basics of interviewing. "When I offer them an opportunity near the end of the interview to ask me anything, and I emphasize the word 'anything,' the majority ask me softball kinds of questions about culture or why I like working there. Missed opportunity on their part," he says.
4. Believe certifications and degrees matter more than practical skills
"Many think that I care more about their degree or certifications than actual skills," Kearn says, while others are under the misguided assumption that a degree or a certification equals a job. It doesn't."
Likewise, many entry-level applicants think technology is the hammer to squash every security risk nail. "Too many think that the solution to most problems is a technology control, rather than people and processes," says Eric Cowperthwaite, former CISO for Providence Health and Services and currently advanced security and strategy VP at Core Security Inc.
Ben Rothke, senior eGRC consultant at Nettitude Group and former CISO, agrees. "The technology tools they have experience with are the definitive techniques for approaching information security. Not every security problem can be fixed by a firewall or IDS," says Rothke.
5. Stretch the truth
This one certainly isn't exclusive to information security, but it is especially silly to try to pull this off on experience security professionals who tend to be a suspicious bunch by nature. "You'll notice that they tend to exaggerate their experience to impress hiring managers; some range from slight fibs to full-blown lies," says Sverdlik.
Kearn concurs: "A lot of them attempt to inflate or enhance their resume by saying they know someone and are connected via LinkedIn. But when I press them on it, because I actually know the individual personally, they cave almost immediately."
6. Don't understand the highly interpersonal nature of infosec
Many entry-level applications come from workers in small businesses, and they are not prepared for or don't seem to understand how large enterprises function. That's fine, and part of the learning process for new professionals -- but keep an open and learning mindset when it comes to practicing information security at a larger enterprise. "A lot of people have expressed ways to do business that simply won't work in a large enterprise. Typically, the person would be very direct toward people who want an exception to security policy, avoid collaboration, avoid discovering why the person wants the exception, and just dictate behavior," says Cowperthwaite.
"They often don't realize that their excitement and sometimes irrational exuberance around all things information security is not shared by most people in the organization," Rothke says.
In the end, perhaps the most important thing is to be one's self. "Show that you have a passion for security, be it examining logs, performing code review or risk assessments, or even administering security appliances. If you are good at critical thinking and have a good technical background, learning the rest is easy," says Sverdlik.