BSidesSF 2023 - Security Hiring Trends (Erin Barry)

BSidesSF · 2023 · 20:40 · 646 views · Published 2023-05
Category: Career
Style: Talk
About this talk
Security Hiring Trends

Erin Barry

I'll be covering the new FAANG companies, leaning into the chaos, what industries are paying the most, what skills are the hottest, and how to land the interview and pull in an offer.

https://bsidessf2023.sched.com/event/1Lfw6/security-hiring-trends

Transcript [en]

um but please let's welcome Erin Barry who is the head of talent for Code Red Partners a person to know she will help you get any job you want so let's kick it off [Applause]

okay hi can you hear me okay okay um so my name is Erin Barry head of talent for Code Red Partners and I'm going to be talking to you a bit today about security hiring trends um I've been recruiting just cyber security for about four years in my career before that I was recruiting tech I've been recruiting about eight years um so I feel like I know a bit about security recruiting at this point but I'm very thankful to have you guys let me speak to you all um and I'll kind of kick things off with some uplifting statistics I know over the past six months it's probably just doom and gloom every time you jump on

any website um oh it's things are expecting to get better uh you know Bureau of Labor Statistics 35 percent growth year over year 2023 to 2031 so that feels really nice but what exactly does that mean um one more little statistic I'm sure you guys see these all the time they're a little fluffy right 3.5 million open security jobs by 2031 but what kind of jobs what exactly does that mean and that's really what I'll be concentrating on um so this is a bit of a spicy take I do admit um I am humble brag I have helped build a couple of these teams you see up here um so I know how difficult their bars

are and exactly what that tech looks like um so FAANG I'm sure a lot of you hear that a lot MANG Meta sure but it stands for Facebook Amazon Apple Netflix and Google um over the past couple of years when I started out everybody wanted at least somebody who's worked at one of these companies as things have flipped a bit um we're seeing things change um so one thing I say is take a look at the tech being used around you to overcome day-to-day problems so if you pull out your phone and look at the apps on your phone looking at the apps on your peers' phones your family's phones um that's a good indicator of this is

somewhere that I would like to work this is something that people are utilizing um of course everyone uses Apple Amazon Meta but there's about a hundred companies I'd say that have just as good engineers and just as hard tech bars also too we're in the age of innovation so the big talk lately has been AI last year it was a cryptocurrency machine learning autonomous vehicles drones metaverse Oculus there's a lot going on and a lot has come out in the past year or so uh companies and hiring managers are increasingly looking for builders so uh what is the builder right it's somebody that can stay hands-on in the weeds even if you're a manager architects tech lead

um if something needs to be built if there's an issue can you jump in the weeds with an engineer too and remediate it can you fix it or are you somebody that's just been like sitting in silos if a problem happens you can't do anything so stay hands-on stay in the know stay as builder-heavy as you can

okay a heart piggybacking back on that I'm sure if you listen to Sasha yesterday head of security for Grammarly he said I don't want people that can't code now I hear a lot from security hiring managers that they want people who can code and build and I usually will follow up with is this production level code or taping together some systems scripting um of course they'll say oh it doesn't have to be production production level code but you at least need to have the ability to complete projects with a few more engineers is what I always say um also too embedded hardware security architecting and building secure products within hardware is in high demand so

um I will say some of the hardest roles I've ever worked on in my career have been embedded hardware plus software that is the elusive unicorn I would say uh but if you are working for a company and you have the ability to touch different types of products whether it's applications infrastructure of physical product um software cloud touch as many pieces as you can um and then also too a big uptick in software engineering so back to everyone wants a builder right um so how are these people that are software engineers or SWEs landing their first security position so there are a lot of security adjacent teams that I work with trust and safety privacy identity access

management has been huge lately even like threat intel detections um and then also too hottest languages I'm seeing are Python Go Rust C C++ a lot of Scala coding lately Linux job is a little dated but you get it software engineering's always going to be lovely you can land on a security adjacent team and really maximize your compensation at the end of the day because we work to make money to build great products but a lot of our families are counting on us to support them and that's just how it is okay so trending roles um cloud security engineers and product security engineers are starting to be pushed together um more and more these two pillars excuse

me I already said that so infrastructure as code AWS GCP jack of all trades engineer it's especially if you're a startup this is what people are looking for um threat intelligence huge uptick in roles and pay as the world is more remote not threat than ever um you all know this if you watch the news in the past year everyone feels extremely threatened and everyone is remote and isolated so threat intelligence is really upticking um so software engineers and I brought that up security trust safety teams the reason is companies are looking for their engineers to build out security tooling and platforms internally it seemed more secure and cost-saving option so when I first started recruiting

security it was very much like oh I can just buy a product off the shelf implement it and it's done but these top tech companies and companies that are trying to get more rounds of funding cost saving maybe not layoff half their security team they're using cost-saving options they're hiring people that could be a software engineer or honestly like a security engineer in their own right guess what you're going to save money this person can do two things

okay so competition is fierce of course there there's a pretty high number of open jobs and it is getting better I would say every week month after month more openings are coming up but with that there's a lot of competition um I don't know Meta just laid off how many people they're all going to be looking a lot of layoffs have happened there are a lot of people that are really freaking good out there interviewing that you're going to be up against um something that has really presented itself is how quickly people are up leveling and upskilling so I would say the biggest pushback on why people uh don't want to interview a candidate um is zero progression in their career

