Part Three: The Chasm Between Entry-Level Applicants and Entry-Level Jobs
(Hint: there are no entry-level jobs!)
In case you missed it, this is the third part in my series, "The Truth and Lies of Seeking an Entry-Level Cybersecurity Job." Read Part One here which also contains the Prologue outlining my intentions for this series of articles.
Hello everyone, thank you for your patience. It's taken a few weeks to release this next part, and I'd like to explain the delay before diving in.
The final draft of Part Three has been mostly completed since the day after Thanksgiving, shortly after the publication of the previous parts. Initially, I planned on an immediate release, but something kept nagging at the back of my mind. It took a few days for me to recognize the issue. Part Three discusses my opinion on what's broken with job postings for junior roles in cybersecurity and, to an extent, in IT in general. As an outsider with no real experience in the career field, my nagging dread was that some IT hiring manager or recruiter might read this and say, “you just don't have a good enough certificate or relevant enough experience in your career field for these roles."
It's a valid critique, and I let it haunt me for a while, partly due to my own day-to-day self-doubt reflected in endless canned rejection emails. But then an idea came to me, an idea that took a few weeks to set up and execute properly. With my experiment's results, I now have an answer to what I anticipate the critics might say, and I can publish my critique of the entry-level cybersecurity landscape with more peace of mind.
With that minor programming note out of the way, welcome back to Part Three of my series on trying to start my career in cybersecurity.
Today, I want to start by describing what I see when I look for entry-level cybersecurity jobs and how the application process goes. I’m sure that some or all of this may be familiar to veterans of the field. If my description seems familiar and unremarkable, please understand that I think it goes a long way to explaining problems of diversity and the lack of “talent” in the field. My sincere hope is that those established in the field can take some ideas for encouraging change in their spheres of influence.
Also, I’ve taken the liberty of expanding my discussion to entry-level IT roles as well. Since failing to gain a foothold in Infosec, I’ve tried to get started at this more fundamental level over the last six months or so. From my perspective, it doesn’t lessen the relevancy of what I have to say, but perhaps there are some gatekeeping guards that I offend in crossing these two streams.
What Does an Entry-Level Job Posting Look Like?
I’ve found that there are two basic types of job descriptions when we are talking about “Entry-Level” or “Junior” roles. There are those posted by temp staffing and recruiting sites, and those I find everywhere else. I want to talk for a minute about the first type, found mostly under the temp staffing umbrella. I have found without fail that these “Junior SOC Analyst” roles attract immense attention (according to LinkedIn application stats) and are gone within days or hours of being advertised on LinkedIn. Just as often, when I get an “urgent” notification from a staffing agency saying I’m a match for a role they are seeking to fill, it turns out they are either a scam or I never hear back from them again after I respond. In any case, the giveaway is often how these roles use the phrase “Junior” in their title. Elsewhere “Junior” is nearly universally absent in infosec career listings. Apparently, the first rule of “Junior” Infosec is that there is no “Junior” in Infosec.
So, I’m going to discuss “Entry-Level” postings instead. Entry-level, for me, is defined most often by the required experience and skills, the pay range, and less often by the actual title.
The Unreality of Entry-Level roles
If you’ll forgive a bit of snark, the TL;DR of entry-level job postings is this: there are none… No really, there is a statistically trivial number of legitimate entry-level roles. Let’s start with the “Required Qualifications” that are present on almost every job description.
My experience is that almost every entry-level role asks for 3-5 years of work experience in areas closely aligned with the role described. If that level of experience seems antithetical to being entry-level, apparently you must not understand the mystic art of how infosec is going to close the personnel gap that it apparently faces. Don’t feel bad, I don’t either, and I investigated and analyzed complicated problems for over a decade. Alyssa Miller had a great thread on this irony on Mastodon a year ago or so, but without the ability to search on Mastodon, I haven’t been able to find it (if someone knows it or can find it, please let me know; this was a rabbit hole that sucked up more than an hour of my day!). In short, asking for years of work experience doing the job you are hiring for makes it not really entry-level anymore.
The next area is often rigid education requirements. I think that CompSci and CyberSec degrees must actually be Illuminati induction portals, because I am convinced that an Associate’s in CompSci from a local community college holds more respect and awe on an application than my Bachelor’s and Master’s of Science do, both from excellent schools. Yes, I understand that hands-on education in a field is extremely relevant and valuable, but I’m always shocked at how rigid and inflexible this is in the field. It’s even sometimes quite absurd, as @r0wdy_ points out on Twitter. I understand that I may sound a bit snobbish, and that’s a fair critique. However, as a first-generation college student who started life in the scuzziest of trailer parks in rural Montana and who came up through family circumstances that were wholly indifferent to my education, I’m inordinately proud of my education and of myself for achieving it. Therefore, it feels ridiculous to see what I treasure so dearly be so worthless to the great maw of recruiting.
Sure, this is a personal gripe of my own on display, but I think it gets to the impersonality of the recruiting system, both for cybersecurity and the larger corporate world in general, and I think that’s a loss for both sides of the equation.
