topic Re: Cyber Workforce Shortfalls in Career Discussions

Cyber Workforce Shortfalls

jmccumber — Sun, 26 Nov 2017 14:31:26 GMT

OK - we've all seen the statistics, projections, and analyses.

How do you feel about the projected shortfalls in our cybersecurity workforce? Are there really over 600K position unfilled? How is this number assessed? Do "most" CISOs and other senior security talent rake in salaries north of US$500K per annum?

I fear some of what we are seeing in the media is rehashed FUD statistics reminiscent of the days when every virus outbreak or insider threat was costing business billions in losses.

What say you?

Re: Cyber Workforce Shortfalls

Hacker — Sun, 26 Nov 2017 14:33:52 GMT

@jmccumber

Send me the link to apply 🙂

Care to share the article where you read this information?

Re: Cyber Workforce Shortfalls

jmccumber — Sun, 26 Nov 2017 14:39:17 GMT

Hey, Hack,

Here's an article from Forbes last year that tops out around $380K

https://www.forbes.com/sites/stevemorgan/2016/01/09/top-cyber-security-salaries-in-u-s-metros-hit-380000/#481107ef7ef8

I remember seeing one where the $600K number was floated, and immediately reached out to a US Government CISO friend, and we both had a good laugh. We both were looking where to apply. Let me do some digital archaeology and see if I can dig it up.

Re: Cyber Workforce Shortfalls

Altonac — Sun, 26 Nov 2017 14:44:35 GMT

I think the shortfall is actually subjective. I say this because you have all these vacant positions globally and at the same time there are a low quality of individuals available to fill the positions hence they remain unfilled. I maintain that education and security generalists are what is needed as there’s too many security professionals specializing in too little and only meet the technical requirements and not the business end. If we can address this then we’re on our way to filling those vacancies with quality individuals.

Re: Cyber Workforce Shortfalls

jmccumber — Sun, 26 Nov 2017 14:47:16 GMT

Altonac,

Very interesting perspective. Thanks for posting.

Re: Cyber Workforce Shortfalls

bobrayner — Sun, 26 Nov 2017 14:47:29 GMT

It's certainly a growth industry; there has been strong demand for the skills over the last decade or two.

We work in an industry dominated by FUD (from vendors, for instance) but we learn to sort the wheat from the chaff

Pay rates are price signals; and around the world pay rates show that there's a shortage. Here in the UK I get a fantastic day rate, even though what I do doesn't feel particularly hard.

Re: Cyber Workforce Shortfalls

jmccumber — Sun, 26 Nov 2017 14:54:31 GMT

Bob,

Insightful comments from the UK - thanks. ....and yes, we are in the FUD-driven industry. So many service and product vendors believe they best way to force someone to write them is check is through judicious application of FUD.

I will be in the UK in two weeks at our EMEA offices. Perhaps you could pop on over, if you're in the neighborhood.

I want you all to know, I certainly don't have all the answers. The purpose of this thread is to simply state the issue, and solicit your opinions. I personally feel we place too many barriers to entry in the profession, and are strangling our own pipeline.

Re: Cyber Workforce Shortfalls

Hacker — Sun, 26 Nov 2017 14:59:40 GMT

@jmccumber

With these salaries, I maybe in the wrong industry hahaha.

Re: Cyber Workforce Shortfalls

vistauxx — Sun, 26 Nov 2017 15:15:07 GMT

One of the largest employers in this space is the Federal Government.

Opinion, observation, and NOT academically researched for publication (Please correct me):

Contractors often are paid more in salary than their Federal Supervisors. There is a natural limit of the 170s to 180s for these positions as direct labor as a contractor. There are very few instances where there is a confluence of labor quality and contracting terms / clauses where this type of salary would be permitted. My experience seems to me to be that these rates are more common due to contracting clauses rather than specifically due to labor quality.

There is a cadre of well qualified, motivated federal employees who "get it" and work hard at protecting our national infrastructure (in many ways, not just cyber). They do this a rates well below those suggested in jmmccumber's posit. These rates are published. To get above 130 they are moved to management and are rarely directly involved in a hands on manner.

IMHO there is a significant (I might argue a infrastructure threatening) shortage of qualified "protectors". There are lots of reasons for this, not the least of which is "publication of code is more important than security", "we can fix it in version 2,3,4,5,6,7,8.04 . . . . . ". Is it interesting to you, as it is interesting to me, that the list of "Top 10" (OWASP) vulnerabilities has the top 2 as the SAME for at Least 4 years running? {OWASP_Top_10-2017_(en).pdf.pdf} (the double pdf is correct).

Let's stop looking at the "black swan" salaries (those who lose their job at the first recognized breach of the infrastrucutre they are responsible for -- the word recognized is important here because of the significant number of unrecognized breaches still ongoing). Let's recognize that it is easy and realistic to make 110K - 120K (top 16% of salaries nationwide) with 2-3 years of experience in a challenging, interesting, lifelong learning (or you don't "get it"), nationally important, leading edge of "work anywhere you want" profession.

