Cybersecurity’s Talent Acquisition Self-Inflicted Wound
Is she really the right candidate?
Just you try looking for an entry-level cybersecurity job. What you’ll find will require certifications (certainly), education (fine), a bachelor’s degree in computer science or other IT discipline (not necessary) and several years of prior experience. Wait! Doesn’t entry-level mean the first cybersecurity role? But go ahead and see for yourself. It’s true and it’s maddening for cybersecurity professionals already working and worse for those seeking employment. Who writes these job descriptions and requirements?
In my fifteen years in the cybersecurity industry, from the bottom to the C-suite, I have never encountered an entry-level role that requires a college degree. Sure! If you hope to rise into management, you’ll need both an undergrad and graduate degree, but not for entry-level.
In case you’re not familiar with the term or are one of the people writing these unrealistic job requirements, let me define what we mean by entry-level. Job titles that can be entry-level include words like analyst, specialist, technician, or operator and are often followed by the Roman numeral I. Tasks assigned to entry-level staff include running vulnerability scans, analyzing scan results and system logs, configuring security tools, services, and systems, using security and auditing tools, and communicating with their supervisors, team, and end users. They need proficiency or at least familiarity with security tools, knowledge of risks and threats to their organization, and the ability to communicate their findings to team members and supervisors. Professional certifications are good proof they understand much of that, and interviews can cover the rest. There is absolutely nothing entry-level staff do that requires a college degree.
College and a Cyber Career
So why are companies requiring this burdensome credential? It’s no wonder there’s a cybersecurity “talent shortage”. In fact, it’s borderline discrimination! So many talented young people and older career changers are shut out of the talent pool just because they didn’t spend four years and tens of thousands of dollars for their ticket to ride. Give a thought to who these talented people are and where they come from. Now give another thought to the qualities such people have to offer any organization willing to hire them. Does it make sense to you to obstruct them, so some unspoken corporate standard or culture is maintained? It doesn’t make any sense to me.
I have been handed staff with graduate degrees who know a lot of stuff about a lot of things, but they didn’t always work out without dedicating weeks of training and mentoring just to enable them to do their job. Some institutions don’t even include the ever-important professional certifications (e.g. Security+, Certified Ethical Hacker, Systems Security Certified Practitioner). Without such certifications, it’s hard to know if the candidate has been exposed to, let alone demonstrated knowledge about, what cybersecurity folks do. I’d take a high school graduate computer whiz kid with one of those certs over a college grad without one nine times out of ten. Some colleges get it but many do not.
You might be thinking this is an anti-education line. It’s not. I know the value of college and graduate degrees. I have two of my own that have proven indispensable in my career trajectory. I always encourage people to go to school and develop their knowledge and credentials. For your first cybersecurity or other IT job, however, you just don’t need it.
Experience
So, again, we’re talking about entry-level positions here. If they bring a few years of experience, interview them for an intermediate role. Putting an experienced cyber professional in such a role would bore them and they would be undercompensated. How then do you find the right talent for the position you’re filling?
Here’s what I ask entry-level candidates to find the experience that’s relevant to the job. Have you ever used Nmap, Nessus, Maltego, Metasploit, or other security testing tools? Tell me about your experience troubleshooting, repairing, or building computers. What has your experience been with capture the flag (CTF) exercises or platforms? Can you tell me how to find a vulnerability in a system? Have you ever exploited a system either in a home lab environment or in the wild? What are ways you prevent cyber-attacks on your own or your family’s network and systems? When was the last time you backed up your own system, scanned for malware, and changed your system and network passwords? Tell me about a time you helped someone else secure or recover their IT systems. These questions get to the real value of the candidate. Couple the quality of their answers with how well they communicated, and you can know if they’ve got potential to succeed in an entry-level cyber position. Even if they don’t have experience in the organizational environment, they will thrive as long as more senior team members and leaders mentor them and guide their learning.
The Talent is Out There
The cybersecurity career field does not have a talent pool deficit. What it has is a college degree fetish and an experience-required hang-up, to its own detriment. How do I know this? I have been mentoring newcomers to the field since my first cybersecurity leadership role and I have found tremendous talent everywhere I’ve looked. Find people who have above-average skill with a computer, like to solve problems and puzzles, think creatively, and have some personal drive, maybe ambition even. That person with or without a college degree, with or without years of experience already in the field, with a passion or strong interest in cybersecurity would make a great entry-level candidate.