Poor recruitment processes are causing the great security talent drought

It's a refrain at this and past RSA conferences, that companies can't hire enough top-notch talent, but it's addressable if companies hire smartly and applicants learn how to play the game. "Far too many hackers have expectations that are unrealistic," said Tim O'Brien, director of threat research at Palerra – who has been on …


  1. Anonymous Coward

    I choose interesting and well paid.

    Corps need to start valuing security. If they don't want to offer a paycheck worthy of all that accumulated knowledge and skill, it's better to just hit them with a crypto locker, and/or sell their shit on the dark web.

  2. Anonymous Coward

    long live poor recruiting

    With how specific my job skills are, poor recruiters without realizing it will let me know if an employer is shopping around for cheaper very quickly. Another reason why unless you really like and have some trust for your current company (like I now do but took me 15 years in my career to reach) you should dangle your resume/CV out there every now and then even if you are not that serious.

  3. Pascal

    "Generally, you've got a choice of a job being interesting, legal, or well paid – and you only get to choose two of those."

    Yeah, screw that. I'll go for interesting, legal AND well paid, thank you very much.

  4. Pascal

    "Companies should also be doing more to hire a diverse team, panelists said. Currently, women only account for around 10 per cent of information security positions, and with minorities, that falls to just 2 per cent, meaning there is a reservoir of untapped talent out there."

    Bullshot. I'd *love* to hire more women in IT jobs. Seriously, it would create a better working environment for developers and ops staff. But it's a simple fact that (less than) one applicant in 10 is a woman. How does the lack of interest for a certain group in a certain class of job equate to "untapped talent"?

    Either way, point the finger at schools / etc for not getting enough women interested in the field, not for companies that are not hiring non-existent candidates.

    1. John G Imrie

      If 1 in 10 applicants are female

      And 1 in 10 of your work force is female, then I'd say you either have the balance right or you are not advertising in the right places.

    2. Ken 16 Silver badge

      Not that easy

      There was a good balance of women in IT before the 90's but the hacker-kid image started putting a barrier to entry and a lot of the low end InfoSec jobs (where anyone good starts out) perpetuate that image. As with the general talent problem, I think they need to hire outside the mainstream of IT, people with the right mindset and talents who need a little extra technical skills to fill the role, rather than those with the technical skills and try to develop their mindset.

      1. John G Imrie

        Re: Not that easy

        I think they need to hire outside the mainstream of IT, people with the right mindset and talents who need a little extra technical skills to fill the role,

        Like Station-X did during WW2

    3. chivo243 Silver badge

      Good point:

      "Either way, point the finger at schools / etc for not getting enough women interested in the field,"

      However, I work at a school with a woman IT teacher, and I'm afraid she probably turns the female population off to IT as a profession.

  5. Mike 16

    ATS Madness

    While applying for a diagnostics and (Linux) driver job, I was required to submit my CV in MSFT Word(tm) form. Because *nix kernel hackers all use Word, or because their pre-screen software could not handle any other format? See also requiring n years experience in some language/technology that has only been out for (n-2) years.

  6. Youngone Silver badge

    HR Dept

    In my experience, the problem is almost always the HR people.

    In my last job, my boss the IT manager decided we needed a new PFY, he had a young fellow recommended to him who he interviewed. The young gentleman seemed ideal, had some good experience and seemed to have a great attitude.

    A few days tagging along with me was arranged, I thought he was great, a job was offered and accepted.

    HR then intervened, saying he couldn't be employed as he didn't have the correct Microsoft qualifications.

    Fortunately the IT Manager shouted and got his way, the PFY joined us, and was as good as we thought he would be.

    I have similar issues with HR in my current job.

    1. John H Woods Silver badge

      Re: HR Dept

      HR should simply not be involved in recruiting in anything but procedural details -- checking driving licences, security clearances, credit check etc. The idea that any of them should participate in, let alone conduct, any interview in which the technical (suit)ability of a candidate is addressed is ... well, it's beyond stupid.

      1. Youngone Silver badge

        Re: HR Dept

        @ John H Woods

        You're not wrong there, but in my last job and also this one, HR are politically powerful, and appear to have won some battles, meaning that they seem to have the ability to dictate.

