Is cybersecurity the right job for you?

Cybersecurity Hiring

Headlines, reports and keynote addresses describing a cybersecurity workforce crisis continue to dominate the IT security landscape, with thousands – even hundreds of thousands – of open positions for cyber pros. Are you one of the many IT workers looking to make the jump, only to fall short of getting hired? It's all too common, and there are some surprising reasons why.

At a time when cybersecurity is more important than ever, countless thousands of tech workers are looking to find a way into the lucrative and ostensibly wide-open field. A number of them, limited by a lack of security experience, the wrong educational background or inadequate skill sets, are being shut out, even as the staffing shortages mount. Combine that with a hiring process that doesn't quite fit the mission, and it's a recipe for confusion and frustration all around.

"The problems and shortages are so severe at this point, employers want people who can hit the ground running and who have that experience," said Hord Tipton, executive director of (ISC)2, a top IT education and certification organization, and former Interior Department CIO. "In many cases they don’t have the time, patience or comfort level for hiring entry-level people who have to learn on the job. So that makes it difficult, and fixing it won't happen overnight."

Even though workers with IT experience might not be considered entry-level, the lack of security-specific experience creates barriers to jumping into cybersecurity. But there may be deeper reasons, too: if you keep getting shut out, it might not be right for you.

"You have to have a passion for what you're doing. You have to have that natural sense of curiosity about how things work," said Fred Kerby, instructor at the SANS Institute and formerly an information assurance manager at the Naval Surface Warfare Center. "It's not something you can just get a certificate for and check that box on your resume. You can learn everything about the subject matter, but a good manager can see if the passion is there. And if it's not, then it's not the job for you. That's not necessarily a bad thing, but it is something that people wanting to get into cybersecurity should be thinking about."

Further up the chain, getting through the hiring filters can be a struggle. Tipton and Kerby both agreed that the traditional human resources process, through which applicants typically are sorted, might not work so well when it comes to cybersecurity hiring.

"Today all the applications are filtered by keywords and reviewed by people who don't necessarily understand what the mission is. If you don't understand what the mission is, how do you find the right person for the job?" Kerby said. "When I was hiring, I used to sit down with a candidate and tell them, I'm going to ask you 20 questions. Here's the 20 questions; it's not a pop quiz. There are no right or wrong answers. By the end of those 20 questions, chances were I knew whether that person was right for the job, but more importantly that person knew whether the job was right for them. You can't know, whether you're the manager or the candidate, if someone is right for the mission until you sit down with them and figure out what makes them tick. And that's hard to do when you're talking about huge numbers of workers and positions."

Tipton pointed out that with the growing awareness of cybersecurity – as evidenced by high-profile cyberattacks such as the November 2013 Target hack – even hiring managers are becoming more savvy. The hope is that broader understanding of cybersecurity will continue to grow as the field expands in two ways: vertically and horizontally.

"Vertically, we're going down now into grade school, finding kids with the knack for security and growing them up through college into places where they can get the right experience and certifications," Tipton said. "We also recognize that there are a lot of people out there ... that have to pick up and enhance what they know about security in order to operate in a very complex area. That’s more of a horizontal pathway."

Continuing education, certification and training all are key in getting hired, but success after the first day on the job also is an integral part of resolving cyber-staffing woes. Much depends on employers making known their expectations and requirements.

"Before I left my [Navy] job, one of the most important things I did was sit down and write down everything I did as the incumbent," Kerby said. "You have to have a clear description of what your requirements are before you can find the right person to meet those requirements and succeed in the role. There has to be that clear understanding on both sides."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

Reader comments

Sat, Nov 29, 2014

Is it necessary for an employee to be a US national to get into the cyber security field?

Fri, Jan 24, 2014

Maybe they should rehire some of those old mainframers that they trashed to move to PCs.

Fri, Jan 24, 2014

So on one hand the potential employee does not have the "right" background and on the other the company needs to "define what it needs". Along with vertical and horizontal's Friday not in the mood to try and make any sense out of this...
