Driving the Highway to Today’s Cybersecurity Job Market

We are not in an economic recession, but the tech job market is definitely in a recession, along with slowdowns in cybersecurity. Insights and strategies follow to help navigate the path.

Based on an Interview with Matt Cellar, and written by Debbie Christofferson.? A Case Study is also included, with Celia Savidge, regarding employment gaps.? Matt and I met when he presented on the job market and hiring to our local ISC2 Phoenix education event.

Contents:

·???????? A picture of today’s cybersecurity job market

·???????? What the recruiting agents look for

·???????? Resume Q&A

·???????? Case study on employment gaps

Cybersecurity Job Market?

The job market has shifted since the pandemic resurgence. ?It burned white hot following the pandemic.? Then it cooled in the tech sector and cybersecurity, due to three factors:?

·???????? Silicon Valley layoffs spooked the whole tech sector

·???????? US Interest rates started to rise

·???????? The Silicon Valley Bank wholly failed?

Work at Home Dominates?

In early 2021, the US was not technically in recession, but because of the pandemic impact, we actually were.? Only jobs like the supply line and other critical day-to-day functions showed high demand.??

Normally following a recession, the spigot opens up again, in a barrage, usually through a firehose.? That happened.? However, the tech job market then became one of the hottest markets Matt saw in his 30 years’ experience.?

Work-at-home dominated.? Then companies asked and failed to get employees to return to onsite offices. Those companies struggled to find people, and competing tech startups were paying more, for a remote workforce.? When given a choice, probably 90% of people will choose to work from home.?

Silicon Valley Lays Off?

Then in November, the Silicon Valley big tech companies started laying off--Meta (Facebook), Google, Oracle, Amazon, and Twitters. These layoffs happened, leading into the US Christmas holidays.?

This impacted cybersecurity more than he ever would have expected.? 20 years ago, this would not have affected mainstream companies like Wells Fargo, T-Mobile and others in the non-tech sector.? But today, it has penetrated across sectors.?

To slow inflation, the government propelled US interest rates upward, and they started to rise.?

Up to then, Matt was turning away contracts because he lacked the capability to full-fill it.? The market burned scorching hot. ???

Venture Capital Funding Dries Up?

The third factor kicked in, when the Silicon Valley Bank collapsed. Many startups had placed all their money in that bank. Startups are also more susceptible to interest rates. ?

From November last year until January this year, that market fell off the face of the earth, and remains slow today.?

We are in a “Technical Recession.”?

So many people who Matt knows, have been laid off since the start of the year, even within the cyber security space.? He never would have predicted this when speaking to us in 2021.?

Corporate America is pulling back in the tech space. When Silicon Valley starts to collapse, it scares the rest of the players.??

We are not in a recession.? Unemployment is still very low.? People outside of the tech sector can go out and get a job anywhere.? But that is not true in the tech job sector.?

We rolled right into a “Technical Recession”.? Right now.? Things have slowed and the market is bad.? The tech sector has been hit hard.? The big Silicon Valley layoffs trickled down to the cybersecurity sector.?

Companies with new tech and tools are sitting on this $200 million sideline waiting for investors.?

Yet they still had to cut staff, because their market is so sluggish.? ?

On average, every eleven years, US companies face a downturn, so this is a natural market evolution.? Instead of a small correction, we seem to be holding.? He expects a rapid ramp next Spring.?

How do Newcomers Enter the Field??

The easiest path into security is probably via the infrastructure space, where you can move from technical support to firewalls and escalations.? Developers also make good candidates, and this is where a majority of penetration testers originate.??

University Programs Taste Stale?

At many universities, their 4-year degree programs don’t offer many developers among the graduates.? They offer outdated curriculums and technology at many institutions.?

Matt attended a graduation for example, some years back, at the University of Missouri.? With an approximate sized 12,000 graduating class within a 40,000 undergrad population, only 28 people walked for a Development and Information Technology degree.? Half of those were foreign nationals on a tech degree visa program.? All remaining graduates earned Business and Finance degrees.?

Traditional universities run too far behind.? They may offer cybersecurity courses, but not enough to gain skills for real traction within cyber security.? Such a degree offers little practical advantage over a certification.? Many students also take the traditional engineering route, and figure out they like writing code instead.??

Overall, traditional universities run too far behind, even in cybersecurity.? He sees the CISSP as having more cache within the hiring market than a degree, or completing a six-week program.?

