Cybersecurity Jobs

Tips for Certified Cybersecurity Professionals to Find Jobs

cybersecurity jobThere are many ways to land a job that requires the CISSP (Certified Information Systems Security Professional) or any other cybersecurity certification. In this post, I share three methods to empower you to find your ideal job, leveraging your CISSP (or any other) certification. I hope these techniques enable you to land a job in cybersecurity that resonates with you.

I use CISSP throughout this example. You can easily use this tactic with other cybersecurity certifications, such as the Security+.

#1: Research CISSP Job Openings

cissp jobs

You should research CISSP job openings for where you are considering moving or the location you are seeking a job. According to CyberSeek, there are currently 77,492 open jobs in the United States that require the CISSP certification. Of the 77,492 open CISSP jobs, 2,031 are in the Public Sector, and 75,465 are in the Private Sector.


Job openings in the United States that require the CISSP certification. The orange number represents CISSP certification holders.

The blue number represents openings requesting the CISSP.

If you live in Arkansas and want to stay in Arkansas, as an example, there are 265 open CISSP jobs in the entire state of Arkansas.

If you want to move to Texas, for example, there are 6,333 open CISSP jobs in Texas.

#2: Determine Which Organizations Hire People with the CISSP Certification

This technique involves you actively seeking a CISSP job.

There are several paths you can take:

  1. you can work for the DoD as an actual DoD employee (civilian or military)

  2. you can work for the DoD as a contractor

  3. you can work in the private sector

Steps to become part of the DoD as a DoD civilian or member of the military are beyond the scope of this article. I will focus on numbers two and three above. If you are seeking a job as a DoD contractor or in the private sector, the process is the same because private companies that have DoD contracts hire DoD contractors. Private companies also hire CISSPs for private sector work.

A good place to determine which companies are hiring CISSPs is indeed.com. As of this writing, there are 13,469 open CISSP jobs in the United States.

According to indeed.com, the company Deloitte has 514 open CISSP jobs, and Washington, DC has 765 openings for people with the CISSP certification.

Another source to determine which organizations are hiring CISSPs is LinkedIn. Search “CISSP” on LinkedIn and set the focus of the results to “Jobs.”

As you can see from the screenshot, there are 25,997 open jobs in the United States that required the CISSP certification.

#3: Update your LinkedIn profile with your CISSP certification

This technique involves you passively seeking a CISSP job.

Many employers, recruiters, and headhunters use LinkedIn to search for people with the CISSP certification. Listing your CISSP certification on your LinkedIn profile will make you show up in searches for “CISSP.”

In the screenshot above, I searched for CISSP, then switched the results to “People.” As you notice, one guy even listed “Studying for CISSP Exam” in his LinkedIn “Headline” and he showed up. The second person put it after their name, like “John Smith, CISSP”. The third person listed the CISSP certification as their LinkedIn Headline. Any of these approaches work to get the attention of employers, recr

uiters, and headhunters. Just be prepared to be bombarded with “incredible opportunities” and lots of new connection requests.


I hope you find these strategies useful in your hunt for your ideal cybersecurity job. Best of luck!

The Urban Legend of the Cybersecurity Skills Gap

cybersecurity skills gapAccording to the Information Systems Security Association (ISSA), we’re facing a cybersecurity skills crisis. Their recent report calls the gap in qualified individuals a “rapidly widening business problem,” claiming businesses are investing their resources in the wrong places when it comes to cybersecurity.

ISSA partnered with Enterprise Strategy Group (ESG) to look at the state of qualified cybersecurity professionals in the workforce. Around 70% of respondents to their survey said they felt a lack of cybersecurity skills within their organization was affecting their company. According to the cybersecurity organization (ISC)², almost three million cybersecurity jobs needed to be filled globally as of 2018.

Most people agree that this is a serious problem. The lack of qualified professionals at major businesses with knowledge in cybersecurity is exacerbating data breaches, and has been called an “existential threat to our national security.” What there doesn’t seem to be a consensus on is how that problem should be solved.

