Posted on 06.05.2016
If the title of this post looks familiar, that is deliberate. Thomas Ptacek, Matasano founder and infosec expert, has written at length about hiring, both on his blog and elsewhere on the internet. I am going to write about the same subject, but as an applicant for jobs in both the information security and developer fields.
I didn't necessarily intend to work in IT. I learnt to program as a teenager and eventually gravitated towards Linux, but I never really set out with the intention of becoming a programmer. My first real job was in statistics. However, for various reasons I gravitated towards software engineering, as I realized I could solve some of the limitations of our statistical packages by writing a solver; and since my internship was essentially based on concatenating datasets, I upset a lot of people by writing a program to do this automatically, because who wants to copy and paste a 50,000-column dataset and call it work experience? For more complex and involved reasons I started a maths degree at a brick university, but this didn't work out and I got a job writing software while doing my degree via distance learning. Incidentally, thank you to The Open University for making doing a degree like this possible.
However, I was always interested in mathematics and cryptography, and it didn't take me long to discover other areas of computer security. One of the very first programs I wrote was a terrible Caesar cipher in Pascal (I know better now, but the average 10-year-old does not). So you can see why I might decide it would make sense to combine my interests in both areas.
Applying for jobs as a software engineer is luck, much like any other job application, but there are some interesting caveats:
Some jobs will demand a degree and will not consider you without one. These tend to be large-ish organizations such as IBM, who will hire almost anyone with a 2.1 regardless of prior knowledge of computing or demonstrated expertise. Indeed, such large organizations, and much of UK government, have precisely two application paths: (very) experienced and graduate.
Many jobs contain a huge wishlist of criteria, which you must match as closely as possible regardless of your ability to learn. It is fairly commonplace for jobs to list a ton of criteria. The top item on careers.stackoverflow.com on my homepage right now requires:
Finding a developer that matches these requirements exactly is likely to be difficult, and I would argue it would be impossible to find someone with expertise in all of those, particularly PKI/encryption techniques and ElasticSearch/MongoDB. I would, for example, match the scripting language Python, but my Ruby/Perl knowledge would not immediately be sufficient to write quality software in them tomorrow.
Having filtered out all the available candidates using the above two criteria, the company will then do an interview where they ask you questions like "what is the
In startup land it is common to replace salary with vague promises of future wealth, or to create a cult of personality where those you deign to employ are special because you "only hire the best" and you are a "dream company", or to attempt to distract from the fact that work is work with nerf guns and table tennis. Or maybe all three. At my last interview I was asked "do you want to be a millionaire?"
Needless to say, I have been employed as a software engineer, so the lack of a degree hasn't held me back. The downsides and difficulties of such employment we can leave for another time, but it has also had its upsides.
During this time, however, I have also applied for jobs in the infosec industry. The most common jobs in the industry are, to my mind, in web application penetration testing, and as someone who does not usually develop web applications I am not necessarily surprised by the results. However, it is worth breaking down my experiences.
There are others, but they are repeats of the above, or complete silence. Am I "that good", that I should get a role? Well, I am nowhere near Project Zero material and I won't be speaking at Black Hat any time soon, but I am convinced that with a bit of ramp-up I have the ability to test webapps, and I have already reverse engineered a fair amount. Needless to say, I can structure extended text in English (and in French, but I'd need a native-speaking proofreader to iron out issues).
Companies (and many governments) are aware they have problems hiring "talent", and you'll hear an awful lot in the press about how we have a shortage of talent in the "cybersecurity" world. Talking to people I know in this area, they believe we have a shortage of difference-making talent, i.e. talent-talent and not just grunts. But difference-making talent only rarely turns up, and you can nurture it in the right environment, too.
These companies have started to believe that the solution to this problem is to take the CTF concept and make games the new job application. For example, games are now being run nationally in the UK and by individual companies, with appropriately stupid names and graphics (grow up, please). This form of recruitment is a little more promising in terms of the technical evaluation of potential, but it is otherwise catastrophic, because it selects for people with an abundance of free time and the inclination to spend it playing games. Who has the most free time? Young people, probably at university or not long finished. Who is inclined to play games? Males. So a game like this will attract exactly the sort of people who will likely apply anyway... and only those who have the free time to do so. Do I have the time for this? Between a job and a degree, not at all.
I do not doubt hiring is a difficult, time-consuming process. I have heard it said that a job interview is really a coworker interview. I would agree, and I don't see this as necessarily problematic, as you do not want someone who antagonizes an entire team, but sometimes you also need people who bring fresh views and perspectives and (constructively) challenge dogma. Technically, demanding an exact list of skills and rejecting people who do not meet that list (in general; I am not accusing anyone directly) sends a very clear message: you are here to solve our problem right now, but your personal development is of no interest to us. There are many posts on Google about software engineering being a dead-end career and getting out by 40. If you hire only exact matches, this creates an artificial expiry of skills. Software engineers can and should re-skill frequently, and it would be helpful if they could. Yet the advice of a 40+ developer in Switzerland is that (at least European) software engineering companies offer no career path whatsoever. This is my experience too. How dumb is this? Similarly, infosec's tendency to believe that developer skills equate to no skills at all in infosec is equally dumb, but not surprising. As for money, this is a contentious topic, but if you're going to offer an absolute pittance you also rule out people who simply cannot afford the career change. Sure, a small company might have a constrained budget and might not be able to offer much; I understand this. However, as an applicant I have my own self-interest at heart.
So, in closing, every time I hear we have a shortage of cybersecurity talent I feel the need to write this post, which I have now done. I disagree. We do not have a talent problem, we have a hiring problem.