EPISODE 70
 
How Can The Same Cybersecurity Job Be So Different Depending On Who You Work For?
 


About this episode

In this episode, we are focused on job titles. It is important to know the job you are doing, but the job title doesn’t really matter that much.

Do realize that there’s not just one type of cybersecurity job out there. Even if you know the job by title, it doesn’t mean that every job with that title is the same. If you are keen on details, you will know what the differences are between jobs that share a title.

Kip and Jason talk about five cybersecurity positions so that you will be able to identify how they are different from each other. The discussion includes various keywords to look out for, basic requirements and experience required for the job title, as well as company background to keep an eye out for.

Job titles mean everything. Job titles mean nothing. ~Kip

What you’ll learn

  • Why job titles are important
  • Why you have to be keen on job descriptions
  • What basic requirements and experience to look out for
  • Why it is important to know how large the organization is

Episode Transcript

Jason Dion:
Hi, and welcome to another episode of Your Cyber Path with your hosts, Kip Boyle and Jason Dion. Kip, how are you doing today?

Kip Boyle:
I’m doing really well. Thanks. It’s springtime here in Seattle. I went on a walk yesterday, pretty long walk, and we’ve got all these trees here that are flowering. We’ve got so many fruit trees, I wouldn’t eat all of it, but we’ve just got like apples and pears and berries and all this stuff. And this is a wonderful time of the year because just the blossom is just everywhere. It’s fantastic. Anyway, I was really enjoying that.

Jason Dion:
I think that’s awesome. My wife, not so much. She has really bad allergies. And so spring tends to be the death of her. She does not like when everything’s in bloom. That is not a good time for her, but for me, I think that’s beautiful and that’s awesome. So we won’t come visit you until the blooms are all done with. But otherwise, it sounds great, man.

Kip Boyle:
That seems reasonable.

Jason Dion:
All right. Yeah. I mean, everything here has been going good as well. I mean, we’ve just been super busy at Dion Training. Just finished up my PenTest+ course. It’s about 30+ hours of content going through the theory and the hands on of hacking and all that fun stuff. And man, it is a huge improvement over our old version, one core. It was about eight or nine hours. This new one is about 30 hours. So huge difference. Took a lot of time. Just got that behind us. And now I’m starting on my next project, which is actually for the Data+ certification, which is all about being a data analyst, which is becoming one of those big, huge fields that’s kind of cyber adjacent. It’s not necessarily cyber security, but it is definitely cyber adjacent. And so I’m working with another instructor on that one and it’s going to be a pretty awesome course once we’re done with that.

Kip Boyle:
And is this your first iteration of Data+?

Jason Dion:
It is. Yeah. So the Data+ is a brand new certification that just came out from CompTIA back on February 28th of 2022. As we’re recording this today, it’s the beginning of April. By the time people are listening to this, it’s going to be in the middle of May. But yeah, that is a brand new certification. And so far, the marketplace seems to be very interested in it. It’s going to take some time, as we’ve talked about before with certifications, for the industry to catch up and have HR start asking for certified Data+ persons. But I think it’s one of those things that we’re going to be getting in there early to help people get those certifications and start driving that message about the importance of a certification like Data+ for those who want to be in the data analytics world.

Kip Boyle:
Yeah. I think that’s great. I mean, cyber security is almost all about protecting data. So yeah, a cyber security adjacent, I like the way you describe that. That makes a ton of sense.

Jason Dion:
I mean, it’s even something that in my own business, we use a lot of data analytics as we’re looking at students and their completion rates and what questions they’re getting right versus what questions they’re getting wrong so we can always make our courses better and make our exams better and all that stuff. So I have a pretty good background in data analytics and so is most of my team. And so we thought it was going to be a great thing for us to kind of get involved with as we start supporting that new Data+ certification. So we’re interested to see where it goes.

But yeah, this episode, what we’re going to focus on is not data analytics or PenTest+, but instead we’re going to focus on job titles. We always tell people that it’s important for you to know what job you’re going after. But today, we’re going to talk about something a little bit different and talk about why job titles really don’t matter that much. Now, why, Kip, do job titles not matter? All the time, I hear you tell people, you got to know what you’re aiming at. You got to know if you’re going to be a cybersecurity analyst or you’re going to be a system administrator or whatever it’s going to be.

