#NextGenResearch: Are Jobs Requiring Unachievable Levels of Experience and Qualifications?

At the start of this year, Infosecurity conducted its second State of Cybersecurity Report. This determined 31 distinct trends in cybersecurity that respondents believed were driving the industry.

Following on from the publication of this report, Infosecurity launched a second piece of research, engaging with students, people on work placements and those starting out their careers in cybersecurity to find out how these trends affected them.

For this penultimate article of the series, we looked at the issue of job adverts in cybersecurity roles, and asked if the respondents were seeing job ads for roles in cybersecurity which required unachievable levels of experience and qualifications?

In total, we had 54 responses, of which 31 were positive and that it was necessary, and 23 said that they had not noticed.

Firstly, to the positive responses, there was a feeling that there is a demand for a level of skill that graduates are not going to have. For example, one response stated pen testing firm required “OSCP for an entry level internship.”

The issue seems to stem from a need for graduates to have a certification such as CISSP, which requires at least three to five years, and one respondent said that they had “recently came across a junior position that required six years’ experience”.

The general feeling was there is too much of a “tick box” attitude towards creating job adverts, and HR people not being engaged with the requirements for a role. One person said: “it would be great to see a shift in advertising and recruiting tailored to the experience of a graduate or a new professional in the field and a focus on the innovation and skills an individual can bring to the team rather than a ‘black and white’ requirement.”

Another said this led to an inclination to apply anyway, because “if the skills required are unattainable then they won’t have any applicants therefore anyone that does apply is in for a good shot”. Another said it can be rather disheartening to get negative responses, especially when “recruiters contact junior employees for senior positions and then dash their hopes with the usual ‘you're not qualified’ email”.  

Some of the most memorable comments we received in all of this research were around the advertising of junior roles. One respondent said they had seen a job advert requiring a degree in Computer Science, a certification (i.e. CISSP), and 15 years’ experience, offering a salary of £45k. Another said the issue with hiring is employers “want them to be Cyber Ninjas straight out of Uni and pay them entry level wages”.

Unfortunately we live in a world where mentoring and training are not the norm, as employers want staff to be able to start and get going with minimal supervision. In cybersecurity roles, it seems this is not unusual. One more “positive” comment we received suggested that it depends on the country, as in India where most of the entry-level jobs require at least three years’ experience for security analyst and two years for a junior security analyst.

“Very few companies are willing to take graduated interns [or] freshers, whereas in Europe, I was able to find the same job roles that do not require any experience, just certifications and a clear understanding of SIEM tools among others, they require either graduation or related experience.”

On to the “negative” responses, some suggested that they only look for roles within their skill set that they know they could get. One response did say the best way get hired was via personal relations, “rather than follow the traditional pathways into certain jobs” as “this seems to be a more reliable way of getting the job and role which you want”.

Others said it was about spotting the right job for you. One said “some job postings are refreshingly open with minimal requirements” while another claimed the job postings they see “are accurate about the knowledge an applicant should have” as high-level certifications are often listed as preferred but not required.

Another respondent said the issue is more with the wording of job ads, than the actual requirements, calling them “dense and organization specific”. They said this can make it seem like job ads are asking you to do things you haven’t seen before because the skills are being described in a way that you might not immediately connect with your previous experience, knowledge base, and skills.

“I think it’s a good idea to read job ads multiple times and think through each point and look to make sure you understand what is required of the role,” said one respondent.

The issue with the hiring model in cybersecurity is that new hires are needed to fill changing roles in a dynamic industry. As we have discussed in this editorial series, the next generation are well aware of the issues surrounding compliance, cloud and malware, but overcoming the bridge between hirer and applicant may be a more tricky one to overcome.

Hopefully if you are one of the people hiring, this series has proved that the people you are aspiring to hire are well aware of the business issues that await them.

What’s Hot on Infosecurity Magazine?