<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Is there really a Cybersecurity skills gap? in Career Discussions</title>
    <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/39984#M2913</link>
    <description>&lt;P&gt;&lt;STRONG&gt;Skills Gap&lt;/STRONG&gt; = IDK what I want &lt;STRONG&gt;+&lt;/STRONG&gt; IDK how to write a proper job description &lt;STRONG&gt;+&lt;/STRONG&gt; Must include CISSP in the description &lt;STRONG&gt;+&lt;/STRONG&gt; I just lost my SOC III Analyst and I must find someone with the same skill set &lt;STRONG&gt;+&lt;/STRONG&gt; We don't train here &lt;STRONG&gt;+&lt;/STRONG&gt; I hope you like 3rd shift&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Sorry, I couldn't help myself lol.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Again, just doing a quick Indeed search for 'Cyber' in my area and here's a snippet of an entry level position according to the job duties. The SSCP or CompTIA's CySA+ would be more than sufficient.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cyber Security Specialist&amp;nbsp;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;SPAN&gt;Preferred: CISSP, CEH, SANS, GIAC or other industry-recognized certification related to vulnerability scanning/management, Centralized log management, firewalls, IPS/IDS, or incident response.&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 15 Oct 2020 18:54:38 GMT</pubDate>
    <dc:creator>tmekelburg1</dc:creator>
    <dc:date>2020-10-15T18:54:38Z</dc:date>
    <item>
      <title>Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/39943#M2908</link>
      <description>&lt;P&gt;People often talk about a cybersecurity skills gap, but I haven't seen much evidence of it. Interest from recruiters and job boards, when compared to other IT positions, seems pretty weak. (Disclaimer - this could be a regional thing.)&lt;/P&gt;</description>
      <pubDate>Wed, 14 Oct 2020 18:02:18 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/39943#M2908</guid>
      <dc:creator>gidyn</dc:creator>
      <dc:date>2020-10-14T18:02:18Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/39952#M2910</link>
      <description>&amp;gt; gidyn (Newcomer I) posted a new topic in Career on 10-14-2020 02:02 PM in the&lt;BR /&gt;&lt;BR /&gt;&amp;gt; Is there really a Cybersecurity skills gap?&lt;BR /&gt;&lt;BR /&gt;OK, first response, no. I've heard about the supposed skills gap for over forty&lt;BR /&gt;years, and I haven't yet seen security salaries go through the roof, as supply and&lt;BR /&gt;demand would mandate if there actually was one.&lt;BR /&gt;&lt;BR /&gt;Second response: it depends upon what you mean by "skills gap." First off, I have&lt;BR /&gt;worked with a number of security professionals whom I consider woefully ignorant&lt;BR /&gt;on a lot of what I would consider basic areas of knowledge. On the other hand,&lt;BR /&gt;one of the reasons that I dearly love security is that *ANYTHING* you learn can&lt;BR /&gt;contribute to your understanding of security, so *all* of us have a perpetual skills&lt;BR /&gt;gap.&lt;BR /&gt;&lt;BR /&gt;So, final answer: maybe.&lt;BR /&gt;&lt;BR /&gt;====================== (quote inserted randomly by Pegasus Mailer)&lt;BR /&gt;rslade@gmail.com rmslade@outlook.com rslade@computercrime.org&lt;BR /&gt;We want things to be easier. How badly we want it can be measured&lt;BR /&gt;by the size of Bill Gates's fortune.&lt;BR /&gt;- Neal Stephenson, 'In the Beginning was the Command Line'&lt;BR /&gt;victoria.tc.ca/techrev/rms.htm &lt;A href="http://twitter.com/rslade" target="_blank"&gt;http://twitter.com/rslade&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank"&gt;http://blogs.securiteam.com/index.php/archives/author/p1/&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413" target="_blank"&gt;https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413&lt;/A&gt;</description>
      <pubDate>Wed, 14 Oct 2020 19:17:52 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/39952#M2910</guid>
      <dc:creator>rslade</dc:creator>
      <dc:date>2020-10-14T19:17:52Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/39969#M2911</link>
      <description>&lt;P&gt;I think the gap is between what companies are willing to pay for highly skilled security professionals and what salary the professionals are willing to work for. I know I lost one CISO job because they could bring in someone cheaper and younger. Now the employees still there, hate working there, and several people have already left the company or moved internally, but HEY! The new guy was cheaper! And also less experienced. And had no real leadership experience. Or vast background in the field. Or had any big company experience (only worked at small companies). Or had good people skills. Or had any experience training his subordinates. Or etc., etc. But he &lt;U&gt;was&lt;/U&gt; cheaper...............&lt;/P&gt;</description>
      <pubDate>Thu, 15 Oct 2020 13:48:03 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/39969#M2911</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-10-15T13:48:03Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/39984#M2913</link>