Kip Boyle:
PenTest or whatever it is.

Jason Dion:
And now here we are telling people, they don’t matter.

Kip Boyle:
Yeah. I know we’re talking out of both corners of our mouth on this one. I could see why people might think that. Well, the idea here is that you actually need to hold both of these thoughts in your mind. And let me just recap why it’s important to know your job by title. We’ve encountered so many people who come to us and say, “Well, I want a job in cybersecurity.” And we’re like, “That’s great. We’re happy to help you.” But what they don’t realize is that there’s more than just one type of cybersecurity job. They don’t get that in the beginning, many of them.

And so we’ve done a lot to help people understand what the different opportunities are. For example, we’ve got a lot of back episodes in the Your Cyber Path Podcast that you can go and listen to where we actually broke down what are the typical services of a cyber security organization in a large-ish company, and really started to break out all of those roles. So it is important to know the job by title when you first say to yourself I want to get a cybersecurity job.

But once you’ve crossed that hurdle, then there’s another realization you’ve got to have, which is, just because you know the job by title doesn’t mean that all jobs with that title are the same. And so what I’m really encouraging people to do is to dig into the job descriptions to make sure that they’re comparing apples to apples, because the reality is that there’s a lot of variability and you could be comparing an apple to a watermelon. If you’re not careful, if you just assume that all these jobs are really the same at the end of the day, then you could… Well, first of all, you might not even get the job because when you make your application and you don’t realize just how different it is, you’re going to be sending a single type of resume to different companies. So you’re going to kind of undermine yourself.

And then secondly, if you get the job and you show up, you might find out it’s just a wildly different experience than what you expected. I don’t want either of those things for you, people who are watching this and wanting to get in cyber. So yeah. So I hope that at a high level anyway explains why job titles are very important and job titles are not very important.

Jason Dion:
Yeah, definitely. I think to bring this point home, that’s what we’re going to do today is kind of go through, I think you picked out five different job positions that all have the same basic title of cybersecurity analysts, but they’re for five different organizations and each one treats that job title or those functions a little bit differently. I know I’ve personally experienced this in my own career. I went and took a job as a network engineer at one organization. And when I got there, they go, “You know what? We don’t actually need you to do network engineering where you’re working on routers and switches all day long. Instead, we really want you to do almost a higher level function of network architecture to design the security controls and how we’re going to do that.” And then I passed that down to other network administrators who then implemented those controls across these devices.

And so I thought I was going into a very highly technical position, hands on, I’m going to work on routers and switches and firewalls all day long. And in the two years I was there, I don’t think I logged into a router or switch, not even once, because I was so busy at the high level designing these things with all the security controls they needed and they had other people that went in and did that work and actually did the configurations. And so it is really important to understand what job you’re being hired for and to make sure it is something that is a good fit for you and what you were looking forward to doing.

Kip Boyle: 
Yeah. It’s funny, that story you just told made me think a couple of things. One thing it made me think of is, well, that’s a bait and switch, right? Like they advertised one job, but then I showed up and they gave me a different job. Some people might be cranky about that and I could see why, but in your case, it was actually a good bait and switch because they actually promoted you on day one.

Jason Dion: 
Well, yeah, except for the fact that they didn’t promote me in pay. They just gave more responsibility but no extra pay.

Kip Boyle: 
Okay. So it was a bit of a bait and switch.

Jason Dion:
And then when you leave the place, I had to work with the people and say, “Hey, I really wasn’t doing a network engineer job here. I was really doing a network architecture job. Do you mind if I list this position as a network architecture job so when the next employer calls you you say, oh yeah, Jason worked for us. He was our network architect.” And they were nice enough at the end of the two years I was there to go ahead and do that because I did a great job for them. But that is one of those things you got to worry about is you may be getting additional responsibility but not additional pay or benefits.

In my case, I was okay with that. I mean, their pay bands for those two positions were relatively close anyway. So it wasn’t that big of a deal. And it was a place where I was able to gain a lot of great experience. So there’s those benefits too, but you’re right, it can be a bait and switch and you want to make sure you’re actually going to the job you think you’re going to, right? Yeah. So let’s talk about these five different positions. What’s the first one that you have for us, Kip?

