
How to cope with information security job search challenges

Veteran CISO Ernie Hayden offers advice to one security pro who, despite many job openings, can't overcome information security job search challenges.

Editor's note: This month, contributor Ernie Hayden responds to a reader inquiry regarding the tumultuous information security job market. Below is the reader's letter, edited for brevity, followed by Hayden's response.

Mr. Hayden,

I read your recent article, Mining for infosec talent: How CISOs can fill security positions; however, on the opposite side of the coin, finding employers when you are already qualified is just as tough an endeavor.

For those of us looking to move into positions of security architecture, policy, or just to another organization, it appears there is a glut of information security professionals. In my case, I hold a CISSP, CISM, Security+ and a Windows certification, I was an intelligence analyst and linguist with NSA and the military, I hold a "Top Secret" clearance, I have ample applicable experience and I continue to educate myself on the field and emerging technologies.

I am not new to the field, yet I am unable to find a position in which I can work with an organization to set policy, develop procedures, and build sound standards. Why is this? In my experience, it is because most organizations only want to hire from within, want security practitioners to be both their IT technicians and their security managers, and place security under IT and want only technical personnel -- a poor fit for good security.

The field is a mess, as are the organizations looking for information security professionals; they do not know what they want, they just know they need to hire someone. This leaves the field wide open for those who want to "game the system." True infosec professionals will still be a mix in the pack hoping to be selected, until their qualifications are recognized by a clearly defined profession. Hiring officials will continue to hire and scratch their heads trying to figure out why no one knows anything about information.

There is no problem finding information security employees, because there truly is a glut of them. What is missing, however, is how to get hired in a field where it is increasingly difficult to stand out. I would like to see an article based on how to land a security job, when there are literally thousands of equally unqualified individuals selling themselves as security professionals.

Best regards,

Dave H.

Dave raises excellent questions about the marketplace, including why it is difficult for qualified security personnel to even land a first interview -- never mind a job offer -- in the midst of a supposedly booming infosec job market. Among my security peers and friends in the Seattle area, this dilemma is not unusual. Although I do not personally know Dave, there are a few approaches to job searches that immediately come to mind that could be helpful to security professionals, as well as technical project managers and executives.


In this tip, we'll advise on how to navigate the difficulties and challenges that exist in the infosec market, including finding a potential position, selling security credentials to unaware employers and showing value to an organization.

Finding an infosec position

The obvious place to begin any information security job search is with personal contacts. Tell friends, current and former co-workers, and colleagues you are looking for employment in the infosec field. Describe your dream job for them. Explain what you like to do and how you think you can help a company. Remember, even your spouse and friends may not really understand what you do for a living, so education is necessary. Don't forget that communicating with friends and colleagues about your career can lead to broader networking opportunities.

Speaking of networking, I think it is generally the No. 1 approach to job seeking, regardless of career field or marketplace. That said, aspiring and current security pros should realize that mindlessly adding LinkedIn connections or collecting business cards is not effective networking. Those people rarely know about your strengths and weaknesses, your personal and professional goals, or anything else that will give you a leg up in the job hunt. I would personally avoid relying on "LinkedIn blast"-style messaging to communicate your aspirations because these messages come across as too informal and may not be targeted effectively, though LinkedIn can be used for targeted contacts and researching potential future employers.

Instead of relying on social networks, joining and actively participating in networking groups can help build meaningful relationships, which can then be tapped when making your next job move or attempting to break into a different field. Professionals specifically seeking infosec jobs should check out local chapters of InfraGard; Information Systems Security Association, or ISSA; ISACA; and other security-centric organizations to expand on their professional network. Attending such meetings should be considered a mandatory part of any information security job search.

Other good sources for security positions are recruiters and job boards. Although I've not had much personal experience with infosec recruiters, there are a few who advertise their services and are present at security-related trade shows like RSA Conference and SecureWorld. Probably the best bet when dealing with recruiters is to make a call and possibly even arrange a face-to-face meeting, with the primary goals being to get a sense of the job market, see what credentials are in demand, explain your experience in person and better understand ways you can help the recruiter. Remember, the recruiter is also looking for talent to fill their searches, so even if you are not the perfect candidate for a certain position, you may know someone who is and can pass that contact along to the recruiter. By helping the recruiter solve their problem, you make it more likely they will remember you for future searches, while the contact you helped find a new position will also be a future resource in your own job hunt.

Finally, though the Internet has changed a great many things, including information security job searches, online job boards are still a great source for finding open security positions. A few security-centric job boards that come to mind are ISC2 and Dice, though university and corporate alumni associations often have job boards too.

What employers want

In today's tough security environment, you would think that most companies would have the perfect vision for their next chief information security officer (CISO) or infosec staff; however, I'm not sure they do. For instance, I've worked in information security management for four different organizations, with each stint being a first-time position that came with different management expectations. Based on my current view of the industry, this is still common; many companies are only now creating their first information security job roles.

An IT professional position is fairly understandable, considering there are plenty of job descriptions and even a moderately structured career path for IT pros. In contrast, security, as a profession, continues to be a bit undefined. As such, finding a perfect security job can be a challenge even if a candidate possesses strong credentials, especially when the hiring manager may not really understand the value of industry certifications such as Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager, or CISM. When communicating with potential employers, security pros need to take the time to spell out what credentials such as the CISSP mean, how hard they are to obtain and sustain, and how they are a globally recognized certification for accomplished security pros. Assume potential employers do not really understand the value these certifications can bring to an organization.

