A recent survey was conducted with cybersecurity professionals around what skills are needed for recent graduates to enter the workforce in a junior security role.
The survey was conducted by Shawn Davis, adjunct industry professor at the Department of Information Technology and Management at the Illinois Institute of Technology’s School of Applied Technology, and he was able to collect 100 responses. He said the purpose was to aid instructors in ensuring their curriculum measures up to industry expectations, and present students and recent graduates with guidelines of areas they should put more self-study effort into.
The survey results showed that over 90% of respondents rated “core security concepts,” over 70% “network and host attack vectors” and over 60% “user authentication and access control” as the most important factor.
Lower down, and only demanded by around 60% as most important, were skills on OS hardening, web application attack vectors and basic shell scripting.
At the other end of the scale, over 20% did not determine steganography to be important, while small percentages did not see malware analysis, digital forensics and incident response, IoT vectors or penetration testing to be important for recent graduates to have immediate skills in.
The full results are available via Shawn’s original blog. In that, he said that “professionals have spoken as to what they want in a recent graduate and are willing to train you,” suggesting what is most important for students to learn based on the survey findings.
He also said that if a candidate does not have the requisite skills but are passionate about working in cybersecurity, “then don't be afraid to build a foundation in another entry level role and gradually transition into a security position.”
Speaking to Infosecurity, Davis said that “mentoring passionate current employees and transitioning them into a security role is a win for everyone.”
He claimed that an employer should quickly recognize that a help desk technician, who excels in their current role and is constantly asking for more opportunities to learn new skills, and can communicate with all levels of staff effectively, should be recognized.
“The same goes for the developer that is interested in reviewing code for vulnerabilities, wants to understand how underlying infrastructure works and has excellent documentation skills.”
In particular, Davis’ research found that 27% of respondents would require any graduating student to work in the help desk prior to placing them in an entry-level security position. Asked if this demonstrates the need for inexperienced people to gain some experience before they can expect to be hired, Davis said: “I imagine many of the 27% have been burned in the past by hiring a recent graduate that interviewed well, had a security certification, but ended up not knowing how to format a hard drive or set up a static IP, let alone how to configure a firewall or harden an OS. In that instance, I definitely agree that person should have to get some experience in a non-security role first.
“However, the majority of respondents mentioned that they would be willing to hire individuals that know the basics and have a good grasp on the most important information security concepts and needed skills.”
Davis said that having taught at undergraduate and graduate levels, he can generally tell within the first couple of weeks of a class which students have the potential to get hired directly into a security position: these are the students that speak up in class, are teaching themselves scripting, have a virtual lab at home to learn more about servers and networking, follow Twitter feeds of industry professionals and attend local tech meetups.
“They also ask questions and use their lessons and homework as a tool to ensure they really comprehend the material in preparation of their career as opposed to simply wanting to pass a class,” he said. “These students have a great shot of being successful in a junior security role and it was refreshing to see that 73% of respondents to the survey would mentor and bring in such students.”
On another research point, 58 of those surveyed suggested that an entry level security certification affects the hiring decision, while 42 said it didn’t make a difference. Is this very positive for those second job types who don’t have the time to take a new certification? Davis said that security certifications generally show that the recipient has at least basic foundational knowledge in the area, but a person that doesn't work towards a certification will still most likely have to spend extra time learning the basics or new skills.
Finally, 62 respondents said that an internship is the best way for a student to gain entry to a junior role. However, how easy are these positions to find?
Davis said: “internships are predominantly available in larger cities and even then are not particularly prevalent. Indeed.com currently lists around 3000 security internships available in the US and only around 150 in the UK. I believe a lot more businesses and government agencies should offer security internships.”
So was he calling for more businesses – particularly more ‘desirable’ tech companies where young people want to get work experience – to offer opportunities? He said that at present, many organizations practice poaching experienced security professionals from each other as opposed to offering needed internships or adding new entry level security positions.
He said that organizations need to realize that:
- There is already a shortage of security professionals which will only get worse
- They are missing out on great talent. Organizations that work directly with academia could create programs to bring in the best students for summer internships in addition to hiring recent graduates
What else can aspiring cybersecurity professionals do to get a first opportunity? Davis recommended that attending local security meetups is a great way for recent grads to meet people in the industry and learn about new potential positions. The survey also showed a few respondents recommended job fairs as another way to enter the industry.
It is positive to see what the hiring companies want, but it seems that the challenge for new professionals is proving themselves and finding the opportunities in the first place.