    2. Anonymous Coward

      Re: HR Dept

      A few years ago a young computing graduate friend was failed at the first HR computerised hurdle for a big IT company. He didn't have enough UCAS points from his GCSE results. There was no way that he could communicate that his work at university had earned him accolades from Microsoft. Shortly afterwards he was snapped up by a prestigious IT company at an eye-watering starting salary. They only recruited a few graduates each year - and they offered him the job on his first interview.

      Another graduate, in Economics, was rejected at that same first company's out-sourced second hurdle. It took the form of a telephone interview. The interviewer's English was very poor and my friend was constantly asking her to repeat what she had said. He went on to become a Chartered Accountant for one of the big accountancy names.

    3. theOtherJT Silver badge

      Re: HR Dept

      They're a nightmare.

      I've been in my current role for 3 months. For TWO YEARS previously, the role went unfilled - on paper at least - and I was basically doing it unpaid, because HR wouldn't accept that I was qualified to do the job. I mean, never mind the fact that I was already doing the job; the fact that I'm self taught and have nothing more than a decade or so's experience with the exact systems the role supports - some of which I DESIGNED - wasn't good enough. I didn't have the paper qualifications, so they wouldn't submit my name for interview.

      After over a year and 2 rounds of interviews where they failed to appoint anyone, I was finally allowed to apply for what was effectively my own job. (And immediately appointed to it.)

    4. Anonymous Coward

      Re: HR Dept

      We are forced to advertise all jobs via HR and it is just as painful for us. They just don't understand technical skills and have no idea what makes a good business intelligence candidate and would send me terrible CVs while screening out good ones that didn't have the right buzzwords in them. In the end I told him not to screen any applications and just to send them all through to me. It takes me a little while to go through them but at least I can actually see the people who are qualified!

      The worst thing though is this mandatory "behaviours" test HR put on our application site. Even people applying internally have to go through it, and if you fail it point blank stops you applying. Hilarious for it to tell people who've worked here for years very successfully that they aren't the right fit for our company!

      1. Anonymous Coward

        Re: HR Dept

        HR just forwarded me the resume of a dental assistant, who left their last job because "it was a joke".

        She wanted to work for a "reputable, lively" company.

        What I'm looking for is an application developer.

      2. Anonymous Coward

        Re: HR Dept

        > ... screening out good ones that didn't have the right buzzwords

        That, and the above mentioned "wants years of experience in something new" approach to over-speccing the requirements.

        It's really really frustrating to read between the lines, work out what the job actually is (not what HR have said it is), work out that it's something I could do quite well, but it just isn't worth the waste of time applying as I can't tick the boxes for skills not needed for the job.

        Worse than that, there's a local large employer who has a system that, as explained to me, will never put more than 5 CVs on the hiring manager's desk (well, email inbox). So not only are HR filtering out good candidates, they are artificially restricting how many of those that actually pass the first filter actually get considered by the person who understands what they need! And they are always complaining about how hard it is to get good people to go and work there!

        Anon because ... well don't want to tip the boss off (yet) that I'm looking elsewhere.

        1. Keith Glass

          Re: HR Dept

          Stepping out of the Wayback Machine in 2001, I got a ping from a pimp^h^h^h^h recruiter who was looking for 10 years of experience with Windows 2000 server. Even though I had done some work with every version of Windows Server since NT 3.51, the fact was, in 2001, NOBODY ON THE PLANET had worked with Windows Server for 10 years in 2001.

          The recruiter was nonplussed. . . the dotcom I was working at, at the time, was laughing about it for at LEAST a week. . .

    5. Chika

      Re: HR Dept

      In my experience, the problem is almost always the HR people.

      And with this, the whole of my current situation is explained. I've tweeted about it, blogged about it but nothing resolves what I view to be the biggest problem with current IT employment.

      I have "dangled my CV" out there, rejigged it to please any number of different companies yet nobody seems interested. Yes, I get the occasional recruitment consultant (hack, spit) phoning up to say that I'm a perfect fit for a job only to never hear from them again or get promised an email with a job spec which never turns up.

      I am admonished to make my CV truthful, check the spelling, fit it into two pages (a difficult task at my age since I've seen so much, done so much and have so much that I have to leave something out! Suffice to say that I've had experience in a lot of different areas), make it as authoritative as possible, dot the eyes and cross the tees yet when I see the state of the adverts I am applying for I wonder if some of these jobs will ever get filled.

