WHY ENTRY LEVEL JOBS AREN’T REALLY ENTRY LEVEL
About this episode
In this episode, we discuss the fallacy of an entry-level cybersecurity job and why it is a common area of frustration for people trying to break into the cybersecurity industry. After all, an entry-level cybersecurity role is more like an entry-level airline pilot…no one is just going to throw you the keys on day one without some experience, education, and certifications.
Kip shares several tips on what a newbie can do to land their dream cybersecurity job by demonstrating that they have the experience, education, and certifications needed to perform the role on day one of their onboarding. This includes getting trained up and having the skills that matter most. Cybersecurity is about defense and attack, so keep that in mind to understand what type of cybersecurity job you want to pursue.
What you’ll learn
- What skills are desired by employers
- Why an entry-level position sometimes requests that you have 5 years of experience
- How to identify the skills gap you have and then how to eliminate that gap
Relevant websites for this episode
- Your Cyber Path (https://www.yourcyberpath.com/)
Hi, this is Your Cyber Path. This is the podcast that helps you get your dream cybersecurity job. I’m Kip Boyle, and I’m an experienced hiring manager of cybersecurity professionals. In today’s episode, I want to answer a common question that I get. Here’s the question. Why do all the cybersecurity job postings ask for five years of experience, but they’re labeled as entry level positions?
Well, there’s really two common reasons for what’s going on there. The first thing you need to understand is that an employer’s job description is really a wish list. They don’t expect to find someone who hits on 100% of the requirements. They would be glad if that happened, but it doesn’t always happen, and so typically they need to make some compromises. And no, they don’t say any of this that I just shared with you openly, but as an experienced hiring manager, I can tell you that, that’s usually what’s going on behind the scenes.
So my advice to you is that if you meet even 50% of the requirements in a job description that you see, make sure that you apply. Don’t read the job description as if it’s the requirements for a new video game that you want to play. And we all know how that goes. You need a certain caliber of video card, you need so much RAM, and if you don’t have it, then you know the gameplay is not going to be very good. You may not even be able to load the game. And so you don’t buy the game or you go off and you upgrade your system, and then you go and you get the game. Well, job descriptions are not video game requirements. They’re not meant to be taken that literally. So if that’s the way you’re thinking about it, please get into a different head space because you’re unintentionally blocking yourself from really great opportunities.
So that’s the first reason. Now, the second reason why they ask for five years of experience is a little tougher for people to hear. I know they call it an entry level job, and it is entry level for cyber security, but it’s not entry level in the traditional way that we think of that term. It’s a little different. Cybersecurity entry level jobs typically require a lot of knowledge and experience before you’re actually qualified for one. Now, most people pick up that work experience in a feeder job and they might spend two or three years working in that feeder job to get the necessary amount of experience. So, what’s a feeder job? Well, typically it’s a systems administrator, or a network administrator. Now I want to try to explain this in a different way. I want to use a different example all together.
Let’s look at the aviation industry, okay? So you might ask, what does it take to become an entry level Boeing 787 pilot, right? Because let’s face it, until you start flying a 787, that’s entry level, isn’t it? The first time that you get behind the controls of a 787, that’s the first time, right? So I think you could see where I’m going here, right? But let me walk you through it. So to begin the process of getting an entry level 787 job, the first thing you need to do is accumulate 1,500 hours of total flight time. And why do you need to do that? Because that’s what you need to achieve in order to qualify to take an examination. Now, this exam is called an Airline Transport Pilot Exam.
When you get that, you are then certified to fly scheduled flights for a scheduled airline. And so in those 1500 hours of flight time, you need 500 hours of cross country time, a hundred hours of nighttime flying, 75 hours of instrument time. And you need 250 hours of time as, what’s called, pilot in command. And there’s some other requirements too, but clearly you need a lot of experience just to take this first examination. Now, once you’re certified as an Airline Transport Pilot, you’re authorized to act as what’s called, pilot in command, again, on scheduled commercial flights. Okay, but all that does is actually get you to a stepping stone in the path to becoming a 787 pilot. So if you get that certification, you don’t go right to 787s, you go to a turbine powered twin engine aircraft like the one that you see on the screen here, where you’re carrying passengers.
Now it takes about two years of full-time work to accumulate those 1500 hours of flight time. And you may do some, or all of that work on your own. It depends on whether you get a job as a pilot, maybe as an instructor pilot, teaching other people who want to fly. But a lot of this is going to come out of your own pocket, and it’s going to be something that you’re going to have to do on your own. Now, to become a 787 pilot, you still need to accumulate more experience. You need about 5,000 total hours of piloting a multi engine aircraft carrying passengers. And that’s going to take another five or six years. And you might accumulate that experience flying, for example, a 737 like you see here.