Kip Boyle: 
Well, I’d love to share my screen so the people who are watching will be able to actually look at the job descriptions. But don’t worry, if you’re just listening, I’m still going to talk it through. So you won’t lose a whole lot by not being able to see it. But Jason, would you give me… Talk about security, would you give me the permission to share my screen?

Jason Dion:
Yes. Zoom kicking my butt again. All right. Go ahead and try now.

Kip Boyle:
There we go. Now I’m seeing the screen.

Jason Dion:
Okay. As Kip is sharing his screen, I just want to point out if you want to see the screen that he is sharing, you can do this by going to youtube.com/yourcyberpath, which is our YouTube channel. Kip, I’m going to ask you to make that larger by zooming in because otherwise that’s going to be way too small for people to read.

Kip Boyle: 
Yep. Yep. Hang on. I’ll do that.

Jason Dion: 
Right. Yeah. So if you’re listening on the podcast, we’re going to describe everything we’re seeing on the screen. And essentially all Kip has on the screen right now is a position for a cyber security analyst position for the city of Littleton, Colorado, which is a small city in Colorado. This was posted only two hours ago. And what we’re seeing is essentially the job position, and Kip’s going to go through that and talk about what does this particular organization, this small local government, think a cyber security analyst will be doing in their organization. Again, you could see this at youtube.com/yourcyberpath, and we’ll have that link in our show notes at yourcyberpath.com/thisepisode.

Kip Boyle: 
Yep. Okay. Thanks for the intro. I’ve got my screen share going. I went ahead and zoomed in on the page share. So I’ve got five tabs open. What I did is I took the very, very common job title of cybersecurity analyst. I just plugged it into LinkedIn jobs and I got, I don’t know, 3 or 4,000 results. I just went through and I just picked out five representative samples. These are just ordinary cybersecurity analysts. There are all kinds of permutations like principal cyber security analysts, lead cyber security analysts, junior cyber security analysts. I skipped all those because I wanted to make it as obvious as possible.

Littleton, Colorado, they’re shown as… It’s a city between 1,000 and 5,000 employees. So this is a pretty big organization. And it says they’re looking for somebody to join the IT team as a cyber security analyst. All right. So if we scroll down and look at the essential duties, which I’m showing on the screen here. So there are all these essential duties. So let me just skim through them to give you a sense for what it is that they want.

One of the words that I keep seeing over and over again is monitoring; monitoring networks, monitoring email, monitoring storage and server. So there’s a lot of monitoring in this particular version of the job. There’s recommendations. Let’s see, this person needs to recommend and install hardware and software to mitigate security risk. So that’s a very hands on role. Performing network vulnerability testing. And let’s see what else, cybersecurity audits, reviewing firewall logs, investigations, more monitoring, training. This person’s going to be expected to train city employees. There’s going to be cross-functional collaboration with other municipalities. Oh, and then the infamous other duties as required.

So what I’m seeing here is a very full fledged army of one type of a role where you’re going to be expected to do a little bit of everything. Some of it is technical, some of it is more governance, risk and compliance. So it’s all over the place. Is that what you’re seeing, Jason? Are you seeing anything else?

Jason Dion:
Yeah, most definitely. The other thing that I thought was really interesting in this one was in the first line of this job description, they said, “We are seeking out an IT professional, an experienced IT professional, not a cybersecurity professional.” So this may be a transitioner person’s job and they’re expecting you to have those IT professional skills like running servers, running switches, being able to go in and configure firewall, in addition to doing cybersecurity work. So as Kip said, this is going to be a very hands on role and their team, I don’t know how large their cybersecurity team is, but it’s probably going to be less than five people. Especially with an organization that has 1,000 to 5,000 employees, I wouldn’t expect their team to be much larger than about three to five people for this-

Kip Boyle:
This might be the only one to be honest with you.

Jason Dion:
It very well could be the only one. You might be an army of one. You’re exactly right. And so, because it’s a very small team or an army of one, you’re going to be expected to do a little bit of everything, kind of that Jack of all trades master of none kind of mentality here.

