One of the biggest problems the UK security testing industry is facing today is a shortage of skilled staff. Qualified and experienced penetration testers are in great demand, both by pentest companies and also for internal testing teams, but there are just not enough testers to go round.
There’s no shortage of people wanting to get into the industry. In fact, there are a huge number of people who want a pentesting career, including graduates and those who want to cross-train from a related discipline, such as system administration or software development.
NTA Monitor recruits a few trainee pentesters every year, but for each one we hire we are rejecting around thirty. The problem is not that pentesting is more difficult than other professions; it’s that other businesses are just not prepared to give them a chance. Since I started NTA Monitor fifteen years ago, I’ve recruited and trained around fifty staff from a variety of backgrounds and with a range of academic qualifications. Just about everyone with an interest in the subject has gone on to have a successful career in pentesting, and many are now senior or principal consultants.
However, there are very few routes to get into pentesting. Many - maybe most - pentesting companies only take on experienced testers, preferring to hire people who can hit the ground running, and who won’t use their senior testers’ time to train up. The result is that hiring in the industry is quite incestuous, and it’s difficult for people with potential but no experience to get in. I hear again and again ‘everyone tells me they’re only looking for experienced testers’ and ‘I just need someone to give me a break’. I can understand the business reasons behind this, but what may be in each company’s own self-interest is in danger of hurting the industry as a whole: you can’t just forage, you need to plant as well, so I want to see more companies recruiting trainees.
Relevant training and qualifications will help newcomers take their first step on the industry ladder, so it is good to see more courses that are aligned with the CREST syllabus becoming available. This will give students the knowledge they need to work towards a recognised professional certification.
Those keen to enter the industry can enrol on the pentesting short course or the accredited MSc module, which I have been working with the University of Greenwich to create and deliver. A number of people have already successfully participated in the course and passed the CREST CRT, which has enabled them to secure placements in their chosen field. I’m also setting up a practical, skills-based pentesting academy, which will give people an opportunity to gain the high-quality, comprehensive training and professional exposure they need to obtain certification and start a successful career in pentesting.