      <description>&lt;P&gt;&lt;STRONG&gt;Skills Gap&lt;/STRONG&gt; = IDK what I want &lt;STRONG&gt;+&lt;/STRONG&gt; IDK how to write a proper job description &lt;STRONG&gt;+&lt;/STRONG&gt; Must include CISSP in the description &lt;STRONG&gt;+&lt;/STRONG&gt; I just lost my SOC III Analyst and I must find someone with the same skill set &lt;STRONG&gt;+&lt;/STRONG&gt; We don't train here &lt;STRONG&gt;+&lt;/STRONG&gt; I hope you like 3rd shift&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Sorry, I couldn't help myself lol.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Again, just doing a quick Indeed search for 'Cyber' in my area and here's a snippet of an entry level position according to the job duties. The SSCP or CompTIA's CySA+ would be more than sufficient.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cyber Security Specialist&amp;nbsp;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;SPAN&gt;Preferred: CISSP, CEH, SANS, GIAC or other industry-recognized certification related to vulnerability scanning/management, Centralized log management, firewalls, IPS/IDS, or incident response.&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 15 Oct 2020 18:54:38 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/39984#M2913</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-10-15T18:54:38Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/39999#M2914</link>
      <description>&lt;P&gt;Am a bit of a doubter as well.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I will accept that maybe for SOME skill sets and in SOME areas, there is a lack of talent.&amp;nbsp; But not universal across the board.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When I hear of people struggling to even GET a job (and I include myself who has been spending 7-8 trying to find a new job), I am doubtful.&amp;nbsp; These people should be snapped up in such an environment.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I DO see the nonsense of bad job descriptions.&amp;nbsp; And dealt with companies with unreasonable expectations (pull out a particular skill as a drop-dead, must have skill and reject you, etc).&amp;nbsp; I've seen roles go unfilled for MONTHS when I know several qualified people applied (and interviewed) for it.&amp;nbsp; And dealt with the idiot recruiters and hiring managers who can't seem to figure what I CAN do and why I am an excellent fit for the positions *I* want and not come to me for roles that I am NOT a good fit for.&lt;BR /&gt;&lt;BR /&gt;I more think what the problem is is the whole system of finding talent and filling roles is broken.&amp;nbsp; The nonsense like hiring the cheaper person who drives people away is the result of a broken system.&amp;nbsp; Or go after the wrong talent and not the right talent and letting people grow into a role that are best fit for.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 16 Oct 2020 13:19:28 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/39999#M2914</guid>
      <dc:creator>emb021</dc:creator>
      <dc:date>2020-10-16T13:19:28Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40050#M2923</link>
      <description>&lt;P&gt;And I have had several blunt discussions during the interview where I tell them the salary range I am looking for and they say "We can't afford you.". After speaking with a colleague who interviewed for the same position but had a salary range about 30K lower than mine (around 100K) and he was told the same thing.&lt;/P&gt;&lt;P&gt;The agency had just suffered a cybersecurity breach, had fired their CIO, had no security people on staff and expected the CIO to be the CISO as well, but they couldn't afford to pay for a highly qualified individual to do both. So is this a cyber skills gap or a CFO not wanting to pay for what they actually need? I mean if you can't pay for a CIO and a CISO, why not combine those salaries and pay a highly qualified individual to do both? It amazed me that, after suffering a cybersecurity breach, they did not want to add security staff but expected to hire a CIO that could do both roles and not pay over $100K for someone that was going to do both. Good luck finding someone who can do both and is willing to be that exposed to the consequences for less than 100K. I'm sure they CAN find someone to fill the role at that low salary, but pretty sure they are just setting themselves up for another failure.&amp;nbsp; P.S they take in 20+ millions per year as revenue.&lt;/P&gt;</description>