It demonstrates a knowledge level and is similar to sitting for a CPA or JD test.? Some companies do still prefer degrees however, and the specific university also matters!?

Who knew not so long ago that insurance companies would be making thousands of dollars because companies were having their systems breached? You could work for one of the insurance companies!?

What the Staffing Agents Look For?

Consulting and contingent labor usually show the first slowdown to a recession lead-up.

Profiling the Candidates

“We have a job for you, ….”? Then they profile you.? On the other end, ask your recruiting company:

·???????? How many deals they do on an annual basis?

·???????? What is the relationship to the customer they are going to submit you to?? Your odds go up dramatically if they have a relationship already with that customer, and an interview becomes more likely.

Your Resume?

·???????? Most people think it presents a summary of their work experience.? It actually serves ONE purpose only, to land you an interview. ?The goal is to get you in front of the customer.? When writing your resume, focus on strengths, and apply those to the requirements of the job. What can you do, what are you really good at???

·???????? Create one standard resume, that lists all strengths, that you adjust on the fly for different job descriptions.? Focus on what gets you the interview, not peripheral skills.? Everything shows highlights of what you’ve done, and what you really talk about that gives you an advantage in your field. Don’t digress to irrelevant periphery details that you aren’t good at, or don’t matter for the job at hand.?

·???????? Interviews:? Leave off peripheral irrelevant details that you cannot talk about, or that are outside your wheelhouse and not a strength.? You will feel more comfortable and be able to answer all the questions and direct your responses, by focusing only on your strengths and positives in the resume.?

·???????? Example:? A customer comes to HR or the staffing agency, and says: “I need skill #1, skill #2, skill #3.? Make sure those are listed on your resume!? Searching for a job is a commitment, and so is your resume.? Multiple resumes present you with more opportunities.? Multiple opportunities mean you can pick the one you want!?

·???????? Resume Gaps:? They look bad.? Do not leave a gap blank.? It always leaves negative thoughts:?? Why were they out of work that long? Why couldn’t that person find a job in 8 months?? Did they get laid off?? If you take time off, be active in your skill sets, for education, certifications, user groups.? All are important—include them.? Your biggest asset is what you do, and your ability to network.??

Certifications?

Certificates are more important in security space than any others by a large margin.? Get certifications, and network with people.? Introduce yourself to CISOs.? You never know who you will meet.? Networking is the most important thing you can do for your career.

Bridges?

When you leave a company, leave on good terms, and stay in touch with those people.?

Newcomers?

It is no different than looking for a job and is more difficult to land a cybersecurity role if you don’t already work there.? Higher demand means you are more likely to get in with experience, than someone without.? Recruiting seeks to find someone to hit the ground running.? It requires experience.??

Joining groups like the ISC2, ISSA or CSA Phoenix Chapters and being active is CRITICAL.? Education offers the next best thing.?

Try to find companies a little smaller that might give you a chance to get in the industry.? ?It will just take you a little longer to get in.?

Be persistent and work at gaining more knowledge to make you a stronger candidate.? You likely have to start from bottom.? Go get a certificate, work at it, and network.?

New graduates wanting to get hired:? ?What do you want to do in security, do you want to be technical, pen testing, architect level, governance, or what is it you want to do?? Then join groups to fit that, to educate yourself on that space.??

RESUME Q&A:??

Resume Review??

How much time do you look at an Info Sec resume?? Not many firms specialize in security.? He reads top to bottom to find out about the person, then goes back to ask questions to see if they qualify for the customer.?

People in security world are more detailed than developers, programmers, infrastructure people.? Matt’s customers—hiring managers--tend to scour them in a lot more detail than other IT hires.?

Resume Format?

Make sure your content flows and focuses on your strengths and core competence.? If you write a summary at the top, keep it no more than 4-5 sentences, as the only intro, and maybe highlight skills sets you talk about in body of resume.

Resume Length??

10 years’ experience, and you do not want to date yourself!?? No resumes over 3 pages, it’s too much when managers see it.? Keep resume concise.? Make sure each one showcases what you need for THAT job.? Recruiters will give you advice for their firm.?

If you submit it to Dice, etc. on your own:? If more than 2 pages, write a cover letter. What you did 10 years ago is different than today, shorten the older ones.?

Resume Screening??

Appealing to human or a machine, and HR screen?? Make sure that you speak to the requirements of the job, and core parts of the technology they are looking for.? Those words must be in your strengths and what you focus on.? Artificial Intelligence (AI) and parsers will screen for this and eliminate people.??

