1 00:00:00,05 --> 00:00:02,01 - I provide mentorship and advice 2 00:00:02,01 --> 00:00:04,02 to countless individuals looking for ways 3 00:00:04,02 --> 00:00:06,08 to break into the cybersecurity industry. 4 00:00:06,08 --> 00:00:09,07 The most consistent feedback I receive is the frustration 5 00:00:09,07 --> 00:00:11,07 they feel when viewing job descriptions 6 00:00:11,07 --> 00:00:13,07 for entry level cybersecurity roles 7 00:00:13,07 --> 00:00:16,02 that either require too broad a skill set 8 00:00:16,02 --> 00:00:19,00 or have unrealistic certification requirements. 9 00:00:19,00 --> 00:00:20,07 There are a number of reasons for this, 10 00:00:20,07 --> 00:00:23,09 but the bottom line is we have to get better 11 00:00:23,09 --> 00:00:26,03 because the better and more realistic we are 12 00:00:26,03 --> 00:00:29,07 the better and more prepared our talent can become. 13 00:00:29,07 --> 00:00:31,00 Let's check on our friend Chris 14 00:00:31,00 --> 00:00:34,00 at Global Bank International. 15 00:00:34,00 --> 00:00:37,07 As the saying goes, no good deed goes unpunished. 16 00:00:37,07 --> 00:00:39,06 Chris was so happy with our proposal 17 00:00:39,06 --> 00:00:43,01 for the SOC analyst role, he gave us major kudos 18 00:00:43,01 --> 00:00:45,06 and more work to do. 19 00:00:45,06 --> 00:00:48,06 As Chris begins to build his team, he wants to make sure 20 00:00:48,06 --> 00:00:50,08 that job descriptions are clear, 21 00:00:50,08 --> 00:00:53,05 specifically those targeting entry level talent. 22 00:00:53,05 --> 00:00:56,03 So he's asked us to review 23 00:00:56,03 --> 00:00:58,03 the qualifications and requirements 24 00:00:58,03 --> 00:01:01,00 for a couple of entry level job descriptions 25 00:01:01,00 --> 00:01:03,01 and provide him with our thoughts. 26 00:01:03,01 --> 00:01:05,05 I'll be putting on my entry level candidate hat 27 00:01:05,05 --> 00:01:08,04 so we can have some fun with this. 28 00:01:08,04 --> 00:01:13,01 All right, exhibit one. 
29 00:01:13,01 --> 00:01:14,09 So far so good. 30 00:01:14,09 --> 00:01:20,00 I know all about networks and logs and packet analysis 31 00:01:20,00 --> 00:01:22,06 and I'm pretty good with these operating systems. 32 00:01:22,06 --> 00:01:24,08 Malware and forensics check. 33 00:01:24,08 --> 00:01:28,02 I'll tell the hiring manager all about my home lab. 34 00:01:28,02 --> 00:01:30,08 This is awesome. 35 00:01:30,08 --> 00:01:33,04 Eh, I don't have any coding skills, 36 00:01:33,04 --> 00:01:36,05 but maybe it's just a nice to have, I can navigate that. 37 00:01:36,05 --> 00:01:39,06 I'm going to go for it. 38 00:01:39,06 --> 00:01:41,02 Oh, wait. 39 00:01:41,02 --> 00:01:44,07 I also have to wear the governance risk and compliance hat, 40 00:01:44,07 --> 00:01:47,04 manage vulnerabilities and be the help desk 41 00:01:47,04 --> 00:01:49,08 and access control manager. 42 00:01:49,08 --> 00:01:52,05 I don't even know what this job is anymore, 43 00:01:52,05 --> 00:01:57,00 but what I do know is that it's not for me. 44 00:01:57,00 --> 00:01:59,01 End scene. 45 00:01:59,01 --> 00:02:01,05 Let's break character and review. 46 00:02:01,05 --> 00:02:04,06 This job description is a classic example 47 00:02:04,06 --> 00:02:06,06 of an organization that is unclear 48 00:02:06,06 --> 00:02:10,00 on where entry level talent fits within their organization. 49 00:02:10,00 --> 00:02:13,02 An easy way to fix this description is to prioritize 50 00:02:13,02 --> 00:02:15,07 the skills that are required for the role. 51 00:02:15,07 --> 00:02:18,03 Then list the others as nice to haves. 52 00:02:18,03 --> 00:02:20,09 As written, this description comes across 53 00:02:20,09 --> 00:02:22,06 as a company that wants too much 54 00:02:22,06 --> 00:02:24,04 from a cybersecurity newcomer. 55 00:02:24,04 --> 00:02:27,04 And if they want too much on paper, it's highly likely 56 00:02:27,04 --> 00:02:30,04 they'll also want too much in practice.