      <pubDate>Mon, 19 Oct 2020 14:48:13 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40050#M2923</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-10-19T14:48:13Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40057#M2925</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The agency had just suffered a cybersecurity breach, had fired their CIO, had no security people on staff and expected the CIO to be the CISO as well, but they couldn't afford to pay for a highly qualified individual to do both.&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;And you wanted to work for them...why? I'm not sure of the events surrounding the breach or how much negligence was involved for them to feel like the CIO/CISO needed to be fired but I probably would have ended the interview during that part if they couldn't give a very good reason for it. If you want to use the C-Suite as a scapegoat for anything that goes wrong, your Organization is not the right fit for me. Does there need to be ownership for the breach at their level? Absolutely, but we all know it's not a matter of if but when.&lt;/P&gt;</description>
      <pubDate>Mon, 19 Oct 2020 18:18:25 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40057#M2925</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-10-19T18:18:25Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40058#M2926</link>
      <description>&amp;gt; tmekelburg1 (Contributor I) posted a new reply in Career on 10-19-2020 02:18 PM&lt;BR /&gt;&lt;BR /&gt;&amp;gt; &amp;nbsp; And you wanted to work for them...why?&lt;BR /&gt;&lt;BR /&gt;Very often the ad has such limited details that you might apply just out of idle&lt;BR /&gt;curiosity ...&lt;BR /&gt;&lt;BR /&gt;====================== (quote inserted randomly by Pegasus Mailer)&lt;BR /&gt;rslade@gmail.com rmslade@outlook.com rslade@computercrime.org&lt;BR /&gt;What you see and hear depends a good deal on where you are&lt;BR /&gt;standing; it also depends on what sort of person you are.&lt;BR /&gt;- Clive Staples Lewis&lt;BR /&gt;victoria.tc.ca/techrev/rms.htm &lt;A href="http://twitter.com/rslade" target="_blank"&gt;http://twitter.com/rslade&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank"&gt;http://blogs.securiteam.com/index.php/archives/author/p1/&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413" target="_blank"&gt;https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413&lt;/A&gt;</description>
      <pubDate>Mon, 19 Oct 2020 18:53:52 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40058#M2926</guid>
      <dc:creator>rslade</dc:creator>
      <dc:date>2020-10-19T18:53:52Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40059#M2927</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1324864413"&gt;@rslade&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;BR /&gt;Very often the ad has such limited details that you might apply just out of idle&lt;BR /&gt;curiosity ...&lt;BR /&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;I agree but as soon as they told me about how they treated the previous employees, it wouldn't have made it to the salary negotiation stage. Would you have accepted the position if they did pay the right amount of money&amp;nbsp;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp;? Just curious because I'm looking at this from a position of&amp;nbsp;privilege because I'm currently employed. My perspective may be different if I really needed a job.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 19 Oct 2020 19:16:05 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40059#M2927</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-10-19T19:16:05Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40062#M2928</link>
      <description>&lt;P&gt;Let's summarise some good points here, and maybe add some new:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- &lt;STRONG&gt;Recruiters&lt;/STRONG&gt; very often cannot distinguish between a CISSP and a Cisco CCSP&amp;nbsp; or a CSSP (cloud). Let alone differences between CISSP, CRISC, CISA or CISM. For many recruiters that is just a &lt;STRONG&gt;soup&lt;/STRONG&gt; of 'the security thing'.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-&amp;nbsp; &lt;STRONG&gt;Sector&amp;nbsp;experience&lt;/STRONG&gt;: Agency recruiter telling that "Your CV is a &lt;STRONG&gt;perfect&lt;/STRONG&gt; match.. Except.. The client insists on someone who has 'banking experience'" . Well, explain them that people are not born with that. Maybe if they start with hiring a security-competent and experienced person, they can bet that in around one or two years they will certainly have also that &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&amp;nbsp; -Is it born first the experience or the candidate?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- &lt;STRONG&gt;Language (cultural?) barriers&lt;/STRONG&gt; In some countries (e.g. Switzerland) some company may search for many months (over 9 months!!) for experienced security candidates, although they insist on a &lt;STRONG&gt;fluent&amp;nbsp;German-speaking&lt;/STRONG&gt; &lt;EM&gt;mandatory&lt;/EM&gt; requisite even when the role is clearly going to be working in an international setting. Doesn't the recruiter realise that maybe there are not so many Security experienced &lt;EM&gt;interested&lt;/EM&gt; candidates speaking German...? And no, one should not be tempted to think that asking for &lt;EM&gt;fluent German&lt;/EM&gt; is a veiled form of racism. (Note that in Europe German is spoken in: Germany, Austria and Switzerland - plus a couple of countries adding to the same inhabitants of Denver. 
