You Want to Get Into Security?

To summarize, there are opportunities just about everywhere. More experience will mean more pay. Physical location and job titles should be taken into
consideration too because certain locations and certain titles might mean more opportunity and/or salary.

If you have no experience, you might not have much choice in job title, location or pay. You will probably have to take what you can get. The information that I’ve presented to you thus far should be considered as you decide what path you’ll take in your information security career journey. It’s exciting to be someone who’s just starting out because you’ll have so many options along the way!

What’s the starting salary, and can I afford it?

This will depend on some additional factors such as how much (if any) experience you have, your education level, the type of organization that you choose to work for, and the industry your potential employer operates within. In general, the entrylevel salary range is $38,000 – $68,000 for someone with no experience and without a degree. That’s a wide range because there are a wide range of different opportunities available.

The entry-level salary range for someone who has a few security skills (but not much) and a Bachelors degree is $49,214 – $92,285, with a median of $65,338.  Again, this is a wide range for the same reason that I cited previously. If you have more experience and/or education, you might expect more salary.

Now that you know more about the abundance of opportunity, we’ll get honest with ourselves and see if you’re the right person for the job.

Chapter 2 – The Right Person

There is plenty of opportunity in the information security industry, especially for jobs. The job market looks good far into the future.

Great, now what? There are two types of people asking this question, maybe three:

1. People working in the industry who want a change.
2. People not working the industry who want to explore the possibility.
3. People who don’t care one way of the other about #1 or #2.

Type 1: You might find this chapter interesting, but I’m not writing it specifically for you. You’ll find more benefit in the fourth and fifth chapters of this eBook; “Becoming Good” and “Staying Healthy”.

Type 2: This is your chapter. I’m writing this for you, giving you the best advice I can.

Type 3: You should care. You’re either missing out on a possible opportunity for you and your family, or you know someone who could use some advice. People who don’t care about things seem like miserable people to me.

There. I’ve explicitly defined the audience and set expectations. Now, let’s get on with it. Back to our question, now what?

The ‘Now What’

If you’re still reading, you must be interested in getting an information security job, or you know someone who is. The first thing you should know is what it takes to be a security person. There are common traits that good security people have. Rather than trying to build specific security skills, first focus on the traits you possess that will translate well into security roles.

Please don’t overlook these traits or take them for granted. They’re very important.

I’ll share the approach we use at FRSecure because it’s what I know best and it’s served us very well over the past 10 years.

FRSecure’s Approach

We hire for the intangibles, the things we can’t teach. As a business, there are three things that we must establish with each one our customers before we ever do work with them, and these three things translate directly to our Security Analysts who do all our work:

1. Trust – People trust us and we must never betray their trust. Are you trustworthy? Do you consistently do what you say you’re going to do? Can people count on you? Do you put other people’s best interests above your own? (very important for consulting)
2. Credibility – Directly related to trust, are you believable? Credible doesn’t mean you know everything, but it does mean that you know what you know and you’re willing to stand by your words and actions.
3. Likeability – Nobody wants to work with a jerk, not co-workers and certainly not clients. Are you pleasant, friendly, and easy to like?

You must do well in these three things if you want to work here. Next comes our non-negotiable core values:

• We tell the truth.
• We are collaborative.
• We are supportive and driven to serve.
• We do whatever it takes.
• We are committed to constant improvement.
• We have balance. We work hard and play hard.
• We all buy in to who we are, what we do, and where we’re going

The non-negotiable traits that make people a good fit here are; truth, collaboration, support, service, doing, commitment, consistency, improvement, balance, and being bought in. These aren’t traits that we negotiate on, we live up to these values always.

Other bonus traits that work:

• Humble – The best information security professionals are humble people who are willing to help others. Ego takes a back seat to building others up. If you’re full of pride and you like to feed your ego, please (for the sake of all of us) don’t become a security professional, you’ll just make everyone’s job more difficult.
• Learner – You will never learn everything there is to learn about information security, and things change very fast. If you don’t like to learn, you’re probably not going to make it far.
• Persistent – I swear I’ve said the same things a million times, and many of the things that I say today, I said 20 years ago. People are slowly getting some of the things we’ve been preaching for years. Persistence will serve you well in all sorts of problem-solving scenarios.
• Aware – Another word for this would be perceptive.
• Logical – There are reasons for just about everything. You’ll need to use logic often. Computers and other digital things are discrete, meaning everything is on or off, a one or a zero. Things can get confusing when there are millions of ones and zeros because what was black and white becomes gray. No matter, there’s logic in all of it. Human beings are a different case altogether, they’re analog.
• Moral – You must be able to discern right from wrong, always. Integrity is a very big deal, do wrong, and you could ruin your career.
• Comfortable with discomfort – Most information security experts are always in some degree of discomfort. If you can’t get comfortable being uncomfortable, you’ll be less happy in this business.

