A friend of mine got together with us last week, after a year away. We were talking about the quality of the new people coming into the cyber realm and working for his company. He was disappointed in their abilities and the salary they were expecting for an entry-level job. One of the things it boiled down to was the number of people who know cyber is a hot field and try to capitalize on that without having the skill set expected of a person with that kind of salary. He called it Millennial Expectations, which would make a good book title.
He interviewed a young woman who had 2 years of experience in the field, so he expected she would have quite a bit of knowledge across a range of cyber subjects. She didn't. Her sole job before coming for the interview was publishing vulnerability announcements on websites. Her salary expectations were twice what a new person would expect to get. She might get it somewhere else, but she wasn't going to get it where he was working. It was all too common a scenario.
When I first started in this field, nobody wanted to be anywhere near it. It was not well defined, and there were no certifications for people in it. You had to be something else; "computer specialist" and "computer security specialist" were not real fields at that time, yet almost anyone could claim the title. Now, all you have to do is go to a two-week prep course and take a certification test that costs quite a bit. With that, and no experience, you are qualified for a job. How ridiculous is that?
HR departments are not very knowledgeable about any of the criteria that make good employees in this field. Part of that is because they are not getting much help from the people who know how to do the job. Knowing how to post vulnerability announcements isn't even one of the qualifications that a department would look for. I went out to look at a couple of job announcements and found this as typical:

"Prepare System Security Plans. Conduct reviews of computer security requirements for compliance, efficiency, and standardization of technical computer security configurations. Perform technical upgrades, repairs, and patches, modifications or replacement of information security tools and technologies as directed. Perform/assist with technical investigations of security violations involving customer IT systems information. Determine corrective actions, prepare and submit reports in accordance with government and corporate directives.

Required Skills Include:
Must have a current DODI 8570.1-M IAT Level II (Security+ CE) (minimum) certification.
Minimum of three years IA experience.
Must have experience with ICD 503 accreditation and Information Assurance Vulnerability Alerts (IAVA) tracking, reporting and implementation.
Must have a good working knowledge of security practices and procedures for various network devices and operating systems.
Experience presenting technical information to customers, clients and/or other audiences.
The ability to work efficiently with frequent and direct customer interaction in a real-time operational environment.
Must have basic experience with network design, router configuration, and firewall configuration.

Desired Skills Include:
CISSP or CCNP Security Certification.
Working knowledge of network protocols and common services.
Experience as an ISSO or ISSM."

I picked a company that I knew had a good cyber security staff and expected this level of knowledge and skills.
This one expects some work experience in a cyber environment doing work related to security. This is not an entry-level job.
So, take a little more time to write a job description that says what skills you really need to do the job and what experience qualifies a person for a step up. My friend should not have had to interview somebody who had so little experience, and she should have been filtered out by HR before she ever got to an interview.