Editor's note: This month, contributor Ernie Hayden responds to a reader inquiry regarding the tumultuous information security job market. Below is the reader's letter, edited for brevity, followed by Hayden's response.
I read your recent article, Mining for infosec talent: How CISOs can fill security positions; however, on the opposite side of the coin, finding employers when you are already qualified is just a tough an endeavor.
For those of us looking to move into positions of security architecture, policy, or just to another organization, it appears there is a glut of information security professionals. In my case, I hold a CISSP, CISM, Security+ and a Windows certification, I was an intelligence analyst and linguist with NSA and the military, I hold a "Top Secret" clearance, I have ample applicable experience and I continue to educate myself on the field and emerging technologies.
I am not new to the field, yet I am unable to find a position in which I can work with an organization to set policy, develop procedures, and build sound standards. Why is this? In my experience, it is because most organizations only want to hire from within, want security practitioners to be both their IT technicians and their security managers, and place security under IT and want only technical personnel -- a poor fit for good security.
The field is a mess, as are the organizations looking for information security professionals; they do not know what they want, they just know they need to hire someone. This leaves the field wide open for those who want to "game the system." True infosec professionals will still be a mix in the pack hoping to be selected, until their qualifications are recognized by a clearly defined profession. Hiring officials will continue to hire and scratch their heads trying to figure out why no one knows anything about information.
There is no problem finding information security employees, because there truly is a glut of them. What is missing, however, is how to get hired in a field where it is increasingly difficult to stand out. I would like to see an article based on how to land a security job, when there are literally thousands of equally unqualified individuals selling themselves as security professionals.
Dave raises excellent questions about the marketplace, including why it is difficult for qualified security personnel to even land a first interview -- never mind a job offer -- in the midst of a supposedly booming infosec job market. Among my security peers and friends in the Seattle area, this dilemma is not unusual. Although I do not personally know Dave, there are a few approaches to job searches that immediately come to mind that could be helpful to security professionals, as well as technical project managers and executives.
In this tip, we'll advise on how to navigate the difficulties and challenges that exist in the infosec market, including finding a potential position, selling security credentials to unaware employers and showing value to an organization.
Finding an infosec position
The obvious place to begin any information security job search is with personal contacts. Tell friends, current and former co-workers, and colleagues you are looking for employment in the infosec field. Describe your dream job for them. Explain what you like to do and how you think you can help a company. Remember, even your spouse and friends may not really understand what you do for a living, so education is necessary. Don't forget that communicating with friends and colleagues about your career can lead to broader networking opportunities.
Speaking of networking, I think it is generally the No. 1 approach to job seeking, regardless of career field or marketplace. That said, aspiring and current security pros should realize that mindlessly adding LinkedIn connections or collecting business cards is not effective networking. Those people rarely know about your strengths and weaknesses, your personal and professional goals, or anything else that will give you a leg up in the job hunt. I would personally avoid relying on "LinkedIn blast"-style messaging to communicate your aspirations because these messages come across as too informal and may not be targeted effectively, though LinkedIn can be used for targeted contacts and researching potential future employers.
Instead of relying on social networks, joining and actively participating in networking groups can help build meaningful relationships, which can then be tapped when making your next job move or attempting to break into a different field. Professionals specifically seeking infosec jobs should check out local chapters of InfraGard; Information Systems Security Association, or ISSA; ISACA; and other security-centric organizations to expand on their professional network. Attending such meetings should be considered a mandatory part of any information security job search.
Other good sources for security positions are recruiters and job boards. Although I've not had much personal experience with infosec recruiters, there are a few who advertise their services and are present at security-related trade shows like RSA Conference and SecureWorld. Probably the best bet when dealing with recruiters is to make a call and possibly even arrange a face-to-face meeting, with the primary goals being to simply get a sense of the job market, see what credentials are in demand, have the opportunity to personally explain your experience and better understand ways you can help the recruiter. Remember, the recruiter is also looking for talent to fill their searches, so even if you are not the perfect candidate for certain position, you may know someone who is and can pass that contact along to the recruiter. By helping the recruiter solve their problem, they may more readily remember you for future searches, while the contact you helped find a new position will also be a future resource in the job hunt.
