CHAPTER 8

Concluding Thoughts and Tips for Candidates

Reflecting on the lessons of this cybersecurity workforce development process, it’s important to get back to basics. This book intends to lead you through a complex jungle by taking the first deep cut at the trail. The Can–Trust–Will path will take you from start to finish, as long as you follow the key markers. First, ensure you understand what you actually need on your cybersecurity team. Knowing the basics of the field of cybersecurity and how it interacts with your organization is the starting point. Second, get the job description down to brass tacks: the Can and the Will of the job role. Next, build your preliminary candidate pool wisely: use your network to learn who is out there, use recruiters as partners, use conferences as knowledge builders and candidate showcases, and re-learn the purpose and significance of the resumé.

Candidates choosing to be proactive and read this book: kudos. The detailed background of the Can–Trust–Will hiring process, in addition to the insights of leaders in the cybersecurity field, offers an unparalleled view of how to be the best candidate for the right job role for you. In addition to the lessons and observations of the book, remember to home in on why you love this field. What knowledge do you have about it? Where did you learn it? What behaviors do you have that make you a fit for certain cybersecurity roles?

Rodney Petersen explains the significance of career awareness in the field of cybersecurity, and why people interested in learning more about, starting, or transitioning to a career in cybersecurity should know there are multiple pathways in:

Rodney: An important element of the strategy related to the cybersecurity workforce is what it means to work in a cybersecurity-related career. Increasing career discovery, career awareness, is another area that we are focusing on with a dedicated week on career awareness. While that is a good start, I think we’ll do more over time. Learning and credentialing systems continue to evolve, and there is recognition that academic degrees are just one pathway to a role in cybersecurity. So are apprenticeships, so are career changes for individuals who have relevant life experiences or work experiences. As a community we can help people to think broadly about the multiple pathways to a career in cybersecurity. I think those are some of the general trends that we’re seeing over the coming year.1

Can you solve the problems being faced by your prospective employer? Can you do what they need done? Can you fix the things they have broken? Can you work in a team? Can you speak “people” and not just “tech”? Are you committed to “right” instead of “no”? How much does what Nick Davis has to say resonate with you?

Nick: You really need people who love the subject area who care about themselves, because you can’t be sitting around babysitting people in information security. You need those people to take the responsibility you give them. Otherwise they’re not going to be interested, they’re not going to be adaptive, and you’re not going to get done what you need to get done.2

Regarding how you get to the proper knowledge base, it is becoming clearer that if you have the skill, then not having degrees and certifications is less and less likely to be a barrier to entry. We, alongside our contributors, are not saying to ignore the typical degree process; working toward and obtaining a degree can demonstrate determination, passion, and skill. What we are saying is that businesses—employers—are now seeing that degrees don’t necessarily correlate to success in cybersecurity. What does that mean for you as an employee? It means an employer with a degree prerequisite probably has a bureaucratic culture which fails to recognize when changes need to be made. This is not the only thing to consider when deciding whether to accept employment, but it should be a part of your decision-making process if they make you a job offer.

The innate curiosity, the need to learn, the desire for the difficult problem, figuring things out rather than needing to be right is much more relevant than degrees and certifications. Consequently, this is the mindset the best employers look for in hiring.

Here are a few bullet points which most of our industry experts repeated:

Learn to search for what you don’t know and what you can’t solve. When you get there, learn to find others who, when working together, can quickly and correctly get to “right.”

Be a learner, be an unafraid problem solver. Get comfortable with being uncomfortable.

It’s the accomplishment, not the spotlight which matters. Learn to make the accomplishment of someone on your team a source of visceral satisfaction for you.

Cybersecurity is a career for a naturally curious person who is also a fast learner.

Communication is key. If you can’t communicate, you’ll struggle to land a job and you’ll struggle in the job you get.

Know network architecture and general system structure.

Don’t be afraid to break things and want to learn how to fix them.

The stereotypical tech “answer guy” is now a fail.

Desire to be a member of a team and everything being on a team means.

A great statement of the core concept comes from The New Zealand All Blacks rugby team. They have fifteen Principles for Success which the team lives by. Principle number six is simple and impactful and applies here:

Principle No. 6: No Dickheads. Excuse the language but it conveys the point. You want to enhance your team by adding talented players but that doesn’t mean that any talented player will do. The All Blacks are very much a team first and look to find individuals who have the right character. You can develop talent, you cannot change character.3

It is said there are many extraordinarily talented rugby players in New Zealand who will never pull an All Blacks jersey over their heads—simply because they do not have the character required to put themselves second and the team first. Every single one of the cybersecurity industry experts we interviewed for this book raised and articulated this principle in their own way—every single one.

Finally, ensure you work to create and grow relationships within your company and within your network. As Andrea Markstrom explains:

Andrea: The most important and valuable step that helped me the most was forming relationships right from the get go. For example, at Target, I was a level-one voice engineer, the CIO at the time was a woman. I aspired to be in that role someday and thought she did an amazing job. I observed how she conducts herself and manages herself, and I just went out on a limb and invited her to a meeting to see if I could learn from her. She accepted and provided invaluable advice and insight. It’s about extending yourself and asking for not only to learn from people but asking for help. Ask leaders that inspire you if they would be willing to be a mentor advisor for you. Those relationships are treasures. Don’t forget to give back and be a mentor and advisor to others. That is an incredible learning experience as well. I’ve done this throughout my career, so important and so valuable.4

This type of guiding relationship—mentor or less formal—is truly invaluable. Amanda Tilley outlines how mentors have helped her uncover the fields of information security and cybersecurity:

Amanda: I never thought I’d be working in information security. I didn’t have a technical degree, I didn’t know many women pursuing cybersecurity, and I didn’t know that information security was so much more than hackers in hoodies. I’ve been incredibly fortunate over the years to have mentors in my workplace who actively challenge me to shape and achieve my potential. I cannot stress enough how important that cross-departmental mentorship is for career development. Perhaps that analyst in accounting or risk management with a political science degree could be your team’s next leader in information security?5

Circling back, if you are transitioning to a career in cybersecurity, or are coming from a non-computer-science background, cybersecurity may still be for you. Many of the new entries to the cybersecurity workforce come from nontechnical backgrounds, as Amanda points out. And generally, the opportunities in cybersecurity are diverse, expanding, and constantly evolving.

The following appendices are not intended to be a resource from which you can cut and paste. Rather, they are intended as a starting point, an example of how to articulate behavioral characteristics. Part of an effective behavioral interview is ensuring it’s correctly (and custom!) built, and drafting your own description of the terms you use is an integral part of the thought process. You may note that some of the questions we outline seem close to being duplicates, and some of the characteristics we highlight may overlap to a large degree. This underscores the concept that there is no magic question, nor is there a correct answer. Alternative formulations aid in digging down to the stories which reveal whether a candidate has the behavioral characteristics you need. And that’s the goal—to understand.

The point of these appendices is to trigger your thinking, not give you answers. You simply can’t build or conduct a behavioral interview without thinking deeply about it. We offer the following as a diving board; jump in with your own roles and responsibilities and identify the behaviors which correlate to success in each job at your company.

1 R. Petersen, in discussion with the authors.

2 N. Davis, in discussion with the authors. July 27, 2020.

3 15 All Black Principles. https://thewhitehorsefederation.org.uk/downloads/default/All-blacks-Poster_01.pdf

4 A. Markstrom, in discussion with the authors. June 24, 2020.

5 A. Tilley, in discussion with the authors. July 02, 2020.
