Cybersecurity Startups Err When Denying Hires without “Experience”

How much cybersecurity experience do you need before you're allowed to get a job? Some younger tech workers want to know. (by DALL·E-2024-03-03-15.32.21)

Cybersecurity startups are fumbling the ball with their obsessive demand for experience in the field. Obviously, I’m arguing for my own benefit here, but I’d maintain that I’m being objective.

If you work in tech and need to hire someone who isn’t a developer/engineer, the best way to hire someone is based on potential in conjunction with experience. You have to.

Every startup uses different types of software, builds different types of software, accomplishes different kinds of goals, etc., etc., etc. The list goes on. Even direct competitors will often take different approaches to the same solution.

But I consistently hit a wall when it comes to cyber. It is more often than not that a negative response to an application is *specifically* that I don’t have enough cybersecurity experience. It’s absurd, it’s bizarre, and it’s shortsighted.

It’s also wrong, by the way.

Years ago, I thought I had no chance in hell to become a journalist at Geektime.com – I didn’t have a tech background. But I crushed it. I told myself to make the effort the only way I could – explain the tech in your reporting like you would want someone to explain it to you:

  1. Straight to the point
  2. Cut through the jargon
  3. Clarify what each technology is and why it’s important

Somehow, I passed the two-month trial period. I needed a job badly. I needed a higher salary. I needed something fast.

DESPITE all those stressors, I got the job and was there for two years. I wrote 700 articles and covered every active vertical in the tech economy. I interviewed dozens of people.

Better yet, I learned how to interview an assortment of people. I researched constantly. I looked for unique angles to make sure my content and SEO were in turn unique. I fielded questions to entrepreneurs, devs, and even literal rocket scientists that they’d never gotten before.

We, as a three-person team, managed to out-write bigger publications like TechCrunch more than once. We had to delve deeper into every topic to make sure what we chose to write about was worth readers’ time.

And that included cybersecurity. I asked the questions knowing that – most of the time – this stealth startup or that under-the-radar company couldn’t describe their products. They couldn’t print what made them different in how they provided security, how they built their solutions – NOTHING.

And despite all of that, I still asked about it.

Why?

At some point, we were going to encounter a bigger cyber story or a new trend. By then, I had to know what the hell I was talking about. My editor and my co-journo took the same approach.

Logging my Personal Cybersecurity Experience in “non-Cyber” Startups

After the site went on a brief hiatus, I took the same approach to the other startups. And when those jobs ended, I kept going, getting better at picking up new tech along the way.

Start of 2018 – I start at a blockchain company. Learned the ins and outs of crypto, blockchain, and learned convoluted use cases. And what else? Security use cases.

Then, BOOM. Crypto-bust. Time to move on.

End of 2018 – I join a consumer-profiling company that uses psychology, personality theory, NLP, and security. In this case, security comes in protecting internal info from employees. I wrote proposal after proposal, blog posts, read academic papers, and sat for hours with project/product managers.

Then, BOOM. The company goes bankrupt. Time to move on.

End of 2019 – I join Logz.io. I learn Elasticsearch and Kibana. I write about open-source software we use and that we DON’T use to make sure our blog is one of the strongest in the DevOps world (thanks to the team before I arrived for building that powerhouse from scratch).

I cover logs, metrics, traces, and cybersecurity for the four main products we’re selling. I work with each product lead on relevant posts and make sure to get that content double-checked (and triple-checked for security-relevant content).

I go through the launches of our tools for:

  1. Distributed Tracing tool by prepping and editing content on Jaeger in different languages
  2. Metrics tool by using and preparing tutorials on Prometheus
  3. SIEM tool and subsequent integration announcements for multiple cyber products
  4. Relaunches of our tools when we switch from Jaeger and Elasticsearch to OpenTelemetry and OpenSearch

But after 2.5 years, with my writing all over the place, I saw a different kind of writing on the wall: I needed to move up. I had so much under my belt, and I needed to show it.

2022 – I have been at Rookout covering debugging and writing tutorials and code comparisons for Python, Go, Rust, Java, Node.js, Nest.js, Spring Boot, and Clojure of all things. I take this stuff seriously and make sure that our marketing team knows what the “Six-Eye Rule” is – two eyes from the writer, two eyes from the editor, and two eyes from the dev that checks and edits technical elements.

Then, BOOM.

Sunday morning, sitting at a morning presentation by my son’s entire 4th grade class, I get a text asking to chat. Rookout has been hit. By what?

The Great Tech Layoff of 2022.

This is a week after Twitter’s and still three days before Meta’s. Rookout isn’t laying off 7,000 or 11,000 people, but they still have to let people go.

And I am one of them.

Startups are fun but volatile. It’s tiring to seemingly be in job-search mode all the time. But as I’m thinking that thought again, I remember that I don’t have to worry. And that’s because of a personal policy I set for myself a long time ago.

I demand the best from myself and make it my business to do good work. I prepare for the next challenge in advance by insisting on doing more than my job description demands.

A chance to learn a coding trick? Mine.

Asking to get involved with a project that could be more tied in with what I’m doing in product marketing? No doubt.

We need to push out a case study, but our normal go-to is on vacation? Give it to me.

And cyber?

Read up on that new certification we got or compliance that we have that our competitor doesn’t? Definitely.

Reviewing the differences among SOCs and SIEMs and SIMs and SEMs and 2FA and being scrupulous with cold emails to make sure we don’t get hit by phishing emails? Obviously.

Check for contrasting security concerns with different languages as I’m comparing use cases or tutorials for configuring debugging? Yes.

The list goes on.

I’ve dealt with cybersecurity throughout my career. It’s part and parcel of everything. I can’t even make a clean separate section about it in this long LinkedIn rant.

Cybersecurity is Just Another Technology to Learn

Am I special? Well, I hope recruiters think I am. Am I unique when it comes to this kind of experience with cybersecurity when I don’t actually work as a security engineer? Not at all.

Non-developer roles throughout the tech industry encounter security integrations all the time. Writers and non-writers don’t approach the subject much differently than they do any other intimidating technical topic!

The best of us read and learn, research and churn through the info about these things constantly. If you can’t be sure if we really do get it the way we need to, then actually talk to us. That’s what the interview is for. That’s what those assignments are for.

I find the penchant to thin out the CV pile based on cybersecurity experience to be a bottomless pit. It’s a reductio ad absurdum – if we demand cyber experience even from the most experienced veteran professionals, then there must be even less tolerance for younger workers at the beginning of their careers, and thus there is no clear point of entry into the cybersecurity sector of the tech industry.

There are oh so many talented people out there, *especially* after this week’s mass layoffs. Many will pivot as, interestingly, certain parts of the tech sector are more exposed to this economy than others. Cybersecurity companies will inevitably receive more CVs than usual, including from some prospects that are undisputedly inexperienced on security. But many of them could learn the ropes for their jobs in weeks if not days, just like they have had to in order to do good work in the tech world.

Give them a damn chance. Don’t be shortsighted. “They couldn’t possibly be able to handle something as complex as our security specs.” What a grand assumption.
