Friday, January 15, 2016

The Skills Dilemma

Is there an issue of skills within information or "cyber" security?  Yes, without a doubt.  But it's not the way you think...the dilemma is not one of a lack of qualified and skilled practitioners, it's one of a lack of skilled managers.

Okay, caveat time...if you're a manager, you might want to stop reading.  If you get butt-hurt easily, you might not want to continue on beyond this point.  Just sayin'...

I read Scott Scanlon's The Hunt for Cyber Security Leadership Intensifies article recently, and I have to say, being in the industry for the past 19-some-odd years, I have a different perspective on the issue.  The second sentence of Scott's article, referring to executive recruiters, says:

But they are finding a lack of qualified candidates just as companies put a greater emphasis and give a higher priority to corporate security.

It's not my intention to take anything away from Scott, nor am I suggesting that he's incorrect.  I'm simply saying that I have a different perspective.  In doing so, I'd like to take a look at that sentence; specifically, what constitutes a "qualified candidate", and who decides?  If you're "finding a lack of qualified candidates", how are you looking?

Let's look at the process of finding a "qualified candidate":

Job Posting
Who writes job postings or position descriptions?  Managers?  Are you a manager?  Write a description for a position you need to fill.  Now, ball it up and throw it away, because you're wrong.

Here's what I mean...I was engaged in a thread recently on LinkedIn, where an employee of a company had posted two position descriptions, one for a threat intel analyst.  When I read the position qualifications, one of the stated requirements was a familiarity with "EnCase or FTK".  I was curious, so I asked why that was a requirement, and the employee who shared the links didn't know.  Shortly, one of the C-level execs from the company responded, saying that it wasn't a requirement.

Then why say that it is?

Have you ever seen those position descriptions?  "The candidate MUST have a CISSP, EnCE, etc."  Really?

Running the Gauntlet
Position descriptions are passed from the manager to HR or a recruiting firm, who become the gatekeepers.  Most of the recruiters I've encountered have no experience in the information security field themselves...they're recruiters.  So for them, the position description is a set-in-stone road map, and the words used by the hiring manager become the round holes in the board.

I once worked at a company where, after I was hired, one of the recruiters stated publicly that when they receive a resume from a candidate for a position in information security, they search the resume for the term "information security", and if they don't find it at least 4 times, they throw the resume out.  What about qualifications?  The hiring manager includes "CISSP" and "EnCE" as "requirements", but doesn't tell the recruiter that they really aren't "requirements".  So, the recruiter looks at resumes, and if "CISSP" AND "EnCE" aren't listed, you don't pass GO and you don't collect $200.

So the question then becomes, how does someone who's qualified pass through that gauntlet and get an actual interview?  I "came up" in the industry before there were courses you could take, and a lot of what I know is self-taught.  I know enough about EnCase and FTK to know when they're suitable for use.  I'm not suggesting that I'm a "qualified candidate", but if I were, how would anyone know?

Interviewing a Candidate
I'll be 100% with you...most of the people I've encountered while interviewing don't know how to interview.  We all like to think that we're good at it, but the simple fact is that we don't know how to interview.

When I first got out of the military, I interviewed at a defense contractor, and had four hours of interviews with different departments scheduled.  At the beginning of the first interview of the day, the senior manager started off by telling me, very clearly, that he'd run all of my qualifications through a model that he'd developed, and he'd determined how much I would make in my first job.  This is before he even spoke to me or got to know me.  That's not how to conduct an interview...and I made considerably more than what his model showed in my first job.

A great way to lose a candidate is to take them around the office and surprise members of your team by dropping the candidate off for a "spur of the moment" interview.

Look, I've been on both sides of the fence in 19 years.  When I was getting out of the military, I had to take classes in "how to interview".  What made it disheartening was that the people I was interviewing with had NO training at all.  All the preparation in the world cannot stand up to the first question in an interview being, "so...why are you here?"

I've also been responsible for conducting interviews.  I've seen people lie on their resume, simply to make it past the "recruiter gauntlet" and get an interview.  I've had interviews go really well, and some that didn't go well.  I've also been in a position where someone was hired to support the work that I did, and I was not involved in the process, at any level.  In fact, in that case, I wasn't even aware of the vision or business decision for filling the position...all I know is that I heard a discussion in the hallway about offering this person a signing bonus.

The Reality of the Position
What is the reality of the position itself?  Yeah, I know what the job description says about the position and the company (words like "dynamic" are used), but all bullsh*t aside, what's the reality?

