In this chapter of Unusual Journey into Infosec, we peek through the blinds, carefully observing the industry from the periphery, because this time I wanted to explore some of the challenges of trying to break into Infosec.
I’ve been speaking to many people on Twitter over the past six months who have been exploring their options to jump into Infosec. Many of these people have transferable skills, but for one reason or another this isn’t translating into successful job placements.
In December 2017 I received a response from Colette Weston, someone I’ve been following and interacting with for a while. Her story really resonated with me, mainly because her skills and experience are directly applicable, but most of all because her passion for Infosec really stood out.
I think recruiters have a role to play in managing expectations of employers, opening the employers up to other candidates who fit 60% & can be trained for the other 40% — Colette Weston 2017
Colette has a strong interest in the human, organisational and regulatory aspects of information security: security management systems and organisational security controls (including standards, best practices and approaches to risk assessment and mitigation), as well as human factors such as usable security, social and behavioural factors impacting security, security culture and awareness, and the impact of security controls on user behaviours.
This is her story, and our discussion about the challenges breaking into Infosec!
CyberSecStu (CSS): So I’m talking to a range of people from the community about their journey into Infosec, can you share yours?
Colette Weston (CW): Not fully in yet — but I think chip server, hair washer, lifeguard, PE teacher, holiday/airport rep, sales, recruitment, PA & SAHM, to name just a few, is pretty varied. In my honest opinion, many hats give you much perspective & everything is relevant.
CSS: I think experience in diverse fields helps provide a real-world and rounded perspective of Infosec. So what is your perception of the barrier to entry to Infosec, if any?
CW: So many employers want you to have experience in a neatly packaged box tied with a bow & a label that says Infosec — life is not so simple.
Experience is gained from many roads. An example is why I didn’t go fully into teaching: I considered that all my best teachers had done other jobs before teaching; they were fully rounded & had perspective. I wanted to be that teacher, so went to get some experience of the world… & now I want to apply that experience to Infosec & help others.
CSS: Because there is a shortage of people in the industry what should employers be doing?
CW: What I’ve gained from my many many jobs is experience of people and how they behave and why. My teaching gave me an understanding of teams & how they work together or don’t. My rep’ing taught me how to stand in front of 320 delayed tired Scots & tactfully tell them they would be further delayed because their flight could not be fixed.
As a PA I anticipated my boss’s needs before he realised them & had the papers or info to hand, thinking ahead and running through multiple scenarios. And as a mum, how to deal with fractious young people in high-stress situations on virtually no sleep.
Employers need to be prepared to train the missing skills or certs and acknowledge transferable skills. They need to be prepared to spend a bit of money on moulding existing talent to their specific needs rather than looking for unicorns.
CSS: Excellent! They are certainly valuable skills. Tell me more about unicorns…
CW: As we know unicorns are few & far between so whilst that role is languishing open waiting for that magical beast they are not doing what they can to make us safer.
I’m on the periphery and maybe slightly biased, but these are my observations. For example, I know that one of the women who went through & passed the cyber retraining is still unemployed. A wonderful lady with non-traditional skills & now with all that great training — still unemployed — which seems like under-utilising much-needed talent!
CSS: I fully agree - and that is a shame. Do you think companies just want someone they can plug in and get immediate results? Moreover, do you think expectations from employers are realistic?
CW: The thing is that this variety of experience means we are less likely to settle for something that does not fit. We want a bit of flexibility from our employers & that makes us more work. So it’s easier to say “you know what, we will wait until we get x”.
A lot of employers have unrealistic expectations of their workforce; they forget it is a symbiotic relationship, and if it goes too far one way it doesn’t work.
I do think employers want someone who can just sit down & work from day one, & yes, that is possibly unrealistic; I’ve seen this from my experience of being a recruiter. I think recruiters have a role to play in managing expectations of employers, opening the employers up to other candidates who fit 60% & can be trained for the other 40%.
There are lots of companies out there who retrain. You only have to look at Dr Black to see how someone can do amazing things if they are given the right support. Furthermore, Lee Munson, brought in by Brian Honan, is a classic example of non-traditional entry, but Lee needed some flexibility for his family commitments.
CSS: Excellent. Agree with all your points; in fact, what we really need is the 80/20 rule. Someone must have at least 80% of X skills (soft and technical) to do the job, and we’ll invest to train on the 20%.
CW: Something like that would be welcomed - it is unrealistic to expect folks who may already be only just about managing, to choose to spend £x on a certificate or course rather than feed the family.
Jenny Radcliffe’s podcasts show time & time again that the folks who are already here are from non-traditional backgrounds — they (folks already in the industry) need to be (& often are) sending the lift back down to help others from similar backgrounds in.
A bit like Steve Jobs saying that the end consumer does not know what they want, employers often do not know the kind of employee they need.
CSS: You’ve given me (and the readers) a lot to think about… extremely insightful.
One final question, how do you plan to fully move into Infosec, and what can we do as a community to help?
CW: My plans are currently being worked on - I spoke at Bsides London & Manchester this year (2017), I’m currently rehashing my LinkedIn & have asked Dr Jess & my two Bsides mentors, Stuart Coulson & Andrew Barratt, to have a look & make suggestions. By the end of 2018 I will be in — PMA!
I would also like to add how grateful I am for the support that I have had from those already mentioned, Jenny and Jess, and also from @Freakyclown @ZephrFish @davparkinson @AppSecBloke and yourself, who have all been great supporters. Thank you!
Firstly, I have a lot of respect and time for Colette. She is very active on Twitter and is a valuable member of the Infosec community, and I am sure many who know her will mirror this statement!
The question remains, though: how do you get into Infosec when you have no direct experience? As Colette mentioned, there are retraining schemes available, usually funded by the Government and social enterprises, but these don’t always work.
If you are just starting out and don’t want to go down the traditional education route, then there is a range of options; these include, in the UK, apprenticeships (or the equivalent in the US). There is also the option of getting an internship and hoping that you are retained. This is a risky tactic in my opinion, but I’ve also seen it work.
Having a blog, being active in the community and finding a mentor will help get you noticed, and this seems to be a popular route. I would add that creating a portfolio of research, work, GitHub repos, literally anything you can reference in an interview, will certainly add a ton of credibility.
But let’s say you are not starting out and, like Colette, have a diverse skill set and real-world experience to add to a business. Changing industries is never an easy task; however, it’s perfectly legitimate, and the Infosec industry should be no different.
However, I’m going to fork this discussion for a second. Because of the fast-paced nature of the work we do, not to mention the attackers’ constantly changing tactics, trying to catch up on everything after taking a week out is hard. So asking someone to jump right in and expecting them to know all the things is not only unrealistic but a risk for the employer. But one, in my opinion, worth taking. I have a theory that seems to have worked for me:
Hire for work ethic/attitude first, as skills can always be learnt later. — CyberSecStu, just now.
We as an industry need to get better at identifying the traits and skills that make a great Infosec professional, and then develop training that can accelerate their learning and growth. By investing in talent we create Infosec professionals who are valued and want to return that investment through hard work, pride and excellence in what they do. And yes, this may sound like an idealistic scenario, but with constant warnings of talent shortages, we need to stop looking for unicorns and start creating them!!!! (rant over).
So, closing the loop: if you have diverse skill sets and, most importantly, transferable skills, then be active in the community, get blogging, but most importantly communicate how these skills are transferable and how your real-world experience makes you more rounded. Diversity and new approaches to solving problems are 100% what this industry needs more of!