      Things like shopping lists of brand names or obscure, even far legacy applications, requirements of experience of systems that have barely been released, the ability to "hit the ground running" as so many will put it are often the reasons why I find myself asking why I even bother anymore. That's even assuming that they can even spell their own advert! Employers want it all and have no wish to put any effort into finding the best fit and filling the gaps where necessary which means that so many people end up jumping through so many hoops only to find that the ultimate end result is a big, fat zero return.

      And it's the "Human Resources" attitude and methodology that is often to blame. They deal in lists, labels and other bits of paper. They are the beancounters of the job world yet few call them out on it. Few are allowed to call them out on it since they often hold the future of your career in their hands.

      Fortunately the IT Manager shouted and got his way, the PFY joined us, and was as good as we thought he would be.

      And well done to that IT Manager. Would that a few more would stand up to the HR mentality in that way.

  7. Doctor Syntax Silver badge

    "it's beyond stupid"

    Yes, but it's HR.

    1. 's water music

      "it's beyond stupid"

      Yes, but it's HR.

      tautology FTW

  8. A Ghost

    I'll never get a job in IT

    My friends and family think I am a wizard. They stare open-mouthed at my achievements of building computers, installing OSs, even tackling ransomware viruses once they have hit (3 days to restore a system and clean it).

    So imagine their incredulity when I tell them that I'm too stupid to get a job in IT. That I am just not 'clever enough'. They don't believe me. How could they? Dunning-Kruger by proxy if you will.

    No, they simply believe that I am lying.

    I probably am clever enough for a job in IT, but the fact I have not worked for the last ten years means no one will consider employing me.

    "Oh, so you're a lazy bastard then?"

    That always makes most sense, and it's just what I tell people now. Cut to the chase.

    1. ecofeco Silver badge

      Re: I'll never get a job in IT

      Too clever? You're a level one tech and yes you can get a job. It won't pay for shit but you gotta start somewhere.

      That and get over yourself.

    2. Anonymous Coward

      Re: I'll never get a job in IT

      Reading your post, I can think of other reasons you don't have a job in IT.

    3. Joe Montana

      Re: I'll never get a job in IT

      And in what way are your friends and family qualified to judge your ability? People who know nothing about a subject will be impressed by someone who knows only a little more about it than they do.

      Your skills sound like you could do low level desktop support, which wouldn't pay very well...

    4. Chika

      Re: I'll never get a job in IT

      @A Ghost

      And you aren't alone. They seem to think that just because you have been out of work for whatever amount of time (in my case just over a year during which I have been looking for work!) they believe that you aren't "up to speed" with the current technology.

      One: What companies believe is current technology and what actually constitutes current technology isn't exactly the same thing. I've even seen adverts for jobs where Windows XP is still an essential skill (and yes, I've tried applying. My MCDST in Windows XP should be a plus point, I would imagine, but why the hell would I need to?)

      Two: If you are serious about working in IT, you don't just drop the ball when you are put out of work. You read, you do things, you keep up. Or I do, at least. I look into new stuff (I'm dabbling with Python, Docker, even Puppet at present, and I have Windows Server 2016 knocking around on a VM too but does that impress anyone? Not really because, as you put it, being out of work makes me "a lazy bastard").

  9. Oengus

    I got my current job when HR was told - "He has the skills we need. Hire him." I didn't send in any resume. The HR person was only on the "interview" because she was based in Sydney like me and the manager doing the hiring was in Melbourne and just wanted to speak with me to let me know what the job was and what was expected...

  10. ecofeco Silver badge

    First pass your background check

    I've seen too many IT people who can't pass a 1st level background check.

    I'd say that's the biggest problem.

    1. ecofeco Silver badge

      Re: First pass your background check

      Oh now 2 thumbs down.

      Touched a nerve did I? Stop being pathetic tossers and getting nicked.

      I seriously cannot believe how many IT people are NOT getting better jobs because they cannot get past the 1st level background checks. It's a real problem.

  11. Anonymous Coward

    "diversity of thought and personality"

    These areas come up informally and often get talked about, but are rarely written about in the media. So thanks, nice read! I basically retired from IT as it was a thankless plumber-like 'blue-collar grind' (as the mass-media likes to allude to).

