A Guide To Hiring Infosec Beginners

In this article by security engineer Stuart Gentry, we take a look at real-life examples of entry-level people getting hired and why they were hired.

Infosec is full of newcomers who want a shot at any job. They may have certifications, a degree, some real experience, or maybe just hobby experience. They will apply for any and all entry- to mid-level positions, and some will get an interview, but many will not. They will study for more certifications to improve their chances and practice their newly certified skills at home while waiting for the email and the follow-on interview.

However, time and time again, many companies, even when they do interview them, will not hire the newcomers. At the same time, even though companies are understandably looking for the best candidate, it comes across as if they are waiting for Joe or Jill Hacker to walk through the door.

That's right, Joe or Jill Hacker, the “jack of all trades” with everything the hiring manager thinks the job requires. Reality check: those “jack of all trades” people are usually consulting for themselves. So, why not hire a beginner? Why not give them a chance to prove themselves?

In this article, we will take a look at an example of an “entry-level” individual and also at real-life examples of entry-level people getting hired and, more importantly, why they were hired. I will also give a brief example of how to define the required skill set for an “entry-level” job. Additionally, I will go over what I see as barriers put up by human resources (HR) that prevent beginners from applying at all, or from being hired when they do.

Another topic I will bring up is what the company really needs versus what it thinks it needs or wants, and whether or not to send the beginner to training. I will also briefly touch on security clearances and then look at things from a hiring manager's perspective.

What Is An Entry-Level Person?

A newcomer we will call Rob, with a Security+ and a Computer Information Systems degree, wants into the market. He has his own penetration testing lab at home, has done many exercises on his own (with a lot of research), and knows and understands how to penetrate a network and how to defend it. He has also extended his skills into web application penetration testing and has worked through Damn Vulnerable Web Application (DVWA), among other deliberately vulnerable web applications. In addition, he knows how to research and, if he doesn't quite get something, he tends to figure it out. He has been doing this for about 8 months, as a hobby, and hopes someone will hire him.

Any time he sees a new penetration testing job to apply for, he looks at the tools he needs to know and downloads any free trial version to get familiar with them before and after he applies for the position. He also plays Capture The Flag (CTF) competitions, both online and in person, at a nearby school in his local area. If the local DefCon (DC) 000 group is putting on a CTF, he attends those as well. Rob also instructs in a meetup group, the DC000 group, and the local Information Systems Security Association (ISSA) chapter on some of the latest hacks, demonstrating them to the group for exposure. He is studying for the Certified Information Systems Security Professional (CISSP) and the Offensive Security Certified Professional (OSCP) certification exams.

Rob has no security clearance, but is aware of the requirements to obtain one and feels he would have no issues obtaining one if he were hired.

Should A Company Hire Him?

From my point of view, they should. Real-world example: the owner of a penetration testing company was looking for a penetration tester (ethical hacker) to join his business. He received a gentleman's resume and, after a telephone interview, invited him to the job site. He sat the gentleman down at a keyboard and said, “Here is your system, go to it! Break in!” I was told the gentleman worked on the machine for the time allotted and could not break in, but he did not give up and kept searching for a way in via Google and other means.

The owner, Shaun, hired him and says to this day that he is one of the best penetration testers he has taught. He told me it was the passion, the hunger, and the “I will not give up!” attitude. The candidate also had the initiative, the patience, and the perseverance to keep going until he accomplished what he needed to (or, in this case, ran out of time).

Another great example: Cylance hired a malware analyst straight out of high school, with no certifications. She went up against other candidates who had certifications, or more schooling and experience, than she had. Read her story here. The other two candidates essentially gave up in their pursuit of the position, for different reasons. She showed the passion, even going home to research the malware to see what she was missing, and was hired.

Two examples, and one of them from a major firm. Why not hire a beginner who is hungry, passionate, and has that initiative and curiosity? I attended a “cyber day” at a college in April 2018. Many initiatives were discussed, including the cyber range the college had built and the scholarships being offered; all around, it was better news than the community had heard in years.

I thought it was good too, but I have seen some of these initiatives before. I honestly felt like they were laying out a five-course meal for anyone to devour in order to become “entry-level” in the field, and all a person had to do was apply.

But How Do You Define An Entry-Level Candidate?

One person in the room stated that if they couldn't define entry-level, then they had a real problem. I stayed quiet, but felt I could help solve it.

My solution: instead of saying a candidate should have 0-1 years of experience using an application (e.g. Wireshark), why doesn't the company spell out some of the skills a candidate should have when working with it? For Wireshark, that might be as simple as: can write a display filter to isolate one host's DNS traffic, can follow a TCP stream, and can export a file carried over HTTP from a capture. To those who say this takes too much time, I would say that if you want to fill the position, years of experience do not necessarily equate to proficiency with the application. Also remember, this does not need to be in-depth detail, just a sampling of what the person should know about the application, because this will help clarify whether the individual has the skill set or not.

Now let's talk about the barriers put up by HR that make these beginners shy away from applying. Sometimes it's simply that the qualifications are overkill or vague. When HR lists its qualifications, as mentioned before, it needs to define in some detail what it wants the beginner to know.

Additionally, when a listing of 15 qualifications is presented, a rule of thumb is that a candidate usually needs to meet 11-12 of them to qualify for the position. I did a quick search on indeed.com for an entry-level position and found one with approximately 13 true technical qualifications. One of the qualifications that jumps out as vague: “Demonstrated ability to research and solve complex technical problems”. I can come up with a few scenarios for this, but it is vague.