there's zero growth they've been a senior for years like why are they not a staff why would I want to talk to them um so honestly if you're in a situation where you cannot up level things are extremely stagnant you're pigeonholed it's gonna be time to take a look out outside of where you are people are really paying attention to this um also too candidates with transferable skills moving into cyber security a lot of people are coming right out of school right up out of SWE roles and getting on security teams security adjacent teams um and then also too I know Zach talked about uh personal branding stand out from the crowd so speaking engagements put them out

there passion projects also count so something else I've noticed um that's been trending is passion projects and projects that you complete outside of your nine to five or your work right um I'd say a year or two ago if you didn't do that work for a company managers didn't really want to hear about it um nowadays I have people that land positions from a night project where they built this product themselves that has nothing to do with what they're doing because they hate what they're doing but guess what they can build this put it on your resume put it on your LinkedIn if you are comfortable with some of the work that you are doing

um not specifically for the company you're working for please get it out there it's just as valuable if not the same level of value um and like people are caring about passion nowadays like why do you want to work here um if it is your passion to be in that certain industry maybe you're interviewing for like a cryptocurrency company if you're passionate about that like make that absolutely known um if you're on the fence fake the passion I've seen way too many talented engineers um get nos because yes they can do the job but they have no no passion for our product and I'm like they don't know your product they're freaking interviewing

but research the company get excited pump yourself up if we're interviewing for this product we freaking love this product think about it love it um and then remain relevant in the know uh honestly month after month things change you have to upskill and prioritize your your professional development um if the company you're working for doesn't give you anything to develop you please find it there are so many tools like pre-lengthened pieces um groups to join Discords plot the jump on GitHub and see what's trending see what people are doing um I'll admit I am one of those GitHub recruiters uh so I'm always looking there so if you're talented coder push that GitHub out if you have created a

website or something with all your passion projects and you're excited about that push that out like everything that you do it matters not just the nine to five job you're working every aspect of your life matters okay and back to why you need to really just be yourself put yourself out there um I kind of want to close things on a pretty positive note um diversity things are getting better people are taking more time to build their teams um and also diversity a lot of companies will look at it differently whether it's building diverse teams bringing different perspectives different experiences to the table um I'm very rarely seeing companies now just hire from one company or maybe oh

I want only Googles only Amazon people these big orgs if every security engineer you have on your team is from these big giant organizations um that's also not diverse we need people from all walks of life all backgrounds all areas of the world it is so freaking important to really just build a smart team honestly whether it's a culture fits different areas of the country I'm a big remote pusher so that that's big for me um but it's not only going to make for stronger workforce but it also helps to create a more inclusive and equitable industry um why would you want to go work somewhere where nobody thinks like you and like nobody looks like you uh

inclusivity it's important people do their best work when they're comfortable um and companies are starting to recognize this so it is a plus um industry is constantly evolving so is the hiring landscape um so there's much in the note newsletters I'm big on newsletters for example um staying in the know as much as possible even like I know we're not stockbrokers but when it comes to job searching and closing big deals that stock actually means a lot um take a look at the stock market take a look at also too like where are your peers going um if you've worked at a certain company in your past and you notice all these people are going to a certain industry

where are the most talented people in this industry going to work you want to work there you want to work with the best people you want to work with people that can make you better and you want to go somewhere where you can make the people around you better um that's a big push for the trend that we've been seeing which is a big plus and I wanted to keep things short and sweet honestly um but things are on the up and up when it comes to security hiring it's trending upward uh feel free to ask me about anything at all um but yeah questions [Applause]

today awesome thank you Erin questions

hello um you mentioned uh coding skills and infrastructure as code skills do you see a lot of Terraform like appetite or like looking for like Terraform skills or other like HashiCorp tools

I do so uh I wouldn't say the past two or three cloud security engineering positions I worked on were Terraform heavy um so a hundred percent uh any cloud skills um are good of course the most I see is AWS GCP I know I've got a lot of Microsoft Azure folks LinkedIn that's great too but um multi-cloud is the uh what everyone wants ideally or at least two of the three major clouds uh Terraform I feel like last year maybe the year before it

was everyone wanted Kubernetes uh now everything's Terraform but honestly the more tools and languages you touch uh the better things

hi uh what questions would you recommend candidates as they ask employers like I'm pretty much trying to go through done a bunch of different lists and it's hard to remember

by case um each company is so different each industry is so different um a large company is going to look different than a small company so something I always tell my candidates that I work with is like we are going to take every role on a case-by-case basis one position that you're working on and interviewing for it might be your dream job and you're gonna um probably have different questions for your dream job and your dream head of security or CSO to work with um than you are if maybe you're just Dustin uh dusting yourself off and starting to interview so take it case by case do some research on the company um companies are always pushing out

blogs um honestly just do your research and due diligence on the company and the role how you can impact um and spin it that way because that's kind of digging into like that passion piece um fake it till you make it if you don't have passion for the product like at least figure out what the product is what the company does spend about at least 30 minutes whip out a note I'm a big notebook paper pen person and like write down some key pieces you noticed about the company because hiring managers um when you ask about the company and the product that's a plus one for them they're like oh you care about our company you care

about the product you're passionate about this um it's going to be more significant than just a what's your favorite part of working here but take it case by case every company's absolutely different

all right if that is it let's give Erin another round of applause thank you