English speakers in comparison are incomparably easier to find.)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- &lt;STRONG&gt;Pay &amp;amp; Skills&lt;/STRONG&gt; We want Security &lt;STRONG&gt;superman&lt;/STRONG&gt;&amp;nbsp;(list here all security certs...), 10+ years management experience, but also hands on, ready to work in a stressful environment (read: handle security incidents) and possibly holding an MBA. Nonetheless, we publish a salary which is 20% less than what we publish for a Cloud Architect with 3 years experience. In other words, we could pay you like an Agile/Scrum newcomer...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- &lt;STRONG&gt;Reporting structure &lt;/STRONG&gt;Yes, you will probably not report up to the CISO under the CEO. Most likely if you will ultimately report into IT.&amp;nbsp; To the CIO if you are lucky. If not, below. Or maybe the CFO. Why not the CCO..? Anyway to someone who will not understand what you would need to at least 'attempt' to improve the "organisational security posture". Risk Management? Committees? Mmm.... Let's see... where we are with that? CMMI... 2-3 ? Let re-talk about this another time..&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- &lt;STRONG&gt;Team&lt;/STRONG&gt; Obviously your Team will be understaffed. So what? Every Team is understaffed, you know? But &lt;STRONG&gt;yours&lt;/STRONG&gt; will be MORE understaffed, is it crystal clear?? You know...Security is &lt;STRONG&gt;not a profit&lt;/STRONG&gt; &lt;STRONG&gt;center&lt;/STRONG&gt;... (Would those be the moments when you would think that you should have studied Economy &amp;amp; Marketing and be in Sales Team..?)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- &lt;STRONG&gt;Skills Gap &lt;/STRONG&gt;Hahhahahaha... Ehm, excuse me -I lost the aplomb for a sec :D.. Ok, this one is not serious, right? In average takes anywhere from 3 to 9 months to land a job in Security, &lt;STRONG&gt;not&lt;/STRONG&gt; always decently paid. 
