Is cybersecurity the right job for you?

Headlines, reports and keynote addresses describing a cybersecurity workforce crisis continue to dominate the IT security landscape, with thousands – even hundreds of thousands – of open positions for cyber pros. Are you one of the many IT workers looking to make the jump, only to fall short of getting hired? It's all too common, and there are some surprising reasons why.

At a time when cybersecurity is more important than ever, countless thousands of tech workers are looking to find a way into the lucrative and ostensibly wide-open field. A number of them, limited by a lack of security experience, the wrong educational background or inadequate skill sets, are being shut out, even as the staffing shortages mount. Combine that with a hiring process that doesn't quite fit the mission, and it's a recipe for confusion and frustration all around.

"The problems and shortages are so severe at this point, employers want people who can hit the ground running and who have that experience," said Hord Tipton, executive director of (ISC)2, a top IT education and certification organization, and former Interior Department CIO. "In many cases they don’t have the time, patience or comfort level for hiring entry-level people who have to learn on the job. So that makes it difficult, and fixing it won't happen overnight."

Even though workers with IT experience might not be considered entry-level, the lack of security-specific experience creates barriers to jumping into cybersecurity. But there may be deeper reasons, too: if you keep getting shut out, it might not be right for you.

"You have to have a passion for what you're doing. You have to have that natural sense of curiosity about how things work," said Fred Kerby, instructor at the SANS Institute and formerly an information assurance manager at the Naval Surface Warfare Center. "It's not something you can just get a certificate for and check that box on your resume. You can learn everything about the subject matter, but a good manager can see if the passion is there. And if it's not, then it's not the job for you. That's not necessarily a bad thing, but it is something that people wanting to get into cybersecurity should be thinking about."

Further up the chain, getting through the hiring filters can be a struggle. Tipton and Kerby both agreed that the traditional human resources process, through which applicants typically are sorted, might not work so well when it comes to cybersecurity hiring.

"Today all the applications are filtered by keywords and reviewed by people who don't necessarily understand what the mission is. If you don't understand what the mission is, how do you find the right person for the job?" Kerby said. "When I was hiring, I used to sit down with a candidate and tell them, I'm going to ask you 20 questions. Here's the 20 questions; it's not a pop quiz. There are no right or wrong answers. By the end of those 20 questions, chances were I knew whether that person was right for the job, but more importantly that person knew whether the job was right for them. You can't know, whether you're the manager or the candidate, if someone is right for the mission until you sit down with them and figure out what makes them tick. And that's hard to do when you're talking about huge numbers of workers and positions."

Tipton pointed out that with the growing awareness of cybersecurity – as evidenced by high-profile cyberattacks such as the November 2013 Target hack – even hiring managers are becoming more savvy. The hope is that broader understanding of cybersecurity will continue to grow as the field expands in two ways: vertically and horizontally.

"Vertically, we're going down now into grade school, finding kids with the knack for security and growing them up through college into places where they can get the right experience and certifications," Tipton said. "We also recognize that there are a lot of people out there ... that have to pick up and enhance what they know about security in order to operate in a very complex area. That’s more of a horizontal pathway."

Continuing education, certification and training all are key in getting hired, but success after the first day on the job also is an integral part of resolving cyber-staffing woes. Much depends on employers making known their expectations and requirements.

"Before I left my [Navy] job, one of the most important things I did was sit down and write down everything I did as the incumbent," Kerby said. "You have to have a clear description of what your requirements are before you can find the right person to meet those requirements and succeed in the role. There has to be that clear understanding on both sides."