These days you apparently need five years’ experience in security before the age of 12 to even be considered an entry level position within the security arena. Not forgetting multiple security qualifications to clearly demonstrate you’re obviously a skilled professional! (Note the sarcasm).
It’s not uncommon for job descriptions to be written by HR or an individual who doesn’t really understand the requirements and searches the internet for things relating to CISSP, CISM, ISO27001…. The list goes on, and I believe there’s a major flaw in the way some companies approach the market for new talent, irrespective of their time in the industry and something really needs to change soon before we’re facing a major shortage.
As mentioned above, CISSP seems to be on practically every security job role, yet the reality of actually doing the day job is miles away from these sorts of qualifications, so you have to question what’s the point of them?
I was fortunate to get in to security 17 years ago, and I’ll be honest, I had no idea what I was doing. Previously I’d looked after mail gateways, internet proxies, AV and patching for the business, but ISO27001 was a world away from all of that. The thing is, that sort of knowledge has stayed with me and proved to be invaluable throughout my career, because it all has a part to play in the security of a company. If I could go back in time to that point and give myself any advice, it would probably be along the lines of…
1. Learn to build relationships with everyone around you. Colleagues, support teams, service desk, stake holders, the lot! InfoSec isn’t just Security, it’s understanding other people’s needs, so you can help them achieve their goals.
2. Being trustworthy and approachable is paramount to the role. Do you want to be the person that others speak highly of and want to talk to about issues within the business or be labelled as the blocker and a waste of time?
3. Get stuck into everything where possible. If you stay in your silo, you’ll never learn about things going on around you.
4. Don’t dictate. Security is there to do a job, but it’s not the only job. The business needs to function with your guidance but you’re just one of many pieces of a bigger puzzle. There’s no room for egos!
5. Never stop learning! The more you learn, the more you realise how much you don’t know.
6. If you want to do qualifications, do the ones that benefit you and the business, not your CV.
7. Burnout is real. You’ll want to save the world and keep all the plates spinning, but quite often that’s just not realistic. Ask for help and set expectations. You’re not a superhero, so don’t act like one.
8. Imposter syndrome is real. You may sometimes feel a failure, but 9.9 times out of ten, that’s in your head.
So where do the likes of CISSP, CISM, CCSP etc. fit in to all of this?
Well, sure there’s benefits to having a cert under your belt, but they don’t teach you the people skills needed, or how to solve problems efficiently. But in my mind, they’re only part of the solution.
I would prefer the focus to be on how an individual works with others, looks at problems, and develops solutions. Do they show a keen interest in Red Teaming and spend lots of their own time developing skills that would benefit us? Do they write blogs on securing OS’s or demonstrate a good understanding of blue teaming?
Why don’t we start looking at what’s under the hood and build upon that? Just because someone has passed an exam doesn’t necessarily make them great at their job (sorry but it’s true). And why don’t we offer more opportunities to upskill internally and offer apprenticeships? Other industries do it!
I’m seeing more seasoned security professionals let their qualifications lapse due to seeing little return in value, with having to pay the yearly fees plus additional work to maintain them. That’s not good! But perhaps it might be a wake-up call to the industry that qualifications are just a small part of the overall picture, only time will tell.
Final words…
There is no silver bullet answer to all of this, but here’s a few pointers.
1. Demonstrate ingenuity on how you approach difficult situations whether they’re security or people related
2. Focus on areas you’re good at and talk about your achievements
3. Keep up to date with current trends and threats. Talk about those and your own views on how you believe they impact businesses
4. Demonstrate your enthusiasm to learn and don’t rely on the employer to train you.
5. Certificates provide an unconscious bias that you can do the job, but it just proves you can study and pass an exam. If you don’t have one, learn about one and talk about its content in the interview. That again will demonstrate your enthusiasm and proactive behaviour to continually improve.
6. You won’t have all the answers, but if you’re confident in your own abilities, that will come across more than you realise.
7. If you don't know how to do something say yes anyway and work it out. Not only will you get a greater exposure to things, but you'll also amaze yourself at what you're truly capable of!
Good luck!!
Comments