We are talking for people with more than 5 years experience. The higher the experience, the...harder!!! (should not be the reverse?!?!?!).&amp;nbsp; Skills gap seems to be simply a &lt;STRONG&gt;joke&lt;/STRONG&gt;. The reality seems to be that a lot of 1st line incident handlers or firewall specialists / SIEM engineers are sought (read: underpaid low-skilled cannon-fodder). But... see next point &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- &lt;STRONG&gt;Career Path&lt;/STRONG&gt;&amp;nbsp;The EVPs or the MDs or the CISO itself will be (nearly) always... what they call "&lt;STRONG&gt;non&lt;/STRONG&gt;-technical" people. Translation: Almost &lt;STRONG&gt;never&lt;/STRONG&gt;&amp;nbsp;they do not hold &lt;STRONG&gt;any kind&lt;/STRONG&gt; of Security certification. Not only they are non-technical. They have often no real &lt;EM&gt;Information Security&lt;/EM&gt; background or they have covered few roles and then have been rocketed to the top. Very often they just got the job because of&amp;nbsp; "good social skills". They might sometimes hold an MBA. Plenty of examples on Linkedin - And yes, sure that there are exceptions.&lt;/P&gt;&lt;P&gt;(Favorite Movie Trailer: &lt;EM&gt;Maverick&lt;/EM&gt;).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Now, who would suggest his/her children to work as an Information Security Professional?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Be smart, next time teach your kids how to distinguish between Futures, Hedge Funds and Swaps... &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 19 Oct 2020 21:49:00 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40062#M2928</guid>
      <dc:creator>CISO-Italiano</dc:creator>
      <dc:date>2020-10-19T21:49:00Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40064#M2929</link>
      <description>&amp;gt; CISO-Italiano (Newcomer I) edited a reply in Career on 10-19-2020 05:38 PM in the (ISC)² Community :&lt;BR /&gt;&lt;BR /&gt;&amp;gt; "The client insists on someone who has 'banking experience'"&lt;BR /&gt;&lt;BR /&gt;Actually, banking experience is an interesting example. Obviously, you don't have&lt;BR /&gt;any. If you did, you would know that bankers are a very insular bunch. Bank staff&lt;BR /&gt;are encouraged to socialize with other bank staff. To the point of "job&lt;BR /&gt;requirement." (Since you practically have to be born into a banking family to get&lt;BR /&gt;a job in a bank, I suspect that this is so that bank staff will marry bank staff, and&lt;BR /&gt;produce little potential bank staffers.) "Banking experience" is not just knowing&lt;BR /&gt;the systems and processes, but seems to be a kind of protection against insider&lt;BR /&gt;attacks, since the people you work with have to know *ALL* about you.&lt;BR /&gt;&lt;BR /&gt;(Of course, this does mean that if you *do* know the insider jargon, bankers are&lt;BR /&gt;some of the easiest people in the world to do social engineering on, since if you&lt;BR /&gt;are "one of us" you are automatically accepted. Another such group is law&lt;BR /&gt;enforcement.)&lt;BR /&gt;&lt;BR /&gt;====================== (quote inserted randomly by Pegasus Mailer)&lt;BR /&gt;rslade@gmail.com rmslade@outlook.com rslade@computercrime.org&lt;BR /&gt;It was much better to imagine men in some smoky room somewhere,&lt;BR /&gt;made mad and cynical by privilege and power, plotting over the&lt;BR /&gt;brandy. 
You had to cling to this sort of image, because if you&lt;BR /&gt;didn't then you might have to face the fact that bad things&lt;BR /&gt;happened because ordinary people, the kind who brushed the dog&lt;BR /&gt;and told their children bedtime stories, were capable of then&lt;BR /&gt;going out and doing terrible things to other ordinary people.&lt;BR /&gt;- `Jingo,' Terry Pratchett&lt;BR /&gt;victoria.tc.ca/techrev/rms.htm &lt;A href="http://twitter.com/rslade" target="_blank"&gt;http://twitter.com/rslade&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank"&gt;http://blogs.securiteam.com/index.php/archives/author/p1/&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413" target="_blank"&gt;https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413&lt;/A&gt;</description>
      <pubDate>Mon, 19 Oct 2020 22:41:52 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40064#M2929</guid>
      <dc:creator>rslade</dc:creator>
      <dc:date>2020-10-19T22:41:52Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40066#M2930</link>
      <description>&lt;P&gt;I wanted to work for them because I (or someone with my skill set) was exactly what they needed. It was a CIO position which I have past CIO experience. Yet they also needed a CISO but had zero security staff. I have experience with that as well. I also know how to train up security staff. As far as being made the fall guy, I have ways of documenting security lapses and getting either management's buy-in or their written and signed acceptance of the risk. That way they can either choose to fund it or be liable if the risk they accepted comes back to bite them. They needed someone who knew how to run the place, while also improving their security posture. They needed an IT leader not just an IT doer. Lots of candidates can run or manage an IT shop, but it takes a leader to truly make it efficient. That is what I do, lead. I don't go into positions worrying about being made the scapegoat. You can be sure that I will inform management of the security risks we face and give them the opportunity to remediate or accept the risk.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My current role has me taking less of a leadership role and more of a managerial role so I missed the opportunity to lead and make a difference. That is what really drew me to the position. I know some may say, well if you are so good why did you lose your previous position? Simple answer. Management changed and went from being receptive/supportive of my ideas to trying to control me. They changed out the CIO and 2nd in command due to retirements. They moved the CISO position from being a direct line to the second in the agency to under the CIO's control (which by the way I have more CIO experience than the person selected to replace the retiring CIO). The new CIO knew he couldn't control me and figured I would be a problem to his tyrannical reign. 
