We’re told over and over again that there are hundreds of thousands of cybersecurity vacancies in the U.S. and millions worldwide. But from what I hear, many new entrants to the application security field find it difficult to land jobs. Why?
I have a few ideas.
The College Barrier. There are a lot of career switchers, as well as folks with a high school diploma, investing in cybersecurity skills, getting new certifications, going to boot camps, and the like. The National Cyber Director issued a press release calling for skills-based hiring, noting that “Skills-based hiring opens up opportunities to workers who have learned skills in programs like apprenticeships and other training programs rather than relying solely on two or four-year college degree requirements.” However, most job postings still require a college degree.
Misaligned Expectations. Many companies seem to have trouble with reality when defining entry-level AppSec job requirements. For example, companies list the Certified Information Systems Security Professional (CISSP) certification as a requirement for entry-level jobs. The trouble is that you MUST have five years of security experience to take the CISSP certification test. If you have five years of security experience, you’re not an entry-level practitioner! How can you ask for a CISSP for entry-level when it’s technically impossible to achieve this?
Inability to Accurately Define Roles. Application security covers a lot of areas, from tools and architecture to monitoring and incident response. But most companies do not fully understand what application security is and because of this, they freeze the hiring process until they can determine what they want to do. They may only have one or two positions open, so where do they focus the resources? It’s a tough decision.
Seasoned Workers Clog the Pipeline. I’ve noticed that some companies are looking for absolute unicorns — those who somehow understand all aspects of network security and are strong developers, too — for entry-level pay. I am concerned that over-qualified/certified/educated people are taking up some of the market’s entry-level positions, leaving little behind for the new generation of security professionals.
No Time to Train. Keeping budgets and staff low causes a vicious cycle where practitioners are too burned out to expend the energy necessary to bring new talent onto the team and mentor them. I’ve seen this firsthand with other teams in previous companies. They feel that it’s easier to “Just do it themselves” instead of training the next generation. More trained staff would give them room to breathe, but they’re already too out of breath to do the training.
General Hiring Shenanigans. AI plays a massive role in hiring these days and can auto-remove applicants from consideration. That means that resumes of qualified candidates may never be seen by human eyes, while others game the system by falsely adding the entire list of requirements to their resume. As an AppSec program director, I would frequently interview applicants who had no experience coding in an area listed on their resumes.
On top of that, fake job postings are a problem. In a recent survey of hiring managers, 30% admitted that they currently have fake job postings listed on job sites. Why are they doing this? I can think of several reasons: To convey the impression of a growing company; to make existing employees think someone new will lessen the workload; to scare existing employees into thinking they will be replaced; and, the least bad of the bunch, to collect resumes for a position they hope to fill down the line.
So, where do we go from here? Solving bad hiring practices is beyond my expertise, but I can address application security.