When I first started on my path to cybersecurity, I was just as eager to learn and pursue challenges then as I am now. I have many more years of learning ahead in my career, but I found it quite difficult to actually get into the industry. During interviews, I was routinely told how great it is that I have x, y and z. Only to hear I was not suitable for the role because I had no experience in the field. This was despite having a Diploma, an Honours degree in IT, and a Master's specialising in Cybersecurity. Not to mention my own personal projects working with Kali/Parrot/Metasploit.
This was incredibly frustrating, as I could technically never get the experience I needed without two things happening. A), a company taking a gamble on me, and B), that company being willing to invest in training to bring me up to scratch. Sometimes, I would get to the third or fourth stages of interviews with good feelings, only to never hear from the companies again or to be told they had somehow found a better candidate with more relevant experience. It’s important to note that I was not applying for senior roles. I was applying for positions applicable to my own skill level, with the intention of learning and expanding my knowledge. I felt it was an infinite loop of disappointment for me.
So, I did what anyone wishing to seriously attain their goals would do. I took jobs that involved working on the prerequisites needed for a job in cybersecurity. I began as a network engineer helping to support my organisation’s IT infrastructure, working with different operating systems and technologies. Then I became a software tester. All the while, I was tapping away at my own labs with Kali Linux, Parrot etc. and gaining relevant certifications.
Fast forward two years. With relevant experience and certifications in hand, I can say it did not seem to get that much easier. I still found companies unwilling to invest and train. Always wanting to hire the person with the most experience at the least cost to them. Which is pretty disappointing, especially considering many companies now are crying out for people with IT knowledge who can improve their own security. Yet, these companies are mystified why they cannot fill security roles. Sure, I had gaps in my knowledge, like everyone does, but nothing I could not have easily picked up after a few weeks of working.
As I gained the experience and found a company that is willing to do both points A. and B. from above (thanks Brian!), I can honestly say I have never been happier. I would like to think my employer is happy with the “gamble” he took in hiring me. I have been told many times it is perfectly ok to make mistakes, provided I learn from them. This is the kind of nurturing environment that companies of all sizes should adopt.
Here is the conclusion I reached from my past experiences in trying to gain employment, and my current experience working for Brian. Companies should stop screening people out because they haven’t previously worked in security. Why not focus more on taking that chance with someone who seems eager and enthusiastic about the job opportunity? What you lose in experience, you gain many times over in loyalty, commitment to work and a drive to improve themselves and their company.
Years ago, I met a very experienced and well-known cybersecurity practitioner who advised me about my situation. Having endured similar problems when starting out, he advised me to remember companies that didn’t want to invest in me. He said I should think twice about taking a job offer if those companies came calling in the future. Back then, I didn’t realise how true his words would be. I am sure there are many others like me who made mental notes about companies that previously rebuffed them. Now, those experienced practitioners would never work for that company. Ultimately, I believe many businesses are harming their chances of better security through their hiring practices.
As more people enter the security field, they are likely to encounter similar situations. It’s true, companies take a calculated risk by employing someone who might be inexperienced and training them. Surely, though, that avoids a much greater risk from leaving roles empty while they wait for the ideal recruit. That mythical experienced and qualified security professional who works on an entry-level salary? They don’t exist.