Published on September 25th, 2020
Meet the researcher who wants employers to write better infosec help wanted ads
Spot the problem: a job description that requires five years of experience with software brought to market last year. Or one that calls for expertise on every system developed since the Apollo program.
Dozens of help wanted ads are shared and ridiculed among experienced pros looking for new gigs and novices looking to start careers in an industry notorious for a workforce gap. Alyssa Miller, a security advocate at Snyk and a longtime hacker and researcher, wants to save employers the embarrassment. She’s researching the phenomenon and what to do about it, even soliciting ads that “suck” for study here.
SC Media spoke to her about all the ways ads go bad, and what to do about it.
When you say you’re looking for ads that “suck,” what exactly does that mean?
You’ve got tons of people trying to get into the field who can’t. You’ve got companies who say they’re looking for skilled people but can’t find them. And you’ve got experienced people who are in the job market and can’t find jobs.
At the beginning of the year I did two surveys with about 1,500 people — one for people who were experienced and one for people who were newer. What I found was a significant number of people looking for a new job for six months to a year or even longer. One of the things coming up I see a lot is that job descriptions are awful.
You see “10 years of Kubernetes experience” when Kubernetes has only been around seven years. You see entry-level positions that require three to five years of experience. Or you see internships that require a CISSP, which you can’t get without five years of experience. There’s a lot of different patterns out there. I’m trying to identify what it is people are perceiving as bad job descriptions, analyze those job descriptions and come up with strategies for what needs to be done differently. [This is better than] a bunch of people saying that recruiters and hiring managers are lazy or don’t know what they’re doing. None of that’s helpful.
It seems like, by listing unrealistic or impossible standards, you would be asking applicants to self-select as the type of person who would lie to you about being qualified.
The reality, based on the stats we’ve seen, is that one demographic group does that most often. Males. In an industry that’s only 20-25 percent women, we know women are more likely to self-exclude when they don’t check all the boxes, whereas men will say “I’ll apply, why not.”
Now, I’d struggle to say that’s the only problem with the gender gap. But I would say it’s probably a contributing factor.
What’s funny about that is what we tell people who want to get into the industry. “Go do CTFs. Go do labs. Go do all of these self-taught things that are not demonstrable in a hiring perspective.”
If we want to see it all documented in work experience, why are we telling people to do all this other stuff we won’t acknowledge as valid experience?
So, why would a company set out unobtainable hiring goals?
That’s what I’m trying to get to the heart of, what I’m trying to answer.
Hiring managers have told me that some of the listings, especially in government, are intentionally designed to receive no applications, so they have an application process but hire the person they decided on in advance.
But based on the analysis I’ve done I think most of the time our expectations in hiring are unrealistic, and I think there is a problem where hiring managers and recruiters don’t really consider how their lists of requirements affect job seekers. A lot of times you have someone sit down and write a job description and think about all the technologies in the organization and put all of them in — maybe prioritize them [by saying] “these five technologies are critical.”
And I think even at that point, it still isn’t the right approach. I’ve had success as a hiring manager myself by not being so worried about the specific technologies that they come in with and instead understanding those core transferable skillsets that I need for someone to succeed. It may not be technology at all.
Is it more important that someone understands Splunk, or that they can look at a screen, see the information they have to process, prioritize, and execute what they need?
What about in companies that are not prepared to train a candidate up from scratch? How do they get the candidate they need without overdoing the listing?
Again, it is going to focus on what you absolutely need. But part of the problem, honestly, is that organizations are going onto the job market not wanting to train people up in the first place. It’s an unsustainable model that every organization wants that ready-made security expert, just bring them in and go.
Security is a $177 billion industry in products alone. There are no two companies that have the same mix of products. Thinking you’re going to find a special unicorn that has this exact mix of all the experience that you want them to have doesn’t work. It’s not going to happen. But very few industries are willing to bring in someone new to bring them up to speed.
We don’t do this anywhere else. We don’t hire programmers assuming they will design software free of bugs and flaws. We accept that’s going to happen and that they’ll work with the enterprise-class people and they’ll grow.