At least give an example of a problem for the beginner to look at and chew on. Another search turned up “Cloud Experience”. We know what the cloud is, but provide an example of what you want the beginner to have experience with. One last item is language skills, such as Python, C, or any other high-level language. HR will tend to ask, “Are you proficient in multiple languages?” Based on talking to software engineers, even they will tell you they aren't necessarily proficient in multiple languages. Why?

Every language has its own syntax and its own special ways of doing things (or inability to do them), and if the language is modern (e.g. Java, Python), it will have libraries to pull from to solve tasks quickly. What HR should be asking is, “Given this problem, do you feel you could come up with an algorithm to solve it? If we bring you in for an interview, we will require you to look at a problem and come up with an algorithm or code to solve it.”

There are other examples, but this should be enough for a company to look at its qualifications and ask, “Are we defining these well enough, with some examples of what we would like to see in a beginner's skill set? Are we being too broad or listing too many requirements? Are we willing to pay enough for the skill set even though we are hiring a beginner?” These are things for the HR department, the hiring managers, and the technical staff to talk about and think about before blasting out the job description.

What Employers Really Need vs What They Think They Need

I've heard and read about how the hiring manager tells HR what qualifications they want and HR writes the position description. HR will then ask for someone with a specialty in a specific language and 10 years of experience in it, when the language has only been around for 5 years. What?

This raises the question: does the hiring manager even review the position description before it is advertised? Another question: does the hiring manager truly know the position's qualifications? Did they talk to one of their security personnel to clarify what the qualifications should be?

Additionally, going back to a previous point: don't look at years of experience; look at the details of what is required to accomplish the job, and at what a person really needs to know versus what they can learn over time. Again, if the person hired has the passion and hunger and you ask them to learn something, they will likely learn it, even in their off-time.

One last thing: once past HR, there are times when you need to consider the type of person you are dealing with (introvert vs. extrovert) and the position (e.g. leading a team, or being a member of the team who is very good at what they do). For example, if an introverted person applies to lead a team, it may not be a good fit, even though they may be very good at what they do. So, perhaps make them an offer to do what they are good at and ask whether they would really like to lead the team. If they would, give them time in their skill set, see how they interact with the rest of the team, and go from there. Introverts can be good leaders, especially when placed in something they are passionate about.

What about extroverts? Believe it or not, there are times when extroverts are poor leaders rather than good ones. They can talk a great game to everyone and not really know what is going on. Also remember, when it comes to leadership and teamwork, it has been said that teams work best when members work as individuals and rely on each other here and there, rather than depending on a leader.

But What Training?

The employer may need to send the beginner to training if they don't have all of the skills the position requires. When someone mentions training to a company, the cost of the training is often the first thing that comes to mind. However, it isn't just about the hands-on course (e.g. SANS Institute). Employers need to keep in mind that even after a person goes through SANS training to get hands-on keyboard time and their certifications, they still need to keep up the skill set they just learned. So, allowing a beginner (and every employee who is, or could be, hands-on keyboard) to train on a range of some kind is vital to keeping the acquired skill set sharp and advancing it.

In other words, if the beginner was sent to training a year ago and hasn't been on the keyboard since, don't expect them to remember the UNIX command-line options for “tcpdump” right away.

One thing that also comes to mind: the company may hire the beginner on a contract that is only 9 months long. The company may think that if it invests in this beginner, the beginner had better stick around. This is a two-way street; the beginner may have a family to support and may be taking the position in the hope of staying on to obtain a security clearance and experience.

If the company wants to send the person to a boot camp for training, there will likely be an additional commitment required from the beginner in return. However, as the contract comes to an end and nothing else is available, the beginner usually cannot resign from the position without paying back the training, though they can be laid off (without payback); either way, the beginner will likely be looking out for themselves rather than the company. This is where the beginner and the company need to talk things out.

What About Security Clearance Requirements?

Last, but not least, what about working for the Department of Defense, the nuclear sector, or another establishment with a security clearance requirement, when the beginner comes into the field with none?

Now, there are some companies out there that will hire first and then process the employee for a security clearance, a process that can sometimes take more than a year to complete. To them, I say: good on you!

Then there are others who want the beginner to come with the clearance already in hand. I have noticed some positions posted on indeed.com that state something like “able to obtain a TS clearance”. To those employers I say: if you see the hunger, give the candidate a hands-on test, and they state they foresee no problems obtaining the clearance, TAKE A CHANCE! Invest in the beginner! You can either keep complaining (and not resolve the issue) or take a chance and give that beginner the opportunity to prove themselves!

In conclusion, this discussion reviewed an example of an “entry-level” individual and real-life examples of entry-level people getting hired and, more importantly, why they were hired. I also gave a brief example of how to define the required skill set for an “entry-level” job.

Additionally, I reviewed what I see as barriers put up by HR that prevent beginners from applying at all, or from being hired when they do. Another subject was what the company really needs versus what it thinks it needs or wants, and whether or not to send the beginner to training. Finally, I briefly touched on security clearances and gave a perspective from a potential hiring manager's point of view.

In the end, I feel that if an employer or an employee sees passion and hunger in a person who is looking for a job: HIRE THEM!

Main Image Credit: Junior by Nick Kumbari