    But I've often thought about scrubbing up, catching up on security and going back at it, especially now that so many companies / organizations / governments are so heavily exposed. But what's the use, if they still offer so little in return? Just a little respect would go a long way.... Choice quotes...

    --------------------------------------------------------------------------------------------------

    .........."Generally, you've got a choice of a job being interesting, legal, or well paid – and you only get to choose two of those."

    .........."A lot of ATS systems require the input of a social security and driver's license number," ... "If you're a security person and think 'OK, I'll put my social security and driver's license number in there,' then I'm going to think twice about hiring you to protect my data...

    .........."But that cuts both ways, she said, and a lot of applicants will simply bow out when confronted with some unwieldy ATS. By far the worst ATS was the USAJOBS site run by Monster for US government positions, the two agreed, with its essay questions and clunky format."

    .........."Instead, employers and potential employees should concentrate on networking first as a way to further career goals. From an employer perspective, firms need to recognize that a lot of gifted security personnel have non-standard resumes. For example, contractor work is generally short term, and having lots of short jobs is a warning sign for some HR departments."

    .........."Companies also need to broaden their minds a bit, Having tattoos and piercings doesn't mean someone's a convict any more, and HR departments need to be smart about the interview process – a lot of hackers are socially awkward and won't do well in group interviews."

    .........."At the end of the day, however, some people are just unsuited for certain roles, and employers have to accept that. A classic case is the FBI, which has been complaining that it can't hire hacking talent because they don't play by its rules. - "The FBI insists that you become an agent first before going on to its cybersecurity school," O'Brien told The Register. "That's just not going to work for many hackers, either philosophically, or because they have some earlier legal problems, so the FBI has its own rules to blame."

  12. Anonymous Coward

    Well, not you

    It is always worth keeping in mind that HR's first priority is not to find you the best person for the job.

    It is to winnow down that stack of resumes by throwing as many out as they can for any reason, before they actually start looking at them.

    Unfortunately, good IT folks seem to have a problem coloring inside the lines, so a good many of their resumes are never actually seen by anyone.

    1. Roq D. Kasba

      Re: Well, not you

      As IT types, it really helps to look at getting recruited as just another problem with its own landscape of user needs that they expect you to guess, etc., just like that 'database for accounts'.

      The hiring manager would not be hiring if they didn't have a problem to solve. Indeed it must be a big problem if they've had to do battle for headcount. As such, it's safe to assume they haven't got a lot of time, and need someone to solve that problem above all. The applicant's job is to balance that person's needs with the needs of the pricks in HR.

      HR live in a perpetual state of knowing they're a cost without value, worrying that they might be found out for the over promoted typing pool charlatans they are. Their need is to seem like they're somehow worth their salaries, by inserting artificial hoops for applicants to jump through so they can seem important.

      Knowing this, and being a brilliant engineer, you have two sets of user use-cases you have to consider. The hiring manager needs a CV where the first half-page tells them you can solve their problem and you won't embarrass them. That's enough for an interview if you can get the CV past HR. The hiring manager almost certainly has a stack an inch or two thick of 'screened' applicants (some jobs would get literally hundreds of applicants who were just applying for everything they saw), and is not going to read past the first half page of anyone. Hiring takes them away from putting out the other departmental fires, takes a lot of time, which is the importance of that half-page. At this stage they do not care about your name, address, 'personal mission statement', photo, qualifications, school, irrelevant jobs, social interests, school grades, etc. The only thing that counts is 'can they solve my problem', and if there are bullet points saying 'I can solve your problem with these skills', you will get an interview.

      Getting that past the HR person is the hard bit. They look at those sides of A4 like they're hieroglyphs, they have no means to comprehend their meaning or context. They have been told that the applicant must have 'bird head with two feathers' skills, and so they search for birds' heads followed by two feathers, blindly. If the requirement is for MCSE applicants, their searches will miss Microsoft Certified Systems Engineer, and also miss M.C.S.E., however correct. They don't know PL/SQL from T-SQL from SQL and will not want to show themselves up. As such, remember the gatekeeper is a dribbling idiot, and remember you have to get past them. If a job advert says it's an Oracle house and you need SQL skills, talk back in their language getting 'Oracle' and 'SQL' in there, as well as PL/SQL for the hiring manager if it isn't obvious from context in a half-page of bullet points. If the job ad requests 'C Pound' then try against your better nature to not mock them with 'C#, dipstick' comments, but be gracious.

