The Myth of the Straight Path - Part 2

Are Job Descriptions Failing Us?

In this part of my breakdown of the challenges of hiring in cybersecurity, I’ll focus on the issues the hiring team faces when looking for talent. This information is still relevant for job seekers looking to get into the space, as it affects how they should tailor their job search and build their skills.

Ground Control to Major Tom

Ever get the feeling that the job description you are reading for that stellar position you KNOW you’re qualified for is just a generic copy of a standard description? Well, it probably is. When a new role opens up on a security team (news flash: this applies to most job openings), the hiring manager works with the hiring team, such as HR or internal/external recruitment, to determine what is needed for the position. There will be a set of tools used by the team, and the new joiner will need to be familiar with, if not proficient in, some or all of them. There will be processes and standards the joiner will need to understand and have prior experience with. Depending on the role, there may be regulatory requirements the joiner will need to know. Those are discrete, specific checklist items that get included in the job description. The other, more generic skills, however, are usually taken from a template or your favorite search engine and sprinkled with the specific tools, processes, and regulatory requirements for the particular role.

This mostly works, but generic job descriptions attract a lot of applicants. While there is not much hard evidence, there is plenty of anecdotal evidence that many people apply to roles even when they know they are not qualified, and this is borne out by recruiters routinely receiving a large number of applications for a single position. We’ve probably all seen the numbers on LinkedIn for roles that have been posted for only an hour and already have over 100 applicants.

Where is the failure here? Is it desperation on the part of job seekers, the desirability of the role or company, or a vague job description that opens the door to misaligned applicants? In reality, we have a lot of entry-level folks looking to get into cybersecurity with a degree and a set of certifications that may not align cleanly with the open roles. They will apply anyway, because whether we like it or not, getting hired today is a numbers game.

Glassdoor found that, on average, each corporate job posting on its site attracts approximately 250 resumes. Of those applicants, only 4-6 will be called to interview, and one will get the job.

This means job seekers will apply to open roles that match even a sliver of their experience in the hope of getting one of those callbacks. Meanwhile, the hiring team is often looking for an exact match to the requested skills in order to find a qualified candidate, leaving other qualified candidates to continue their job search.

I remember a year or two ago I was speaking to someone (we’ll call him Bob) at a conference who came up to me after a panel I was on to tell me his job-hunting story. Bob knew the hiring manager at a company. The hiring manager told Bob to apply and that it was just a formality, given that the hiring manager knew Bob had the skills they were looking for and specifically wanted to hire him. After a few weeks, Bob got a rejection. He reached out to the hiring manager and asked why he was rejected. Guess what? The resume never made it to the hiring manager. Bob was rejected on a technicality in the application process. Bob was hired anyway, but this only highlights the challenges that both sides of the equation have.

Bottom line: even if the hiring manager wants you specifically, you still need to get through the system that is built to weed through and reject that deluge of applications.

Can we write better job descriptions?

While not a panacea for the ills of the job market, we may get a better experience if we write job descriptions that actually match the reality of the position we are hiring for. This means no more copying and pasting from a search engine or taking the generic template from HR and giving it some makeup. It means looking at the role you are hiring for and building a job description that expresses the tasks of the role, the skills needed to perform it, and the expectations for the candidate’s knowledge.

This is where the NIST NICE Framework can help. I’ve talked about NICE in a previous release, where I discussed the challenges facing entry-level folks looking to get into the cybersecurity field. What if the hiring manager crafted the job description and outlined specifically to the hiring team what they needed for the role? Would this reduce the abundance of applicants for an open role? Possibly.

Let’s take the example of a hiring manager looking to hire a Security Controls Assessor. Based on NICE, this role has the following description:

“Responsible for conducting independent comprehensive assessments of management, operational, and technical security controls and control enhancements employed within or inherited by a system to determine their overall effectiveness.”

Pretty straightforward, and likely to be used as the heading when this role is posted on your favorite job site. But what are the actual requirements for this role? Well, according to NICE there are ~300 tasks, skills, and knowledge items required for someone to be successful in it. They range from the task “Develop a cybersecurity risk management plan” to the skill “Skill in translating operational requirements into security controls.” Can we create a job description based on these ~300 tasks, skills, and knowledge items? You bet! Here is a brief job description that can be used as a starting point that aligns to this role:

As a hiring manager, you can take this basic job description and embellish it with your organization’s specific tools and processes to build a more tailored job description for the role. You should also look at the online version of the NICE Framework to check whether other components of this role need to be pulled into the job description. The goal is a job description that not only meets the needs of the role but clearly outlines who would be qualified for it.