Kip Boyle:
Right. And this is a really tough lift. I mean, I’ve seen people work in jobs like this before. There’s a lot of conflicting requirements here or tasks. So for example, you’re installing stuff, but then you’re also auditing things. That means you’re sort of checking your own work, which I think is a bit of an issue. They’re probably going to expect you to work on projects, but at the same time, they’re also expecting you to respond to alerts. Well, try to get a project done by a due date when you’ve got alerts going off in your ear all the time. It’s really hard. So I would say this is a really tough job for somebody to take just as it’s written, but in any event, hopefully you understand what the city of Littleton is looking for here and how there’s just massive scope.

Now let’s go ahead and roll over to a different job. Again, it’s called cybersecurity analyst. It’s with Visa, which is the credit card company, and they have over 10,000 employees. So it’s a much larger organization. It’s not a municipality, it’s not a city. It’s actually a private organization. And in parentheses, it says GRC-third party risk. So let’s go ahead and look at the key responsibilities. Let’s see here. So perform risk and security assessments of suppliers and third parties, support ongoing monitoring of suppliers and third parties, perform onsite assessments. Let’s see, process remediation and implementation strategies to deal with findings and recommendations, develop trusted relationships with business partners, have an understanding of the broad regulatory landscape, and so forth.

I hope you can see that it’s the same job title, it’s in a different industry, it’s in a much larger organization, and the scope is much reduced. This is a very tightly scoped role which is focused on third party risk management. And you’ll notice, nowhere in there was any duty related to hands on anything. So the amount of technical work here is very, very small, but obviously you need to understand the underlying technology just even to be able to do this job. What are you seeing here, Jason?

Jason Dion: 
Yeah, I think that’s definitely true. And I think the other thing is that this is very focused more on the risk analysis part of being a cybersecurity analyst, and specifically because this is Visa, I am sure it’s going to be very heavily involved with PCI DSS requirements. Whereas if you’re dealing with the other job that we looked at from the government, they probably don’t even care about PCI DSS or couldn’t even spell PCI DSS if they had to because it’s not a part of their world.

Kip Boyle:
Right. Exactly. Visa’s all about payment cards, so yes, PCI. And if you look down to the basic qualifications, they reference all kinds of other things too like ISO and NIST and COSO and COBIT and FFIEC, Sarbanes-Oxley and SOC 2, and that sort of thing. So just looking at these two different job titles, hopefully you’re starting to see same job title, completely different job experience.

Here’s the third one. This is a cybersecurity analyst at a bank. This is called Bank of the West. It’s based in Omaha, Nebraska. They have over 10,000 employees there. So another very big organization in the financial services industry. And let’s take a look at the essential job functions. Assist in the development of business unit analytics metrics with key risk indicators; coordinates, develops, supports management and maintenance of reports; assist in creating project plans and business requirements that impact corporate securities objectives; and finally, documents work effort, dependencies, assumptions, risks, and issues. Well, this really sounds a lot like some kind of a program manager. What are you seeing, Jason?

Jason Dion:
I was going to say that this sounds like the job of a program or project manager to me, especially just trying to get somebody into, maybe they’re trying to work on their DevSecOps as they’re trying to build out new systems and servers, and they want somebody to oversee and look at those projects through a cybersecurity lens. This is very different than the last two we looked at with the last one being much more governance, risk and compliance focused, and the first one being an extremely hands on position.

Kip Boyle:
Exactly. And so even though it’s in the financial services industry at an organization about the same size as Visa, more or less, this is a 10,000+ employee organization, still the job is very, very different, because you might, and I pulled this one out, because you might say to me, “Well, Kip, I can sort of see why a cyber security analyst job in the government in a municipality would be different than in financial services. But even here with another financial services organization, it’s still very, very different.”

So here’s the fourth one. We’re going to look at five. Here’s the fourth one. This is a cyber security analyst. This is for an organization called Proven Recruiting. So this is a staffing and recruiting organization. It’s way smaller. This is a 51 to 200 employee organization. So massively different than the ones we’ve already looked at before in terms of size. Very different industry. Let’s take a look. The job description’s very, very small compared to the other ones.