Are There Really Not Enough Qualified People to Fill the Cybersecurity Skills Gap?

The short answer seems to be no. Rather, the problem seems to lie with the paths made available to talent looking to get into the cybersecurity industry.

For a long time, the university path has been the main place students get recruited into cybersecurity jobs. Organizations recruit from universities, and many require a college degree as part of their job descriptions for cybersecurity roles. But there are thousands of talented people that miss out on these job opportunities simply because they don’t choose to go to college.

In an article for Forbes, cybersecurity contributor and CEO of Immersive Labs James Hadley argues that the cybersecurity skills gap won’t be mitigated through the classroom. He argues that self-taught, talented people should be recruited and trained by organizations before they take their talents to the wrong side. He writes:

“The world is desperate for cybersecurity talent, yet the sector limits entrants and clings to obsolete training methods. As the skills gap grows and organizations become increasingly vulnerable to ever-more-complex threats, the need for a diverse pool of cybersecurity experts to learn in real-time, rather than a classroom, strengthens.”

Hadley uses the example of 22-year-old Daniel Kelley, who hacked the telecom company TalkTalk, stole the data of thousands of users, and used it for blackmail as an example of what could happen if people who feel snubbed by the system use their talents for ill. Kelley didn’t make the grade required for a computer course and attacked TalkTalk out of a desire for revenge. He could’ve ended up using his skills to help instead of hurt, Hadley argues, had that path not been closed off to him.

Companies don’t want to train employees, preferring that they come to the job with the skills they need already, but the nature of cybersecurity work demands constant retraining and maintenance of those skills. There are qualified people ready to help stop the next cybersecurity threat if companies are willing to adapt to them.

How Can Companies Fill The Gap?

The threat of cyberattacks and hacking isn’t going away. In fact, they’re likely to increase as time goes on and the technology both companies and hackers use becomes more sophisticated. That’s why businesses should do everything they can to make themselves resilient to cyber threats. How can they do that?

First, hire and train the right people. Provide them with the time and resources they need to continually develop their skills to match the changing threat and technological landscape. Devote more of the company budget to cybersecurity. Currently, 49% of companies say that cybersecurity is a budget priority, but pros say that figure should be closer to 60%.

A shift away from the traditional job requirements of a university degree path would allow for the scouting, hiring, and training of the right people. Instead of academic background, those in the cybersecurity field would be better served by looking at a candidate’s skill sets. Do they have the skills needed for the job, even if they don’t have the degree? If they do, invest in that talent.

A few of the skills necessary for cybersecurity jobs:

  • Relevant past work experience,

  • Ability to understand advanced cybersecurity concepts,

  • Cybersecurity certifications,

  • Strength in non-technical soft skill areas.

University education can help, but it shouldn’t be the only factor in determining whether a potentially promising candidate in the cybersecurity field gets turned away, especially if that candidate could broaden the diversity of the field. Women represent only 23% of the cybersecurity workforce, according to (ISC)², and that number is after they broadened the definition of who works in cybersecurity.

It isn’t just companies that can help close the gap and guide more capable people into a cybersecurity career. Government initiatives like the UK’s Cyber Discovery free training program can help people explore their interest in IT, and ultimately decide that it’s a good career for them. State and federal governments in the U.S. should implement their own programs to seek out and support talent in a similar fashion.

Part of solving this problem will be getting the word out. Careers in IT and cybersecurity aren’t talked about as widely as more traditional paths like doctors or nurses, or trendier digital careers like YouTuber or Instagram influencer. But the fact is that people who have these jobs hold them a long time, are satisfied with the work they do and are compensated very well for their efforts. If more people knew that, starting at a younger age, they might find a place for their skills where they didn’t think one existed.

Companies can put themselves at the front of the pack by taking the initiative to find and recruit top talent outside the conventional pipeline. And they can do it by being willing to invest the time and money in proper, ongoing training. The cybersecurity skills shortage isn’t all that frightening if you know where to look to close the gap and are willing to take action.


