As Security leaders we hear all the time about the shortage of qualified candidates to fill our open positions. However, this isn’t a new problem; in fact, it’s one that has existed for 10+ years at this point. Compounding this problem is the “Great Resignation”, and the (still forming) consensus that some significant percentage of your employee base is thinking of leaving their role in the next year. Hiring for entry level roles to help address this gap is often discussed, but rarely implemented.
It doesn’t take long on any job hunting forum or cybersecurity focused social media to see frustration from jobseekers with “entry level” postings. It’s common to see “entry level” roles that require 4+ years of technical experience, knowledge of multiple scripting/programming languages, and certifications that take thousands of dollars and years of experience to achieve. For jobseekers looking to break into the field, these are significant and very challenging obstacles to overcome. You see the result of this imbalance everywhere in the industry. Any time I speak in front of students, or talk to candidates looking to break into the field, the most common question I get asked is how to “get your foot in the door.”
On the surface, the case against creating true Entry Level roles is strong. Employers worry it will take too long to train less experienced staff, and they won’t be able to adequately secure their organization while that happens. Without a doubt, there are situations that require specific skills and expertise where Entry Level isn’t appropriate. However, I think many organizations would be surprised how much upside there is to hiring Entry Level roles in a deliberate and strategic way.
I’ve spent the last 14 years in my current company. Throughout that time I have always believed in having a “pool” of employees in Entry Level roles learning foundational cybersecurity skills. This has allowed us to quickly move an employee up into a more sophisticated role as the need emerges. Over the years I’ve had a dozen or more employees make the transition from non-traditional skillsets like accountants, bank tellers, call center reps, and help desk staff into cybersecurity professionals. Some of these employees have stayed with the company, and are among our most senior/skilled staff. Others have left and become recognized leaders in the broader security community or had extremely successful careers at major companies (Microsoft, Oracle, Splunk, and Mandiant to name a few). Both paths are excellent outcomes, both for my company and the security community as a whole. True Entry Level positions can be extremely successful, and I’ve seen time and again that when a passionate person is given the chance to grow they can exceed your expectations.
Creating successful Entry Level roles doesn’t happen by accident; it requires careful planning and consideration. I’d strongly encourage employers to truly get comfortable with considering non-traditional backgrounds as relevant experience. Other disciplines require many of the same core competencies required for security roles. Medical professionals, for example, live and breathe process and policy. Financial professionals are experienced with separation of duties, dual control and the principle of least privilege. Any profession where writing and communication skills are emphasized can be a huge win for a Security Team. A significant percentage of senior security professionals struggle with writing for a business stakeholder, and clearly communicating complex concepts.
Start your program by opening yourself up to considering other types of relevant experience. Then design the roles in your teams to accommodate an Entry Level skill set. Security Operations Centers can be an excellent place for a new employee to cut their teeth. Every SOC has lower-risk alerts triggering in their systems that still need to be worked. Take a risk-based approach to assigning those alerts to more junior staff, and implement a peer review system. While it adds some overhead to existing staff, the impact is short-lived, especially when your entry level staff are passionate and excited to learn. Similar opportunities exist in research focused roles and Threat Hunting roles. The role itself doesn’t matter too much, as long as you have a supporting structure surrounding it. Take a risk-based approach to assigning projects and tasks, and ensure it is OK that mistakes are made and a feedback loop is in place.
When new employees are given the right level of training and exposure, allowing them to build foundational skills, they can grow into and excel quickly in new roles. It means that when you have to fill a more senior role, you can tap that Entry Level employee to take on a bigger challenge. They know your culture already, they have the right foundation of skills, and bring excitement and passion when given the opportunity for a larger challenge. As a result, in my experience, they can be effective in a more sophisticated role in a matter of months, ultimately saving you money and time on hiring, recruiters, and integrating employees into your culture. It’s a clear win for both your organization and the employees you help grow.
Today the Entry Level roles that get posted on job forums are rarely suitable for someone new to the discipline. Hiring smart/passionate people, and creating an environment in which they can learn, is a huge opportunity. Take the time to design roles that will build the skills of entry level candidates. You will find that those same candidates accelerate incredibly quickly into more sophisticated roles when you need them to. It’s still going to be a challenging hiring climate, but by truly supporting Entry Level roles you can improve both your own program and the broader industry.