I have personally been stuck in a situation where I have a large amount of talent/potential with minimal skills due to not having the opportunity and being looked over constantly for new roles. I am referring to this happening towards the beginning of my career and not present day. This was without a doubt one of the most frustrating situations for me. I wasn’t getting hands-on experience with security tools at work because I worked for a company that was very small and couldn’t afford any security solutions, let alone big-name ones. I was stuck with trying to do vulnerability management with free open-source tools, learning and testing things in my home lab, preparing for certifications and getting my master’s. This was all a gradual build. After 50 or so interviews I realized that even though I managed all of vulnerability management at my company, it wasn’t enough for employers. I then graduated to doing new things in my home lab; when that didn’t work, I started earning certs, and when that wasn’t enough, I got a master’s degree.

All of that being said, I was willing to do whatever it took to get a job with a security focus so I could get the experience I desperately needed. I even offered to work for employers for free just so I could get the experience. I always got the same response from my interviews: “the team really liked you and thought you show a lot of promise and potential but you lack the experience with the tools we have and so we are passing on you”. In my opinion this is a cop-out response. They should have just said we don’t want to take a risk (a small one at that) on someone that has zero experience with these multi-million-dollar tools. Get that experience then please reach back out. It would have been a slap in the face but at least it would put things into perspective. I am not able to pay for licenses with Splunk or Carbon Black or CrowdStrike or CyberArk. If I could then I wouldn’t be applying for a Security Analyst position that pays $70k.

I have always been extremely disappointed by companies when they have this mentality, especially at lower entry-level roles. It has always made me feel like they have their heads on backwards because they aren’t willing to give someone a chance but also won’t pay someone market value for the skills they are looking for. As a company you should either be willing to pay market and above for the desired skills and/or experience or you should be open to hiring young talent that has the ability to learn and train them up.

Companies are always looking for exceptional talent externally to fix problems internally. Rather than looking internally and investing in that talent, they feel it’s better to find the unicorn outside of the company and either not offer them enough money or hire them as a one-man army with too much to do.

So what am I saying? Companies need to have a blend of both worlds. You need to have experienced and skilled professionals that can run projects, teams and tools properly. You should also have a talent line where you are hiring less-skilled, high-potential people for lower-level roles and investing the time and money into them so they can grow. Doing it any other way is a disservice to your company, your employees and the marketplace. This will develop not only the skills you need to be successful as a company, but it will bring loyalty along with the workforce that you have built up. This seems like a very common-sense thing to implement but I have barely seen this implemented at companies of any size and market. It is a true shame that the industry is missing out on great talent that is only looking for a chance to turn their passion into a career. I know people that are willing to do anything for the proper experience, that are great workers and even better people, and companies still won’t give them a chance. In the security industry as a whole, we need to do better in this area.

In other news, I do have big news coming that may be announced in the coming weeks. There are quite a few moving pieces but once everything gets sorted out I will immediately let you know. Thank you to all my readers, viewers and commenters. The support for my blog has been far more than I deserve and I really appreciate it.