Note from the author

It is critical to realize that most security jobs will probably require relocation. Most senior security positions are in the financial sector (e.g., New York, Chicago, Dallas, Los Angeles) and defense/national security (e.g., Washington, D.C.). For security professionals who either cannot move or are limited in geographic opportunities: I would suggest expanding your information security job search to include consulting companies that allow staff to work at home when not traveling.

Remain flexible

Technical knowledge and skill in the information security space is important to any practitioner's success; however, it is only one element of a complete approach to the job. While the technical aspects of network security, firewall rules and the like are quite "black and white," security professionals still need to have the ability to be a "gray thinker," or to think outside the box when fighting back an attacker or nullifying an inside threat. Remember that attackers don't necessarily follow any rules. Understanding this concept and being able to anticipate an attacker's next move are the result of experience -- a valuable asset to any employer.

It's also important to be a strong team player and nimble -- change is going to happen, and being able to support different teams and adapt to different directives is critical to success. Don't forget, the CISSP credential provides some very strong networking and telecom training, which might be just what a manager needs at that moment. Supporting the team, even though it may distract from the goals of a security job, is an effective way to demonstrate broader value to an organization.

Overall, the infosec market is in dynamic flux. Following President Obama's cybersecurity executive order for critical infrastructure (Executive Order 13636, Improving Critical Infrastructure Cybersecurity, issued in February 2013) and the resulting flurry of work at the National Institute of Standards and Technology (NIST) on the new Cybersecurity Framework, there will probably be more opportunities opening up for qualified, dedicated and adaptable security professionals. In the immediate future, security pros will benefit from studying the executive order, paying attention to the upcoming NIST framework and focusing on how to help a potential employer with these new drivers.

About the author:
Ernest N. "Ernie" Hayden, CISSP, CEH, is an experienced critical infrastructure protection/information security professional and technology executive providing global thought leadership for more than 13 years in the areas of critical infrastructure protection, cybercrime, cyberwarfare, industrial controls security, and business continuity/disaster recovery. This is in conjunction with his work in the areas of leadership and technical business management that he has focused on since 1974. Based in Seattle, Hayden devotes much of his time to critical infrastructure protection and analysis, industrial control systems security, energy and utility issues including smart grid security, and studying the security of these systems against contemporary threats. Hayden is an executive consultant with Securicon and has held roles as a global managing principal at Verizon, and as an information security officer/manager at the Port of Seattle, Group Health Cooperative (Seattle), Seattle City Light and Alstom ESCA. Submit questions or comments for Ernie Hayden via email at

This was last published in November 2013


What has been left out of this conversation is the HUGE impact India has on our hiring practices. I work on the Windows platform and, like David H, I keep paying for the necessary training, which is expensive; keep going to the seminars and keep buying the book and the right hardware to keep on practicing for the next job. What do I get for this? Indian companies calling me from India for jobs in Ga, DC, Seattle and on and on, offering wages that are just an insult to the amount of time we spend preparing for the next job.
The fault lies with the companies that hire Indian companies whose main interest is to hire Indians, and whatever is left, then they call us. The interest of the US companies is to pay as little as possible so they can hoard the cash so their officers can go to Cancun with a collection of beauties while they keep their wives at home, and the rest of us be damned.
We need to push for better wages as we have US expenses, while the Indians want to pay us Indian wages, just enough to pay for Indian expenses.

anywho: that's my opinion, and sure as hell is not a humble opinion.

lcrsharepoint01: That's an interesting perspective, and one I haven't heard often. Admittedly we're seeing the outsourcing of some tasks like event management, log analysis and vulnerability scanning, but the duties, expectations and challenges inherent in most infosec positions dictate hiring someone in the U.S. who can be in the office every day, hence Ernie's point about relocation. But I'd be interested to hear other perspectives about security and outsourcing, offshoring in particular, and its effect on the job market.

Although CISSP offers some broad information security management in general, it doesn't offer any insights about how to troubleshoot seriously. Since hackers don't care about any certifications such as CISSP, your only defense may be your deeper technical or developmental know-how to anticipate their next and future moves, as you well suggested in your article. To be honest with you, any burdensome bureaucratic procedures or rigid rules will not prevent them, but rather enable them. Let me ask you a really important question, however: how could you prevent the hackers who don't observe any protocols, assumptions, or rules of society? Again, this may be a real Catch-22 situation: if I were CISO, how can I hire somebody who is weak in troubleshooting for a position to prevent the hackers and intruders who are truly clever, smart and troubleshooting masters who can find any jobs anywhere, anytime? Perhaps I may need to hire the very hacker to prevent intruders or the other hackers here.

Completely agree with Dave. I hear every day and see every day about the "need" for infosec pros. I hold 4 certs and have 7 classes left in my infosec BS with a 3.89. I can't even get callbacks. Sorry, that does not mean there is a need. That means there is a want, and we could all be the suckers holding the bag. I remember in the '90s when there was a need for comp sci and dudes were being picked up for 6 figures from second- or third-tier schools before they graduated.