
In Cybersecurity, Experience is King.

Micah VanFossen August 15, 2024

The Future's So Bright...

A collection of young talent is a fairly rare commodity. Whether it be a sports team, club, school, or company, any establishment that can build a core group of young talent has a bright future ahead.

> Building a Strong Foundation

There is a reason why professional sports teams spend months analyzing, critiquing, and identifying possible draft picks, why colleges recruit and impress the best of the best, and why companies hold job fairs, student days, and internships. The desire to build a strong foundation for future success is a universal trait. As humans, we understand that the future reality is shaped by the young people of today. The ability to identify, draw in, and build young talent is what sets successful organizations apart.

Some careers have very well-established talent pipelines. Consider the healthcare industry, the legal profession, and the financial industry. There is a fairly common path towards a career in these fields. Fields that lack a clear path to a job? Well, cybersecurity and tech come to mind first. There is a large difference in maturity between the fields with straightforward job routes and those that do not have a common path toward a job. Analyzing professions reveals that the age of the profession helps solidify standardization for companies and individuals.

> Everyone is Different. Every Path is Different.

Now when it comes to cybersecurity, identifying methods to land a job is a wild conversation. Everyone has a different opinion, and terms like degrees, certifications, and years of experience will always be thrown out by people, with all sorts of differing levels of importance. That conversation is tiring, and personally, I believe that it typically focuses too much on how to get a job, and not enough on how to learn your desired route within cybersecurity. What good does it do to land a job in cybersecurity and then realize that you hate it? Every person is different, and there are so many different jobs within the cybersecurity profession. It is almost impossible to offer recommendations without knowing what a person would like to do, much less what will work for them, as everyone’s path is unique. If you are looking to get a job in cybersecurity, learn everything you can for free, and then see where you are. Go check out this guide from USCG Pipeline coach Dennis Devey: https://www.hoppersroppers.org/library/breakIntoSecurity. Also, research the job options out there; cybersecurity is not just pen-testing (difficult to land without being a senior) or SOC analyst.

Instead of the individual side of the conversation, I am going to spend a few minutes discussing what companies should be doing when it comes to identifying and drawing in young talent. I think there is a distinct lack of information on this topic.

> In Cybersecurity, Experience is KING.

It is the one thing that most often equates to a new role, increased responsibility, and higher salary. The truth is, from a hiring perspective, without experience, there is no simple way to clearly identify if someone is skilled in the tasks required to perform the job. There are many reasons why there are so few entry-level roles in cybersecurity. These include:

  • There is a lot of prerequisite knowledge necessary to perform even some of the more basic cybersecurity tasks (IT, networking, operating systems, and even programming at times)
  • A bad hire in cybersecurity has the potential to cause lots of expenses and problems if your security program is not very mature. A lot of trust and expectations are usually placed on the security team, so mistakes can be costly here (usually not CrowdStrike-level bad, but I’m sure everyone has a story or two to tell)
  • A senior member can often produce 3 to 5 times the output that a junior member can
  • Security teams are small, the budget is often low, it’s expensive to train someone who could move on quickly, and if you only have one spot open, you want someone who you know can do that role well
  • Due to the lack of a common career trajectory, it’s also difficult to define what level a role should be
  • Many hiring teams have no clue what they’re looking for and just copy/paste other job reqs

> Recommendations to Find & Attract Young Talent

I believe that a good number of organizations do not look for young talent in cybersecurity because they only budget for a couple of cybersecurity positions. This is due to many reasons, but most often because they do not properly understand all of the responsibilities a security team must perform. However, for all those security vendors, MSSPs, and large organizations that have teams of people on the security side, it’s important to be able to recruit new team members.

Here are a few things I would recommend that help to find and attract young talent.

Have situational awareness. You need to know where younger professionals and future professionals are. It’s not on Indeed (until they must), rarely at in-person job fairs, and probably not at the big organization security chapter luncheons. They are on college CTF teams, on Discord, and using online training or challenge sites.

