If you are applying or have ever applied for a role in cybersecurity, you will easily agree that the experience has similarities to the 8th task of Asterix in ''The Twelve Tasks of Asterix'' movie by René Goscinny and Albert Uderzo.
For those that haven’t seen the movie, in that particular task, Asterix and Obelix must obtain a particular permit from a very bureaucratic organisation only to discover that they will keep being redirected for other permits, as pre-requirements, for the one they really need, over, and over, and over, and over.
One will not do! They will need many! (But in the end, they needed none)
In cybersecurity, job candidates are expected to have certain well known certifications. This excludes most academic education (say what!). Without those certifications, applicants will be frowned upon and seen as if they would not be able to appreciate or understand what is communicated, the hardship involved or the level of details required to survive yet alone assist someone else in their survival.
That of course will change once they obtain A, B and C certifications, or A38 for that matter… most likely the same as those the hiring manager holds… as if only then, shall the candidate be able to see the world as it really is! Or at least as they think it is, or the one they are familiar with.
Without A38, Asterix will not be called for an interview!
Artificial Intelligence
Yes, no interviews! Be it because an AI won’t find A38 while CV scanning and reject the application, or if the gatekeeper is a human recruiter, he or she not having the required knowledge as to infer if the job requirements could otherwise be met. As such, your CV will make the pile of those not suitable and you will get no rejection email, as if you are not worthy of the time spent sending it.
As an example of this silliness, imagine being rejected for a Junior role because YARA (Yet Another Ridiculous Acronym) was not found on the CV of a web developer (think JSON and regular expressions for pattern matching).
Nonetheless, as AI is the great next thing, the future looks very bright! I’m of course using sarcasm as it is quite the opposite.
AI in recruitment is a lose lose proposition. At least currently, it is very much so. But such is the state of things… yet, meanwhile some still defend that there’s no talent available and soooooooo many more people are needed (more on this later).
So… certifications appear to be the key! And like Asterix, you’ll need A38.
Trick or treat
But you will need more than A38! And there are so many certs out there, by so many organisations, some new, some old, some academic, some not. Will you know how to avoid paying 800 euros to some knowledge academy just to discover they had no knowledge or academy? Danger lurks! What to do?
You could cheat!
You could get someone to pass an exam for you or you could fake the paperwork by copying real diplomas of those that share theirs online!
Who’s ever gonna find out, right? If in the UK someone manages to fake medical certifications and is able to play doctors, what is there to lose?
You’ll get to avoid the pre test anxiety and having to regurgitate something you memorised into a multiple choice exam paper without ever having to devote time to properly learn or think and no one else will be the wiser! After all, they just want a “laisser-passer”! A piece of paper!
If risking freedom and getting some jail time does NOT sound interesting, perhaps I can seduce you differently: imagine the pride of managing to trick everyone, all of the time… now that! Is social engineering!
Unless you are above 30 of course, the excuse: “I really didn’t know what I was doing, I meant no harm” no longer works, because then it’s just dumb. So if you are going to cheat, do it young!
You will get to feel the excitement of having the FBI, EUROPOL, CYBERPOL or another security agency looking for you. Hell, your name may even make it to a book, and you will never feel alone again, as you’ll have your own agency babysitter always close to you!
Aside: The above as crazy as it sounds, it’s actually a very viable path to get a job in cybersecurity. In Portugal, a known cybercriminal even had a misinformed politician standing behind his absolution, PRE-TRIAL! (the person came to their senses later, we all make mistakes).
Is there another way?
For the slightly more ethical of us and perhaps more dull (and poor), fortunately (ufff), there are many resources available as to obtain knowledge and direction!
There are video casts, podcasts, courses and multiple books advertising ways to get in, made by many authors, that truly mean well and want to help you! You may even get a B43 for free, or a R15 that may or may not be similar or better, than A38. They know how busy, stressed and burnt most cyber professional are, and they still somehow manage, to get time to help others! Hats off.