Plus they could get someone who was not as strong as I was, get them cheaper, and be able to control them as they were looking to get their start in the CISO role (they had only had 1.5 years of being a CISO at a small company of 200 people). So sometimes you can do all the right things and then management changes on you and you become an outsider. Life happens. You prepare yourself and keep looking for better opportunities.&lt;/P&gt;</description>
      <pubDate>Tue, 20 Oct 2020 11:23:28 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40066#M2930</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-10-20T11:23:28Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40070#M2931</link>
      <description>&lt;P&gt;In Recruiters' eyes one loses one's job just because he/she is not a good worker. How far from reality... There are a number of reasons why Management might want to get rid of a Head of Security and Risk.&amp;nbsp; He/She might point out bad IT practices, reveal hidden risks, forcing them to make uncomfortable choices. Also a proper CISO should challenge IT Governance, when it's not accounting for a proper mix with Information Security Governance. Real example? Structure of IT Dept Teams, Admins groups and Segregation of Duties. Ultimately this does affect how AD Groups are implemented and how the security controls will work and possibly even which relevance and usability the logs will have in case of a Security Incident. Basically a bad IT Governance can hinder -or completely impede- the CISO job.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Sometimes the CIO could not want to even try to understand those issues, as they are not HIS (her) top list issues. Plus fixing those would require structural changes in the IT Dept. (e.g. Org. changes, teams compositions) which the CIO might not be interested in. Following ITIL guidance means to delegate power: not many CIOs are able/interested to go that way. Much easier to replace an 'intrusive' CISO with a less experienced and more malleable one. That is a peek on the many reasons why the Information Security function should NEVER report into IT structure. Reporting to the CEO is where it belongs, regardless of the sector in which the organisation operates.&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 20 Oct 2020 13:21:10 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40070#M2931</guid>
      <dc:creator>CISO-Italiano</dc:creator>
      <dc:date>2020-10-20T13:21:10Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40071#M2932</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;That is what I do, lead. I don't go into positions worrying about being made the scapegoat. You can be sure that I will inform management of the security risks we face and give them the opportunity to remediate or accept the risk.&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;And I don't think we should have to either and it's a shame that's what some Organizations do. In my opinion, they have glaring cultural issues around Cybersecurity and probably in other business functions as well.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;P&gt;My current role has me taking less of a leadership role and more of a managerial role so I missed the opportunity to lead and make a difference. That is what really drew me to the position. I know some may say, well if you are so good why did you lose your previous position? Simple answer. Management changed and went from being receptive/supportive of my ideas to trying to control me. They changed out the CIO and 2nd in command due to retirements. They moved the CISO position from being a direct line to the second in the agency to under the CIO's control (which by the way I have more CIO experience than the person selected to replace the retiring CIO).&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;That's an odd move as well, unless they felt like they need to contract for business reasons. As an example, we're growing so we have to separate the C-Suite more into specialized roles if that makes sense. If I was the CIO, there would be no chance I'd advocate on having the CISO report to me. There are so many benefits to keeping that role separate from IT, it's an unfortunate predicament you're in (or were in).&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 20 Oct 2020 13:27:25 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40071#M2932</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-10-20T13:27:25Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40072#M2933</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/558864963"&gt;@CISO-Italiano&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;Also a proper CISO should challenge IT Governance, when it's not accounting for a proper mix with Information Security Governance. Real example? Structure of IT Dept Teams, Admins groups and Segregation of Duties. Ultimately this does affect how AD Groups are implemented and how the security controls will work and possibly even which relevance and usability the logs will have in case of a Security Incident. Basically a bad IT Governance can hinder -or completely impede- the CISO job.&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;I'd add one caveat, don't go into the room waving a big stick around. This is where our soft skills, I prefer essential skills, come into play here. If we're new to the role or it's a new position created, we have to learn the office politics and culture before we start making sweeping changes.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;SPAN&gt;Sometimes the CIO could not want to even try to understand those issues, as they are not HIS (her) top list issues.&amp;nbsp; &amp;nbsp;&lt;/SPAN&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;I second this, security is everyone's responsibility but is typically not at the top of a CIO's priority list.&lt;/P&gt;</description>
