Micro Focus Fortify is proud to be the exclusive sponsor of the TestGuild Security podcast hosted by Joe Colantonio. This weekly podcast, dropping every Thursday, aims to be 30 minutes or less, and is an interview-style series speaking with some of the top Security Testing experts in the field.

This recent episode of the TestGuild Security Podcast, Cyber Security Job Hunting, features Owanate Bestman. Owanate is the founder of Bestman Solutions, a search and selection firm dedicated to meeting the demand for cybersecurity skills. He advises CISOs and heads of security on market factors which could impact their headcount goals. He also designs bespoke solutions to address this.  In this episode, Owanate shares his take on what you need to know to stay employable in troubled times. Discover areas of growth in security, what employers are looking for, and what skills you’ll need in 2020 and beyond. I’ve gathered the highlights of his podcast below:

Cybersecurity Professional: A Promising Field?

“I kept on hearing this figure being handed out: four million, and the figure was that there will be four million unfilled positions in security by 2022. So, when I started doing more research and becoming associated with more associations within security, I realized that there really was a skills gap. And whether that skills gap is translated into actual positions is something else. So, what I found still was that even though it’s an area that’s highly sought after and high-end managers want a lot of talent within that, they still want the best talent, and it’s still tough to place people.”

“What we’re finding is that there are more candidates on the market but for fewer positions. But let’s not forget that security is vast, security is broad. We have the non-technical areas, the GRC governance, risk and compliance, even data protection that falls in the security business continuity, policy assurance and all the way through to the technical side of things from pen testing to security architecture. There are strong areas that do have strong skill shortage and candidates can take their pick over where they go.”

How to Succeed: Certifications

“I think sometimes firms can be a little bit OCD of assertive specifications. Years ago, when you saw job specifications, all they listed was “security certification is necessary”. Now, they mean anything, CISM< C, C#, CSR, S.H. Now, we’re seeing firms being a lot more prescriptive with the qualifications and certifications they’re looking for. But I do not want to put certifications on a pedestal because, let’s face it, I don’t mean to make any enemies by saying this, but it’s a very lucrative industry.”

“What certifications prove from my conversations with hiring managers, is that they evidence that you have working experience in that particular field. […] If you put your hand up at your existing firm and get involved with a project, that will bridge the gap between where you are now and where you want to go. That’s more likely to land you that position, the certification is just the icing on the cake, and it is the ability to demonstrate to the hiring manager that you can back up your experience with sound methodology around that.

How to Stand out: LinkedIn and your Resume

“Standing apart is somewhat challenging because for every application you put into a position, it’s extremely competitive. Applicants, even individuals, have more experience, and yet are looking to take less money because of the current climate. You need to promote yourself; you need to be a salesperson and that starts in your public profile. It starts with your LinkedIn profile. That also starts with your [resume]. There are 63 million decision makers on LinkedIn. Yet, when I look at some LinkedIn profiles of security practitioners, they don’t sell themselves. And sometimes, it’s hard to tell specifically what they do within security.

“You must spell out security over and over again. You must spoon feed the fresh pressing view in your CV [resume] and on your LinkedIn profile without giving too much away. You don’t necessarily need to give out anything confidential to them. But you must be able to sell your skill sets. And, specifically, what you within security. And you can tailor your profile to what you want to do.”

“When you apply for a position, the first person to look at your CV [resume], have the assumption that they don’t know security because [they are] not the decision maker at all. Often, the decision maker will review your CV [resume] at the later stages. […] Instead of CISSP, spell it out: certified information system security practitioner, then put CISSP in brackets. […] You need to spell it out. If you’re starting off in the field and you have a degree in information systems and your dissertation was something to do with security, spell that out.”

“There’s nothing wrong with having three or four different versions of your resume. […] You can have a PM [Product Manager] oriented resume. You have a more managerial related resume. […] You’re either spoon feeding the person that doesn’t know much about security or you’re spoon feeding the algorithm and letting know exactly what they’re looking for. There must be a happy medium on your LinkedIn profile.

How to Stand out: Go beyond the Technical Aspects

“This is niche, but it’s often cliched. I’ve found it for a number of years, and I keep hearing it. That is the ability to relay technical aspects to a non-technical audience, and that is from mid-level positions all the way through to CISO positions. It makes sense because if you were in front of the business or if you’re a CISO in front of your board, they don’t care how many false positives you found in this month’s metrics. What they care about is what does it mean for the organization: How does this affect your risk appetite? Have we been breached? How does that affect our bottom line? How does it affect the shareholders?”

“Have an appreciation for business and an appreciation that security works for the business, and it is in line with their risk appetite. So, that’s a soft skill that has no gone away.”

“The main piece of advice I’d give is get out of your comfort zone and network. The more you network, the more individuals you’ll meet, the more knowledge you will have about the organization’s unique challenges.

Listen to Owanate Bestman’s full interview, Cyber Security Job Hunting.

About Micro Focus Fortify

Fortify lets you build secure software fast with an application security platform that automates testing throughout the CI/CD pipeline to enable developers to quickly resolve issues, strengthening their cyber resilience. Fortify static, dynamic, interactive, and runtime security testing technologies are available on premises or as a service, offering organizations the flexibility needed to build an end-to-end software security assurance program. Protect across your identities, applications and data. See how to become cyber resilience.

Have technical questions about Fortify? Visit the Fortify Community. Keep up with the latest Tips & Info about Fortify. We’d love to hear your thoughts on this blog. Log in or register to comment below. Or go to the Fortify Users Discussion Board to start a conversation.