Is cybersecurity the right job for you?

Cybersecurity Hiring

Headlines, reports and keynote addresses describing a cybersecurity workforce crisis continue to dominate the IT security landscape, with thousands – even hundreds of thousands – of open positions for cyber pros. Are you one of the many IT workers looking to make the jump, only to fall short of getting hired? It's all too common, and there are some surprising reasons why.

At a time when cybersecurity is more important than ever, countless thousands of tech workers are looking to find a way into the lucrative and ostensibly wide-open field. A number of them, limited by a lack of security experience, the wrong educational background or inadequate skill sets, are being shut out, even as the staffing shortages mount. Combine that with a hiring process that doesn't quite fit the mission, and it's a recipe for confusion and frustration all around.

"The problems and shortages are so severe at this point, employers want people who can hit the ground running and who have that experience," said Hord Tipton, executive director of (ISC)2, a top IT education and certification organization, and former Interior Department CIO. "In many cases they don’t have the time, patience or comfort level for hiring entry-level people who have to learn on the job. So that makes it difficult, and fixing it won't happen overnight."

Even though workers with IT experience might not be considered entry-level, the lack of security-specific experience creates barriers to jumping into cybersecurity. But there may be deeper reasons, too: if you keep getting shut out, it might not be right for you.

"You have to have a passion for what you're doing. You have to have that natural sense of curiosity about how things work," said Fred Kerby, instructor at the SANS Institute and formerly an information assurance manager at the Naval Surface Warfare Center. "It's not something you can just get a certificate for and check that box on your resume. You can learn everything about the subject matter, but a good manager can see if the passion is there. And if it's not, then it's not the job for you. That's not necessarily a bad thing, but it is something that people wanting to get into cybersecurity should be thinking about."

Further up the chain, getting through the hiring filters can be a struggle. Tipton and Kerby both agreed that the traditional human resources process, through which applicants typically are sorted, might not work so well when it comes to cybersecurity hiring.

"Today all the applications are filtered by keywords and reviewed by people who don't necessarily understand what the mission is. If you don't understand what the mission is, how do you find the right person for the job?" Kerby said. "When I was hiring, I used to sit down with a candidate and tell them, I'm going to ask you 20 questions. Here's the 20 questions; it's not a pop quiz. There are no right or wrong answers. By the end of those 20 questions, chances were I knew whether that person was right for the job, but more importantly that person knew whether the job was right for them. You can't know, whether you're the manager or the candidate, if someone is right for the mission until you sit down with them and figure out what makes them tick. And that's hard to do when you're talking about huge numbers of workers and positions."

Tipton pointed out that with the growing awareness of cybersecurity – as evidenced by high-profile cyberattacks such as the November 2013 Target hack – even hiring managers are becoming more savvy. The hope is that broader understanding of cybersecurity will continue to grow as the field expands in two ways: vertically and horizontally.

"Vertically, we're going down now into grade school, finding kids with the knack for security and growing them up through college into places where they can get the right experience and certifications," Tipton said. "We also recognize that there are a lot of people out there ... that have to pick up and enhance what they know about security in order to operate in a very complex area. That’s more of a horizontal pathway."

Continuing education, certification and training all are key in getting hired, but success after the first day on the job also is an integral part of resolving cyber-staffing woes. Much depends on employers making known their expectations and requirements.

"Before I left my [Navy] job, one of the most important things I did was sit down and write down everything I did as the incumbent," Kerby said. "You have to have a clear description of what your requirements are before you can find the right person to meet those requirements and succeed in the role. There has to be that clear understanding on both sides."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.


  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Sat, Nov 29, 2014

Is it necessary for an employee to be a US national to get into cyber security field??

Fri, Jan 24, 2014

Maybe they should rehire some of those old mainframers that they trashed to move to PCs.

Fri, Jan 24, 2014

So on one hand the potential employee does not have the "right" background and on the other the company needs to "define what it needs". Along with vertical and horizontal's Friday not in the mood to try and make any sense out of this...

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above