It’s harder than you think to identify good talent in cyber security. Whether you’re trying to fill full-time security positions within your organization, or partner with service providers and vendors, there is an ocean of “get rich/smart quick” schemes that make your talent search more difficult. Up-and-coming information security professionals are targeted by these schemes, leaving you with less qualified staff and vendors.
Recent media attention aimed at cyber security makes it an attractive career path. In-your-face coverage of national security issues, businesses held hostage by ransomware, and large-scale breaches illustrate the importance and visibility of the field. The current critical talent shortage gives individuals hope that they will be able to find a job. That is, of course, if they can quickly get up to speed.
There is a cottage industry of training programs that victimize these individuals. These programs exploit the desire to quickly “break into” glamorous penetration testing jobs with high salaries, and are designed to quickly separate ambitious potential hackers from their money. They’re priced affordably, and are either provided in quick “boot camp” formats, or as self-paced online material. Low overhead and minimal pricing let these training providers sell in lucrative volumes. I recently saw a class that was advertised (in its title, no less) as a path to a six-figure salary in penetration testing, at a discounted price of $39.99.
As you can imagine, these ubiquitous training programs do not naturally output highly-skilled security professionals. The material often lacks structure and comprehensive coverage of the topic, especially in classes that purport to train penetration testers. This is due to the limited experience of the trainers and those involved in course development (both in teaching experience, and in the material that they are teaching). What’s more, a short class faces serious limitations of scope.
So, at the same time you’re dealing with a talent shortage, you’ll also be sorting through a group of individuals and vendors that look good on paper, but rely on a very thin background to present themselves as being able to help you protect your business against increasingly sophisticated threats.
How do you separate the wheat from the chaff?
Don’t Settle for Certifications, Look for Degrees and Experience
While there are highly-qualified information security professionals from non-traditional backgrounds, those individuals will not be propping themselves up with short training courses. When you’re in conversations with service providers and vendors, don’t let them establish their qualifications with a list of certifications. A four-year degree in computer science/engineering, or the equivalent in experience, is far more valuable than passing a multiple-choice test at the end of a one-week course. Even that, by itself, isn’t enough to ensure real capability.
Inquire about Original Research
Ask about original research, presentations at conferences, and other activities outside of the classroom. Would you rather hire a penetration testing team that is limited to publicly-disclosed vulnerabilities, or a team that has experience in identifying new vulnerabilities that weren’t in their training manuals?
Recognize the Difference and Don’t Fall Victim
As cyber security becomes a higher-profile news item, and more businesses are victimized by attacks, the demand for qualified professionals will increase. Especially within the exciting field of offense-oriented services, there will be an ever-increasing number of training programs that fall short of providing value to individuals and, in turn, fall short of being a reliable indicator of talent.
If you are trying to fill security positions within your business, or evaluating vendors of security services, you run a very high risk of employing unqualified individuals and teams. This will lay the groundwork for a false sense of security and a “good enough” mentality. Given the devastating impact of recent breaches, you can’t afford to make this mistake. Be very careful and thorough when you discuss candidates’ qualifications!