EPISODE 24
How to Navigate a Skill Gap

About this episode

In this episode, we are focused on the ever-divisive question of the importance of certifications in the cybersecurity industry. The answer to this question has changed over time from certifications being unimportant, to them being extremely important, to well, it depends.

 

Certifications can be extremely important for several reasons, including their ability to help your resume get through the Applicant Tracking System (ATS) filters used by the human resources and recruiting team, but they are not a silver bullet that will instantly land you a job.

 

As Jason Dion (Lead Instructor of Dion Training) shares with us in this episode, certifications can be your ticket to getting an interview, but they alone won’t get you the position. That said, without having that certification on your resume, you can easily be filtered out of consideration before a hiring manager even gets a chance to look over your resume. This makes having the right certifications and experience imperative if you want to land your dream cybersecurity position.

 

Just as a certification isn’t a substitute for a college degree, you will also learn that a college degree is not a substitution for having the right certifications. This is often not an “either-or” thing, but a “yes-and” type of thing that you must achieve for many cybersecurity positions.

 

What you’ll learn

  • Why are certifications important in the cybersecurity industry?
  • Are certifications or experience more important to a hiring manager?
  • Are certifications or college degrees more important to a hiring manager?
  • Which certifications should you be getting to advance in your career?
 

Episode Transcript

Kip Boyle:

Hi, everyone. This is Your Cyber Path. This is the podcast that helps you get your dream cybersecurity job. I’m Kip Boyle. I’m here with Wes Shriner and we are experienced hiring managers of cybersecurity professionals. And if you want to give us feedback on the show, or if you want us to answer your question on a future episode, all you have to do is visit the show page. It’s at anchor dot f-m forward slash your cyber path. When you get there, there’s a message button. Press that and start talking and we will get your question or comment. So let’s talk about skills. So here’s the thing. What if you have a gap between your current skills and the employer’s required skills for your dream cybersecurity job? What do you do? That’s what we’re going to talk about.

Wes Shriner:

And it’s going to be a good conversation. I had an interesting happen this week, interesting thing. We were plumbing the well, the agricultural well on the property. I had a friend over-

Kip Boyle: 

Because you have a farm.

Wes Shriner: 

I have a farm and neither of us know how to plumb a well. So-

Kip Boyle:

Well, could you just back up for just a moment-

Wes Shriner:

We had a bit of a skill gap.

Kip Boyle: 

What does it mean to plumb a well? I don’t even know what that is. I’m a suburban guy.

Wes Shriner: 

I got a 90 foot hole in the ground. I got a little pump that drops down in there and a hose that comes out. I was able to get that and I can squirt water in the air. And that was one of the most amazing things coming to the farm was I can get water out of dirt and that was awesome. But once I got over that, now I’ve got to be able to get water to each corner of the yard. And how do you plumb a well water to the treehouse? Or to the tractor over there in the corner? And so it was really a skills gap for me, but I was there with a fellow who was also willing to learn, and we did our best. And right now there is water at a post about 20 feet from the treehouse. So I’m not saying we know exactly what we’re doing, but we knew enough and we knew who to call and we solved our skills gap. And I think that’s what we’re going to be talking about today.

Kip Boyle: 

Yeah.

Wes Shriner:

So I think it should be fun.

Kip Boyle: 

Yeah, definitely skills gap. So, I mean, just about any time you think about applying for a job and you read that JD, you’re going to detect gaps. And I think that just goes with the territory.

Wes Shriner: 

A couple episodes ago, we talked about how to write your resume so your skills clearly match those listed in the posting.

Kip Boyle: 

Yeah.

Wes Shriner: 

As being required by the employer for the job.

Kip Boyle: 

Yep. We did. Yeah. And so let me just recap. So what that means is a few things, like first of all, is that you’ve defined your own skills. That you’ve actually written down what you can do. The second thing is that you’ve organized your skills into logical groupings.

Wes Shriner: 

Yes.

Kip Boyle: 

Cause you probably have a ton of skills and you need to put them in some buckets so you can find them and put them on the application in a way that’s going to make sense for the hiring manager. We also made sure to point out that you either need to eliminate or properly qualify any aspirational skills. So it’s like, no, I don’t know how to work in AWS right now, but I want to, and you may be tempted to say that’s a skill. What you really want to do is say, I aspire to that. So go back and listen to the previous episode. And we tell you exactly how to do that.