He lands contracts often because resumes do not get through the system, because the parsing is inaccurate and doesn’t pull the right words in.? A gap exists!? Focus on including requirements in job description.?

Demand for Candidates??

Very basic supply and demand.? Recruiters use LinkedIn and pay a lot of money for site sources where they have access for services.? His company upgrades all their LinkedIn access.?

If he gets a job for a cloud architect, it will take 1-2 recruiters, dedicated to 20-24 hours of sourcing, emailing, and calling people to get him a candidate he can see.? They use job boards, LinkedIn, etc., all the time, seeking new candidates.?

Sourcing: They go out and source candidates for high quality skill set.? If you can find somebody without using him (a headhunter/recruiting firm), then do it.? It is expensive for his services.?

Companies should be out there networking and attending conferences and finding qualified people; that is where they are.?

CASE STUDY?

Celia Savidge Reports on Her Experience with an Employment Gap

Celia took a sabbatical.? She graduated with her master's and planned to leave the field and make a change.? Celia is not a traditional security person in cyber security, but she manages projects and consults.???

She started casting her resume and initially was overwhelmed when she went job hunting as the pandemic unfolded and most hiring ceased.

Celia started with a general resume stating her experience.? She tailored the resume to the job opportunity. For her gap, Celia initially put that she had returned to school to complete a graduate degree.? She was not getting ANY hits.?

Recruiters told her they were seeking people with experience.? Yet Celia has 20 years’ experience.? She removed it, but got recruiter questions, and had to articulate why.?

Celia was also asked if the degree was in CSS (Computer Science) or Cyber Security (no) and then, how she kept up her skillset.? This is important.? Most of us have to maintain CPEs for our certifications—she has two and is always working to keep up her skillset.?

Celia landed a couple interviews and had asked Matt about the new standard for interviews.? She interviewed in May using Zoom—which was all the rage.? Celia decorated her Zoom to look professional, and presented herself in a professional manner, wearing a suit and nice blouse.? She had her resume in hand, ready and prepared as if for an in-person interview.?

Certifications are important, and increased her job opportunities.? Recruiters filtered her out, sans the certs.? Celia is not a technical person, with pen testing, incident response, etc., but offers a general project management and consulting background.? Certifications helped her.?

Networking is important.? If you leave your employer, leave on good terms.? Celia did get several offers and landed at Dell Technologies.?

Before grad school, she worked at a subsidiary, where a former manager gave her a good reference.? That gave the hiring manager confidence, even with a 1-year gap, that Celia was not fired, and did not leave under bad terms.?

Matt REMINDER:?

• His company does a Boolean Search, and certifications are a 1st search.?
• Getting references from prior bosses are better than peer references.?

?

QUESTIONS (Matt Cellar)

Q: With such a shortage in the field, why are companies passing on people with security background, for taking a year off?? Why is there such scrutiny???

A:? You will still get interviewed, but first question is the gap not the skillset, “What was this person doing for the last 12 months?”? It’s a natural negative thought.? It does not mean you won’t get the job or interview if you don’t fill that job in your resume.? If five candidates possess the exact same skills, they interview two, then yours with the unexplained gap, will be the first out.? This is less likely to happen in security.? BUT be aware and account for it, to give a positive message for your search.?

In Conclusion?

Pay attention to your resume, network like crazy and get engaged in groups like ISC2 and ISSA.

If you want a picture of the certification market for cybersecurity today, visit this 20 min YouTube for the certs based on reputation, cost, difficulty in obtaining and usefulness.? It’s worth every minute if certifications are on your mind:?

www.youtube.com/watch?v=YeWYlp9JP6g

About the Authors?

About Matt Cellar:? Matt works for Strategic Placement Solutions, for cybersecurity staffing.?

Strategic Placement Solutions (SPS) is a full-service staffing company, with expertise is delivering the difficult to find IT skill sets. We have placed people in the following industries. Financial, Banking, Telecom, Insurance, Cyber Security, Salesforce, Oracle, SAP, Manufacturing and Emerging Technologies.? linkedin.com/in/mattcellar/?

About Debbie Christofferson:? 25+ years cybersecurity experience across the field in large organizations including local and global workforce management. CISSP, CISM, CSSK.? She is an IT security consultant, who serves the International Board of Directors for ISSA and is an experienced speaker and published author.