Jason Dion: 
Yeah. I got to say, Kip, before you go, for those who are on the podcast, this particular job description is a total of about 10 lines. It’s a very, very short job description. And when they have what you do, your responsibilities, there’s only two of them listed here. So I think we can read these verbatim here, Kip. Go ahead.

Kip Boyle:
Yeah. There’s only two bullets. Work with the security engineering team to perform tests and uncover network vulnerabilities. That’s the first bullet. And the second one says, develop company-wide best practices for IT security. And if you go on and read the requirements, you can see that this is a very technical job and it’s about testing, testing, testing, testing, and then coming up with best practices. So again, this is our fourth job and you can see, I think, how it’s… There’s a relationship, right? All these jobs are cousins of each other. But I wouldn’t say they’re brothers and sisters. I mean, so while there’s a thread that sort of runs through them all, they’re all very different. And you can imagine that your work experience here at the recruiting organization at Proven, can you imagine how very different it would be from the other three that I’ve already shared with you?

Jason Dion:
Yeah. And I’m curious, and you probably don’t even know the answer to this is, whether or not this job is for you to work at that recruiting agency as part of their staff or they’re just trying to find people who have experience with endpoint detection response in cybersecurity to be able to farm you out to somebody else that’s one of their clients, they don’t really talk about that in this job description. And as a job seeker, that would be one of my questions is, am I working for you or am I working on a subcontract for somebody else? They really don’t give you a lot of details in this particular job. I’m scratching my head looking at this one going, man, that’s a really bad job posting.

Kip Boyle:
Yeah, it’s really ambiguous and that’s not helpful. And so one of the things that you can take away from this, people in our audience, is when you see a job description like this, not only do you get the question that Jason raised, but I would even say, did the person who posted this job even understand really what all is required here? It kind of gives the impression that this organization doesn’t really understand what this is and that this job posting might be a direct result of some sort of a requirement that they’ve got to meet that they’re really not that interested in but they’re like, “Fine, we’ll do it. We’ll bite the bullet. We’ll get somebody in here to get this done.” So it might not be a very good working experience from the point of view of you show up and you do the work, but they might, for the most part, ignore all the things that you do. And that would be a very uncomfortable work experience, I would think, for people.

Jason Dion:
Yeah. I agree with that completely. What’s our fourth one that you got there, Kip?

Kip Boyle:
Well, that’s the fourth one. So I’ve got one more.

Jason Dion: 
I’m sorry, the fifth one. I lost count.

Kip Boyle:
That’s all right. That’s all right. There’s a lot going on. Here’s the fifth one. This is a cyber security analyst role. Again, same job title. But this is at a college in Poughkeepsie, New York. So this is upstate New York, I believe. This is a higher education, so just another industry completely, full time. Let’s take a look and see what the essential functions here. Monitor computer networks; review daily logs; investigate incidents; administer cybersecurity servers and appliances; install proprietary cybersecurity measures, endpoint security, intrusion detection, agencies; develop internal tools, interesting; prepare weekly and monthly cybersecurity reports, vulnerability assessments; stay current on IT security trends and news, and it goes on and on and on. So this is very interesting. This is an extremely technical role. What really stood out to me is develop internal tools. That suggests you need to be really good at scripting, possibly even a programming language.

Jason Dion: 
Yeah, definitely. As I’m looking through this, I’m looking at their preferred qualifications and this also kind of surprised me because as I go down their preferred qualifications, they’re saying, “We want somebody who has a Security+ or CISSP or a CCNP Security or other relevant certifications.” Security+ tends to be a very entry level thing. CISSP tends to be a very high level thing. So those two aren’t usually used in the same sentence like that. And then they talk about you only need-

Kip Boyle: 
Yeah, it’s not comparable.

Jason Dion: 
And they say you only need two years of prior experience in the higher education or nonprofit sector. They don’t really have this really high bar for somebody to come in, yet that job position seems like it actually has a pretty heavy lift to it, especially on the technical side. And so this is kind of, to me, it’s almost unbalanced compared to some of the others.