Wes Shriner: 

A resume is not an exercise in creative writing.

Kip Boyle: 

Not unless you like to live a roller coaster life where you have no idea what’s going to happen tomorrow, when you show up for work and they say, oh, fraud on the resume. Thank you very much. You’ll be leaving now. So, but to continue the recap, right? So you’ve done all the things I’ve just described. You looked at the job description, you’ve identified your skills and you’ve matched them up to what the employer’s looking for.

And then the other thing that we’ve talked about is you have to tie each skill that’s relevant to the job that you’re applying to down into the job history bullets. So if I see a skill listed, I should be able to see in your job history where you acquired that skill or where you used that skill to create business value.

Wes Shriner:

Exactly. We can tie it together like that, we’re telling the story for our employers so they can see it easily. But what do you do?

Kip Boyle: 

And believe it or not, that’s selling. So-

Wes Shriner:

It is. So what do you do if you have only a few matching skills? I mean, ideally your skills list is a reasonable match for the position. Hopefully we’re getting more than 70%, maybe. I don’t think we’re going to get to a 100. So what do we do there?

Kip Boyle: 

Well, I think the only way you’re going to get to a hundred, by the way, is if you’re applying for a job that you’re overqualified for, right? Keep that in mind is that if you’re seeing a 100% fit, you’re probably going sideways in this job. In other words you’re not moving up with this job change or you’re maybe even going backwards a little bit.

So what is a skills fit? I mean, it is kind of squishy. There’s actually a lot of study on this as far as like if somebody sees that, oh, I fit about 70% of what they look for. Am I going to feel like, Hey, that’s a win. I should apply for it. But we also know that some people look at that and say, oh, I’ll never get that job. There’s no point in applying. And then there’s still other people that see a 90% fit and they still think that’s too much of a stretch. So people are kind of all over the place on this. And that’s why it’s squishy.

Wes Shriner:

And some of that might be a gender interpretation as well. I think we see that in some studies. And so my big encouragement here is [crosstalk] don’t rule yourself out. You can’t really trust that job description to be custom and perfectly written for this job. There’s a lot of job description reuse. Is it really describing the job available? You can assume no one spent an hour writing a brand new document for this job. So weird things are going to appear, that’s okay. Skip over them and keep going, because I don’t want you to rule yourself out just because there’s a weird line in there that somebody didn’t edit out.

Kip Boyle: 

And I think what’s tough for job seekers… job hunters is really what I want for our audience, don’t just seek jobs hunt for them, is it can be difficult to know, okay, this looks weird in the JD, but is that a true mistake? Is that an oversight? Is that a result of somebody just quickly recycling the JD because they just don’t have a lot of time or is that for real? I mean, that can be difficult to discern when you’re a job seeker. But I’m glad you pointed that out because at least now our listeners know that sometimes when you see that it’s just an artifact of somebody trying to move fast and just get a lot done. They’re being sincere, they’re not deliberately trying to mess with you, but sometimes that can happen. Based on my own experience and the comments that I read on social media, again, it’s just not an easy judgment.

Wes, what I’m wondering is what’s stopping cyber security hiring managers from taking more care when they create their job description?

Wes Shriner:

So I saw this on LinkedIn last week. I don’t know him, but Sebastian Ramirez posted on LinkedIn, “I saw a job post the other day. It required four plus years of experience in FastAPI. I couldn’t apply as I only have one and a half plus years of experience since I created that thing. Maybe it’s time to reevaluate the years of experience equal to skill level.”

Kip Boyle:

That’s perfect.

Wes Shriner:

If you invent the technology [crosstalk] a year and a half ago, you’ll never have four years experience in that. And we’ve got to as a job seeker, understand that some of those years of experience are really just, are you an expert? Are you intermediate? Tell me more about where you’re at.

Kip Boyle:

Yeah. In my experience, sometimes things like that happen because maybe the hiring manager kind of sketched out what they were looking for in terms of a position that they needed to fill. But maybe the recruiter in the HR department looked at that and not being familiar with FastAPI or knowing how long it’s been around they just kind of said, well, for this position, at this pay rate, with this title, that’s a four plus years of experience. I mean, that’s a pretty reasonable explanation of what might have happened.

