Ep 20 | 11.30.17

Building your cyber security career — CyberWire Special Edition


Dave Bittner: [00:00:03] It's no secret that the cybersecurity job market is hot these days, and it's not unusual to hear stories about serious shortages of qualified candidates, of thousands of high-paying jobs going unfilled all over the world. Colleges, universities, and educational institutions provide training, degrees, and certifications. And some organizations are looking outside the traditional channels and training people in-house.

Dave Bittner: [00:00:27] In this CyberWire Special Edition, we take a closer look at finding your career in cybersecurity. Just how important is that degree? Does it make sense to invest in certifications? What are employers really looking for when they're searching for qualified cybersecurity talent? And why is it critical that you not just hunt down a sexy, high-paying job, but build yourself a fulfilling career? Stay with us.

Dave Bittner: [00:00:57] Time to take a moment to thank our sponsor, Cylance. Are you looking for something beyond legacy security approaches? Of course you are. So you're probably interested in something that protects you at machine-speed, and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance: Artificial intelligence. Real threat prevention. And we thank Cylance for sponsoring our show.

Kathleen Smith: [00:01:53] It's interesting that we're still seeing the articles that like to inflame everyone that there is this skills gap.

Dave Bittner: [00:02:00] That's Kathleen Smith. She's the Chief Marketing Officer at ClearedJobs.Net and CyberSecJobs.Com. One of her specialties is providing career support for people with security clearances.

Kathleen Smith: [00:02:12] We're still seeing a high demand of cybersecurity professionals with experience. We're seeing, you know, the Bureau of Labor Statistics say that, you know, information security - which is where they categorize cybersecurity - you know, there's a 37 percent growth in that industry, and that's going to continue to 2022.

Kathleen Smith: [00:02:34] What we're also seeing is other solutions coming into the marketplace. We are seeing that all of the colleges and certification programs are starting to produce students who are interested in cybersecurity, that have some education about it, but not much in the way of hands-on experience. I think that is going to be a big challenge for us, because we're having many universities, many schools that are coming out saying, we have a degree program, we have a certification program, and then they don't have any way for these students to get any hands-on experience.

Robert M. Lee: [00:03:12] But in truth, we're not leveraging the people we have correctly, and we're oftentimes not asking the right questions to get the people we need.

Dave Bittner: [00:03:20] That's Robert M. Lee. He's the CEO at Dragos, a company that specializes in protecting industrial control systems.

Robert M. Lee: [00:03:27] I mean, it's always a common joke that there will be a technology that's only three years old, and the job hiring requirement's looking for an expert with ten years experience on it. Like that's - that job bill - it's not going to be filled. And so it goes and gets tracked in the number as, oh my gosh, we have, like, not enough people in the field. And it's like, no, that job announcement's stupid.

Robert M. Lee: [00:03:43] Or, you hire somebody to be a Tier 1 SOC analyst, and they're supposed to triage alerts, but our technology could actually do that itself. Like we can - as a community, we've already solved that problem. But we're just not leveraging it, we're just going to throw people at it. So I would say, to his point, we are not effectively and efficiently using the talent we have, and we're requiring or requesting things that we're not doing correctly on the talent we want.

Kathleen Smith: [00:04:13] When I was at the CyberWire's Women in Cybersecurity celebration, I had the pleasure of chatting with Cyndi Gula from Gula Tech Adventures, and we were talking to some of the students there. The challenge that both Cyndi and I saw was that the students were saying, "We're interested in cybersecurity." And Cyndi would then go in and say, well, what part? You know, what in particular? And all of the students were saying, "Everything."

Kathleen Smith: [00:04:40] And that, I think, is part of the challenge. We've actually done ourselves a disservice by making cybersecurity this very in-demand career, that many people are rushing into it thinking they're going to have this rock star experience, that they're all of a sudden going to be able to take care of any of these breaches, and all they have to do is have a few years of a certification program or a college degree, without really truly understanding how cybersecurity has moved from being information security into an overall practice that surrounds every aspect of business.