Kip Boyle: 
Yeah. It’s really strange. And then I love this final essential function, supervise student cybersecurity specialist. Okay, let me get this straight. I’ve got to be highly technical, but then I also have to be a people person because I’m going to be doing some supervision. This is a trend here where we’ve seen it with a couple of the other job posts where this is an organization that’s saying, “Let’s see how much stuff we can pack into a single job description and then get one person to deal with it all.” And I just, I don’t think that this is a good setup for success because how can… I have rarely seen somebody who can program a computer to create internal tools do all these other things and still be a nurturing, mentoring supervisor to students.

Jason Dion:
Are you saying those people normally just belong in the basement out of sight from everybody else?

Kip Boyle:
Well, that’s often the case. People who are really great at nurturing people, I don’t have a strong experience of seeing a lot of people who are great nurturers who are also fantastic coders and really great at twiddling the bits and making all of these [idious] agents and everything do what they’re supposed to do. I’m not saying this person doesn’t exist, but we’re starting to look at like a purple unicorn here, somebody who can do everything. And usually what I see instead is one person will get in here, they’ll be really great at some of the stuff, they’ll be mediocre at another chunk of it, and they’ll be just awful at the third chunk or whatever.

And so, I don’t know, I just think if you’re a hiring manager, this is not a good thing to do. And if you’re a job seeker, be aware of this, because this idea that you’re going to be great at all these different things is somewhat unrealistic. Okay. But anyway, there we go. We’ve got five job descriptions for ostensibly the very same job, cybersecurity analyst. And I hope everybody can see just how very, very different the work experience would be at any one of these particular jobs.

Jason Dion:
Yeah. One of the things I wanted to bring up is when you look at different jobs, it is going to matter on that organization that you’re going to apply for. So if you’re going for a small company or a small organization, you’re probably going to be asked to do a lot more different roles, kind of like this last one here, right? Their organization has between 1,000 and 5,000 employees. So their entire cybersecurity staff might be three to five people, similar to the first one we looked at.

Now, if you have a small staff like that, that means you’re going to be almost like an army of one. You’re expected to do everything because we only have three to five people. So everybody’s got to pitch in and do the work. Now, conversely, if you get a job as a cybersecurity analyst for a large defense contractor or the National Security Agency or the FBI or the Department of the Navy or something like that, you’re going to see that you’re going to be pigeonholed into a specific task. And you as a cybersecurity analyst might be the endpoint detection response person, or more specifically, you might be the McAfee endpoint detection response person and somebody else is the one for FireEye or something else, and it’s very, very separated out into these individual functions.

But when you have a smaller organization or a smaller team, everyone kind of has to pitch in. And so that’s the other big difference I see and why I think it’s important as you look at these titles, you think about, what is this job? What are they asking me to do? And where am I going to work? And I’m not saying one is better than the other. Personally, I like working on small teams where we do a little bit of everything because you gain massive amounts of experience very quickly because you kind of have to, right? Whereas if you work in a large organization and I’m only going to expect you to do McAfee EDR, that’s all you’re ever going to know. And when you go to get another job, if that company doesn’t use McAfee EDR, you’re not really that hireable to them because they’re used to some other system. And so these are some of the things you have to weigh as you start looking at these different jobs to figure out where you want to be.

Kip Boyle:
Yeah. Let me also take a moment here to share something that I think is very helpful as a job seeker. If you’re able to see my screen, and if you’re not, I’m going to talk you through it, but I’m a LinkedIn premium subscriber. What that means is that I’ve got additional information that’s available to me as I consider different employers. And so on the screen right now, I can actually see the hiring trends over the last two years for this university, this fifth job that we just reviewed, and I can see that they actually have 2,327 total employees. And I can actually see that their company-wide growth is down 5% and their IT hiring is actually down 2%, and with a median tenure of 4.8 years.

What this tells me is this is a stagnant organization that is slowly decreasing in size and they have a pretty high tenure of people working there. And so that means if I join this organization, I can expect that I don’t have to work in a maddening scene where the organization is growing like wildfire. This is going to be a fairly staid sort of an experience. And I can expect that a lot of people around me have been there for a long time and know how to get things done, but it’s not going to be necessarily a very exciting experience. What do you see, Jason, when you look at this?

