DFIR Training Blog



That “cyber” hiring problem is a problem

Over the past year, many articles, blogs, and actual news stories have talked about the extreme shortage of “cyber” applications. Yes, I said the word “cyber”, and I am using that term to encompass everything in information security (like the DF and the IR and the infosec).

Lately, many blogs have been talking about the shortage not actually existing, and that it is the fault of hiring departments not hiring the available pool of applicants.

There is the split in the road, and as far as I am concerned, I agree with the pool of qualified applicants being WWWAAAAYYYYY larger than the available jobs. This goes directly against all the talk that we have a shortage.  Looking at it from both perspectives, each side (the HR side and the ‘looking for a job’ side) both see a shortage on the other side. In reality, I believe the shortage is manufactured for several reasons that can be fixed in 30 minutes, because that's how long it takes to type and upload revised job requirements.

Here is the most glaring and talked about issue:

Unreasonable requirements to just apply to a cyber job.

Within this issue, there are many smaller, but just as important, issues. One is advertising a job with requirements that don’t actually match the job being advertised. Some that I have seen are so different that it would be like a café advertising for a barista but posting the requirements of a truck mechanic and a repair shop posting the requirements of a barista. When this happens, the barista job doesn’t get filled and the truck mechanic doesn’t get a job and the repair shop is short a mechanic.

That’s really what it’s all about, for at least 95% of hiring problems in not being able to find a suitable applicant.

But I want to get a little deeper in this issue. When a job requires the world (degree, competence, and experience), this appears to be a clear attempt to either thin the herd in order to cut down on the number of applications to review or it is an unfortunate misunderstanding of reality. By the time someone has a degree specific to ‘cyber’, experience to back the degree, and competence gained by experience, then that someone is either running their own business or is at a place they will never leave. To narrow this even smaller, many of the most highly competent and most experienced cyber folks don’t even have a degree, or if they do, it is nothing related to cyber. Mainly it is because they practically invented the field, mold the field, and teach the field.


This leaves a very small number of folks that can meet these unworldly criteria of competence, experience, and education. I want to get a little deeper in each of these for a bit, and I’ll get into my opinion on what you can do to get hired and what you can do to find these great folks.

Let’s take the degree requirement first.

As I mentioned, many don’t have cyber degrees or any degrees, but are competent and experienced.  When a degree is required, this means the ‘student’ is not going to have much in the way of experience or competence. Sure, there is some practice with a software tool in a class, and maybe exposure to case studies of some sort, but if you rely solely on a degree, expect that you are basically getting a paid intern for a year or two while they get experience on the way to gaining competence.

HR Tip: Consider a college degree in “cyber” as a bonus or a tie breaker when all else is equal. Making it a requirement means you will not have access to all the best applicants.

Getting hired tip: If the job requires a degree….get the degree. If you want a federal job as an example, you will probably need a degree in practically anything. They don’t really care as long as you have a degree in something. Brett’s advice: be competent too. Don’t go in with just a degree, but really learn your stuff because I want you to stand out like a sore thumb of handling business when you get hired.

On that experience thing.

This is a tough one if you are looking for easily validated experience. Easily as in, getting an internship that can validate that you have experience. In this field, trying to get experience on your own can be risky. For example, “ethical hacking” can turn into criminal charges if you go outside the law, even accidentally. This is a tough one. Even if you wanted to volunteer for free, the legalities and non-disclosure agreements that companies have are problematic, considering that unpaid interns will see confidential data. The requirement to be experienced with specific software/hardware is also a deal-killer for many. The use of any DFIR tool is many times a personal choice or mandated through an employer.

HR Tip: If you have someone pounding on your door, with all the telltale signs of being one of the hardest workers on the planet, but they have no experience, open the door. Open the darn door to at least talk to the person. I promise that one of these folks will rock your company and be a star. On the tool requirement….you don’t want someone that can run a specific tool. You want someone who can run any tool.

Getting hired tip: Pound on doors. Keep pounding on the doors. You have to find that one HR who will take a chance on you because of your tenacity, your positivity, and your promises of being ‘the one’.   Brett’s advice: this sucks as a way to get hired because you will get 99% rejections. But if you can stick it out for that 1%, you just found exactly what you need. And so did that company.

Oh yeah, being competent in the job

Education helps. Experience helps. And self-learning helps. Each of these helps in a different way, and it depends on your learning style. Do not think that you need education to be competent, or that you need experience to be competent, or that you need to only self-learn to be competent. You should know by now the best way you learn. If you don’t, then sit down and think about it. What did you learn recently and how did you learn it? Did someone teach you? Did someone tell you to figure it out? Or did you bear down and figure it out yourself? Whichever works for you, do it. What works for me probably doesn’t work for you. Or maybe if you are lucky, you can learn practically with any method (which means you are lucky and I am a bit jealous…).

HR hiring tip: Competence is difficult, if not impossible, to judge on an application, so stop putting it in there because some of the things you want competence in are not required for the job you are advertising!

Getting hired tip: Get competent. Do it the way that you do it the best. If the hiring manager requires competence in something, whether or not the job needs it, you may just have to learn something that you won’t need to do, but need to get hired. Sucks, but until hiring managers figure it out, if you want that job, you’ll have to pound on the door to convince otherwise, or you have to have what they want.

Ok, here’s a personal story on how messed up this was for me.

I was once ‘recruited’ to apply for a cyber job and given the job description. I applied and got an interview, but when I started the interview process, it took me about 15 minutes to realize that I was interviewing for a different job than what I had been recruited for.

But I went through it anyway. I was incompetent in some of the things needed, as in totally incompetent because I never did that work before! Then, as I started figuring out what the job actually was, it was a job that I didn’t even want to do.

End result was that the entire process was a cluster. I turned down the job before they had a chance to either offer it to me or turn me down. I was a bit disappointed because I actually wanted the job that I had been asked to interview for. I have heard of this happening to one other person, so I imagine this is not unique to me and one other person.

Written by: Brett Shavers