Love People

My favorite trait in a good security person is their love of people. The best information security professionals know that information security isn’t as much about information or security as it is about people. People from all walks, all faiths, all colors, all genders, etc., etc. Information security doesn’t discriminate, neither should its professionals.

If you don’t have these traits, we probably don’t want to hire you. If you do, then start researching job roles.

Job Roles

You read in chapter one that there were more than 800 variations of different job titles in our industry. Not to make this any more overwhelming, but there are 1,000s of variations of job roles and responsibilities to fit these job titles. Start researching the roles that seem interesting to you and take note of educational and skill requirements. Keep researching until you feel comfortable and convinced about where you want to take your security journey. Research entry-level positions and research expert-level positions. See if you can draw out your career path for yourself beyond landing your first security
job. Just because you draw it out doesn’t mean you can’t change it later, after you know more.

Places to review information security job roles, education, and skills:

• LinkedIn – the site (or the app) has really good search filters, so you can look by experience level, location, type, and several other criteria.
• Google – Google has a nice search function, with many filtering options, built right into the search engine. Just Google “information security jobs’ and you’ll see what I mean.
• Indeed.com – A solid job site with many options.
• CareerBuilder – Another pretty good site.

Bonus: A Mentor

Navigating the waters of the information security industry is always better with someone who’s been there, done that. If you know someone who’s been in the industry for a while, ask them if they’d be willing to be a mentor for you. If you don’t know anyone, ask around. If that still doesn’t yield any results, you can try other resources like your local Information Systems Security Association (ISSA) or International Information Systems Security Certification Consortium (ISC2) chapter. There are always good and helpful security pros at the chapter meetings. Another resource that I just ran across recently is MentorCruise. I’ve never used this service before, and I don’t personally know anyone who has. I can’t really recommend it,
but I can’t not recommend it either. Worth checking out.

A good mentor makes a big difference. I’ve always had a mentor, and they have been invaluable to my career.

Skills

Now you know what traits are important (sort of), you know what role you want (sort of), and you know what skills you need (sort of). You won’t be certain of any of these things until you get going, if ever.

You don’t have to be a technical genius to get a security job. You don’t even need have strong technical skills. Some people disagree with me on this, but it’s usually because we’re not saying the same thing. Let me explain.

People who are new to our industry, and even some who are already in our industry, are easily confused by the words and terms that we use. Don’t let the confusion lead to intimidation and don’t become too easily discouraged. Take the terms “information security” and “cybersecurity” for instance.

Information Security and Cybersecurity

You will encounter times when the term information security and the word cybersecurity are used interchangeably. They are two different things, and this is important to know. Information security deals with administrative (people and process), physical and technical controls (or safeguards), whereas cybersecurity only deals with technical controls. Further proof of this is the definition of the word “cyber” by itself:

relating to electronic communication networks and virtual reality.

So, when I say you don’t need to be a technical genius, I’m talking about for the information security field. Cybersecurity jobs are ones where more technical acumen is required. It’s important for you to understand this. The misconception that you must be a “techie” or a “geek” to get into this industry is false and shuts the door on good people. There are many jobs in our industry that don’t require an in depth, expert-level understanding of technology. Having said that, you will need to learn basic technical concepts.

The advice I received from my mentor when I first started out in technology (before information security was formally a thing) was to read anything and everything I could get my hands on about the subjects I was interested in. This is good advice.

My advice to you is to follow industry news, read books, take courses, and learn everything you can. Learn, learn, learn, but DON’T RUSH. Rushing yourself creates undue pressure and steals the enjoyment. Everyone has their own healthy pace. Find yours and commit to it.

Resources

Here are some resources that I use, or have used in the past. This is not an all-inclusive list, so don’t get bent out of shape if your favorite isn’t listed, OK?