57 00:02:30,04 --> 00:02:32,08 Exhibit number two. 58 00:02:32,08 --> 00:02:38,04 All right, I'm back into character. 59 00:02:38,04 --> 00:02:40,08 All right, we're off to a great start. 60 00:02:40,08 --> 00:02:43,03 I just completed my bachelor's degree. 61 00:02:43,03 --> 00:02:46,00 So glad that was worth it. 62 00:02:46,00 --> 00:02:48,03 I'm good on the experience requirements 63 00:02:48,03 --> 00:02:50,00 and this is right up my alley 64 00:02:50,00 --> 00:02:53,00 since I currently work for my local electric company. 65 00:02:53,00 --> 00:02:55,05 Wow, this job is so me. 66 00:02:55,05 --> 00:02:57,09 I learned all about leading cyber security programs 67 00:02:57,09 --> 00:03:00,01 as part of my degree program. 68 00:03:00,01 --> 00:03:02,04 I'm always up for learning new things 69 00:03:02,04 --> 00:03:06,06 and team collaboration is my jam. 70 00:03:06,06 --> 00:03:10,00 Okay. Where do I sign up? 71 00:03:10,00 --> 00:03:14,04 Oh, no, I don't have any of these certifications. 72 00:03:14,04 --> 00:03:16,08 I'm pretty sure I haven't even been 73 00:03:16,08 --> 00:03:18,07 in the industry long enough to get certified 74 00:03:18,07 --> 00:03:21,05 even if I were to pass these exams. 75 00:03:21,05 --> 00:03:25,08 Ah, bummer, guess I'll keep looking. 76 00:03:25,08 --> 00:03:28,01 End scene. 77 00:03:28,01 --> 00:03:31,07 (groans) We were so close on that one. 78 00:03:31,07 --> 00:03:35,00 This is an unfortunate, but very common mistake. 79 00:03:35,00 --> 00:03:38,07 The CISA and CISSP both require five years 80 00:03:38,07 --> 00:03:40,06 of industry experience. 81 00:03:40,06 --> 00:03:42,02 The CRISC is slightly less, 82 00:03:42,02 --> 00:03:45,04 requiring a minimum of three years, but that's the top end 83 00:03:45,04 --> 00:03:48,09 of the required experience listed in the job description.
84 00:03:48,09 --> 00:03:51,07 If we take a look at the list of technical requirements, 85 00:03:51,07 --> 00:03:53,06 it appears that the role is more hands-on 86 00:03:53,06 --> 00:03:55,02 and technical in nature. 87 00:03:55,02 --> 00:03:58,05 Certifications like Security+, Network+ 88 00:03:58,05 --> 00:04:00,07 or any other certification that would validate 89 00:04:00,07 --> 00:04:02,05 some of the technical skills listed here 90 00:04:02,05 --> 00:04:05,04 would've been more appropriate. 91 00:04:05,04 --> 00:04:09,08 Whew, we've covered a lot and you're still with me. 92 00:04:09,08 --> 00:04:11,07 That's a big deal. 93 00:04:11,07 --> 00:04:13,08 Hang in there because now that we've got 94 00:04:13,08 --> 00:04:15,09 the pipeline engine started, 95 00:04:15,09 --> 00:04:18,02 we're going to move on to the next section 96 00:04:18,02 --> 00:04:21,00 and dig into how we keep our pipelines healthy.