Prior to my time at Reveal Risk, I had spent most of my energy searching for the next story. I believed at one point that I would end up with a career in journalism. Then I started college and met people with different career aspirations across multiple industries. I saw that at least two things connected me to every single industry regardless of background or interest: technology and security.
This connection eventually led on my cybersecurity path. The road to get to this point wasn’t easy, so I decided to ask an expert from the industry everything I wish I had known before job searching in cybersecurity. I sought the advice of Tim Sewell, CTO and co-founder of Reveal Risk. Tim has successfully executed cybersecurity projects on a local, national, and international scale throughout his 20+ years in the field. I thought he’d make a pretty good candidate for an interview.
From my understanding, you don’t just get a job in cybersecurity because it requires focusing on core areas. Can you explain what some of those core areas are?
I don’t believe there are core areas in cybersecurity when it comes to job searching. I say this because there are opportunities in cybersecurity for almost any background. The most gifted cyber analyst I’ve ever met double majored in music and botany. What I will say is that there are certain qualifications needed for someone to do well in this industry: creativity, tenacity, and aptitude. It’s really more about your level of creativity than your [educational] background. The industry itself is also filled with different types of jobs. There’s engineering, network architecture, penetration testing, threat intelligence…and each requires a different level of core skill.
Why do you think people tend to feel intimidated around pursuing a career in this industry when there’s something for a lot of different types of people?
Everyone seems to think that you need to be a malware analyst to do well in this industry when the reality is that that role is super niche. It requires a different skillset to cultivate because you need to understand software and computer architecture, network traffic analysis, and a whole lot of other complex concepts. In other words, when people think about jobs in cybersecurity who aren’t already in the field, they think about hyper-complex roles when they could also be an assessor or analyst. And once you get started in the field, you can more easily move around learning and building up a wide array of skills.
Do you think people have a lot of misperceptions about this industry?
Yes. It’s not fair to equate an entire industry with just a few job roles that are niche, uncommon, and very complex. That’s like being asked by someone what you do for a living, and your response is, “I work in medicine.” That could mean a number of things. Are you a doctor? A nurse practitioner? A pharmacist? This concept is similar when talking about cybersecurity as a whole. There are many disciplines within this field and plenty of opportunities for everyone.
Can you think of any issues within the industry that make it hard for people to land their first job?
Some of the issues pertain to misperceptions about what it means to be in this field, which can keep people from considering a career in cybersecurity. Another issue is the hiring process itself. Expectations are askew for both employers and job seekers. There are entry-level jobs that request unicorns but only want to pay for a pony. That is to say, some businesses don’t want to pay market prices for someone’s relevant experience to come in from another organization, and then they also don’t want to pay to develop their own employees. There are entry-level postings that I don’t qualify for despite having 20+ years of experience, certifications, and being well-rounded. On the other side of the table, some candidates enter the job search with unrealistic expectations – maybe they got a certificate from a training class and were promised an immediate $100k job. We need to be meeting in the middle with rational expectations on salary for talent.
How have you tried to remediate these issues within your own company?
Aaron (Reveal Risk CEO) and I have focused on growing and developing our employees because they all show a great interest in their professional growth. We do this through encouraging mentorships, certifications, workshops, and other career growth endeavors. We also like to place people in different projects and give them different roles for a couple of reasons. We want to figure out what they’re most interested in from a project standpoint, and we also want to make them more well-rounded and marketable.
What should hiring managers do differently when trying to fill positions within their company?
Hiring managers should change their thinking to focus on the needs of today and the needs of 5 years from now with the people they already have. It’s not a popular opinion because taking this route can seem very expensive. It’s also problematic when hiring managers don’t understand the industry themselves and therefore don’t understand why cyber people need so much constant training. For this reason, there’s a perceived level of inequality among different roles and a rebellion against the high costs of experienced cyber professionals.
For example, people from HR may not understand why a cyber professional needs so much training compared to other functions that are just as important. There’s also the idea that some people think these high costs are a scam because they don’t think they’ve been targeted yet.
And they assume this without knowing fully all of the threats they are facing from not investing in their information security?
Exactly. That’s also a fallacy within the cyber industry. We aren’t doing enough to educate others on our needs. We need to do a better job of what it means to be good in the industry. We have some very fundamental vocabulary challenges, we’re immature as an industry yet very expensive, and hiring managers try to minimize their costs as much as they can. To non-experts, experience trumps education when it comes to hiring new talent but that’s not always the case. It’s difficult to talk generically about jobs in cybersecurity because of the various roles and challenges in finding talent. Overall, this field is not well understood therefore it’s hard for businesses to determine what’s important. We need to do a better job of prioritizing the interest and growth of the employees.