Industry News Sources

• Ars Technica
• CIO (IDG Communications)
• Threat Post
• CSO Online (IDG Communications)
• Dark Reading
• The Guardian
• Homeland Security News Wire
• Infosecurity Magazine
• SC Magazine
• Security Watch/PC Mag
• Wired Magazine
• Cybercrime Magazine
• Security Week
• BankInfoSecurity
• The Register

Books

• Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry? (My book, of course I’d recommend this one!)
• Beginner’s Guide to Information Security: Kickstart your security career with insight from InfoSec experts
• Cybersecurity for Beginners
• Cybersecurity for Executives: A Practical Guide
• CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide

Courses (FREE)

• FRSecure CISSP Mentor Program
• SANS Cyber Aces
• Coursera
• Cybrary
• ICS-CERT Virtual Learning Portal (VLP)

Conclusion

The order you go in, and the specific path you take will be up to you. There is no one way. You’ll notice that I didn’t mention degree programs in this chapter. This doesn’t mean that I don’t believe in them. Most degree programs have job placement and job assistance services included; therefore, many of these students will get what they need to land a job. Although degree programs are good, you don’t have to have a cybersecurity or information security degree to get a job with us.

If you want to get a job in the information security industry, you can. I hope you have the right traits, and I hope you’ll help fix problems in our industry and won’t add to them. Many of us who work in this industry take our jobs very seriously and we welcome new recruits. Don’t take shortcuts, and do the right thing (always), then you’ll do great. If you run into a jerk along the way, ignore them. They’ve got personal problems that you won’t be able to solve anyway.

If you’re still with us, I think you’ve officially become a newbie. Newbie, newb, n00b, noob, nube… Embrace it, don’t fight it. It’s good to be a newb!

Good Luck! Next is Landing Your First Job.

Chapter 3 – Landing Your First Job

I must admit, it’s been a very long time since I landed my first information security job, and it’s been more than 10 years since I’ve hunted for any job at all. This means that my advice will come from somebody who hires more than it will as someone who’s looking for a job. I think the advice is still valid, but you can judge for yourself.

My first information security job came in the early 1990s. I had the pleasure of cleaning boot sector viruses off thousands of Windows 3.0 and 3.1 computers. Back then, information security wasn’t really a thing like it is today. Even though there are more information security jobs today then there were then, I think it’s harder to get jobs now for some reason. Probably unrealistic expectations. Anyway, it’s not easy for most people to land their first information security job.

In this chapter I’ll give you some tips that I hope will help you get your first information security job.

Matchmaking

Getting a job is like finding a girlfriend or boyfriend on a matchmaking site. People post a profile of themselves and all the things they’re looking for in a mate. Then there’s other people who also post a profile, but they’re more active in looking for a date. These people browse profiles, sometimes for hours, looking for the right person to contact. In our analogy, the first person is the company or recruiter, and the second person is the one looking for a job.

The first objective is to get a date with someone. The ultimate objective is to go steady or enter into a committed relationship. Dates are interviews and going steady is landing the job.

A match isn’t likely to happen if either party has unrealistic expectations. Not all jobs are like an exceptionally attractive European noble with billions of dollars and a love for puppies. You might want a unicorn job, and the hiring organization might want a unicorn to work for them, but these things are extremely rare for someone who’s new to this industry. Keep your expectations in check.

The matchmaking analogy applies best to using job sites like Google, Indeed, Monster and others. As we’ll see, this is only one way you can go about finding a date, and it might not be the best.

Getting a date

When you’re trying to get a date, you don’t want a date with just anyone do you? Hopefully not. We want to find the right person, the right job. Hopefully, you’ve done some research and prepared yourself for the job market as we outlined in our previous chapter. If you did the research, you’ve probably found some good job sites.

Where to find dates

There are many ways and places to land a date, and there are many places you can go to try to find an interview. Depending upon your specific circumstances and your specific preferences, choose the right path or paths for you. Here are ways people find us at FRSecure and where we might find you too:

Internships

Internships aren’t for everyone because they don’t usually pay well, if at all. Internships come in all forms. Some are paid, some are not, some require experience, some do not. Paid internships can be a challenge to find, but they’re out there. Unpaid internships are a little easier to find. A simple Google search for “where to find information security internships” will produce many leads for you; however, the best way to find an internship is through someone you know. Ask around.

