Why "Just hire entry-level cybersecurity professionals and train them" isn't as easy as it seems
“They say there is a job shortage. But why won’t they hire people with no experience, and train them?” I hear you. But I’m here to tell you “training” someone is not easy. Worse, it’s not just a question of dollars: it’s a question of psychological balance for people like me. Let me explain.
We have all seen these absurd job postings. Entry-level cyber security analyst: three years of experience is required. This is beyond frustrating. Newsflash: I’m not about to defend them. This is the result of some horrible miscommunication between hiring managers and recruiters. Let them not find anyone, they sort of deserve it.
But there is another thread of frustrated posts that I see online that I want to provide additional context to. Many people feel it is a no-brainer to hire people based on "attitude and soft skills" and "just train them up so in two years, they're the next trainers"! Voilà! Not so fast, cowboy.
I feel you. I've dealt with professional anxiety. I was rejected due to my lack of experience. I remember a group interview for a teaching position: maternity leave replacement, 30 people for the job... and one applicant had actually taught me. "All I need is someone to give me a shot, and I'll knock it out of the park!" Couldn't we do it better? Can organizations open themselves up? What's holding them back?
I'll tell you.
See, I am not a hiring manager; I am the one doing the training. This is not as easy as it seems. Allow me this week to lay out my point of view. Hopefully, by the end, you'll better understand the mindset of people like me, and you will feel maybe a bit less frustrated by what is going on.
The point I’m making is that training is not merely a question of technical knowledge transfer. Training, good training, is a question of caring. And as a father of four kids, I feel I am in a great position to tell you that there is only so much caring in an individual before they get drained.
Psychological aspect
As a trainer, you deal with fellow humans. You deal with their personalities, experiences, and emotional baggage. With all the "on-the-job" training I've done, the truth remains: I must adapt to you. I've experienced it with people who had no prior work experience, and with senior specialists as well!
Real training is not about bringing a bunch of people into a class and showing them how to run tools. It's not school. To quote Eminem: success is your only option. All the entry-level cybersecurity specialists I've trained needed to overcome some form of self-doubt, or "impostor syndrome". The thing is, to help them, I can't just pat them on the back and tell them they're doing well. I actually have to mean it. So it's less: "You're amazing!" and more: "You've shown initiative when reaching out to the developer about an upcoming access change that will affect him. I chatted with him and he felt you were clear and to the point, but your technical outline lacked some details." Guess which one takes time. Yet it provides actual training feedback instead of hollow cheerleading.
Even seniors require some emotional support. They may have years over me, but I'm the one who knows all about the organization's specific way of doing things. Some may doubt the choice they've made. Others may worry about the probation period. Over the years, I've found out even management underestimates how much the emotional support of new recruits matters.
I cannot do this if I have a class of 10.
Politics and relationships
Security involves constant conflict. You cannot publish this application unless you fix this critical vulnerability. You cannot access this system because it’s not part of your job description. You cannot use email to communicate this type of information. So it goes.
This perpetual tension is what influencers like me have in mind when we say “soft skills” matter as much as technical ones in InfoSec. Everything is a negotiation. Yes, your experience dealing with annoying customers at your restaurant job is valuable! So, what’s the problem?
Such negotiations happen within an IT enterprise setting. As a trainer, I must provide you with the tools you need to conduct these discussions. What are we willing to give, and what are the hills we die on? What are the technical limitations, which laws are we following, etc.? Wait, there's more. I need to introduce you to my allies. I share my political capital, i.e. the trust I have earned with my coworkers. That means the inevitable mistakes can cost me some goodwill. Often, I will take the heat.
I'm not trying to make you feel sorry for me. This is part of the job. It's simply not easy. I'm not explaining encryption; I'm involving myself in someone's success. If it fails, it takes away from me.
And there is more.
IT work ethic is different
One underrated reason for prior experience requirements: it's not just tech familiarity we want; we want the IT work mindset. Every work domain has its own specifics. IT has the agile methodology, kanban, tickets, user stories, knowledge management, the definition of done, service levels, and continuous improvement. When I talk with friends outside IT, it's obvious none of these principles have made their way outside our bubble. Many of them manage their tasks on a sheet of paper. It's far from what I keep talking about in my App Reviews.
I spend a lot of time helping people new to the field figure out when to close a ticket. When is done really done? You may feel this is trivial. Even people with a few years in still make the mistake of closing too early.
You may have dealt with hundreds of customers, deadlines, cost-cutting measures, and so on. Many of the stress management mechanisms you've acquired will help. That said, no other sector builds the reflex of "How can I automate this moving forward?"
The obvious: risk allocation
Now, you may feel I'm gatekeeping. "How did you get in?"
I was lucky. When I entered the domain, I joined a company that was investing massively in security. They had allocated one senior individual full-time to support interns, on top of my internship supervisor. That senior did all the little things I've explained above for me while I was busy learning the so-called hard skills by myself. I created the labs, studied the Certified Ethical Hacker curriculum, and passed my degree. That was the easy part! I learned to revamp the way I wrote to appeal to developers' attention spans. I learned who to trust and who to avoid in the mornings. I learned to make allies and who not to invite to the same meeting. Little, invisible, essential things.
My case is so stereotypical in many ways. After the first internship, I got hired part-time. I went back for a second one where I trained other interns and consultants. I got hired full-time, took an intern under my wing within 6 months, and was training most of the new hires.
Then I left.
Now, I believe I gave back as much as I got. But still, this is a case of someone who got trained from the ground up and went to greener pastures after 2 years. Companies keep this in mind. It is not greedy to think about such things from a return on investment point of view. If a senior leaves within 2 years, there is a higher probability that this person delivered more value while they were trained.
There is no easy fix
Allow me to tell you a little secret. That senior who was assigned to interns full-time? They were actually making the most of a complex political situation. I'm sure you can read between the lines.
I'll admit it, these days, the mere idea of training a new person from the ground up tires me.
Trainers must still work, after all. Companies keep investing in amazing technologies, pushing the boundaries. It's normal as a professional to want in on this. That's not even counting market pressure. Some tasks have such high stakes that they must be done by seniors. I work in compliance. I must steer audits, hassle-free.
A few tips and considerations for aspiring cybersecurity professionals:
- Be on the lookout for companies that need talent now. If you are based in Canada, the job listing pages are full of government jobs because they underpay. You'll outgrow them within 2 years, but this is a good place to learn the work ethic.
- Don't frown on bigger organizations. They likely have budgets for trainers, agile workshops, and talent management.
- Full remote might not be the best idea. I spent countless hours chatting with a senior SecOps guy while I was an intern. Lunch, coffee, everything. I understand in-person may not fit everyone's personality and complex family situation. But still. I trained remote people. It's not the same. So if you are remote, how do you compensate?
- Don't expect easy. I admit, this one triggers me a bit. I'm all for dropping the stupid degree requirements. But you know what? You do learn tons of relevant information and methods in university! How can you compensate?
- Passion matters. IT people are passionate, especially in cybersecurity. For entry-level, this means you do compete with people who breathe this day in, day out. How can you differentiate?
I'm not trying to discourage you. But at the same time, sugarcoating it can set unrealistic expectations. It's not an easy job. It has one of the highest, if not the highest, rates of burnout.
Hopefully, now that you have had a glimpse into the mind of a trainer, you can better understand the circumstances around some of the frustrating situations you endure.