A collection of young talent is a fairly rare commodity. Whether it be a sports team, club, school, or company, any establishment that can build a core group of young talent has a bright future ahead.
There is a reason why professional sports teams spend months analyzing, critiquing, and identifying possible draft picks, why colleges recruit and impress the best of the best, and why companies hold job fairs, student days, and internships. The desire to build a strong foundation for future success is a universal trait. As humans, we understand that the future reality is shaped by the young people of today. The ability to identify, draw in, and build young talent is what sets successful organizations apart.
Some careers have very well-established talent pipelines. Consider the healthcare industry, the legal profession, and the financial industry. There is a fairly common path towards a career in these fields. Fields that lack a clear path to a job? Well, cybersecurity and tech come to mind first. There is a large difference in maturity between the fields with straightforward job routes and those that do not have a common path toward a job. Analyzing professions reveals that the age of the profession helps solidify standardization for companies and individuals.
Now when it comes to cybersecurity, identifying methods to land a job is a wild conversation. Everyone has a different opinion, and terms like degrees, certifications, and years of experience will always be thrown out by people, with all sorts of differing levels of importance. That conversation is tiring, and personally, I believe that it typically focuses too much on how to get a job, and not enough on how to learn your desired route within cybersecurity. What good does it do to land a job in cybersecurity and then realize that you hate it? Every person is different, and there are so many different jobs within the cybersecurity profession. It is almost impossible to offer recommendations without knowing what a person would like to do, much less what will work for them, as everyone’s path is unique. If you are looking to get a job in cybersecurity, learn everything you can for free, and then see where you are. Go check out this guide from USCG Pipeline coach Dennis Devey: https://www.hoppersroppers.org/library/breakIntoSecurity. Also, research the job options out there, cybersecurity is not just pen-testing (difficult to land without being a senior) or SOC analyst.
Instead of the individual side of the conversation, I am going to spend a few minutes discussing what companies should be doing when it comes to identifying and drawing in young talent. I think there is a distinct lack of information on this topic.
It is the one thing that most often equates to a new role, increased responsibility, and higher salary. The truth is, from a hiring perspective, without experience, there is no simple way to clearly identify if someone is skilled in the tasks required to perform the job. There are many reasons why there are so few entry-level roles in cybersecurity. These include:
I believe that a good amount of organizations do not look for young talent in cybersecurity because they only budget for a couple of cybersecurity positions. This is due to many reasons, but most often because they do not properly understand all of the responsibilities a security team must perform. However, for all those security vendors, MSSPs, and large organizations that have teams of people on the security side, it’s important to be able to recruit new team members.
Here are a few things I would recommend that help to find and attract young talent.
Have situational awareness. You need to know where younger professionals and future professionals are. It’s not on Indeed (until they must), rarely in-person job fairs, and probably not at the big organization security chapter luncheons. They are at college CTF teams, on Discord, and using online training or challenge sites.
Market like you know what cybersecurity is. Not everyone looking for a job in cybersecurity knows what they are doing, but you, the employer should be able to at least be honest and helpful. It’s alright to let students know they probably won’t make 100k in their first role and that the cybersecurity job statistics on the internet have lied to them.
Write better job postings. If you’re job postings make no sense, list CEH, list CISSP with entry-level pay, or list every function known to man, good luck. People that know what they want will avoid you. Let’s make cybersecurity job postings better for everyone.
I'm a little biased but get in front of places that do gather top young talent, such as the US Cyber Games, National Cyber League, Hack The Box, etc.
Speaking of that talent, I think it’s time to highlight some of the achievements of members of the SIII US Cyber Games program. The program includes roughly 70 individuals, from the SIII US Cyber Team and participants in the Pipeline Program. Since I have been able to see first-hand the incredible young talent that is here, I believe that the skill of these individuals needs to be displayed. The USGC truly does contain the top cybersecurity professionals of the future. Here’s a glance at what these 18-26-year-olds have already accomplished.
The Season III program began with the US Cyber Combine which featured 128 athletes from 28 different states. 59% had professional certifications, 30% already had at least one college degree, and 70% are currently in degree programs.
So what traits help to identify young talent that will offer a positive return for your business?
Along with experience, look for passion. Someone who spends time outside of the classroom or job learning and tinkering will most likely be a great choice. An interest in the field goes a long way. US Cyber Games athletes spend hundreds of hours doing capture-the-flag (CTF) competitions and increasing their knowledge and skills in certain cyber domains. While not a requirement, I have never met someone with a home lab that did not make an excellent employee. Another trait that successful cybersecurity practitioners share is the desire for improvement and solving tough problems. Cybersecurity is constantly changing, it takes constant program modifications, improvements, and changes to continue to defend against the attacks of yesterday while also addressing the newest CVEs, changing attack surface, and modified attack methods. There are no easy cybersecurity functions, those have been automated. Organizations need skilled practitioners who are willing and able to solve difficult problems and improve existing security programs. There is no better place to look for this talent than at a program that is dedicated to competitive problem-solving, tool development, and knowledge advancement.
AUTHOR: Micah VanFossen
Micah is a SIEM / Data Engineer. He works to defend against threats by identifying, obtaining, and utilizing relevant data to create detections and inform strategic decisions. He holds a Master's degree in Cybersecurity and a list of top industry certifications, but the differentiator in his career has been his passion to learn, create solutions, and educate others. He is a firm believer in resourceful education and the power of curiosity.