Gerald Auger is a Managing Partner at Coastal Information Security Group, and Chief Content Creator at Simply Cyber. In this interview with Help Net Security, he talks about the cybersecurity skills shortage, the value of certification, as well as “Cybersecurity Career Master Plan”, a book he co-authored.
Organizations around the world are impacted by the cybersecurity skills shortage. Still, many qualified people are having a hard time finding a job. Where’s the disconnect?
When qualified people are having a hard time finding a job in a market that is so saturated with need, I look at HR as a major impediment.
HR is involved in all talent acquisition processes. These professionals do not “speak” information security. They do not understand the language of our profession. When HR sees that this candidate has Graylog experience but the hiring manager stated they use a technology called Splunk, an individual who knows the field would know these are both SIEM technologies, the candidate has experience using a SIEM, the skills are transferable, and therefore the candidate is qualified. Unfortunately, the HR person who doesn’t know that or isn’t familiar with the terminology would say the candidate doesn’t have Splunk, so this isn’t a fit.
Two actionable activities that I would encourage people to take advantage of that could increase their chances of finding a job are resume tuning and networking. Really go through your resume and make sure that all the bullets are adding value to whatever the job is that you’re trying to get. All of the bullets should help tell a story of how you can bring value to an organization or help address that organization’s problems.
Secondly, it’s very important to network within the community. Many jobs don’t ever get publicly posted, or by the time they’ve been publicly posted a candidate has already been identified and the posting is more of a formality. You can network through Discord servers, LinkedIn, meetups, and conferences. There are many ways to meet other people within the industry and to contribute to the industry.
When someone knows who you are, knows what you’re doing, knows what you’re capable of, knows what you’re interested in, and when they have a need or they hear about someone in their network that has a need that is a fit for you, they will reach out to you. This happens all the time and it can definitely help qualified people have an easier time of finding a job.
Those new to the infosec industry often find it complex and rapidly changing. What advice would you give to someone considering a career in cybersecurity?
The information security industry is rapidly changing all the time so people who are considering a career in cybersecurity should really understand and be ready to commit to staying informed of threat intelligence and industry developments all the time. Our business is effectively helping organizations defend and become resilient from threat actors and cyber attacks.
Threat actors are constantly changing their techniques, approaches, and tooling. If you’re not staying fresh and informed on what those attack techniques are, then you’re not going to be as effective at preventing, detecting, and responding to those attacks. You can get threat intelligence through Twitter, cybersecurity news outlets, and podcasts. I personally listen to “Cyber Security Headlines” every weekday morning to get my own threat intel briefing so I can continue to protect my organization.
Even though the industry is rapidly changing, if someone’s considering a career in cybersecurity there has never been a better time to get access to free resources to help you develop skills and get the training that you need in order to be successful across a myriad of jobs in the industry. You can get an ample amount of penetration testing skill development. There are a lot of mature platforms already out there that can teach you. The blue side (defender side) has recently seen a growth in training platforms including Blue Team Labs Online, RangeForce, and several others that really allow you to learn the detection and response skills needed to be a good defender.
Furthermore, there’s substantive free YouTube content. Simply Cyber, my channel, provides lots of different cybersecurity education across multiple dimensions of the industry. Blackperl is focused exclusively on incident response with a nod to cloud security. There are very popular channels like The Cyber Mentor, NetworkChuck, John Hammond, David Bombal, and Neal Bridges. All of this content is free and can help you level yourself up.
One thing that people can do to help distinguish themselves in the industry is get cybersecurity certifications. Some of the more popular ones are Security+ (which is a great entry-level one) and CISSP (which is kind of the mid-level professional gold standard certification). If you’re interested in going on the red (offensive security) side, eJPT is a good entry-level one, and then OSCP or PNPT are the professional-grade certifications.
What’s your take on the value of certification? Can it help move forward a career in cybersecurity?
Certifications can help you move forward in a career in cybersecurity especially if you’re starting out. Certifications provide a baseline understanding to someone looking at your resume that you have learned or been exposed to the concepts that would be associated with that certification. It can also help get past HR (like we spoke about earlier), where HR doesn’t really understand the field but they do know that this certification is required and that you have it.
Certifications cost money to take. They oftentimes cost money to maintain, but a lot of the training that goes toward the certification can be obtained for free. For example, Microsoft Azure and AWS both offer all their training for free.
If you can’t afford the certification, you can still go get all the training without the certification (for free) and then mention in an interview or a conversation that you have exposure and experience with those tech stacks, you’re just not certified. Again, certifications are more beneficial earlier in your career in order to help differentiate you as a candidate among other candidates.
You are the co-author of Cybersecurity Career Master Plan. How long did it take to write and what were the biggest challenges?
I was very excited to publish my book, the Cybersecurity Career Master Plan. It was a lifelong goal to become a published author and I was really pleased with how this book came together. It took about three months total to write. I had three co-authors, and we had a plan where we wrote a chapter a week and just grinded through it.
One of the biggest challenges with writing this book was the initial approach on how we wanted to frame the book. Writing the content was easy once we had the outline, but we really wanted to think about what the structure of this book would be. We wanted to be deliberate in how we could most effectively support and help our community learn how to break into cybersecurity.
We ultimately decided on a career chronological path. The book has three sections. Section one is: do you even want to work in the industry? We help you understand if that’s what you want. Section two is about getting the skills, understanding education, understanding what the different roles are, and the industries that you could work in.
It helps readers get ready to be able to get that job. In section three, you’ve got the job because of section two; now how can you level up your career, have a very successful, satisfying career, and contribute back to the community? It follows a nice apprentice, professional, master kind of chronological flow, and we’re really, really pleased with it.
There are many books and resources dedicated to cybersecurity careers. What makes this book unique?
There are many books written to help people with having a cybersecurity career. What really makes our book unique is that, first of all, the four authors all have different backgrounds, different career journeys, and different experiences. We’re all different ages, we all have different backgrounds, and that amalgamation of personality, experience, and positive attitude really lent itself to the book’s uniqueness.
It is a textbook in the amount of content and actionable intel it has, yet it’s written in a conversational tone. This tone allows you to almost feel as if you, the reader, are sitting with the four authors at a bar or at a coffee shop, you asked the question “How do I get a job in cybersecurity?”, and the book was the response that you got back from the four of us. It’s very approachable and easy reading, but it’s very actionable.
That’s really the key difference. We’re not just speaking in broad brushstrokes of what a career in cybersecurity could be, we’re showing you exactly what you need to do, how you need to go do it, the order in which you should do it, and how you can be successful.
I reflected on it and I feel almost like the four of us have walked up and down the career mountain multiple times and now we’re like sherpas. We’re ready to help you walk up your own cybersecurity career mountain, and we can tell you what day to go, how to dress for the hike, what to pack in your bag, what paths to avoid, and so much more. All the things that you may not consider or think of, we’ve tailored and curated, and we provide them directly to you with no fluff or filler.
I really appreciate this opportunity. I really do thank you for allowing me to share my thoughts on this topic and really promote the book which I believe is going to help a lot of people realize an opportunity that could be life-changing.