Finally, let’s talk about the incredibly narrow technical skill requests in job postings. I’m often stunned that there is so little consideration given to the idea that broader skills might overlap or that a technical proficiency might be reasonably learnable. My favorite personal experience with this type of technical skill development came with my participation in Recon Infosec’s Network Defense Range training. Prior to it, I had had exactly zero exposure to Kibana Query Language, OSquery syntax, or Arkime, and I had pathetically little exposure to any sort of pcap parsing or to reading TCP/IP traffic. I had literally closed my private practice as a counselor less than two weeks before and was at the very initial beginnings of my infosec journey. I was drinking from a firehose, but guess what, I came ready to guzzle! Four days later I was worlds improved in my Kibana speed, I was sorting through frames and headers with reasonable competency, and I knew that, if given the time, I’d dial in the speed of my OSquery work to something faster than very slow (so many selectors to learn!). Was I ready for a job that moment? Probably not, but as someone with more than five years of training student therapists into independent practitioners, I know that the initial learning curves can be overwhelming in the beginning, but most people with passion and some reasonable stick-to-it-ness can master skills and technical abilities in relatively short periods of time. If four days of intense exposure had gotten me as far as it had, 90 days to 6 months on the job would have me pretty well polished. I really do scratch my head when I read that someone needs years of experience to master a piece of software.
So, do I think just anyone can walk off the streets and succeed at a complex role like a SOC analyst? No, I don’t, and I fully recognize the value of experience that comes with exposure over time. What I see as an experienced therapist is markedly different than what a student therapist sees in their work when we are reviewing footage of their work with clients. Experience grants great insights and wisdom, and that irreplaceable “feel” for what the next right step is. SwiftOnSecurity has a great story thread illustrating this. But on the other hand, there is so much to be said for a novice’s hunger, tenacity, and persistence, let alone the near-magical quality that a beginner’s mindset can have on a complex problem. I’ve learned over the years that both experience and inexperience can bring profoundly powerful tools to solution-seeking, and I’m honestly stunned and disappointed that this reality seems wholly lost in the world of infosec.
The Black Hole
Now that we’ve looked at what a typical entry-level infosec posting contains, let’s look at the process that happens after you’ve tuned your resume to the specific job listing, being mindful of keyword filters, and drafted a tailored cover letter, and maybe fretted yourself into an anxiety attack after you’ve hit submit and realize you misspelled an acronym or created a weird but minor indentation issue somewhere on the resume. They won’t reject your resume for that, will they?
Well, here’s what I know of the process after I hit submit. 90%+ of the time I am going to get a canned rejection email. Was it automated keyword screening? AI screening that is heavily biased to look for resumes that only have experience similar to the posting and won’t hold an ounce of value to my non-homogeneous but extensive work history? Was it an actual human who looked at my work history, laughed at the audacity of a therapist trying to work in infosec and hit the reject button? Do I ever even make it in front of a hiring manager, and what do they think and see when they look at my resume? That’s the golden question in my mind: What does that hiring manager think, and how do I stack up against the others they’re looking at? Honestly, they are probably looking at hundreds of other resumes, and someone in that stack has actual tech experience, and that experience in the field I believe is what likely trumps any cert, training, impressive past work performance, or every ounce of enthusiasm and heart I try to pour into every cover letter and line on my resume.
Without that feedback, the job-seeking dynamics take a turn towards the worst torture simulators that we have invented as humans. Seriously, as a relationship counselor I can tell you the most abusive form of relational interaction is not necessarily aggression or anger, but rather ignoring and that void of non-acknowledgement. An angry response can be hurtful or damaging, but it also carries with it an implied acknowledgement of being seen, or of some sort of peerage. Anger conveys at least a tiny bit of legitimacy, whereas the void reinforces our own worst fears of our nothingness. The black hole of neglecting and ignoring someone is so dehumanizing, and it so malforms our psyche, that we flee it almost animalistically. An especially twisted abuser blends in other approaches like praise and fear with withholding and ignoring to create whiplashing feelings and sensations that can keep survivors engaged over the long term, caught in a see-saw of pain and affirmation.
How Things Could be Different
Maybe I can’t single-handedly change anything in the industry, but I hope that if you are reading this and you participate in some way in the hiring process, you can work to introduce some transparency into it. I understand that you may not be able to individually respond to every applicant. But if I want feedback, I’d love for something other than “no-reply@” to be the harbinger of yet another rejection. Or, if I can’t even ask a real human for feedback, I’d love to know at which stage of the hiring process my application got turned back. Just knowing whether it was a keyword filter, a human, or a glut of too many applicants so mine wasn’t even reviewed would be immensely helpful. And I can’t even begin to explain how heartening it would be to know that an actual human even looked at my resume. Seriously, if you think I’m joking, I’m not; that sort of job-hunting intel would be helpful in the extreme, and would probably result in less wasted time by your recruiting staff as people like me stop bombarding you with resumes you might not want to see anyway.
Coming from a more global perspective, when has communication not helped improve a relational process? If I can’t get direct feedback, I can’t improve, and I often wonder whether a heavily automated and algorithmically biased system is actually turning out better hiring results for companies. Maybe someday we might know something different…
Next up is Part Four: The Experiment, where I try to figure out if it’s just me who’s not doing it right.