The applying post

Posted on 06.05.2016

If the title of this post looks familiar, that is because it is deliberate. Thomas Ptacek, Matasano founder and infosec expert, has written at length about hiring, both on his blog and elsewhere on the internet. I am going to write about the same subject, but as an applicant for jobs in both the information security and developer fields.

I didn't necessarily intend to work in IT. I learnt to program as a teenager and eventually gravitated towards Linux, but I never really set out with the intention of becoming a programmer. My first real job was in statistics. However, for various reasons I gravitated towards software engineering as I realized I could solve some of the limitations of our statistical packages by writing a solver, and since my internship was essentially based on concatenating datasets I upset a lot of people by writing a program to do this automatically, because who wants to copy and paste a 50,000 column dataset and call it work experience? For more complex and involved reasons I started a maths degree at a brick-and-mortar university, but this didn't work out and I got a job writing software while doing my degree via distance learning. Incidentally, thank you to The Open University for making doing a degree like this possible.

However, I was always interested in mathematics and cryptography, and it didn't take me long to discover other areas of computer security. One of the very first programs I wrote was a terrible Caesar cipher in Pascal (I know better now, but the average 10 year old does not). So you can see why I might decide it would make sense to combine my interests in both areas.

Applying to jobs as a software engineer is luck, much like any other job application, but there are some interesting caveats:

Needless to say, I have been employed as a software engineer, so the lack of degree hasn't held me back. The downsides and difficulties of such employment we can leave for another time, but it also had its upsides.

During this time, however, I have also applied for jobs in the infosec industry. The most common jobs in such an industry are to my mind web application penetration testing and as someone who does not usually develop web applications I am not necessarily surprised by the results. However it is worth breaking down my experiences.

There are others, but they are repeats of the above, or complete silence. Am I "that good", that I should get a role? Well, I am nowhere near Project Zero material and I won't be speaking at Black Hat any time soon, but I am convinced that with a bit of ramp-up I have the ability to test webapps, and I have already reverse engineered a fair amount. Needless to say, I can structure extended text in English (and in French, but I'd need a native-speaking proofreader to iron out issues).

Companies (and many governments) are aware they have problems hiring "talent", and you'll hear an awful lot in the press about how we have a shortage of talent in the "cybersecurity" world. Talking to people I know in this area, they believe we have a shortage of difference-making talent, i.e. talent-talent and not just grunts. But difference-making talent only rarely turns up, and you can nurture it in the right environment, too.

These companies have started to believe that the solution to this problem is to take the CTF concept and make games the new job application. For example, games are now being run nationally in the UK and by individual companies, with appropriately stupid names and graphics (grow up, please). This form of recruitment is a little more promising in terms of the technical evaluation of potential, but it is otherwise catastrophic, because it selects for people with an abundance of free time and the inclination to spend it playing games. Who has the most free time? Young people, probably at university or having not long finished. Who is inclined to play games? Males. So, a game like this will attract exactly the sort of people who will likely apply anyway... and only those who have the free time to do so. Do I have the time for this? Between a job and a degree, not at all.

I do not doubt hiring is a difficult, time consuming process. I have heard it said that a job interview is really a coworker interview. I would agree, and I don't see this as necessarily problematic, as you do not want someone who antagonizes an entire team, but sometimes you also need people who bring fresh views and perspectives and (constructively) challenge dogma. Technically, demanding an exact list of skills needed and rejecting people who do not meet that list (in general; I am not accusing anyone directly) sends a very clear message: you are here to solve our problem right now, but your personal development is of no interest to us. There are many posts on Google about software engineering being a dead end career and to get out by 40. If you hire only exact matches, this creates an artificial expiry of skills. Software engineers can and should re-skill frequently, and it would be helpful if they could. Yet the advice of a 40+ developer in Switzerland is that (at least European) software engineering companies offer no career path whatsoever. This is my experience too. How dumb is this? Similarly, infosec's tendency to believe that developer skills equate to no skills at all in infosec is equally dumb, but not surprising. As for money, this is a contentious topic, but if you're going to offer an absolute pittance you also rule out people who simply cannot afford the career change. Sure, a small company might have a constrained budget and might not be able to offer much; I understand this. However, as an applicant I have my own self-interest at heart.

So, in closing, every time I hear we have a shortage of cybersecurity talent I feel the need to write this post, which I have now done. I disagree. We do not have a talent problem, we have a hiring problem.