Is the actual work position in the heart of a major city?  As someone who lives outside of a major city (way outside), I know better than to try to drive into the city for the odd social event...and you want me to drive into the city every day as part of the job?  I thought the position description said that your company "values quality of life"...

What about the actual work itself?  In my time, I've worked for a couple of contracting firms, "supporting" federal law enforcement.  In both cases, a lot of very positive things were said about the position.  When I supported a CSIRT, it took me 8 months to get my agency-specific clearance, and in that time, I found out that the "CSIRT" didn't actually respond to anything; if they happened to find out that something happened, they had to request that someone from network ops run a tool (just one) on the suspect system.  When I found out that the one tool was one that simply listed processes, I suggested that along with the process, we also get the path to the executable image (for context), and the person I suggested this to got offended.

In the other position, all of the case agents would take their work to one or two analysts, while the rest of us got really good at Solitaire.

If you're a contractor and having trouble finding "qualified candidates", then the issue may be the positions themselves.  I've spent time with contracting firms whose business model is to be a seat-filler, and to be honest, I can see why they're having trouble finding qualified candidates.

I'm not talking about being cynical about the position or the company...I'm talking about being honest about it, that's all.  After all, if you're not honest about the position, it's going to be a revolving door of candidates.  As bad as it sounds, a worse outcome is having someone realize how it is, and stay.

So, my point is that there are, in fact, highly skilled individuals in the "cyber" arena.  Many of them have time in the industry, have learned a lot of the lessons I've described (and more), and have created for themselves an environment where they're happy.  Some of the highly qualified but relatively new individuals in the industry have gravitated to the more experienced folks, and are similarly very happy.

Rather than repeating the "lack of qualified candidates" mantra, take a good hard look at what you're doing to find those candidates.  Is it the process you're using?  Is it the business model that needs to be changed?  Or, consider "rolling your own"...use your current expertise to develop and grow new expertise.

Addendum, 19 Jan: I ran across this INC article today that gives 16 steps to help make your interview a success.  The problem I've always found is that there aren't articles like this for those on the other side of the table...those who have head count and a position to fill.  There are a lot of articles out there that talk about how to be an interviewee, but few that really prepare the interviewer.

Addendum, 25 Jan: Here's a Forbes article that discusses answers to the 5 dumbest interview questions; the point is that they're still being asked.


dre said...

CISSP isn't a management accreditation typically. The problem is we have people running around with CISAs or CISMs. There is only one certification for managers from my perspective, and that's OpenGroup FAIR. If they can't speak the international standard language of risk -- then they can't talk at all. Even listening doesn't help them. Worst of all, how would they make decisions?

For technical people, Security+ and CISSP are good pathways.

Anonymous said...

Absolutely on target. I am a manager who has written those position descriptions, and having come up in the field, yes, even I have made a mistake or two in the process. I must say though, that HR can be our biggest obstacle. The gatekeeper function being done too well or not at all has been a problem. Either they take the "requirement" approach or they don't screen. Even when I have told them to ask if there is a question...nothing. I find an even more frustrating restriction when we are not allowed to have an individual prove their claimed qualifications prior to reducing the pool of candidates. On more than one process I have found outright lies in qualifications which I was able to prove, but HR will not eliminate them as candidates. Result - advertise again and keep looking.

H. Carvey said...

@dre, in my experience, the CISSP *is* a management cert.

@Anonymous, I ran into similar issues WRT HR while I was at IBM.

Anonymous said...

Spot on. In this industry, if you don't fulfill the alphabet soup of certs or haven't specifically been in a role, a candidate is eliminated. Why not easily cross train someone?

There are forensics people that are well trained and have years of experience but have only been working typical dead box stuff (fraud cases, IP theft, eDiscovery blend) or former LEO (child exploitation etc) that could easily adapt and transition into the "cyber" roles, but these HR folks won't give you a chance. You have to do some old-fashioned networking to transition out of dead box forensics to security, or go spend a bunch of money on those certs, but again, you get dinged for not having 3-5 years of experience.

Josh said...

It was not that long ago where I was just getting into this field. You are correct with your observations. Unfortunately there is little an applicant can do regarding the hiring announcement. My best advice for applicants would be to find ways to circumvent the HR screeners. Attend conferences and nearby events such as HTCIA chapter meetings, network with others in this field. Having a friend or acquaintance hand deliver your resume to a hiring manager is the best route to go.