Most large organizations with security teams and information security companies offer internships. Contact them directly and inquire. This will give you more control and might land you an opportunity with a company you like more.

Job Sites

Using a job site is fast and easy. It should be included in your strategy, but I caution against using job sites as your sole source for dates/interviews. These are some of the job sites you might want to check out:

• Google – Google integrated with ZipRecruiter in 2017 and produces pretty good results. Just type a job title and the word “jobs” into Google search.
• LinkedIn Jobs – There are plenty of jobs and some good job seeking advice on LinkedIn. You will probably want to use LinkedIn for yourself anyway as you build your career, it’s a well known and heavily used networking tool.
• Indeed – A clean, quality job site.
• Monster – A job site that has been around for a long time (1994). It’s still a quality site, even though it’s not as dominant as it used to be.
• ZipRecruiter – A very popular job site, and probably one of the fastest growing.
• CareerBuilder – A popular job site, but not one of my favorites. I have no objective reason for this site not being one of my favorites though, it just isn’t.

These are the major job sites that I know of. Whatever site(s) you use, be sure to document what jobs you’ve applied to and keep track of any/all responses. It probably doesn’t reflect very well if you apply to the same job multiple times through multiple sites.

Networking

Networking is difficult for some people because they don’t feel confident or comfortable in groups or crowds. I get it. I’m one of those people. Go to
local information security events, meetups, chapter meetings, etc. to meet new people. You can network with anybody, and they don’t have to be
security people. If you get good at networking, you’ll find that most people know a security person that they can put you in touch with. Getting referrals
or door openers is a differentiator that could work in your favor.

Mentor

Mentors are great for many things, helping you land a job is just one of those things. Mentors will help you prep for interviews and offer wisdom throughout your career too. Everyone should have a mentor, no matter where you’re at in your career. My mentor and I met in 1995. He was my boss when I worked for Jasc Software (known for Paint Shop Pro). We’ve both moved on in our careers, but we still have a standing coffee meeting every Friday, and his support has been instrumental in my success.

Finding a mentor isn’t easy. You’ll have to take a risk and ask someone, and they might say no. A mentor could be a teacher you had in school, a boss you admire (like my mentor), a friend you respect, a family member, someone from church, or anyone in between. I suggest that you write down the names of five to ten people you respect and admire, then go ask them if they’d be willing to be your mentor. If you strike out, do some online searches for mentorship programs. They come and go all the time.

Once you feel you’re ready, be sure to return the favor by becoming a mentor for someone else.

Local Community Events

There are groups of information security people meeting all over the place, all the time. Chances are very good that there are information security
groups meeting regularly in your area. These are great places to meet and learn from other information security professionals. Building relationships
with others will create a wonderful support group for yourself and open doors to all sorts of opportunities, including jobs.

Where I live, in Minneapolis, there are more than fifteen information security-related groups that meet regularly. This means that I could conceivably attend fifteen or more events every month and meet hundreds of other security professionals. Pure gold!

A simple search on meetup.com, will probably produce some good leads for you. The Information Systems Security Association (ISSA) has local chapters all over the world, and they welcome new visitors. Other organizations that have local chapters all over the United States (and maybe the world) include the Information Systems Audit and Control Association (ISACA), InfraGard, and the International Information Systems Security Certification Consortium (ISC2). Check them out, it’s worth it.

Prep for Dating

Alright, hopefully you’ve got some good leads now. You have a solid resume, right? If you don’t, get one.

Need help? Start with a sample resume. You can ask for one from a friend or see if you like one of these free online samples:

• Sample resume for an information security specialist
• Information Technology (IT) Sample Resume
• Information Security Analyst Job Cover Letter and Resume
• Cyber and Information Security Resume Example and Tips – ZipJob
• Cyber Security Specialist CV Template

Now you need to plug your information into the sample/template resume. If you don’t have any experience, you might not have much to put down. Don’t let that discourage you. There are companies who put a high price on intangibles. Take where I work for example, we always hire for the intangibles first. Intangibles are the things that align with our core values, which were covered previously in chapter two.