Okay. So now you’re maybe coming up on 10 years of flying, you’ve got 5,000 hours and you’re still trying to get that 787 pilot job. Okay, once you’re qualified, there’s still actually a lot of competition to get that job. And it’s really expensive to train a pilot. As you can probably imagine, 5,000 hours, every hour costs a lot of money. And so most for-profit companies are not going to train you from the very beginning. From the time that you don’t know anything at all about how to fly or how weather works, or how weather affects flying. Most companies aren’t going to do that. Now, there are some who will, right? The military. I started off in flight school in the military and so I’ve kind of had an up close look at kind of how this whole process works, which is why I think it’s a good analogy for me to use to help you understand it.
So the military, yeah, they’ll qualify people, bring them in from zero hours, and take them all the way up to fully qualified pilot. But if you want to fly 787, that’s not the case. Now there’s some parallels here with cybersecurity. Turns out the military will take you from zero, as long as you’ve got the right aptitude and you meet other qualifications, but they’ll take you from zero and they’ll train you to become a cybersecurity expert in different types of fields of expertise. Now, not everybody can join the military. I get that, but that’s one of the few organizations that I know of where they really are offering entry level cybersecurity jobs in the way that that term implies. By the way, I thought you’d find this to be a really interesting fact. So the F22, which is a program that I worked on when I was in the military, it costs the Air Force about $11 million to fully train each F22 pilot.
So just to give you a benchmark, right? Now, again, it’s nowhere near that expensive to train cybersecurity people, but we’re talking about a completely different organization. One that’s not required to turn a profit. So even though it’s not that expensive, it still does cost quite a bit to train people. The military can retain the people that they’ve trained. There’s service obligations. And so they can get a return on the investment for training you. In the private industry, it’s not nearly as straightforward as that. But the good news is, is there’s a lot of things you can do to gain expertise without breaking your bank account. All right. So let’s take a look at a couple of ideas that I have for you. The first thing that I want you to think about is, is that you need hands on experience solving real world problems.
And so you need to get skills. Where are you going to get these skills? Well, this is a $600 million professional grade data center. And what you need to do, because you don’t have access to one of these right now, but you’d like to have access, but you need to find a way to approximate as close as you can come to this type of a setup in your own home. And then once you do that, you’re going to conduct experiments in this home lab that you’re going to build. Now, not only can you build a home lab, but you can actually take your very modest home network, you’ve got an internet router, you’ve got a wireless system, and then you’ve got, maybe, I don’t know, a handful of devices. Now, you can actually build up your home network to make it more like a production network.
And you can add all kinds of different things, like maybe a media streaming server, where you can have your movies and provide that as a service to your family, to your roommates, to yourself. And by doing that, it’s going to give you the experience of what it must be like in a paid position where there are computer services that need to be up and running at all times. You could also volunteer. There’s probably, in your area, wherever you live, I don’t know, there’s probably charities or nonprofit organizations, could be a school, that would love to have a volunteer who’s very interested in learning systems administration, network administration, and pitching in and helping. So a volunteer role will also go a long way to help you. Now, another strategy for using your home lab is to study for a certification. So if you don’t, if you’re starting from zero, you probably need to think about getting a CompTIA A+ certification, a Network+ certification, and a Security+ certification.
And you can self-study, or you can get into study groups, you can buy study packages. There’s all kinds of ways you can do it. Some of those ways cost no money at all. Some of those ways cost a little bit of money. But the thing about it is, is that when you study for these examinations, you don’t want to study just so that you can pass the test. That’s not what I’m talking about. You really need to learn what the certification is teaching you. And that means that you need to have your home lab, your test lab in order to be able to try stuff out in a safe environment where if you mess it up, okay, you lost some time, but more importantly, you learn something. It’s failure that’s going to teach you the most about how this all works, and is going to give you the experience that you need.
The bottom line is, skills matter the most. Now these are the basic components of a traditional home computer lab. And you can start very small, and then you can grow your home lab over time by adding different components. Like you might not have an uninterruptible power supply in the beginning, but you can add one of those later. And you can add one that has a programmatic interface so that you can actually have your computer talk to it, or more importantly, have the UPS tell your computer, hey, electricity’s out, it’s time for you to do an orderly shutdown. And then you can do more complicated networking things as you gain in your skills. Now, in the past, people would build a home lab out of actual hardware and they might store that hardware in a garage or in a closet, or in a spare room, or an attic, or something like that.
Because this stuff’s noisy, generates a lot of heat. Not very fun to share your living space with a lot of this gear. But today you can use virtualization and you can put a lot of computers together, lot of network devices together in a closed isolated TCP/IP network in your home. And typically on a single computer, if it’s got enough RAM and storage and processor capabilities, then you can actually go get virtualization software and you can build a very big network in the memory of just a single computer. Now, this approach is cheaper, it’s faster, it’s quieter than having dedicated hardware. So this is actually, I would say, a better place to start. If you want the very best place to start, the one that’s really going to set you up for success for the future is building a home lab in the cloud.
So AWS, for example, has a free tier where you can get in there and sign up. And they’ll give you a huge basket of hours where you can build whatever you like in the cloud. And what’s great about that is you’re going to be able to learn about new concepts that are going to, it’s going to directly translate into a job that’s going to be available for you to get. You’ll be able to say that, “Yes, I know how to administer systems and networks. And yes, I know how to do that in a cloud.” Which is super, super important. This is the trend. We’re going away from servers that are installed in a physical building that you work in and everybody’s going towards virtual servers. Now, not everybody’s there yet. Especially companies and organizations that have been around a long time.
