Ben Rothke’s Review of Develop Your Cybersecurity Career Path


Ben Rothke has reviewed over 700 books on a range of topics. One of his most frequent topics is Cybersecurity. Suffice it to say he knows a thing or two because he’s read a book or two. Over 5,000 people have found his reviews helpful and CISO DRG is very proud of Gary Hayslip, Chris Foulon and Renee Small for writing Develop Your Cybersecurity Career Path, Ben’s most recent review subject. Thank you Ben – your reviews are always insightful.

Ben posted his review on Oct 1 and gave Develop Your Cybersecurity Career Path 5 stars. Here is the full review:

One does not have to drive very long down a highway to see billboards with programs encouraging people to sign up to get trained in a career in the lucrative field of information security. Articles such as "The 10 fastest-growing jobs of the next decade," "Wanted: Millions of cybersecurity pros. Salary: Whatever you want," and other similar pieces have created a feeding frenzy in the information security space.

While those articles are often more histrionic than accurate, the reality remains that there are indeed many information security jobs open. As I wrote in "The fallacy of the information security skill shortage," a large part of the so-called information security skills shortage has more to do with firms that refuse to pay market rates for information security professionals.

But for those who have an interest in information security, how exactly can they enter the field? In Develop Your Cybersecurity Career Path: How to Break into Cybersecurity at Any Level, authors and security veterans Gary Hayslip, Christophe Foulon, and Renee Small have written a practical, and more importantly, honest guide on how to enter the field.

One of the mistakes people make is thinking cybersecurity is a monolithic field. But within cybersecurity, there are many different domains and areas. This is best exemplified by Henry Jiang (CISO at Diligent Corporation) in his map of the cybersecurity domain. A quick glance at his map shows scores of different areas, which exemplifies how diverse information security is.

Many times, books with multiple authors suffer in consistency and readability due to different styles and approaches. But this book benefits from multiple authors, as there are numerous ways to get into security, and each author brings their unique story and strategy.

Many people are tempted to go into security for the money, but the book cautions that they will not succeed without a passion for the topic. While security is portrayed in the media as often being James Bond-like, the authors detail the dark side of information security, which a person should consider before going down the path.

I would have liked to see in the book an emphasis on those considering a security career getting their hands on Kali Linux. Kali is an open-source Linux distro made for security, forensics, and penetration testing. It has over 600 information security tools. Kali is an excellent way for someone to get their hands wet with security tools and see if they are interested in it.

This is an inexpensive way to play with security, as you can run Kali on a $300 desktop. But 20 years ago, the tools on Kali alone would have easily cost over $250,000. A lot has changed in the last few decades.

There are countless articles about getting into the security field, many of them vendor-sponsored. But there's a dearth of sage advice on how to do it right. For anyone considering entering the information security career path, Develop Your Cybersecurity Career Path is an excellent book to help them on their journey.

Turn Your Company Into an Incubator for Cyber Talent

We started planning our first true getaway vacation since the start of the pandemic, but this vacation would have a bit of a twist. It would be the first time leaving our rescue pup behind. We had adopted Henry just before California’s first shutdown. We started thinking about which of our pet parent friends might be available to dog sit. It didn’t even occur to us to ask our closest friend, since she wasn’t a pet parent herself.

This is often the case at our companies as well. We usually don’t think to look close to home, because members of our workforce who are not already on the security team lack essential domain experience. Yet, at the same time, we’re facing a tremendous struggle filling many of our cybersecurity job openings. The reasons are many, and there is no one-size-fits-all solution. However, one potential gold mine should not be overlooked.

Most medium to large companies already have several programs, from awareness to advocacy to compliance, that feature or even rely on co-workers from other departments. And many of these same companies do welcome that co-worker when they walk in, visit an internal recruiter, and express a desire to explore a formal transition. But how many have an active internal recruiting and development plan to find and nurture future cyber talent from their own ranks? Too few! Why is that? It is true that they don't have (much) cyber experience to start with, but if we go back 15-20 years, neither did any of us. How did we start? We volunteered or were "voluntold," depending on acumen, curiosity, and necessity.

This article will explore what it might look like if we employ all the techniques that we advocate for in discovering and developing cyber candidates for our own workforce.

DON’T FORGET YOUR CHANGE MANAGEMENT TRAINING

First, a word of caution. Implementing a program of internal recruiting and development should never be done in a vacuum. Depending on the current culture of internal mobility, this could be a significant undertaking in change management, and you’re going to want more than just buy-in at the top. You’re going to want to take a strategic approach to both planning and rollout. Not only will this reduce internal resistance (interdepartmental poaching may still have a level of stigma for some executives), but as with any significant new initiative, you’ll likely have better internal recruiting outcomes if you work across disciplines to design the program.