Think we’re the only company who does this? Think again. Just last week (2/21/19) I had the honor of moderating a panel of amazing female security experts for an AnitaB.org event at the University of Minnesota. AnitaB.org is a great organization supporting women in technology. One of the questions for the panel was “What skill sets would you look for in your team?” Each of the panelists gave their answer, but none of the answers had anything to do with technology skills. All the answers were about the intangibles! Good validation for what we already knew.

Fill your resume with information about you, focusing on how you will help your employer. Include your community work (if you have any) and be sure to list these groups you’ve been attending (see above). I used to customize my resume for each job that I applied for. This would ensure that my tangible and intangible skills would align perfectly with what they were looking for.

Additional tips for writing a good resume can be found online:

• How to Create an Awesome Cybersecurity Resume
• Writing a Cybersecurity Resume: The Do’s and Don’ts You Need to Know
• Information security resume do’s and don’ts

Above all, be sure that the resume is true to who you are. We want a company to like you for you.

Your Best Face

Alright, you got a date?! Oh crap. You got a date!

You want to be you, but you also want to be a good fit for the culture of the organization. If you haven’t already, now’s the time to do some research. Find out everything you can about the organization and about their culture. Find out how they dress, because you don’t want to overdress or underdress for the interview. Find out what they believe in, because you’ll want to validate and compliment their mission. Find out about their successes, because you’ll want to acknowledge them and verbalize your commitment to helping them get more similar successes.

Put the address for the interview into a mapping application days before your interview. Figure out your route and how long it will take you to get there. If you don’t feel comfortable with the drive, make the drive yourself a day or two before your interview.

Get to the interview at least 15 minutes early.

Eat something reasonable before you go to the interview. Pee before you get there.

The best advice I can give you in preparing for an interview is to be you. Don’t try to BS or be somebody you’re not. The person you’re interviewing with will probably see through your ruse, and if they don’t, you can’t feel good about starting your relationship being somebody you’re not.

Making a Commitment

You had an interview or two, or twenty. Now you get an actual job offer! Somebody wants to go steady. Yay you! Now you need to make a choice, do you take it or not? This is gut check time. My suggestion is to not take any job that you can’t commit to for at least two years, and ideally five years. Ask yourself if you could see yourself with this organization for two years or more. If the answer is no, I would say no to the offer. This takes a certain amount of discipline, and your circumstances may not permit any choosiness. Most people would take the offer anyway.

The reason why I suggest staying with an organization for two years or more is because it validates your intangibles. It shows that you take commitment seriously, you are loyal, and you understand that you can’t rush experience.

You may decide to negotiate your offer, but if you’re new to the industry, you probably don’t have much to negotiate with. I’d advise against much, if any negotiation.

CONGRATS on the offer and the new job (hopefully)!

Conclusion

Getting your first job in this industry isn’t as easy as some people think. You need to work at it and you need to be creative. Make friends, make connections, and earn a good reputation. Take a pragmatic and formal approach to the process, after all, you are working for you!

Now that you landed your first information security job, how are you going to become a good (and ever-improving) information security expert?

BONUS: What is an “expert” anyway? This was a question that Brad Nigh (co-host of the UNSECURITY Podcast) asked me during our recording of episode 16 (available 2/25/19).

Chapter 4 – Becoming Good

Let’s assume that you’re progressing through things in order, and maybe you’ve landed your first job! Your first gig! Good for you!

If you’re like most* of us, you’re going to progress in your career. Some will progress because it’s just the natural thing as a function of time and opportunity. Some will progress because they deserve it, maybe they’re damn good at what they do!

It’s one thing to be an information security professional, it’s an entirely different thing to be a good information security professional. I say “professional” because we get paid, and I also use it as a generic term to apply to all the various types of jobs we do in this industry. Here’s a small sampling:

• Chief Information Security Officer
• Chief Risk Officer
• Penetration Tester
• Security Researcher
• IT Security Engineer
• Information Assurance Analyst
• Security Systems Administrator
• Senior IT Security Consultant

Every position in our industry, plays a specific role in an organization and comes with specific responsibilities. The specific responsibilities may not be documented (different issue), but that doesn’t mean they don’t exist. They exist, and they’re not the same from position to position. Each role in information security requires the mastery of certain skills.

Are skills all it takes to be “good” though? The answer is NO. There’s more to it than that. Read on.

