Meet the researcher who wants employers to write better infosec help wanted ads

Alyssa Miller, a security advocate at Snyk and a longtime hacker and researcher, wants to help employers better craft help wanted ads for cyber talent. (Alyssa Miller)

Spot the problem: A job description posts that requires five years experience on software brought to market last year. Or it calls for expertise on every system developed since the Apollo program.

Dozens of help wanted ads are shared and ridiculed among experienced pros looking for new gigs and novices looking to start careers in an industry notorious for a workforce gap. Alyssa Miller, a security advocate at Snyk and a longtime hacker and researcher, wants to save employers the embarrassment. She's researching the phenomenon and what to do about it, even soliciting ads that "suck" for study here.

SC Media spoke to her about all the ways ads go bad, and what to do about it.

When you say you're looking for ads that 'suck,' what exactly does that mean?

You've got tons of people trying to get into the field who can't. You've got companies who say they're looking for skilled people but can't find them. And you've got experienced people who are in the job market and can't find jobs. 

At the beginning of the year I did two surveys with about 1,500 people – one for people who were experienced and one for people who were newer. What I found was a significant number of people looking for a new job for six months to a year or even longer. One of the things coming up I see a lot is that job descriptions are awful. 

You see "10 years of Kubernetes experience" when Kubernetes has only been around seven years. You see entry-level positions that require three to five years of experience. Or you see internships that require a CISSP, which you can't get without five years of experience. There's a lot of different patterns out there. I'm trying to identify what it is people are perceiving as bad job descriptions, analyze those job descriptions and come up with strategies for what needs to be done differently. [This is better than] a bunch of people saying that recruiters and hiring managers are lazy or don't know what they're doing. None of that's helpful. 

It seems like, by listing unrealistic or impossible standards, you would be asking applicants to self-select as the type of person who would lie to you about being qualified.

The reality, based on the stats we've seen, is that one demographic group does that most often. Males. In an industry that's only 20-25 percent women, we know women are more likely to self exclude when they don't check all the boxes whereas men will say "I'll apply, why not." 

Now, I'd struggle to say that's the only problem with the gender gap. But I would say it's probably a contributing factor. 

What's funny about that is what we tell people who want to get into the industry. "Go do CTFs. Go do labs. Go do all of these self-taught things that are not demonstrable in a hiring perspective." 

If we want to see it all documented in work experience, why are we telling people to do all this other stuff we won't acknowledge as valid experience? 

So, why would a company set out unobtainable hiring goals?

That's what I'm trying to get to the heart of, what I'm trying to answer.

Hiring managers have told me that some of the listings, especially in government, are intentionally designed to receive no applications, so they have an application process but hire the person they decided on in advance.

But based on the analysis I've done I think most of the time our expectations in hiring are unrealistic, and I think there is a problem where hiring managers and recruiters don't really consider how their lists of requirements affect job seekers. A lot of times you have someone sit down and write a job description and think about all the technologies in the organization and put all of them in – maybe prioritize them [by saying] "these five technologies are critical."

And I think even at that point, it still isn't the right approach. I've had success as a hiring manager myself by not being so worried about the specific technologies that they come in with and instead understanding those core transferable skillsets that I need for someone to succeed. It may not be technology at all. 

Is it more important that someone understands Splunk or that they can look at a screen, see the information they have to process, prioritize, and execute what they need. 

What about in companies that are not prepared to train a candidate up from scratch? How do they get the candidate they need without overdoing the listing?

Again, it is going to focus on what you absolutely need. But part of the problem, honestly, is that organizations are going onto the job market not wanting to train people up in the first place. It's an unsustainable model that every organization wants that ready made security expert, just bring them in and go.

Security is a $177 billion industry in products alone. There are no two companies that have the same mix of products. Thinking you're going to find a special unicorn that has this exact mix of all the experience that you want them to have doesn't work. It's not going to happen. But very few industries are willing to bring in someone new to bring them up to speed. 

We don't do this anywhere else. We don't hire programmers assuming they will design software free of bugs and flaws. We accept that's going to happen and that they'll work with the enterprise-class people and they'll grow. 

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.