Jason Dion:
Yeah. I’m also taking into context the fact that this is a college. And so I’ve worked for colleges before. You have to remember that when you have somebody there who is tenured, for instance, the professors and all the teachers on staff, if they’ve gotten tenured, they’re going to likely stay there for a long time, like 20, 30, 40 years before they retire. And so that’s going to drag up that median tenure age really high as well. Just because you see that 4.8, that doesn’t mean the people in the IT world are staying there for 4.8 years, or even three years. They may be going over really quickly because they’re getting burnt out with the lack of funding that’s happening.

Also, with colleges, you’ve seen over the last couple years, there’s been a cut to manpower and they’ve been trying to save money. This happened especially during COVID, and you see that right here where the company-wide, they’ve cut 5% over the last two years. They’ve also had a -2% on the IT staff. That didn’t drop nearly as fast as the rest, but they probably got rid of some tenured professors and decided to hire in adjuncts instead. I’d be interested to see this same look on one of those other organizations we looked at. And I bet you, you’re going to see a much smaller median tenure. And as I talk, I see Kip’s pulling up another one here. This one actually has a higher median tenure.

Kip Boyle:
Right. Because this is Littleton, Colorado. This is the city, this is a municipality. And this is actually very consistent where it’s 7.3 years of the median tenure. Now, median here means average. It’s a form of an average calculation. But 7.3 years. And that makes sense because in my experience, people who join cities really do like stable jobs where there’s not a lot of change. They like to stay in the same place a long, long time. But there’s 408 total employees. So it’s a much smaller situation. 15% company-wide two-year growth overall, and 14% information technology growth over the last two years.

So this is a place that’s growing. Things are changing, but they have people who work here for a long time. So my bet is that if you went to work here, you’d probably see people struggling with change. You’d probably see them go, “Well, that’s not the way we used to do it.” Or they’re probably just struggling at the idea that things are changing. And so you might experience that in the context of the work that you do. A lot of people feeling reluctant about the fact that there’s growth. I don’t know. I mean, I could be wrong, but that’s my experience, but what do you see, Jason?

Jason Dion:
Yeah. I mean, while I talk, can you pull up the one for Visa? I’m just curious from a corporate perspective, but I spent a lot of time working with the government. I can tell you that when people work for the government, they’re usually trading a lower salary for longevity because they know that job is stable, they know the money comes in week after week. And so when you see things like colleges, universities, local city governments, national government, agencies like the FBI, CIA, NSA, DOD, things like that, you’re going to see people who have very long periods of time because they stay for that 20 to 30 to 40 years so they can get their pension. And so it starts dragging up your averages as well.

When you go here to Visa now, this is 4.3 years. This is much more similar to the college we looked at than to the local government. When we look at this one, we see a 5% company-wide growth over two years and a 12% down inside of engineering and tech. So they are actually getting rid of some people. Now, why is that? Probably because of the rise of automation, machine learning, and artificial intelligence. So if we can do more of that using those types of tools and I can have five people do it instead of 10, I can get rid of those five people because I could tell you as a business owner, my number one cost is labor. And if I can reduce labor and still get the same mission done, I would want to do that because I can increase my profits, especially as a publicly traded company like Visa.

Kip Boyle:
Yeah. And now what we can also see here is total employees, 20,000 employees. This is an enormous organization, very, very big. And you can imagine, it’s going to be pretty bureaucratic. It’s part of the financial services industry. Highly, highly regulated. Things are probably not changing there very fast. They probably have a lot of well-established processes that you’re going to have to learn and follow. So it’s going to feel very different from some of these other jobs.

And so why am I showing you this? Well, I’m showing you this because when we talk about how different the jobs are, it’s not just the job descriptions themselves are different, which we saw that they are, but also the bigger context of the organization you’re working in is going to also drive a lot of the differences. So even if you had two cybersecurity analyst jobs with the exact same duties and responsibilities, the fact that one is going to be at a company of 20,000 employees and the other one is going to be at an organization, a municipality with 400 employees, that’s still going to result in some big differences in the experience that you have there.

Jason Dion: 
Most definitely. I think you summed it up really well there. The company culture does matter and that’s going to affect the positions that you’re going to be in. All right. Sorry, go ahead.

Kip Boyle:
So if you like highly energetic growing places like at a startup, you probably don’t want to join Visa where you’re seeing that the engineering department has decreased by 12% over the last two years. You’re probably not going to have that kind of an experience there. So really think about what kind of environments do you like to work in.