*NOTE – I use the word “most” because it’s generic. This means there are exceptions. Some (the leftovers from most) people have no desire to take on additional responsibilities in their career, they’re content right where they are. Perhaps they’ve reached the top, maybe they’re just OK with their place in the middle, or at the bottom somewhere. If you haven’t reached your potential, it’s sad to leave so much more untapped potential.

Not Good? – You’re A Problem

When you’re not good at your job, there’s a good chance someone else, or many someone else’s, pay the price to compensate for your lack of goodness. Sure, information security is about managing risk, not eliminating it, but your lack of “good” leads to poor risk management, and that costs someone something.

You see, information security isn’t as much about information or security as it is about people. It’s always been about people and it will always be about people. The more you and I suck at our jobs, the more people suffer for it. Sure, we can’t eliminate suffering, but we can do our best we can to make it less likely and less impactful*. If nobody suffered, there wouldn’t ever be a need for what we do.

The less good you are, the more people will suffer (in general).

*Does “less likely” and “less impactful” ring a bell? That’s risk. The likelihood of something bad happening and the impact if it did. That’s the layman’s definition of risk. If you’ve been around long enough, you can think of dozens, even hundreds of examples where bad advice was given, and
an organization suffered for it, and through that, customers also suffered (eventually). If you haven’t been around long enough, here’s a quick example off the top of my head:

You advise an organization to buy an SIEM solution because monitoring and alerting is a good thing to do. They spend $100K+ on the SIEM and struggle over the next 6-12 months to get it working right (operationally). Great. They don’t patch and they have no asset inventory. Two questions then, 1) was SIEM the best place to spend the $100K+, meaning was it the most significant risk, and 2) how effective do you think the SIEM is going to be when the company doesn’t even know what assets they need to protect?

Was there more harm done than good? The devil’s in the details, but yes. There was more harm than good. Money is a limited resource and constraint; therefore, it must be spent wisely. The money spent on SIEM should have been better spent on the organization’s most significant risk(s), not on a technology because it’s “a good thing to do”. The most significant risk still exists, and customers are still more likely to suffer for it.

Simplified example, but you get the gist. Good intentioned security professionals aren’t aware of the harm they cause sometimes, and this might be most obvious in the rapid growth in consulting.

Dangerous Consultants

We see them all the time, and they come in all shapes. Some are good people with great intentions to make a difference. Some consultants are people a little less virtuous, wanting to make as much money as possible, regardless of who they help or harm. Both types of consultants can be dangerous if they’re not good. That’s the truth.

Read some books, passed some tests, bought a laptop, and setup a Web site. You are now an information security  consultant! You’re smart. You have the best intentions. You’re likeable, and you’re inexpensive. You’re ready to advise organizations on what they should do to secure their livelihoods, right?

Mmmm. Maybe, but God I hope not.

There’s more to being good, than that. It takes more than skills and more than good intentions. More than reading books,
and more than passing tests. Smart helps, but there’s still something missing.

If you’re going to be a consultant, get good first. Please.

It’s easy to convince someone who’s more ignorant than yourself that you’re an expert. Use buzzwords, look confident, talk
fast, and you’re well on your way. But you’re not good (yet).

• Good consultants don’t need buzzwords, they can explain things in plain English so that others can learn and apply concepts.
• Good consultants are confident when they’re doing what they’re good at. A good consultant will admit when they’re not good at something, but they usually know someone who is.
• Good consultants talk at the pace of their audience. They’re not only good information security professionals, they’re also good communicators.

I could write all day about good versus bad consultants, but I’ve probably gone too far already.

What about you? Are you already good? We’ll see. Let’s explore how to get good!

How to Get Good

One more thing before we dig in. Are you a sports person? If you are, you’ll get this a little better than those who aren’t. In sports (depending on the sport), there are players, coaches, and player/coaches. Players perform on the field, or behind the keyboard, or wherever the game is being played. Coaches mentor, teach, lead, and prepare their players for the game. Player/coaches do both; they’re typically really good coaches, but they don’t play as much as they used to.

I say these things because I’m a player/coach. I don’t play nearly as much or as well as I used to. It’s important for you to
know that as you consider my advice.

I assume you’re here because you want to get good. So, what does it take to be a good information security professional, or
good at anything really? Like most things in information security, the concept is simple, but the application is hard. There are three simple ingredients; intangibles, education, and experience. Anything else is icing on the cake.