Kathleen Smith: [00:05:21] And I think that that is one thing that we're losing right now in all of the degree programs, is there's some risk analysis being taught, there's some penetration, some coding, some forensics, but there isn't a real delineation between - you're going to need forensics if you want to go into specific intelligence agencies, threat vulnerability if you want to go work for a services company. What do you need if you want to take your skills to a healthcare company or a financial institution?

Kathleen Smith: [00:05:56] We're at this point now where we also have a lot of professionals who have been in the industry for a long time, but they don't understand how to craft their career. We have professionals who finally are speaking out at many of the conferences, DEF CON, Black Hat, saying, we really have information security professionals - pen testers, malware researchers - who have been doing this kind of work for ten, twenty years, and they're not being given the opportunity to craft a career where they can make a difference in business. They're not being given the mentoring or the guidance on how they would advise someone at the boardroom. So, I think we are moving in a really great direction. We still have a lot of work to do.

Dave Bittner: [00:06:48] So, for that person who is in school - either getting a four-year degree or certifications - is it inaccurate for them to think that that degree or those certifications are going to be their ticket to a high-paying job right out of school?

Kathleen Smith: [00:07:03] I would say so, yes. The salaries right now, for someone straight out of college in information security or cybersecurity, are, you know, in the mid-60s. And I think that, when you hear about the person that found a breach or who has created a new vulnerability testing that's out there, they're looking for, you know, a salary that's 150, 185 thousand. I think that, with any career in any profession, you have to be passionate about it. And that is one thing I don't think we're really teaching in college. I don't remember them teaching that when I was in college.

Robert M. Lee: [00:07:42] I've seen some debates around this, where people are like, well, you don't need to be passionate - if I have somebody that comes in eight-to-five and does their job, that's fine, they don't need to stick around till 2:00 in the morning. And that's a bad metric. And I get what they're saying. You shouldn't overwork your people, but you still need passion. And why I say that you have to have that passion is mostly on the learning portion. I don't think there is a single well-structured program in place - nor could there be - to train up somebody to be exactly what we need them to be. They have to take it into their own hands at some point, and that's where the passion kicks in.

Kathleen Smith: [00:08:14] The recertification, the programs are costly. Sometimes an employer will pay for them, sometimes they won't. So this is something that, if you're going to start in the career of cybersecurity, really look at it for the long-term. Is this something that you really want to not only invest your time, in creating your own home labs? Is this something you're willing to create your time as far as setting aside your budget to get the recertifications? And a lot of the recertifications or certifications, like the CISSP, or any of the others, you have to have three to five years experience before they'll allow you to even start taking the exam.

Dave Bittner: [00:08:55] Help me understand, because I see people talking about, with the shortage of people available, that they're hiring - they call it new-collar jobs. You know, that they'll hire music majors, because those are people who can work on teams and think creatively, and they can teach them the cyber part. And yet, I think about HR departments being gatekeepers, where, having checkboxes of saying, you have to have this degree, or this certification, to even get to the next round to get an interview. So, it seems to me like there's a little disconnect there. Is my perception of that accurate?

Kathleen Smith: [00:09:28] Your perception is right on, because most of the jobs that you'll see posted out there - four out of five of them - will require some kind of degree, will require some kind of bachelor's degree. And when I was looking at several of the studies, it's interesting that they don't really say it necessarily has to be a computer science degree or an engineering degree. Which I think is great. I think that having a degree requirement sets you up to say, okay, I'm willing to go through the education that you're going to have to continually need to do within cybersecurity.

Kathleen Smith: [00:10:04] And you're right - there is going to be screening by the recruiters and the hiring managers that say, okay, we need a minimum of a degree. Specifically if you are looking in the government contracting community, if you're looking for working for one of the intelligence agencies, yes, you are going to need some kind of college degree.

Kathleen Smith: [00:10:23] The other thing is, when you talk to several of the program managers - and program managers have been inserting themselves into the entire hiring process. Normally, in a hiring process, you're working with a recruiter, a sourcer, an HR manager. There's not that much education currently going on between a cybersecurity program and the recruiting department to explain to them what kind of individuals they're looking for. So a lot of the program managers are going out and doing their own hiring.

