Trends in InfoSec Skills Employers Find the Most Valuable

It’s a given that employers searching for a new InfoSec specialist for their team are going to be looking for someone who has the qualifications, the experience and the expertise to protect their business from outside attacks. But what else are they looking for? Newly trained graduates, or seasoned professionals? Someone with a wealth of industry-specific experience, or someone who can cover lots of potential bases and has a wider field of expertise?

Jack of all trades…

What they’re not looking for is someone who has tried to master every field, without realising the need for specialisation. It’s a common concern among employers that graduates often try to be a Jack of all trades, but master of none. While a broad knowledge of various disciplines is important, what is even more highly regarded among bosses is the ability to apply deep expertise in a specialist field that is relevant to the employer.

So, if you’re planning a new foray into the world of work, make sure your skills set fits the ‘tick list’ set out by your potential employer.

Social engineering

A common complaint among employers is that newly qualified InfoSec specialists may have plenty of up-to-date knowledge of the latest best practice in InfoSec systems, but they have little or no understanding of the principles of social engineering. This is the psychological manipulation of individuals, rather than systems, to gather information, mine data, or otherwise gain systems access. It could be regarded as a ‘confidence trick’, but it is often far more complex, and relies on the target’s lack of understanding. From baiting to phishing, tailgating or a large-scale diversion theft, it utilises the weakest link in any information security system – the operator.

To be an effective InfoSec expert, you need to have a comprehensive understanding of this key element of security. Without it, your skills set is incomplete, and any potential employer will be put off by that factor.

It’s a matter of scale

Another key box that potential employers want ticked is an understanding of the challenges faced by large organisations, particularly those that have multiple offices or even international bases, all linked by a central system. Candidates applying for information security positions in these instances need to have a thorough understanding of how large infrastructures work, and how their skills can be best utilised. It’s also important to convince a potential employer that your skills can be instantly applied within their existing framework, without them having to adapt it to suit you.

How can I get experience if you won’t employ a newbie?

This is a tough one. Employers will always want the best candidate for the job. But when faced with the choice of a highly qualified graduate with little or no experience, and a less qualified candidate who has several years’ industry experience, the odds are that the employer will always go for the one with experience. It’s not discriminatory, just plain business sense. Building up a portfolio of experience, as long as it’s relevant, is crucial. And that may take time.

Unfortunately for employers, though, that means there’s a glut of newly qualified and inexperienced graduates, and a shortage of ‘old hands’. And the gap is getting wider.

Getting the right qualifications

Have a look at your CV. Are the qualifications you have relevant to the modern workplace? Are they current best practice, or was information security a ‘tag on’ subject designed purely to ensure you get enough credits for a good passing grade? Qualification relevance is a major issue among employers, who complain that the courses taught in many universities don’t have any relevance to the ‘real world’. Generalist IT and computer qualifications, particularly at the upper ends of the education system, sometimes fail to match the realities of what companies are actually looking for when it comes to information security, with a tendency for such courses to lack practical application value.

Further training

This can, however, be combated by a process of continual personal development. Online courses that give you an updated understanding of information security and that have been developed by providers in conjunction with businesses are relevant, affordable, and current. Courses such as CCIE Security (Cisco Certified Internetwork Expert Security), CISSP (Certified Information Systems Security Professional), or even a Certified Ethical Hacker training course can bring you up to speed on a huge range of topics not covered by conventional IT courses. They include forensic investigation, cryptography, compliance, and defensive techniques – skills that employers hold in high regard.

Further training not only increases your skills set considerably, it makes you more attractive to potential employers too. And while you may not land that ideal job straight away, if you’re a newly qualified graduate then it can certainly help to get your foot on that first rung of the career ladder.