Here’s Bank of the West. 9,930 employees, flat growth over the past two years, 1% down company-wide, 2% down in terms of information technology. Median tenure is 6.8 years, pretty high. So again, not a very exciting, changing, dynamic place. Lot of employees in a highly regulated industry. Just like Visa, you could expect that there’s a lot of process, a lot of requirements for getting things done. And 6.8 years, that’s pretty high tenure. And so you’re going to have a lot of people there who are used to the way things are done and will probably be unhappy when things change. So again, just check yourself and prepare yourself for what it might be like to work at Bank of the West.

Jason Dion: 
Yeah. I think the last thing is when you’re looking at these numbers, especially the percentages, you have to keep in mind that these are percentages and that’s going to be affected based on the size of that organization. So we’ve talked about the Bank of the West. If they went down 1% company-wide, they have 10,000 employees. That means they lost 10 people. It’s not really that much. If I lost 10 people, that would be 80% of my staff or 70% of my staff. Conversely, if you see something like a high growth rate in a tech or engineering part of the organization, my company, for instance, we are currently at 250% over the last two years because we’ve been doing a lot of hiring.
                        
Now, it sounds like a huge number. But really, we went from one person to four people. And this year, we’re adding another two more people. I just hired two in the last six months, I’m hiring two more again, because we’re building our own systems and we’re building our own learning management system. We’re building all these different things that I need programmers and coders to do. And so as you start going through this, you have to keep these things in mind because in my company, as of this recording, we’re 14 people strong. And so if I add two more people, that’s a big change in our percentage. If you add two more people to Visa, it wouldn’t even change their percentage at all in such a small number.

Kip Boyle:
Yeah. Okay. And then finally, let’s look at this fifth one. This is the recruiting firm that we looked at. It has 104 total employees. This place is called Proven Recruiting. This is the one where we wondered, are you going to work for Proven Recruiting or are they going to hire you out to somebody? But let’s assume that you’re actually going to be on their payroll and not on the payroll of one of their customers. Well, 104 employees, but over the last two years, they’ve grown 41% company-wide and 60% in information technology. So not a very big company you see 60%, but just like Jason said, well, okay, that could be two people.

Jason Dion:
Exactly.

Kip Boyle:
So the absolute numbers here may not be that big. But for this company, 60%, that might be a really big deal. Their median tenure, 1.8 years. Everybody’s new. Nobody knows how to do anything probably. There’s probably a lot of questions about, “Hey, what’s our process for buying a laptop or whatever, or do we even buy the same laptops this year that we bought last year? Or do we have any standardization at all? Like I see Dells, I see ThinkPads, but then somebody just put in an order for a bunch of Acers. As a cyber security analyst, how do I standardize? How do I deal with this?” And so very, very different experience than you would probably have at Bank of the West.

Jason Dion: 
Do they even have processes? When you’re dealing with a small company like that, a lot of times processes don’t even exist because they’re still developing them, and you’re kind of building the airplane as you fly.

Kip Boyle: 
Yep.

Jason Dion: 
All right. With that said, let’s go ahead and wrap up this episode. Hopefully you guys out there have found this helpful as we kind of looked at these five different positions to see what the difference is between these jobs even though they all have the same job title. Remember, as you’re looking at these different job titles, the job title does matter when you’re figuring out what field inside cybersecurity you want to point at, but the actual job title on the position you’re applying for isn’t nearly as important as the sub bullets they’re going to list as your responsibilities and the culture of that company. As you figure that out, that’s going to help you determine are you going to be an army of one doing all these different things, or are you going to be doing a single function the entire time because you’re in a larger organization. That said, Kip, do you have any parting words for us?

Kip Boyle: 
Job titles mean everything and job titles mean nothing. So just remember that.

Jason Dion: 
I love things like that. Don’t you, Kip?

Kip Boyle: 
Yup.

Jason Dion: 
All right. With that said, until next time, this has been Your Cyber Path. Thanks for joining us.

Kip Boyle: 
See you next time.

YOUR HOST:

   Kip Boyle
    Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

   Jason Dion
    Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