Kathleen Smith: [00:10:53] And when I talk to them, they say, you know, all we want is someone that has the initiative. Someone who has an inquisitive mind. Yes, they'll hire someone that is a music major, because that is a creative way of thinking. That is a different way of thinking. And these are the skills that we need in cybersecurity. You can train somebody, but you cannot train them to be inquisitive, or creative, or innovative.

Robert M. Lee: [00:11:17] It does not matter if you have a cert. It does not matter if you have a degree. It does not matter if you go out for a Ph.D. None of that is going to position you to be a security expert. Only thing that's going to position you to be a security expert is taking advantage of whatever you're doing, and being passionate about it, and learning and pushing the field. So, if it is in a Ph.D. program that you're doing that, fantastic. If it is at home with an internet connection, taking advantage of the plethora of free courses and information out there, rock on.

Robert M. Lee: [00:11:45] But you're going to have to take advantage of wherever you go, because it's not going to get done for you. And there's a mixture of a lot of information, so you have to kind of specialize. I do not think you need a degree. I do not think you need a cert. I do not think you need anything other than passion and taking advantage of wherever your path leads you.

Robert M. Lee: [00:12:03] Now, is your job going to require those things? Maybe. If you're in the federal government, as an example, you better get a bachelor's and a master's. You're going to need it to rise through the ranks, period. It's just antiquated and that's how they view the world. Many of your larger job hires are moving away from that, though.

Robert M. Lee: [00:12:20] However, certifications still really matter for a lot of job hirers. So, certifications generally demand a higher salary for you, which is useful. But is the degree or certification going to position you to make sure you know the information? No. There are usually barriers to entry for salary or jobs at places you want to work.

Dave Bittner: [00:12:40] What about the stories that we hear about people chasing signing bonuses, or hopping from job to job, getting a raise here or getting a raise there, and, you know, chasing the money that way?

Kathleen Smith: [00:12:51] It's the same thing that we had in the Dot-Com era. I mean, that was when we had the signing bonuses, and jumping from one startup to the next, and we all know what happened with that. We have the same thing going on within cybersecurity, where they're actually called the exploding job offers, which are, you know, if you come, we'll give you this enormous bonus, but you have to come now.

Kathleen Smith: [00:13:17] And I think that's a challenge that companies are getting themselves into, rather than saying, can we train the people that we have inside to do the job, versus chasing after someone that you need desperately? Currently, the Department of Labor is saying that most professionals who are in information technology/information security stay in one job for eleven to thirteen months. It will take close to eighteen months to be able to find that replacement.

Kathleen Smith: [00:13:47] So, we have not only a problem on the side of the companies, but we also have a problem on the side of the professionals, because they're not asking the questions during the interview process. What is my career progress within this company? What are the other advantages that I can take advantage of? What are - you know, are you going to pay for my training? Are you going to pay for me to go to DEF CON, or one of the conferences? Really looking at the sustainability model requires that both the companies and the professionals have that conversation.

Kathleen Smith: [00:14:23] And we have unfortunately built a society where the information technology professional was never really treated very well. I mean, there's several sitcoms about, you know, the IT departments in the basement, and they only drink Red Bull and eat pizza. I think it is now getting the information technology professional to be more part of the business, to create the career.

Kathleen Smith: [00:14:47] We were doing a career panel at DC CyberWeek last week, and it was fascinating to me. We had a room of about forty-five professionals and none of them had been in cybersecurity, but several of them had been in finance and in healthcare. And their managers had actually said, you're really good at finance and data analysis. We want you to have a career where you can take that knowledge into cybersecurity. And I would - you know, I said, you know, please go back and thank your boss for me, because they're looking at your career. They're creating opportunities for you. They're saying that you're really strong in this area and they want to keep you as an asset, and they'll provide more training, and they were shocked. They said, no, that's the way I am treated.

Kathleen Smith: [00:15:35] And I find that interesting. There are different industries that treat their professionals with respect, and cater to providing career development. In information technology, you don't see that. You don't see the training, the cultivating of the next C-level executive. I mean, any company should be able to look inside their workforce and say, I see the future CSO, CISO, within our ranks right now. We are going to train them, we are going to cultivate them so that they stay with us, that they bring other people along with them. But we haven't gotten there yet. We are approaching that, but we haven't gotten there yet, and I think that will be a big shift.