How does this help the job seeker?

As a job seeker, your abilities need to line up with the job description. It’s that simple. This alignment is easier when job descriptions are better written and actually describe the role. However, you still need some forethought about how your skills, education, and experience fit the role.

When I get asked how entry-level folks can break into cybersecurity, my first question is always “What do you want to do in cyber?” There are 52 work roles in the NIST NICE Framework, ranging from technical to non-technical, and each has a set of required tasks, skills, and knowledge. Given the variety, you are not likely to be prepared for any specific role the day you graduate from college. You will have a generic set of skills similar to those of many other graduates. So how do you prepare and distinguish yourself? The first approach I would suggest is to look at the 52 roles in the NIST NICE Framework and determine which one appeals most to you and your goals. I can’t stress this enough: you need to like the job you land. Don’t chase a role because you think it will be glamorous or bring you fame and riches. Do it because it interests or excites you. The reality is, once you land that job, it’s just that: a job. You’ll have to drag yourself out of bed every day and put in effort. Make sure you enjoy that effort.

The 52 work roles are broken into 7 categories, each aligned to an area of cybersecurity. Learn these and understand what they mean and what functions they serve in a broader cybersecurity program. More importantly, know which categories fit your abilities. Are you a curious person? Look into the Investigation category. Are you analytical? Check out the Cyberspace Intelligence category. Are you interested in laws and regulations? What about the Oversight and Governance category?

From there, understand the work roles and the tasks, skills, and knowledge required for them. Take the System Authorization work role as an example. This is one of the roles most in demand today according to www.cyberseek.org. The System Authorization role is “Responsible for operating an information system at an acceptable level of risk to organizational operations, organizational assets, individuals, other organizations, and the nation.” Based on the tasks outlined for this role, the employee is likely to oversee the management and approval of accreditation packages, ensuring compliance with standards like ISO/IEC 15026-2. They would assess the requirements of cyber-physical systems, evaluate the safety and operational impacts of cybersecurity lapses, and align IT goals and objectives with organizational priorities. Additionally, the employee would identify critical procurement needs, integrate leadership directives into their work, and ensure that functional requirements and intelligence collection objectives align with enterprise strategy. Their role would also involve reviewing and validating authorization and assurance documents to confirm compliance and risk mitigation.

Does this sound like something you could do on a regular basis? If so, you might be ready for this role. However, you need to prove it. Taking the knowledge and skills required for the role, you can begin to build your learning journey: not just getting the training needed, but also creating a portfolio of work that can be shown to a future employer. While cybersecurity training abounds on the web, building skills is harder and requires time and effort. For this particular role, you could create projects that can be shared on social media or in a public repository (like GitHub) to show prospective employers and add to your resume.

Some ideas:

Develop a cybersecurity roadmap for a mock organization that can be used to forecast future security needs based on current trends and to assess specific requirements such as infrastructure upgrades or compliance obligations.

Create a security policy framework for handling sensitive data within a department or team, drafting policies and procedures while ensuring alignment with regulations.

Perform a detailed risk assessment of a hypothetical organization’s critical systems, analyzing vulnerabilities, threats, and impacts while proposing mitigation strategies.

Develop a solution to mitigate a specific cybersecurity challenge, such as phishing attacks or ransomware threats, highlighting the analytical thinking behind an effective solution.

These can help a prospective organization understand your methodology while also showing your ability to take initiative in creating work. Bonus: you are building experience and muscle memory in the process.

There is no easy path

For job seekers, getting into this industry is a lesson in frustration, and those of us already in it are often at a loss about how best to direct newcomers to the field. But it’s important to go where the data leads you. Look for the roles that are in demand, build your skills and knowledge around the roles that most closely align with your interests, and network with others.

For hiring teams, use the NIST NICE Framework to build job descriptions that are true to the role being filled. This will require solid communication between the hiring manager and the hiring team in order to understand the actual need for the role. A good recommendation is for the hiring manager and team to become familiar with the tasks, skills, and knowledge required for the role and build that into a job description that describes what a new recruit can expect.

The goal here is to create healthy job alignment that enables the right people to apply to the right roles, where all parties involved have a clearer understanding of their expectations. The intended byproduct is fewer misaligned applicants applying to poorly defined roles.