Cybersecurity Paper Tigers are Killing Us

cybersecurity certifications

A paper tiger is a fake tiger, made of paper. It may appear to be a real tiger, but it has no substance, is unable to stand up to challenge, and can’t perform any other tiger duties.

Wikipedia defines a paper tiger as this:

“Paper tiger” is a literal English translation of the Chinese phrase zhilaohu (纸老虎/紙老虎). The term refers to something or someone that claims or appears to be powerful and/or threatening, but is actually ineffectual and unable to withstand challenge.

comptia security+ logo

CompTIA has made the Security+ exam more difficult by adding “performance-based questions” to help with the paper tiger issue.

How do paper tigers relate to cybersecurity?

In my mind, the “paper” is often a cybersecurity certification and the “tiger” is the person holding the certification. A person with a CompTIA Security+ certification, for instance, may appear to be a real cybersecurity tiger. If this person just memorized exam questions, didn’t learn any material, and passed the CompTIA Security+ certification exam, they are a cybersecurity paper tiger though.

My company, Alpine Security, gets routine inquiries about our cybersecurity training. Many people assume we will just “teach the test”. Some people have even mentioned to us that other cybersecurity training providers offer onsite exams allowing people to take the exam “open book” and “as a group”, even though the exam is supposed to be taken solo, closed book. These behaviors breed more paper tigers. Is it any wonder why we have so many data breaches?

Cybersecurity Paper Tigers are Killing Us

Cybersecurity paper tigers are killing us for a number of reasons:

  • They don’t know enough to actually help with cybersecurity defense. Paper tigers are often responsible for cybersecurity controls, plans, policies, training, etc. The paper tigers don’t actually know much though, so the risk of them doing something wrong or ineffectively is very high. This is sort of like asking your 5 year old if he can drive your car. He says “yes”, so you let him drive to the grocery store. The outcome will not end up well.
  • They hire other paper tigers. People tend to want to be around people like them. Also, paper tigers typically have fragile egos, so hiring someone that knows less than them is often what they do. Fragile egos stem from incompetence and being “found out”.
  • They devalue cybersecurity certifications. Cybersecurity certifications still have a worth, but they used to mean more before the influx of the paper tigers. In the past, if you hired someone with the Certified Ethical Hacker (CEH) certification, you knew they had a certain level of knowledge, skills, and abilities. Now, you may see someone certified that doesn’t really know anything. I’ve interviewed people with penetration testing certifications that couldn’t tell me what nmap was…
  • They are not passionate about cybersecurity. This is sort of the elephant in the room. People that are passionate about a topic, industry, career, etc., make efforts to master these areas. Paper tigers are dabblers. They dabble just enough to give the appearance of expertise. If they are dabblers in their careers, the chance is they are dabblers in everything in their life.

Cybersecurity criminals are masters of their trade – not dabblers. A dabbler will always lose to a master.

ceh master

The CEH Master requires a practical. Paper tigers need not apply.

What can we do about the cybersecurity paper tiger issue?

There are two areas to focus on to get rid of paper tigers:

  1. Cybersecurity certifications that require a practical. Many certifications are moving towards having practical components to them. The CEH, for example, has two programs. The first is “Certified Ethical Hacker”, where you have to pass a multiple-choice exam. The second is “Certified Ethical Hacker Master” where you have to pass both the CEH multiple-choice exam and a CEH practical exam. Paper tigers may be able to pass a multiple-choice exam, but they will likely fail a practical exam, unless they actually learn some stuff. Learning some stuff may strip them from the paper tiger status!

  2. Hiring procedures. We need to do better at interviewing and screening cybersecurity applicants. Just because someone has multiple cybersecurity certifications, doesn’t mean they know the material. It’s an employer’s duty to screen applicants appropriately. The people doing the interview need to know about the certifications or be certified in those areas themselves in order to discern the paperness of the tiger. For instance, if I’m interviewing someone with a Security+ certification, I should know the basics covered in Security+ so I can validate the candidate’s knowledge.

Let’s do the cybersecurity industry a favor and work to get rid of the paper tigers.