Dave Bittner: [00:16:20] What would your advice be to that person who's either coming up through school looking for a career in cyber, or maybe switching to a career in cyber from another profession? What kind of advice would you provide them?

Kathleen Smith: [00:16:32] The one piece of advice that I always give anyone who says, I want to get into cybersecurity - be it cyber policy, be it vulnerability testing - get out into the community first. Really go to the meetups, go to the BSides events, the hackathons. Go to the hackathons online. And really see if this is what interests you. It's a really great way to test, you know, do you want to do forensics? Are you very happy just being a pentester? Do you want to work in a high-stress environment? Really understand that before you make the investment into a college program or any kind of certification program. I think it is wonderful that we have all kinds of opportunities to be able to test, do I really want to do this, or am I doing it because it is the most fashionable career at this point?

Kathleen Smith: [00:17:30] The other part that I look at and I always recommend - and I have a great recent example of this - is cybersecurity is not just the services industry. It is not just the companies who provide the cybersecurity services to other companies. It is now impacting every part of our lives - healthcare, finance, retail. And being able to say, I'm not necessarily going to go into a services company, but I really like, you know, medical devices. I'm going to study medical devices, but then also have the cybersecurity component to it.

Kathleen Smith: [00:18:10] I do a lot of mentoring and coaching to transitioning veterans, and I had a recent example of a 26-year Air Force veteran who was waiting for his next government job. And that is a challenge that I find for many of our transitioning veterans, is that they're more interested in staying within working for the government because they're more comfortable with that culture, rather than breaking out on their own. I find that not enough cybersecurity professionals are looking at our energy grid. We have, you know, this from a national security standpoint, but also as a career development standpoint. We have so many opportunities in this country to be able to have an impact on the security of our energy grid.

Kathleen Smith: [00:18:57] So, in talking to this Air Force veteran, he had a combined background of physical security and cybersecurity. And for family reasons, he wanted to be in the Northwest United States. And I said, have you ever, you know, thought of energy? And it really excited him, because he could be at the forefront of national security. A veteran being able to continue supporting the mission, which is why he is part of the military, and being able to create a new kind of career path combining physical security and cybersecurity.

Robert M. Lee: [00:19:31] For me, as a job hirer, I mean, I sort of live in the luxury of working a very small industry. So, we should know you or know of you before we're even approaching you. Or, when people reach out to us, we have enough really smart people that we're going to be able to call BS, and we don't even look at resumes. Like, we do not ask people to send us their resumes. I've never asked anybody about any of their certifications or degrees.

Robert M. Lee: [00:19:56] My general questions are usually, what do you do, like, what are you passionate about, what have you done that can prove it? Are you active in the community and publishing papers and blog posts and things like that about the topic? Okay, maybe you know something about it. Are you writing code? Are you a coder? Where's your GitHub account? What do you code? It's much more about - show me what you are doing, versus, give me a piece of paper that you wrote that self-evaluates what you did. Like, that's not important to me.

Dave Bittner: [00:20:24] What do people need to know about recruiters, about headhunters, about the professionals who are out there helping place you in jobs?

Kathleen Smith: [00:20:33] This is a great question, because it not only applies to cybersecurity, but it also applies to pretty much any profession. A job seeker needs to understand the landscape. They really need to understand that just sending a resume to one person is not going to get you a job. That finding a job is a full-time job, and it is a full-time profession constantly looking for your next opportunity.

Kathleen Smith: [00:21:00] Now, I'm not advocating, as I said earlier, job-hopping. But you need to always know, who are the recruiters, who are the staffing firms, and who are the headhunters who are in your particular field. Who are the people that you want to work with? They're not necessarily going to be the person that is calling you and hounding you. It's going to be something that you want to build a relationship with and get to know them, because if they're going to have an impact on your career - which is a major portion of your life - you're going to want to have someone that you can trust.