Begin your exploration with your HR business partner. At this stage, you don't necessarily need any fully formed ideas about program particulars. Perhaps a few "what if we…" thoughts, just in case you need to stimulate your HRBP's thinking. Start your exploration by asking if they know what kinds of programs the company is brainstorming for internal mobility. Chances are, there is something that the HR team has been kicking around for a bit. Perhaps it is lower on their list of priorities, but it is likely that something is there to start with. Depending on how developed the thinking seems, you can use this either as a jumping-off point for discussing your ideas or as pure intel for framing your questions and proposals when you are ready to start fleshing out what you want to do.

ATTRACT, PREPARE, AND PLACE

The goal of this recruiting program is to leverage techniques from both your internal mobility program and the portion of your talent acquisition program that focuses on non-traditional candidate pools. If we look at the three-step process of attracting, preparing, and placing from the perspective of the worker who wants to transition their career, we can start to sketch out a program to create a new pool of candidates.

Let’s start at the beginning – how do we create an opportunity to work in cybersecurity for people without the training or background? We must first build awareness that the opportunity exists and that they would be welcome. How do companies create awareness for recruits in general? One common approach is a job fair. Your company might consider holding an internal job fair. This could be an excellent way to reach employees who are already considering a transition to cybersecurity but didn’t think to ask their manager about internal opportunities. If you’re holding a job fair, it should come with an explicit assurance that their manager would sanction a transition into cybersecurity.

You will want to work with the talent team to ensure that you are staffing this correctly so that interested people can get the information they need to start their journey. Help them begin to uncover the skills they have that are most transferable to the jobs in cybersecurity you’re trying to fill. Do they have good analytical skills? Are they well-versed in the compliance requirements of the company’s products and services? Also, make sure they know what step they should take next and follow up with them. 

There are some job roles that have obvious entry-level transferability. Network operations has long been a pool of potential security operations candidates, and internal audit can be a stepping-stone for security compliance. But as we’re trying to go back a little further in the development journey, don’t overlook the soft skills such as institutional process knowledge, curiosity, and communication. Our security teams often could use a transfusion of folks with these kinds of skills.

Remember that we’re also trying to tap into a pool of candidates who may have some level of interest but probably do not have much confidence that they have the required aptitude for cybersecurity. To overcome that barrier, we might use a “Capture the Flag” (CTF) or another introductory event to entice interest and show the candidate pool that cyber is fun (and accessible). Then, of course, we’ll accompany fairs and CTFs with an awareness campaign that keeps the workforce up to date on openings, events, and, for those further along, we can deploy the next set of tools. 

BRING YOUR PROGRAM OUT OF THE SHADOWS

Now that we’ve established interest and given them a glimpse of what skills they might be able to transfer to a potential job, we need to start preparing them for the entry-level roles you are building a bench for within your security program. Just like the initial attraction phase, we’re going to rely on tried-and-true techniques, only this time it will be targeted at a different population. Depending on their skill level, you might create several internal internships along with volunteer opportunities for some and job sharing and rotational assignments for others. 

Create multiple entry points, so you don’t scare away the less experienced or bore the folks who are further along on their journey. Many companies already use cyber champions and evangelists. If you have a formal program, great: you have at least one ready-made path for people who want to transition to cyber. If not, now is your chance to launch or formalize such a program. Make it known to participants that this is a way to demonstrate an interest in a transition to cyber.

Before you place them in an entry-level job, the last step is to integrate them into your network and expose them to the full range of career development you use for your existing team. You likely sponsor membership in professional organizations such as ISACA, ISSA, and (ISC)². You may participate in InfraGard. You probably conduct internal team meetings for knowledge exchange. You send your people to conferences, boot camps, and training, and sponsor certifications. You may even have a bug bounty program. Extend these opportunities to your pool of internal recruits. Invest in them as you recruit them.

Assign a buddy to them just as you would a new hire. Even if they don’t end up transferring into your organization, they will learn skills that make them a much better partner to you in their current capacity. And when they do take the formal step of applying for a position, you’ll know more about them as a candidate than almost anyone else who might interview with you. Their onboarding (which you will not short-change, despite the temptation) will be much more effective. They will bring with them relationships and experience that will be invaluable to your function.

As with any new program, you’ll want to close the loop with management and report on metrics you devise to gauge your effectiveness and make corrections as needed. We know we can’t wait for cyber talent to come to us. We need to grow it ourselves.

Coming full circle with Henry, our friend eventually put her hand up and said, “I’ll do it. I’ve never had a dog before, but I love Henry.” Of course, we were thrilled, but we took it slow. We started by having her hold the leash when we took him for a walk and progressed to putting his walking collar on, and eventually, she was ready to take on the little green bag. She did her first overnight a few months later and is gradually learning how to understand his needs and strike the right balance between indulgence and discipline. So, the moral of the story is look closer to home, hire for attitude, and train for skills.

This article was originally published in Cybersecurity Magazine in Fall 2021