      The first gatekeeper would be working in the technical side of IT if they could, so assume they can't, so help them to understand that you match the list of things they've been told to find. Then you can get through to the person who actually needs the help.

      1. Anonymous Coward

        Re: Well, not you

        Sounds like a good user requirements document for my new "HR Drone Leaper" app.

        Take a standard CV template with dynamic placeholder tags.

        Point Drone Leaper at the online Job Description to extract all key terms and essential requirements

        Use this to fill the tags in the standard CV template and then output a flat PDF file.

        It might need a quick human re-read for V 1.0

        I am surprised no one has done this yet, because it would eventually bring ATS systems to their knees, if properly tweaked and deployed.

  13. RedneckMother

    from many years ago

    "Same as it ever was - same as it ever was..."

    Where the hell is that music when one needs it? (apology to Talking Heads).

  14. Anonymous Coward

    "The FBI insists that you become an agent first before going on to its cybersecurity school"

    Oh dear. Making silk purses out of sows ears, are we?

  15. tommy_qwerty

    It may be deliberate

    In Canada and the US, there are special visas for foreign workers with skills said to be in demand. The reason behind these visas is an alleged severe shortage of skilled workers, particularly in technology. Companies seeking workers with in-demand skills often end up sponsoring people from countries where the average salary for these tech workers is a fraction of what local workers get.

    Whenever I see a story about a lack of workers, specifically in any area of technology, I think about this. I get calls every day from recruiters who I later find have no intention of hiring me, in spite of years of experience and education. They have to go through the motions of pretending to not find any local workers with the skills they are looking for. What we are seeing here is what is called a "manufacturing of consent" to bring down IT salaries by claiming a shortage of workers and then calling for more who coincidentally come from a country where they are accustomed to receiving a much smaller salary. Don't fall for it, or you will be digging your own grave like those Disney workers in the US.

    1. Destroy All Monsters Silver badge

      Re: It may be deliberate

      Recruiters are not monopsonists, you know. Go find a company that will hire you at an acceptable salary for your skill level.

      We have hired outside-of-the-EU-common-job-exchange-area (whatever it is called), which demands an official signature and a statement that "no local talent could be found in spite of searching". Thing is, we liked the Romanian developerette .. and local talent could indeed not be found, it positively sucked.

  16. goldcd

    Poor job specs or bland "role descriptions"

    are the bane of my interviewing life.

    "Somebody" goes to market for my employer with a piss-poor high-level job spec - and the interviewees' CVs turn up with them for a chat.

    Most of the time they seem lovely people, good fit for the advertised role, but not who we actually need to do the job.

    Continually amazes me that nobody actually bothers putting effort into writing the actual details into the advert - and that's before you've pulled out all the "quality" and "team-work" guff out of the two paragraphs.

  17. John Smith 19 Gold badge

    Some people write great CV's. Some people are great at doing the job.

    When you think about it WTF makes anyone think the two groups should remotely match outside management roles? It's correct HR's 1st goal is to dump as many candidates as possible. So you need to put in the minimal to get on the list.

    But in IT you can set up practical test environments.

    If they're tolerably acceptable to HR set up the test and tell them "This is the sort of task at the sort of level we would expect you to be able to do from joining. You have x hours and we're looking for <relevant outcomes EG program, object design, network layout> by then."

    Give them an office, the necessary tools and let them get on with it.

    Either they can get it done or they can't.

    1. theOtherJT Silver badge

      Re: Some people write great CV's. Some people are great at doing the job.

      The trouble is HR don't even understand what skills they're testing for half the time.

      I was once genuinely ordered, by an HR department, to make sure that the "technical test" for a new PA was presented as a printed document, which was to be laid before the keyboard of a laptop. Before each practical test, I was asked to go into the office in which it was being conducted, log in to the laptop with the candidate account, open the "office skills" test document in word, open the "mathematical skills" test document in excel, and open outlook ready for the "email skills" parts of the test. After the test I had to go in, save any documents they had left open, put them on a USB stick, and take it back to HR for scoring.

      When I pointed out that anyone applying to be a PA should really be able to log into a computer, process some office tasks, and then save the results by themselves, I was told that those were "IT Skills" and that this wasn't a technical role.

      ...and they wondered why half their admin staff were incapable of doing their own jobs.