Market like you know what cybersecurity is. Not everyone looking for a job in cybersecurity knows what they are doing, but you, the employer, should be able to at least be honest and helpful. It’s alright to let students know they probably won’t make 100k in their first role and that the cybersecurity job statistics on the internet have lied to them.

Write better job postings. If your job postings make no sense, list CEH, list CISSP with entry-level pay, or list every function known to man, good luck. People who know what they want will avoid you. Let’s make cybersecurity job postings better for everyone.

I'm a little biased, but get in front of places that do gather top young talent, such as the US Cyber Games, National Cyber League, Hack The Box, etc.

> Talent Under Your Nose

Speaking of that talent, I think it’s time to highlight some of the achievements of members of the SIII US Cyber Games program. The program includes roughly 70 individuals, from the SIII US Cyber Team and participants in the Pipeline Program. Since I have been able to see first-hand the incredible young talent that is here, I believe that the skill of these individuals needs to be displayed. The USCG truly does contain the top cybersecurity professionals of the future. Here’s a glance at what these 18-26-year-olds have already accomplished.

  • Presentations: DefCon - Justin Applegate, ShaktiCon - Gwen Vongkasemsiri, National Cyber Summit - Micah VanFossen, along with multiple BSides and other conference talks from other members.
  • Multiple National Cyber League winning teams and individuals in 2022 and 2023.
  • Internships/Jobs at places including Microsoft, Amazon, Raytheon, Capital One, Disney, MITRE, Cloudflare, CrowdStrike, General Dynamics, Battelle, and multiple USG agencies.
  • Certifications including CISSP, OSCP, GSEC, GCIH, CASP+, Security+, CCNA, AWS CCP and many more.
  • Multiple SFS CyberCorps winners - Shiloh Smiles and Justin Applegate.
  • Multiple CVEs were found (CVE-2023-5089, CVE-2024-6289, CVE-2024-6420 - Juan Pablo Gomez Postigo).
  • CTF wins: Hack The Port E.L.F Edition (1st Place) - Juan Pablo Gomez Postigo. Wicked6 Tournament 2024 - 1st; MetaCTF Wicked6 CTF 2024 - 1st; MetaCTF Flash CTF June 2024 - 1st; NCL Spring 2024 Team Game Advanced Bracket - 1st - Kris Noyes. 3rd place in the Microsoft Intern annual CTF - Gwen Vongkasemsiri.

The Season III program began with the US Cyber Combine which featured 128 athletes from 28 different states. 59% had professional certifications, 30% already had at least one college degree, and 70% are currently in degree programs.

> Conclusion

So what traits help to identify young talent that will offer a positive return for your business?
Along with experience, look for passion. Someone who spends time outside of the classroom or job learning and tinkering will most likely be a great choice. An interest in the field goes a long way. US Cyber Games athletes spend hundreds of hours doing capture-the-flag (CTF) competitions and increasing their knowledge and skills in certain cyber domains. While not a requirement, I have never met someone with a home lab that did not make an excellent employee. Another trait that successful cybersecurity practitioners share is the desire for improvement and solving tough problems. Cybersecurity is constantly changing; it takes constant program modifications, improvements, and changes to continue to defend against the attacks of yesterday while also addressing the newest CVEs, changing attack surface, and modified attack methods. There are no easy cybersecurity functions; those have been automated. Organizations need skilled practitioners who are willing and able to solve difficult problems and improve existing security programs. There is no better place to look for this talent than at a program that is dedicated to competitive problem-solving, tool development, and knowledge advancement.

 

AUTHOR: Micah VanFossen

Micah is a SIEM / Data Engineer. He works to defend against threats by identifying, obtaining, and utilizing relevant data to create detections and inform strategic decisions. He holds a Master's degree in Cybersecurity and a list of top industry certifications, but the differentiator in his career has been his passion to learn, create solutions, and educate others. He is a firm believer in resourceful education and the power of curiosity.