They’re still going to have a lot of gear and so you might still see that. But a lot of our customers who are smaller, who are newer, this is how they are doing their computing. They’re doing what’s called cloud first and their offices, if they even have an office, it’s nothing more than a private Starbucks where they have a wireless access point, maybe a few, maybe a whole fleet of them. But really, at the end of the day, it’s just a place for people to gather with their laptop computers. There’s no servers. There might be a way to do some printing, some local printing. They might have a print server, but everything else is going to be in the cloud. So think about cloud, that’s where you really need to start. Now, another thing you can do to get experience, to prepare yourself, is go out to the Center for Internet Security because they have benchmarks.
Now, benchmarks are a collection of security settings for a given operating system, or a piece of hardware, a router, switch, so forth, wireless access point. Now these benchmarks are freely available to you. You can get them, you can study them, you can learn what’s in them. There’s more than a hundred configuration guides, and they’re dealing with over 25 vendor product families. So there’s a lot there. And the goal of these benchmarks is to safeguard systems against threats. So if you get your hands on them and you study them, especially for popular products like Windows Server and Windows desktop, and things like that, then that’s going to give you a leg up. Get in there, crack these things open, understand what’s in them. Now, you can learn even more by actually implementing these settings in the actual computers that they’re intended for.
So once again, I recommend you go into the cloud. You spin up a cloud server in the free tier of AWS, maybe Azure, whatever cloud provider that you’d like to work with, and go ahead and enter these settings. Now you can get pre-built virtual machines that have all these settings enabled, but I don’t think that’s going to help you understand as much as putting in the settings yourself. Time consuming? Absolutely. That’s why people do prebuilt virtual machines so that they don’t have to hand enter. But to do that once, or maybe twice, is going to really put that information into your brain. It’s going to really help you understand what’s going on at the lower levels here. So another thing you can do is think about joining an organization that invests in building a cyber security talent pipeline.
If you ever hear about an organization having a talent pipeline, that usually means that they are identifying people who may not have all the right skills yet, but have the right attitude, the right aptitude. And that organization is willing to invest in training people to learn how to do cybersecurity the way that company likes to do it. So the military, as I said before, and as you probably know, they already have their own in-house talent pipeline. And what’s great about that is you can work full time and get paid while you learn what you need to know. Now, I know not everybody can join the military for various reasons. There are other organizations that probably have a talent pipeline. Here in the Seattle area we have the headquarters of T-Mobile, and I know that they’ve got a talent pipeline. They have an arrangement with the University of Washington.
And so, that’s one of the ways that they are dealing with the problem they have, which is identifying people who have, who can fill all the empty seats that they’ve got. So you might want to think about that, looking for a company that has a talent pipeline. There’s not that many of them, you’re going to have to constantly search for those positions. You need to be talking to people that you know, to find out which organizations might have that available to you.
Okay, so I hope that helps you understand what’s going on when you see entry level job in a job description, but the requirements are much higher than somebody coming at it who wants to learn, who’s hungry to learn, really motivated, but doesn’t have the skills yet. So why is that gap there? I hope you understand why entry level job has a different meaning in cybersecurity than it does in other professions.
You may need to train yourself in order to cross this gap. This gap between where you are now and where you want to be. Or, if you can, you might want to join an organization that will train you how to become a cybersecurity expert while you are actually working and earning an income. So there you go. That’s what I wanted to share with you today. This whole thing about entry level jobs. I hope that makes a lot of sense. Now, I’m not saying that this is the right way for organizations to do things, or that this is the desired way. I’m just helping you understand why most organizations seem to come at this issue of entry level jobs the way that they do. There’s probably organizations out there that are way more generous in terms of training people and identifying people early on. But I would say at this point, in my observation, they are the exception and not the rule.
Okay, hey, if you like our podcast then we’ve made a free guide for you. And I hope you’ll go ahead and grab a copy of it. It’s called, Play to Win, getting your dream cybersecurity job. If you’ve ever played, capture the flag, as a way of training yourself to understand what cybersecurity is all about, attack and defense and so forth. If you’ve ever played, capture the flag, then this guide is for you, because it’s going to teach you how to take that approach of breaking into a computer to capture that digital flag and apply that to your job hunting. So it’s a really helpful 20 page visual guide. I hope you go get it. On the screen you can see pages six and seven, and we talk about different blockers that you’ve got to get through in order to get the job that you really want.
The first blocker is you have to know the job that you want by the title of the job. You can’t just have some vague idea that you want to get into security. You’ve really got to pick a job by title. Anyway, the guide talks all about that. I hope you go get it. If you do, here’s the URL, yourcyberpath.com/pdf. Here’s the thing I want you to remember, more than anything else, you’re just one path from your dream cybersecurity job. Thanks a lot for being here. See you next time.