Kathleen Smith: [00:21:35] There are - you know, there's corporate recruiters that are great. There are corporate recruiters who are awful. There are staffing firms - specifically in cybersecurity, there are several staffing firms that have started that are filling a need right now, because they're former program managers that have really great networks, that can go in and speak the language of other program managers.

Kathleen Smith: [00:21:59] And there is that divide that's going on right now, in several industries, where the program managers don't have a really good relationship with their recruiting or HR department. And that is something that many companies deal with. Some have overcome that, some are still dealing with that challenge. So a lot of program managers go direct, and they either hire direct or they engage a staffing firm. But eventually, all of that is going to go back to the HR recruiting function, because recruiting new talent is a very costly endeavor. And unless you can have economies of scale with that, you're constantly going to be running at a deficit.

Kathleen Smith: [00:22:41] So, someone coming new to the market or someone who is in their mid-career should know who are the companies and their recruiters that they might want to work with, and connect with them on LinkedIn or stop by one of their booths at one of the BSides events. Be aware of the good staffing firms and the bad ones. There's lots of headhunters out there that will treat you very poorly, will sort of forget about you.

Kathleen Smith: [00:23:12] There was actually a really great presentation done at BSides Hire Ground, about how a cybersecurity professional can sort of do some good vetting on the difference between a corporate recruiter or a staffing firm and a headhunter. We have that video on CyberSecJobs if anyone wants to look at that.

Kathleen Smith: [00:23:33] So, I find it challenging when I go to a conference and someone says, yeah, I work with XYZ staffing firm, and I'm just like, do you work with any corporate recruiters? Do you work with any headhunters? Well, no, I just work with this one person. And, you know, that's sort of like saying just one person is going to help you find, you know, your mate, or just one source is going to be where you're going to get your next car. You're going to need to research. You're going to need to try different relationships out before you find the person that's going to have the right opportunity for you.

Dave Bittner: [00:24:05] How do you know? Are there any red flags, where if someone says this to me, run the other way?

Kathleen Smith: [00:24:11] Well, the standard is a lot of people will reach out to you on LinkedIn, and they will not have a very well-crafted LinkedIn message to you, that is sort of auto-generated based on the keywords in your profile. Usually, "Have I got an exciting offer for you" is something you want to turn anyone away from. Anything that says, you know, it's a hot job, you know, immediate opportunity, signing bonuses galore. You know, just as you do with, you know, buying that really great shirt - if it's got all kinds of discounts and flash on it, it might be a reason why it needs to have all those discounts and flash on it, because it's not something of value.

Kathleen Smith: [00:24:54] Really looking for someone your friends like to work with. Finding the recruiters that go to the conferences, that go to the hackathons, who understand how to speak your language, because a really good recruiter is also going to be a coach or a mentor. And sometimes a recruiter may work at one company, and you're like, well, I'll never want to work there. Recruiters do move from company to company, usually every five to seven years, sometimes shorter than that. And they may have a great opportunity for you at their next job.

Kathleen Smith: [00:25:30] But they also have their own network, so if you're interested in finding a job, they can reach onto their network of recruiters and say, hey, I've got a really good candidate for you. This is one of the biggest missteps I think that professionals have in their career search. They wait until it's the last minute, and they don't have a network of people that can help them get in the door at the right company.

Dave Bittner: [00:25:55] So, even when you're in a job, and you might not be looking for a new job, just for the sake of the care and feeding of your career, you should be nurturing that network?

Kathleen Smith: [00:26:05] You should be nurturing a relationship with five to seven recruiters in the space. And be they recruiters, or headhunters, or staffing firms - you should constantly be checking them, checking in with them saying, you know, I just got my CISSP, you know, I'm still happy where I'm at, but I'm interested in XYZ opportunity. Like any professional development, you should always have four or five recruiters that you are developing a relationship with, because they are going to have an impact on your overall career.

Dave Bittner: [00:26:42] I can also see that if you're getting those calls, if you're fielding those offers, that perhaps it's in your best interest to go to your HR people or your boss, and say, hey, I'm - these offers are coming in - you know, do we need to have a conversation about how things are going for me here?