      1. ecofeco Silver badge

        Re: Some people write great CV's. Some people are great at doing the job.

        Seen this far too often as well. Have an up vote.

  18. EnviableOne

    Good IT security bods are naturally Bad interviewees with Bad CVs.

    The best Security start point is a broad general IT base with some programming and systems experience, topped off with a knowledge of security controls and a passion for technology, codes and encryption.

    People like this generally have had many roles in many industries at many levels, by testing boundaries have probably come on the wrong side of the law, and by buying new tech just because they have to have it, have probably over extended financially.

    This gives them 3 HR red flags, a patchy CV, a criminal record or at least advisories on Security clearance or DBS checks, and a Bad credit rating.

    While it is not impossible to get a job with these three, it is not easy. HR departments need to look beyond these to get the best people for their IT departments, but they seldom do.

    It takes an IT manager prepared to go round HR, or a Temp hiring process that excludes them, and a good recruitment firm sending the right CVs, for IT to get the right people through the door.

    or occasionally a sympathetic manager at a firm small enough not to have HR to take a chance, based on a gut feeling.

  19. Anonymous Coward

    Even worse..

    'Competency' based interviews.

    Complete and utter garbage but apparently make HR happy, keep them busy analysing diversity stats and supposedly takes the randomness out of the process by scoring you.

    I was told by a recruitment consultant that if you are doing one of these and are asked why you would like to work for the company the answer is never, ever because you seem like a good company to work for, the position seems interesting or you know people there who say it is a great place to work.

    No, the answer is that you channel the company values of putting customers first, thinking long term and working collaboratively across the organisation. With a fluffy bunny on top.

    In other words spout complete and utter airy fairy b******s which you don't believe in and couldn't care less about but it ticks the HR boxes for comparing / scoring candidates.

  20. secop

    pfft

    The security industry - as pervasive as the Microsoft & Apple empire - filled with crap coders and crap software. Finding bugs and holes in all your security, well yeap, that's easy just hire a thirteen year old that uses Linux and say "can you pen-test this for us?" the kid will be only too happy to poke your so-called secure set-up full of more holes than a block of swiss cheese. Meanwhile you'll get the unbearable flow of arse-hats that prattle on about secure coding practices and even worse people that actually like SCO - Redhat - Solaris - Xenix and other flavours of Linux clones that are desperately trying to emulate Windows so badly that they're trying to put (dot) net into Linux, meanwhile that rare flow of programmers that are wanting to pressure the likes of Microsoft out of business "oh wait that's nearly all of them!" will all point at their business practices as documented on tech-rights (dot) org just search for "Microsoft is still dying" on google kids.. Then you'll reflect about stories about SCO - Unix flame wars - SystemD and where things like Dual_EC_DRBG came from whilst the rare few programmers that actually want to fix all those bugs and give you a decent computer will be drowned under a flow of ass-hats that are too busy making bugs and getting away with hiding them in your software because being an ass-hat pays the bills. Insecurity never looked so good especially when you'll get paid to do unpaid work to fix some other ass-hat's coding mistakes, things like ELF linked executables which were such a good idea back in the day eh.. Oh and every other ass-hat you meet will all want to do exactly the same thing, so expect competition to which you can scream "By the power of UTF8 and the division of Nine, you shall be destroyed!" don't forget to Suck-Less!

    1. Sir Runcible Spoon

      Re: pfft

      tl;dr

      Might help if you made use of some paragraphing of course.

  21. Keith Glass

    . . .and once you're hired. . .

    . . . .it doesn't get better.

    Like when you're told to develop skills in Cloud Security. . . and then inquire about training, and being told funds are not available for training, nor is leave time for training. . .

    1. Naselus

      Re: . . .and once you're hired. . .

      "Like when you're told to develop skills in Cloud Security. . . and then inquire about training, and being told funds are not available for training, nor is leave time for training. . ."

      Oh, so utterly this.

      Frankly, most companies refuse outright to spend on techy training, yet simultaneously expect you to remain trained to bleeding-edge standards constantly. That's OK, but not when you're also going to demand that every applicant is certified out the backside across 4 separate ecosystems from the get-go and then expect us to pay for our training out of our own pockets and on our own time with 25 days holiday and a £40k salary. You want to contractually require me to spend 10k a year keeping my skills up to date, and then you start complaining about 'unrealistic expectations' when I ask for an extra £10k a year in salary..? Really? I'm the one being unrealistic?