However, they are not the gatekeepers! And… once you had a listen or had the chance to read a bit of the material, you will discover that, unfortunately, different content authors will have different views and say different things. There’s no wide agreement on role titles, nor exactly on what the responsibilities of each should be.
Confused? Why is this so? Well, systems are complex and differ immensely. And cybersecurity is still a young field. More experiences and experiments will be required until the absolute truth, and nothing but the truth, will eventually compose what will become common knowledge. Perhaps then all people will say the same things.
What do you do then? You could perhaps pick just one of those content authors to learn from and try to follow their particular path. Yet, I fear you may ended up losing time because the “laisser-passer” holder, will still want that A38!
So if you want to work there, you must have an A38 and it won’t matter how much you know or what else you learned, nor from who. So ya better open thy wallet!
What do I get if I choose to spend money on a cybersecurity certification advertised for a job?
Once you have invested your own capital (or borrowed) as to obtain the exact knowledge required to perform the job certificate or certificates, you will then discover that you must start at the lower ranks making very little money even if you have been in IT for more than 20 years.
And like a cute little soldier recruit, re-learn everything you already know, but this time the way they, the “lesser-passer” holder, learned, no matter what and with no excuses!
“There is no easy way to train an apprentice. My two tools are example and nagging.” - Lemony Snicket
Regarding career progression in your new field, you will discover, that you will need many years overcoming several bespoke hurdles, particular to that organisation and leader, before you can reach any senior or leadership position… just like the “lesser-passer” did. And if he or she leaves and is replaced by another, well, you will have to ask what the new barriers will be.
Aside: If you find yourself listening to someone making up barriers so that they exalt themselves, mention that Japan has a minister of cyber that never used a computer, then sit back and observe the way the geek will laugh. Later share the same with a business man and a politician. I expect that you shall find all will laugh. Yet, that the difference, shall be that the geek will be laughed at. Depending of course on how they believe the world works.
So… What’s going on?
Scarcity is a known instrument to inflate prices and requiring certification is a barrier to entry. Just like water suddenly costs a fortune once you pass the security gates in an airport, so do the value of those that work in any field where talent is at miss.
However, more and more people are noticing that what is said is not the same as what is happening, as it’s getting harder and harder to hide that the wider advertised cyber shortage gap is actually a fallacy! And all one has to do, is to look at the the number of applications each job advertised gets! Recent LinkedIn example:
I spoke to Brian Haugli from SideChannel later that same day. Brian shared that they had received 250 applications in less than 24 hours.
How could this be? What magic did they use?
Well, from the job specification I’ve noticed the following:
Minimum Years of Experience: 2
Certification(s) Preferred (not required): Security+
Like in the “The Emperor's New Clothes” by Hans Christian Andersen: “The king is naked!”
What can be fixed?
Those holding the permit (those hiring), should either embrace change or suffer the consequences of being the laggards. Talent is slipping under processes and procedures and AI is not helping (yet)!
Hiring managers expecting clones of selfs or unicorns, should probably be better off making babies (and remember that even those, will only be half a clone), because fully grown clone technology in only available in the movies (think Star Wars).
Those that have unfriendly super geeks employees, the know it all kind (damn man, they invented the thing) should really be worry about how to get them to develop new talent! What will happen when the guy is gone? Perhaps a fluorescent gun will allow you to get a new unicorn.
Lower the bar! By lowering the entry bar, you will get hundreds of eager and willing!
There’s no shortage, there never was. What there is, is complex work that is best performed by people with experience. And there’s a lot of work, and a lot of experience, lacking. You either reach back and educate those you hire, or you risk letting others capture the talent, develop it to their liking and needs, and see high performers on other teams.
And you may even get a bonus when you do decide to make things easier for everyone, as per the following example from 1906. Oh my, a patent!
There are things that change, a lot, others, don’t. Can Asterix manage to pass the task and get a job in cybersecurity? The real question seem to be: which A38 opens more doors, because there’s no away around it. Or is there (smiley face)?