The words “cybersecurity” and “burnout” are next to each other in countless headlines for a reason. This industry is constantly changing, and a cybersecurity job requires extreme time, dedication, and continued education—and practitioners often face repetitive failure.
These stressors impact cybersecurity professionals who have been in the industry for years, but what about applicants who are running out of steam before they even land their first job?
Since joining Huntress in January 2022, I have had the privilege of interviewing many candidates for open positions on our Threat Operations team. A trend emerging is the disconnect between what applicants are told will land them a job and what their potential employers in the industry are actually looking for. There are several potential reasons for this discrepancy, but one major repercussion? Pre-employment burnout.
When it comes to entering the cybersecurity industry, pre-employment burnout is caused by a lot more than submitting a multitude of applications. Candidates I’ve interviewed have spent hundreds and even thousands of dollars getting various certifications, completing trainings, attending industry events, and more … and that’s almost always after spending tens of thousands of dollars on college.
It’s vital to recognize that this is not the applicants’ fault. This is what the industry has instilled in them as a requirement for getting a job in cybersecurity. Completing a certification does not make someone an exceptional cybersecurity professional; it simply ticks a box that everyone else already has ticked and can cost thousands of dollars.
This is not to say that what individuals learn throughout the certification process isn’t valuable. It just shouldn’t be the standard by which the industry measures the capabilities of applicants against one another.
So what should managed service providers and others be looking for when hiring cybersecurity professionals? When Huntress seeks entry-level analysts, for example, three major traits come to mind:
1: Community Involvement – Knowledge sharing is one of the most important responsibilities when you hold a job in cybersecurity. Posts on personal blogs, Twitter, Reddit, LinkedIn, etc., about what the applicant is seeing, what they’re interested in, or what they find valuable with others go a long way toward showing genuine interest. This demonstrated knowledge stops the interview from becoming an interrogation. Instead, it’s a conversation and then negotiation.
2: Communication Skills – Breaking down complex situations into digestible pieces is an enormous requirement for Huntress. Having a technical mind that can also communicate effectively is crucial for success in cybersecurity, both at entry-level and senior positions.
3: Courage – One of the biggest telltale signs that a junior analyst is going to be successful is their level of participation in discussions with their superiors. If they jump into a Twitter thread and share their two cents, even if they’re “wrong,” it shows they’re eager to learn.
Of course, it’s equally important for the potential employers to foster environments where all three of the aforementioned traits are encouraged.
So many of the skills that come up on a day-to-day basis as a cybersecurity professional can’t be measured by certifications or trainings. Not making those things a requirement for getting hired doesn’t mean you’re lowering your standards for applicants. It demonstrates that as a company, you recognize there are more important qualities in an applicant than the ability to pass standardized assessments.
Removing these expensive programs as requirements also allows for a much more diverse group to be considered for positions. Not everyone has the money, time, or resources to complete trainings and certifications.
This also goes for the types of higher education degrees companies require. It’s not feasible to think everyone will have the ability to achieve advanced degrees. Importantly, those abbreviations also don’t mean you’re hiring a well-rounded, qualified candidate.
And by the way, cyber bootcamps, certification companies, and postgraduate courses make a handsome profit regardless of how employable their students come out the other side. The industry needs to lead the conversation, or other institutions will, and it’s the yet-to-be-employed who are the casualties from our lack of intervention.
As an industry, we need to stop just talking the talk about fostering diverse workplaces and actually walk the walk. It starts at the hiring process.
Change job descriptions and interview tactics to show you value passion, skills, and determination—not abbreviations. Your company will be better off for it, and so will the industry.
DRAY AGHA is senior ThreatOps analyst team lead (UK) at Huntress.