Wes Shriner:

I think so. I know a skills fit for me is where you demonstrate at least enough skills, that it’s a logical conversation for technologies, capabilities and experience levels. We can anticipate the required skills long before the job interview and we should be doing that, even if the list on the job description seems weird. So every technology job is going to have some form of this recipe. I need you to be an expert in X, Y, Z technologies. You also need to be kind of good with A, B and C technologies, processes or methodologies. You need to be a great verbal and written communicator able to work alone and in groups and some sort of certification preferred.

Kip Boyle:

Yeah. That’s a pretty standard recipe. And depending on the situation that could either describe a lot of people that are looking for jobs, or it could actually be describing not just a unicorn, but a purple unicorn with sparkles in its mane. I mean, sometimes this stuff is just like, it’s impossible. But let’s look at it. So it’s a pretty standard recipe. So what skills would you emphasize as a hiring manager [crosstalk] on that list?

Wes Shriner:

Where the skills are a direct match, call those out. It’s okay to make mention early in the discussion that you’ve had several years experience writing Chef recipes for some environment, and that Python is your favorite scripting language. In fact, you should focus on the positive things that you do know the ways you would normally solve problems. And then in places where you have gaps, you don’t need to spotlight that yourself. It may be that the homework you did is going to be enough. I’m not saying you should make up answers, that’s an immediate penalty flag. But there is no reason to start a skills conversation with anything negative.

Kip Boyle:

Okay. All right, good. So there’s no need for you to bash yourself before anybody gets a chance to do it. I think is another way of saying that. In our master class, the one that I mentioned at the end of every episode, one of the things we talk about is parallel skills. And I think that’s kind of relevant here.

Wes Shriner: 

So tell us about parallel skills. What are those?

Kip Boyle: 

So parallel skills is something that you do when you’re applying for a job. And again, there’s a skills gap. And maybe you’re not even close, but you do have some experience that relates. And so the use case that I will often mention this idea, when I’ll bring it up, parallel skills, is when you’re a person who has a non-technical background and you want to move into a role that is information security focused. Which could either be a non-technical role or a technical role, but you’re trying to get into information security or cybersecurity, and I’ll give you some examples.

We need to do data governance as part of information security work. And so maybe you are a librarian, maybe you’ve got lots of experiences as a librarian, and you want to cross over and you want to work on data governance. Well, you’ve got a lot of parallel skills. You’ve never done data governance before, but you certainly know how to manage data. And you’ve got a solid foundation for what does it mean to govern data.

Another example would be a project manager. So maybe you’ve managed projects, maybe they’re IT projects, or maybe in the marketing department or something like that. And you want to come over to cyber security. There’s a lot of parallel skills there. I mean, projects need to be managed. They’re pretty much managed in very similar ways, conceptually similar ways.

Teachers, maybe you’re a teacher and you want to start doing security awareness training. Tons of parallel skills there. Believe it or not there’s actually a couple of other really interesting ones that I’ve encountered before. Like a bartender. Bartenders are incredibly savvy with people. So I think there’s a ton of parallel skills for a bartender to aspire to be a social engineering tester or a phishing tester or something like that. Again, if they have the aptitude for the technological things that they’re going to be encountering.

And I think if you have a background in law enforcement, then working in a security operations center or an incident response team might be a great fit for you. Tons of parallel skills there. But, but again, parallel skills are good. You also have to have aptitude and then you have to go get the hard skills as well. This can be really helpful for people who want to cross over.

Wes Shriner: 

That sounds a lot like what I did with the well. I have plumbed a bathroom sink. I have done it with PEX pipe. And I have jumpered that PEX pipe from copper. And there was no copper and there was no PEX involved in the well. But I was using poly pipe. I could even use barb connections. I could drop to a brass fitting. I can set the shutoff valve and I can go to the sillcock in the ground all the way out there, get it connected up and turn on the water. And so I’ve never done that before, but I did something similar and you still got to make sure your fittings are tight. So it worked out okay. It’s transitional skills. [crosstalk]

Kip Boyle:

I’m sorry, but, to my ears you sound like an expert. The way you used all that jargon. Well done.

Wes Shriner: 

I read a lot of YouTube to get there.

Kip Boyle: 

It bamboozles me. You’re hired.

Wes Shriner: 

All right. So interviews are way more than a pure technical fit discussion. It’s really important to make sure you’re checking the technical fit boxes, but it’s not required to have every skill on the list. You’ve heard it said, “I can teach football, but I can’t teach heart”. The same is true in corporate America. If you can teach football, but you can’t teach heart.

If I’m hiring an ArcSight analyst, the person coming in should have logged into ArcSight before.