      One of the basic rules of the market, which employers gleefully toss around when it suits them, is supply and demand. The 'IT wizard' above with basic 1st line skills can't get a decent paying job in IT because there's an oversupply of guys who can click 'next' through the Windows installer and a shortage of demand for that skill, so 1st/2nd line guys get paid £20k a year. Sucks for those guys, but great for employers - who have been milking that particular cow for all it's worth for years.

      When we get to IT security, though, suddenly those same employers quickly forget that rule and think a guy with a CCNP, CISSP, VCDX and MCSE combo is going to start drooling over £35k and a car allowance. When the techy isn't interested, suddenly he's being unrealistic in his salary expectations. No, sorry. There's a shortage of highly qualified IT personnel. That means our price rises for exactly the same reason you're getting away with paying your helpdesk minimum wage. If you're the only local guy who can do the job they need done locally, then I'm afraid there's no such thing as 'unrealistic salary expectations', since the alternative is I set up a ltd company and charge you and every one of your competitors that full yearly salary for 'consulting', and then take 6 months off... which is exactly what a lot of security experts ARE doing.

      If you want security guys and don't want to be paying around £80-100k + awesome benefits, then you need to start recognizing that actually, you're gonna have to hire someone without those certs, and then pay for them to earn them. I've been noticing how the market is moving over the last year or so in this regard near me - the same jobs being offered by the same companies have gone from £25k and needing to have every cert under the sun to offering £35k for anyone who has one advanced IT qualification and they're still struggling to fill the roles. Recruiters have gone from calling my (equal to national average for my experience and qualifications) salary expectation 'a bit overambitious' to asking why I'm only looking for this much and not 10 grand a year more like all the other applicants are - and I'm just a regular third line guy with a reasonably standard skill set.

      Posts are remaining unfilled because we have maybe 80,000 top-drawer IT security professionals in the world being chased by 800,000 jobs... so yeah, either start stumping up £8-10k a month for their services, or start growing your own.

      1. Keith Glass

        Re: . . .and once you're hired. . .

        It's a little better in .us and in my vertical, pay is decent, although that's also probably because of security clearance as well as certifications and experience.

        But as I'm known to opine, if you're not constantly upgrading skills, in 6-12 months, you're doing the IT equivalent of flipping burgers.

        Apparently, HR wants fries with that. . . .

      2. ecofeco Silver badge

        Re: . . .and once you're hired. . .

        "Recruiters have gone from calling my (equal to national average for my experience and qualifications) salary expectation 'a bit overambitious' to asking why I'm only looking for this much and not 10 grand a year more like all the other applicants are - and I'm just a regular third line guy with a reasonably standard skill set."

        Yep heard the same thing several years ago. Employers and staffing agencies said I was asking too much. Even my friends and family. I gave the same reasons.

        Then my credentials started getting better with each contract. So while the client/employer didn't want to give me a raise or keep me for very long, I was still getting a 20% raise each year. For the same reasons you gave.

        Because skills AND experience matter. So if you're having trouble getting work and you have skills and experience, you need to rewrite your resume/CV. Things have changed in the last 2 years.

        Oh, and I still haven't paid for any course work.

    2. secop

      Re: . . .and once you're hired. . .

      Training, what better training do you need than what's already glaring you in the face, the interwebs are full of security holes, just download a pen-testing distribution to see them all, holes in RFID, holes in Windows, holes in Linux, holes everywhere, even in WPA-PSK (it's a public shared key!) and the dark-lord is feasting on your wifi brains! Ah the slippery slope, the thing that's astonishing is Google.. I mean these guys wrote Sugar and Bitfrost Linux under the one laptop per child scheme, which had I might add some of the best approaches to security seen in a long time. But then they come along with the ESF - "enduring security framework" and give you all Android and lets it spy on you? I mean WTF? Samy Kamkar's ever-cookie.. They can shove their ever cookie and their MIT-Magic-Cookie back where it came from! You know exactly where this is coming from, every user that's using a cookie blocker or a scripting blocker is destroying their advertising model, so suddenly it's the advertising empire facing the big back-lash... A web with no adverts.. OMG! "no one will buy our services, but we shovel shit mostly anyways so meh!"
