In case you missed it, this is the fourth part in my series, "The Truth and Lies of Seeking an Entry-Level Cybersecurity Job." Read Part One here, which also contains the Prologue outlining my intentions for this series of articles.
The Idea
Welcome back to Part Four of my series on attempting to kickstart a career in information security. In the beginning of Part Three, I explained the delay in posting due to uncertainty regarding potential criticism from those already in the field. I expressed my fear that an IT hiring manager might say, "you just don't have a good enough certificate or relevant enough experience for these roles."
This fear has haunted every application I've made, from Helpdesk roles to my most aspirational attempts to get a foot in the door. I constantly thought, "if only I had one more certificate or more aligned career experiences, I would have gotten a callback!" After a particularly disappointing rejection, I decided to conduct a little A/B testing to see if the ideal version of myself would fare any better in getting initial interviews or contacts. Do you have any doubts about the results?
Experimental Setup
My goal was to create a fictional, idealized version of myself, equipped with all the reasonable certificates, training, and experiences I could hope for, and then apply for the same jobs I've been seeking to see how much better this fictional me fared. I set up a semi-rigorous scientific experiment, minimizing extraneous variables. My fictional name was as generic and White-sounding as my own, and my healthcare career history mirrored my real progression of seniority and responsibility but with more direct experience in tech and policy roles at fictitious locations.
I substituted work at a large corporate treatment setting for my actual decade in private practice, addressing my internal concerns about my relatively isolated practice being a drawback on my resume. I included plausible volunteer time in the tech world doing direct networking and security volunteer work for the local community instead of my more meaningful work with Operation Safe Escape. Additionally, I went all out in giving myself tailored training and certifications for four different resumes representing the four areas I am seeking careers in.
- A Cybersecurity/Threat Analyst resume
Focused on computer and malware expertise, featuring a GIAC Incident Handler (GCIH) cert, serious Python programming skills and training, along with a SANS Sec511 course.
- A GRC/Risk Analyst resume
This role leaned heavily on revamping my work history. Risk, controls, and audits are a central part of the healthcare world, and my roles emphasized my working in this space in an administrative capacity. While I do have experience in this area in my real career history, it’s been a tangential aspect instead of a central one. I also gave myself an ISACA CISM certificate. This one is funny to me because I’m well prepared to take and pass the CISM exam. I score in the high 90s on any serious practice exams I’ve taken, but I just can’t stomach forking out $760 for a cert that I doubt people will think I earned in the first place. However, fictional me went for it and earned it!
- A Tech Support resume
This resume has a myriad of Tech Support staples. My volunteering for the last year was providing tech support to my local chamber of commerce business community, complete with a generous list of successful projects I’d tackled. I also had my CompTIA A+ and Cisco CCNA (I’m working toward the CCNA right now), as well as the Sec+.
- A Customer Success/Service resume
For this one I gave myself a bit of a stretch to examine the theory that others can’t get past my therapy work history to see me as suitable for other work. Instead of volunteer experience, I gave myself a customer service role for the last year and a half at a local mid-sized tech-focused company. I still gave myself a Sec+ and a CISM, as well as my current trainings, to emphasize my preparation for technical work in the infosec space.
To be honest, crafting these resumes felt a bit like creating a Dungeons and Dragons character. I was trying to keep them in the realm of reasonable for a therapist to have done over the last year and a half, while also gifting them with every imaginable feat and ability I could reasonably bake into their experience.
Applying for Jobs
My goal was to apply for forty jobs in total, ten for each role. I prepared a generic but solid cover letter for each role and started looking for suitable positions. I focused on closely matching the roles I've been pursuing and ones that were well-matched to my resume. I avoided cross-applying for OpSec reasons, as it seemed improbable that multiple therapists would be trying to get into infosec. (Please reach out to me if you are, I want to meet you!)
I didn't customize my resumes to the job postings, finding it an exhausting task for pseudo-me roles. However, I sought out roles that would be excellent fits for this fake me. I allowed myself to apply for a few reach roles based on having at least the advanced certifications sought by those positions. It took about a week to assemble the resumes and apply for the jobs, and it's now been about 3-4 weeks, depending on the job and resume type.
The Results
Before sending out my resumes, I contemplated how to interpret the results. Did I need to beat my existing response rate? My sample size was too small for that to make sense. Was any response a validation of my theory about why I wasn't getting any responses? Maybe? I was unsure of what this would all mean in the wash; anything seemed possible. As of this writing, I haven't heard back from every application, but 35 of the 40 have rejected the fake me. I'll update if I get a serious positive response, but I'm not optimistic, as I usually get a rapid response or none at all.
My single positive response was for a Tech Support role with a large local firm. I didn't respond to the request to schedule an interview with the recruiter and decided against explaining my ruse. In hindsight, I may have made the Tech Support resume a bit over the top, as they were essentially running their own small computer and network consulting business before applying for the job.
Admittedly, these resumes would not hold up under scrutiny; none of these certifications or trainings were verifiable. There is therefore a possibility that I was too over the top and got rejected as implausible or for lying. If so, it seems there is a fine line between too little and too much qualification for an entry-level role.
Conclusion
I was a bit surprised that I didn't receive any serious attention from my applications. On paper, fake me looks incredibly good and well-motivated. Fake me spent over $8,000 out of my pocket on a SANS course and lots of expensive certificates, but what I learned is that most entry-level certifications have next to no worth in the modern hiring environment, at least for getting a foot in the door. I'm not sure how much benefit expensive trainings have either, as I don't know whether a recruiter would appreciate the value of a SANS Security course compared to an AntiSyphon course without matching real-world experience.
I was also surprised at the emotional validation this test brought. It was powerful and liberating to realize that even an ideal version of myself couldn't land an interview. This experiment gave me the confidence to point to the hiring environment as the barrier in this equation. While not a rigorous scientific experiment, it is highly suggestive of the general hiring environment.
Homework for Part Five
I’ve alluded to the fact that this series originated from me reading an article. That article was by Ross Haleliuk, whose thoughtful piece, "Cybersecurity talent shortage: not the lack of people, but the lack of the right people," caught my eye when he published it in early November. I'll delve into his article in Part Five, but in the meantime, please read his excellent article, as it continues to influence my thoughts on approaching cybersecurity, the frustration at the entry-level training and education realm, and the serious mismatch in communication between what is implied to be possible versus what is actually possible. Here’s the line that has stuck with me since I read it:
“If two engineers and two incident responders can do the work of twenty analysts, we may very well be better off hiring the engineers and incident responders capable of building solutions to the organization’s problems. Instead of getting 700,000 people into security trained to use tools, we could get fewer people who are much more proficient and well-versed in the fundamentals, as well as highly effective in their roles.”
In my experience with User Experience (UX) roles, the same job title can have dramatically different requirements that ATS systems will quickly boot people out over. I suspect some basic tailoring of your actual resume would still yield better responses than your idealized ones.
Yes, I hate this job environment too.