Finally, though the Internet has changed a great many things, including information security job searches, online job boards are still a great source for finding open security positions. A few security-centric job boards that come to mind are ISC2 and Dice, though university and corporate alumni associations often have job boards too.
What employers want
In today's tough security environment, you would think that most companies would have the perfect vision for their next chief information security officer (CISO) or infosec staff; however, I'm not sure they do. For instance, I've worked in information security management for four different organizations, with each stint being a first-time position that came with different management expectations. Based on my current view of the industry, this is still common; many companies are only now creating their first information security job roles.
An IT professional position is fairly understandable, considering there are plenty of job descriptions and even a moderately structured career path for IT pros. In contrast, security, as a profession, continues to be a bit undefined. As such, finding a perfect security job can be a challenge even if a candidate possesses strong credentials, especially when the hiring manager may not really understand the value of industry certifications such as Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager, or CISM. When communicating with potential employers, security pros need to take the time to spell out what credentials such as the CISSP mean, how hard they are to obtain and sustain, and how they are a globally recognized certification for accomplished security pros. Assume potential employers do not really understand the value these certifications can bring to an organization.
Note from the author
It is critical to realize that most security jobs will probably require relocation. Most senior security positions are in the financial sector (e.g., New York, Chicago, Dallas, Los Angeles) and defense/national security (e.g., Washington, D.C.). For security professionals who either cannot move or are limited in geographic opportunities: I would suggest expanding your information security job search to include consulting companies that allow staff to work at home when not traveling.
Technical knowledge and skill in the information security space is important to any practitioner's success; however, it is only one element of a complete approach to the job. While the technical aspects of network security, firewall rules and the like are quite "black and white," security professionals still need to have the ability to be a "gray thinker," or to think outside the box when fighting back an attacker or nullifying an inside threat. Remember that attackers don't necessarily follow any rules. Understanding this concept and being able to anticipate an attacker's next move are the result of experience -- a valuable asset to any employer.
It's also important to be a strong team player and nimble -- change is going to happen, and being able to support different teams and adapt to different directives is critical to success. Don't forget, the CISSP credential provides some very strong networking and telecom training, which might just be what a manager needs at that moment. Supporting the team, even though it may distract the goals of a security job, is an effective way to demonstrate broader value to an organization.
Overall, the infosec market is in dynamic flux. Following President Obama's cybersecurity executive order for critical infrastructure and the resulting flurry of work at the National Institute of Standards and Technology (NIST) on the new Cybersecurity Framework, there will probably be more opportunities opening up for qualified, dedicated and adaptable security professionals. In the immediate future, security pros will benefit from studying the executive order, paying attention to the upcoming NIST framework and focusing on how to help a potential employer with these new drivers.
About the author:
Ernest N. "Ernie" Hayden, CISSP, CEH, is an experienced critical infrastructure protection/information security professional and technology executive providing global thought leadership for more than 13 years in the areas of critical infrastructure protection, cybercrime, cyberwarfare, industrial controls security, and business continuity/disaster recovery. This is in conjunction with his work in the areas of leadership and technical business management that he has focused on since 1974. Based in Seattle, Hayden devotes much of his time to critical infrastructure protection and analysis, industrial control systems security, energy and utility issues including smart grid security, and studying the security of these systems against contemporary threats. Hayden is an executive consultant with Securicon and has held roles as a global managing principal at Verizon, and as an information security officer/manager at the Port of Seattle, Group Health Cooperative (Seattle), Seattle City Light and Alstom ESCA. Submit questions or comments for Ernie Hayden via email at firstname.lastname@example.org.