      <pubDate>Tue, 20 Oct 2020 13:38:12 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40072#M2933</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-10-20T13:38:12Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40077#M2934</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/690706113"&gt;@tmekelburg1&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;P&gt;My current role has me taking less of a leadership role and more of a managerial role so I missed the opportunity to lead and make a difference. That is what really drew me to the position. I know some may say, well if you are so good why did you lose your previous position? Simple answer. Management changed and went from being receptive/supportive of my ideas to trying to control me. They changed out the CIO and 2nd in command due to retirements. They moved the CISO position from being a direct line to the second in the agency to under the CIO's control (which by the way I have more CIO experience than the person selected to replace the retiring CIO).&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;That's an odd move as well, unless they felt like they need to contract for business reasons. As an example, we're growing so we have to separate the C-Suite more into specialized roles if that makes sense. If I was the CIO, there would be no chance I'd advocate on having the CISO report to me. There are so many benefits to keeping that role separate from IT, it's an unfortunate predicament you're in (or were in).&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;The new CIO's management style was tyrannical. He has to be in control and uses fear to keep his people "in line". My style is collaboration and working together for the best needs of the agency. He knew that I wouldn't just take orders from him without questioning him. 
He could not afford to have a strong leader under him, nor could he have a strong leader as a peer.&amp;nbsp; So he convinced the new agency director to move the position back under him and reopen it to bring it back in house (I was a contracted CISO). The saddest part of it all is that he didn't even understand the organizational culture that was present in his organization. The organizational culture was one of fear. So tyrannical leaders do not perform well in cultures of fear. He doesn't realize that and probably will never recognize his own faults. Did I mention that they were several years behind on patches because IT was scared of getting a blue screen of death from patches?&lt;/P&gt;</description>
      <pubDate>Tue, 20 Oct 2020 16:15:22 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40077#M2934</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-10-20T16:15:22Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40170#M2939</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/690706113"&gt;@tmekelburg1&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;I second this, security is everyone's responsibility but is typically not at the top of a CIO's priority list.&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Completely agree &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; That's why &lt;STRONG&gt;Information&amp;nbsp;Security&lt;/STRONG&gt; should NEVER be put under a CIO &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 22 Oct 2020 17:43:26 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40170#M2939</guid>
      <dc:creator>CISO-Italiano</dc:creator>
      <dc:date>2020-10-22T17:43:26Z</dc:date>
    </item>
    <item>
      <title>Re: Is there really a Cybersecurity skills gap?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40357#M2957</link>
      <description>&lt;P&gt;Couple possibilities depending on the situation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1. Basically like others hinted at it's a failure of company leadership and management. Areas to include: lack of budget, misaligned structure (staff function/roles), lack of internal training, lack of succession planning, reduced staff, outdated/insufficient technologies.&amp;nbsp;&lt;/P&gt;&lt;P&gt;2. Interest in multinational companies (recruitment/staffing) who make their profits off hiring foreign nationals as a cheap labor force. When that labor force obtains citizenship then they are competing against the same labor force they were a part of.&lt;/P&gt;&lt;P&gt;3. Education is expensive, not every student wants to work in IT, education programs are not structured for IT (it's more like a computer club). Of course there are some good schools just limited for all.&lt;/P&gt;&lt;P&gt;4. Experience. You can't get experience from education. Little exposure but most experience comes from different job roles and access to different technologies. &amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 29 Oct 2020 14:28:30 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Is-there-really-a-Cybersecurity-skills-gap/m-p/40357#M2957</guid>
      <dc:creator>RRoach</dc:creator>
      <dc:date>2020-10-29T14:28:30Z</dc:date>
    </item>
  </channel>
</rss>

