Career Advice Tuesday- “Observations From Black Hat”

August 9, 2011

Having just returned from Black Hat, we thought it would be good to utilize Career Advice Tuesday to provide our readers with some observations and what it means to you and your career as an information security professional.

1)   Our industry has a short memory

Not too long ago, Mike and I were sitting together putting together the “Career Incident Response” Podcast series, because there were so many information security professionals who were getting outsourced, downsized, or laid off.   How quickly things have changed.   Prior to a the conference an article by Information Security Media Group claimed 0% unemployment and during the event the NSA announced it was going to use DefCon as a job fair as an attempt to hire 1500 information security professionals.    Walking the trade show floor, dedicated their booth to recruiting members for their team, and many of the booths had signs that said “we are hiring”.

While we do not believe that there is 0% Infosec unemployment or that the audience at DefCon will have an easy time passing the NSA Background Check requirements, we do believe that the employment market is increasingly healthy.   During the conference itself, I (Lee) personally had meetings with over 15 new entities (corporations, service providers, product companies) who would like to attempt to engage LJ Kushner & Associates’ services to help them recruit information security talent.

It is my belief that all of the recent events have awakened many to the fact that information security needs to be an element of their business and that hiring the right talent is a great challenge.

2)   We Don’t Have A Quantity Problem, We Have A Quality Problem

Without question employers need to hire information security professionals.  It is also clear that by the attendance at both Black Hat and DefCon, there are plenty of folks who are either information security professionals or who have an interest in becoming information security professionals.  So, if that is the case, what is the issue – the hiring needs should be solved – but they are not.

What many do not understand is that there is a big difference between “people” and “talented people”, and there is bigger difference between a “job” and a “quality job”.

Information security professionals are operating under the misconception that just because they are in the field of infosec, that they are qualified for many of the positions that companies are looking to fill.  The fact is, that although many information security pros are more than qualified to perform their same job at a different company, they are not viewed as qualified for information security opportunities that can be viewed as a “step-up” and will advance their careers.   The main reason behind this is the lack of investment in their professional development beyond standard industry certifications.

On the flip side two things are happening.   First, the positions that many company’s are advertising for are viewed by many information security professionals as “dead end” jobs, that on the surface do not provide the growth and career advancement opportunities that many are looking for.  Secondly, when companies are looking for more talented and experienced professionals, they are creating job descriptions that require complex skill combination and experience requirements, without offering compensation packages that are consistent with their requests and reflect a “risk/recruitment” premium for the applicants that they are searching for.

Therefore their junior level roles go unfilled because no one wants them, and their senior level roles go unfilled because their skill requests lay outside their budget.

Something has to eventually give in this process – or the information security talent myth will continue to grow.

3)   Outside Market Conditions and Industry Events Will Have An Effect on our Future

While we were attending BlackHat, the United States extended our debt ceiling,  and then on Thursday, the stock market plummeted 500 points, which was followed on Monday with another 600 point decline.

We both do not claim to know anything about the stock market, but there is no question that if the world slips back into a global recession, the information security industry is not going to be immune to its effects.  Now is the time for information security professionals to take a pro-active approach to insuring that that they do not become collateral damage if the economy begins to deteriorate.

The only sure way to insure your career is to continue to build your skills, stay current with technology, and demonstrate our value to your current employers.   Now that times are good, and we are in demand, it is time to take advantage of the situation, and use your current role as a platform to exhibit your skills, your impact and your knowledge.

If any one of our readers have their own information security career observations from Black Hat, it would be great to hear from you.

Lee and Mike

Posted by lee | Filed Under Behavior, Career Advice Tuesday, Planning, Recruiting, Security Industry 


3 Responses to “Career Advice Tuesday- “Observations From Black Hat””

  1. philA on August 9th, 2011 10:26 am

    Sage advice.

  2. JT on August 9th, 2011 4:15 pm

    It is a frequent refrain that what we need is skilled people not warm bodies. It has been a problem for awhile and is why NSA created the National Centers of Academic Excellence in IA Education program.

    As someone who is committed to this field, but is on the outside looking in it is hard to find a good map of what things I should be doing to become one of these skilled people. Part of the problem is the field is HUGE. What is a good career path for a pentester is not going to work for some one in compliance.

    I would love to see some recommendations for entry level IA people and for mid-level people looking to make that next move. I know that is beyond the scope of this forum, but someone out there need to tackle this!

  3. JT on August 9th, 2011 4:18 pm

    Ohhh and your BH talk on “Infosecleaders Professional Development Workshop Today at Black Hat” looks like what I am looking for!! You guys going to be doing something similar somewhere else in the near future?!?!