Kathleen Smith: [00:26:59] Well, that conversation starts in the first interview. That conversation starts at your performance review. That conversation shouldn't be a walk into the HR department and say, I've got three offers for twenty thousand dollars more - when are you going to match? You know, that's holding your management hostage, and they're not going to like it, and you're not going to like working in that environment.

Kathleen Smith: [00:27:22] I think this is one trait that a lot of people don't have, which is creating their career paths. People look to having a mentor or sponsor doing that, but it - that's your own individual responsibility. I really like my job. I would really like to stay here, because I like the values of this company and I like the product that they do. I need to find ways to stay engaged, to stay fresh. This is a conversation I need to have with my manager.

Kathleen Smith: [00:27:50] I mean, I even have that conversation with my staff. You know, are you still happy working here? What are the exciting projects that are on the horizon that you want to be part of? What do you want to have taken off your plate? It is my responsibility as a manager to constantly be checking in with my staff to make sure that they're learning, that they're engaged, they're excited about what they're doing. But they have that responsibility as well. And that is a trait that is not taught in any school, and it is rarely taught in any kind of management course. It's usually carrot-and-stick management, rather than cultivating and training your workforce.

Kathleen Smith: [00:28:32] I'm constantly amazed when I talk to folks who have gone to, like, the most recent Hacker Halted conference, where people were getting their Certified Ethical Hacker training. Folks had to take vacation time to be gone for that week, and they had to pay for the expenses, and they had to pay for the training, even though it's a requirement in their job. I mean, this is - if we could get that one thing changed in our industry, where companies understand that, if they want people with specific certifications, that they have to provide time off, travel, and pay for the fees. And that still isn't happening, which is just devastating to me, because if we're looking for people who are certified, who have experience, who like working where they're working, but you're not giving them the tools that they need to do their job, bad on you.

Robert M. Lee: [00:29:27] Now, if I'm hiring a coder, as an example - and this is one thing I'll push back for job hires - it is not appropriate to tell them, like, oh, go make me some code for something and we'll hire you if it's good. Okay, if you want to do that, pay them. So we've done that exactly once. We had a guy that seemed like a total rockstar, but I had no idea who he was, nobody knew who he was, wasn't active in the community. I needed to make sure he was who he said he was kind of thing, like, he really knew his stuff. The way to do that is not coming in and writing on a whiteboard and coding. That's silly. But we did give him a task. Like, go do this. But, oh, by the way, we're going to pay you full-rate 1099 to go do that.

Robert M. Lee: [00:30:06] Like, if you're going to give up your time, it's not like, go show me you deserve this job. That's stupid. I, as a job hirer, should be humbled and excited that you want to come work for us, so I should be paying you for your time in the interview if I need you to prove something to me. And I think job hirers need to get better about that.

Kathleen Smith: [00:30:24] I find it very interesting that, you know, the retailers - any company who all of a sudden says, we need to have a cybersecurity department, and they go out and they try to hire people to take care of their business, rather than going into their own workforce and say, you, who have been with us for ten, twelve years, you know what's important to our bottom line. You know what our customers need. You know all of these components. Would you be interested in taking all that knowledge and having us pay to train you to be, you know, a cybersecurity professional, or risk management, or at least help us with this?

Kathleen Smith: [00:31:06] To me, this sounds like a slightly smarter way of handling this challenge, rather than - you know, a financial institution here in Washington DC, they decided, rather than taking their own staff - who knows the regulations, and knows the law, and knows FISMA, and knows all that - they went and started a whole new cybersecurity division, got whole new cybersecurity recruiters. And everyone's stumbling, because they don't understand the quagmire of the financial institution, let alone the industry and the regulations. And that's like - why aren't you sitting down with the people who are at the desk in the bullpen dealing with these challenges, and having them help you? But that's me.

Dave Bittner: [00:31:52] And that's our CyberWire Special Edition. Our thanks to Kathleen Smith and Robert M. Lee for joining us and sharing their expertise.

Dave Bittner: [00:32:01] And thanks to our sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.

Dave Bittner: [00:32:09] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik; social media editor is Jennifer Eiben; technical editor is Chris Russell; executive editor is Peter Kilpe; and I'm Dave Bittner. Thanks for listening.