Kip Boyle: 

That’s for sure. But that’s the technical fit.

Wes Shriner:

If the person can demonstrate why I need them with their analysis skills that’ll be the part that gets them the job. Now, maybe just maybe I have a team of amazing analysts and I really do need an ArcSight expert. If that’s the case you’re not getting the job. But you can’t know that from the description. So don’t weed yourself out of that one before you get to the interview.

Kip Boyle: 

Oh, that’s really insightful and really helpful because job seekers I mean the JD doesn’t always tell you, what’s a hard requirement versus what’s not a hard requirement. Sometimes it does. But I mean, let’s think about that. So I understand ArcSight because I’ve used a competitive product. And maybe I’ve seen screenshots of ArcSight, but I don’t consider myself to be an ArcSight expert. I think I can pick it up, but I might not apply because I might kind of make up in my head. Well, because I’ve never actually used ArcSight that means that they’d have to train me right away. They might have to spend $5,000 or more to train me. And I’ve just shown up. They’re never going to do that. So there’s no point in me applying for this. I’m not even going to try.

Wes Shriner: 

Okay. So these are the voices [crosstalk] in your head talking to you, Kip. These are the voices telling you. You’re not good enough. You’re not smart enough. And that’s totally not true. We know that about you. And we know that about our listeners as well. Hiring a new staff is way more expensive than any $5,000 ticket. This person is joining my team. If they help me succeed, I get a promotion. If they don’t, they may actually slow down the rest of us. I have every incentive to help this person succeed and see this team win. It’s your goal as the candidate to convince me that this team can win more with you on the team than not. And that’s not always about the technical skills gap.

Kip Boyle: 

No, it’s not. It’s about having heart. It’s about having confidence. It’s about leaning into the situation. But just kind of going back to why would somebody think that, because I’ve never really used ArcSight or some other tool that they’re not going to spend the money to train me. And I can tell you that I’ve worked in environments where training dollars were reserved for the good people. Like it was a perk, so you had to prove yourself. And there was no way somebody fresh into the team was going to get that kind of a perk. And so if I’ve worked in that kind of an environment, then that’s where my mindset is. When I’m thinking about making an application or going into the interview, what would you tell our listeners about that?

Wes Shriner: 

As a candidate I’m not going to walk in and say, “hi, I need you to train me in order to get started”. No, that’s not how I approach this. I would say that I can learn the mechanics of an application in my spare time. I’m a learner and I like to learn, I learn quickly. I can go to a training or I can learn by doing. You’ll see, I’m proficient with this application in the first couple of months with or without training.

Kip Boyle: 

Okay. So we’re talking about hunger. As a candidate, you’re saying, look, I’ve got skills and I can figure this out. Whether you are going to train me or whether you’re just going to turn me loose to figure it out on my own. However you want to do it. I’m going to make it work for you.

Wes Shriner:

And hunger goes a long ways. That is a huge message you want to come across as a candidate in your interview cycle. I am eager to be here. Common question. “Why do you want to work at this company?” You’re answering a hunger question. That’s where we start. So when I think interview-

Kip Boyle: 

Yeah. Don’t tell me you’re hungry for a paycheck.

Wes Shriner:

No, that’s not the right one. When I think about interviewing, I think about what kinds of fit I’m looking for. I’m looking for a technical fit, a team fit and a shared direction. This week we talked a lot about technical fit and a little bit about my well excursion. Next week I think we want to talk about how to build the team fit and communicate where you want to go next in order to really round out that interview.

Kip Boyle: 

Yeah. That sounds great. That sounds fantastic. Let’s count on that listeners. That’s what we’re going to talk about next time. Now, listen, if you like our podcast, then I would like you to consider signing up for our masterclass. It’s called, “How to Get Your Dream Cyber Security Job as Told By Hiring Managers”. Like me, like Wes and other hiring managers that I’ve had help to create this course. And you may not know it, but back in April, just a little while ago, we had one of our students get his dream cybersecurity job before he even finished all the lessons. It’s an inspiring story. I was inspired. If you want to read about it, if you want to listen to this story, you can listen to Steve tell you about it. Just go to your cyber path dot com forward slash Steve. And you can even check out a different podcast called, “The Insecurity Podcast”, where Steve tells you all about it. So check that out. But in the meantime, I want you to remember, you’re just one path away from your dream cybersecurity job, and we’ll see you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.