Re: Cyber Workforce Shortfalls

Altonac — Sun, 26 Nov 2017 15:21:30 GMT

Vistauxx I’m in South Africa and it’s the same here. I myself am a security consultant and find the maturity and skill set of the in-house professionals somewhat lacking hence the position I find myself in. The has to be a collaborative effort and knowledge transfer from consultant to in-house in order to make for a better security posture

Re: Cyber Workforce Shortfalls

jmccumber — Sun, 26 Nov 2017 15:21:47 GMT

vistauxx,

For those with shorter attention spans, I wanted to highlight the astute last sentence in your post:

vistauxx: "Let's recognize that it is easy and realistic to make 110K - 120K (top 16% of salaries nationwide) with 2-3 years of experience in a challenging, interesting, lifelong learning (or you don't "get it"), nationally important, leading edge of "work anywhere you want" profession."

Well stated, and quite accurate.

Re: Cyber Workforce Shortfalls

jmccumber — Sun, 26 Nov 2017 15:44:00 GMT

I just now read a post by a big cyber security product $vendor espousing advice from their employees on whether or not women should enter the cybersecurity field. The title turned out to be click-bait, because, of course, no sane person would advise against it if someone felt the calling, man or woman.

One of these employees said she was targeting her remarks at student in their last year at university. That right there is a BIG part of the problem. We assume the accession process only works for a four-year university graduate.

We need to ensure we reach out to the entire range of new recruits: non-college technical people, junior college students, veterans, retraining older workers, and under served communities. There are hundreds of thousands of potential new cybersecurity entrants who are ignored when you start with the premise that new cybersecurity folks are only coming from four-year institutions.

We need to knock down these faulty preconceptions and barriers to more effectively address the work skills shortage.

Re: Cyber Workforce Shortfalls

vistauxx — Sun, 26 Nov 2017 15:48:16 GMT

Altonac correctly points out my parochial use of US salaries and percentage. I seek forgiveness. Clearly these numbers will be different worldwide, and this is a worldwide problem (with some possible notable exceptions where access to the international asset "the Internet" is blocked, or at least an attempt is made to do so).

This is an international problem, and an international critical infrastructure (Air Traffic Control is largely dependent on the Internet, even if it is only the non private VOIP circuits used by over 90 countries).

It is reported that DDOS is often implemented by using machines that are outside of national boundaries (I have specific personal experience with 2 examples where this was true).

I could go on . . . . . . .

Re: Cyber Workforce Shortfalls

bobrayner — Sun, 26 Nov 2017 16:03:51 GMT

Universities have been slow to adapt to the new needs of this industry; I very rarely work with people who have an infosec degree, though there are lots of people with a STEM background.

Many security consultants are on their second or third career. That's fine; many 18-year-olds make bad career decisions (I certainly did) but those who come to security later in life have a bit more breadth and can resist the temptation to focus on one technical detail.

Re: Cyber Workforce Shortfalls

JenD — Mon, 27 Nov 2017 10:48:50 GMT

I am currently hunting for my first IT Security job, transitioning from a role that has only part of the job focused on security. There may well be a shortfall but what I'm noticing is that employers want someone already fully experienced. I'm not *quite* sure how I'm going to get the requisite 5 years experience they all seem to want - in my mind someone who is motivated could easily cross-train and transfer their skills.

Re: Cyber Workforce Shortfalls

jmccumber — Mon, 27 Nov 2017 19:13:38 GMT

JenD,

Shameless pitch: if you think you have the skillz, but not the five years, consider our Associates program.

That said, you concerns are, for better or worse, are shared by many. Our profession is multi-disciplinary, and depending on where you begin your journey, it may take a significant amount of effort to shore up your resume. When I am teaching, and students present that problem, I always suggest they consider reaching out to their current employer or school and volunteer their support to those who perform cybersecurity functions within their organization. It's often a great place to start gaining in-demand skills.

Re: Cyber Workforce Shortfalls

CISOScott — Tue, 28 Nov 2017 15:23:02 GMT

I have yet to see CISO salaries approaching 600K. In my recent CISO searches the highest ones I have seen mention 250K and they are usually in high cost of living areas and in heavily metropolitan areas (U.S. California, New York, Texas).

I agree that it is not unreasonable to expect to find work in the 80-120K range in the US.

Re: Cyber Workforce Shortfalls

Hacker — Tue, 28 Nov 2017 15:26:49 GMT

Agree.

Sometimes this survey is not accurate compare to real world payroll.

Re: Cyber Workforce Shortfalls

CISOScott — Thu, 28 Dec 2017 15:26:19 GMT

@JenD wrote:
I am currently hunting for my first IT Security job, transitioning from a role that has only part of the job focused on security. There may well be a shortfall but what I'm noticing is that employers want someone already fully experienced. I'm not *quite* sure how I'm going to get the requisite 5 years experience they all seem to want - in my mind someone who is motivated could easily cross-train and transfer their skills.

One of the key things to gain the experience needed is to volunteer. Even if you do not get compensated for it. Too many people I have worked with only want to do the job if they get paid WHILE they are doing it. I would equate it to the players on a bench on a basketball team saying "Well when I get paid like a starter, I will put in the hard work required to increase my skills to be good enough to be a starter." I agree, most companies want to be able to find the person who already has the "starter" skills and not the "bench warmer" type person, but I moved successfully from the bench warmer role to starter role because of stories like this:

In one interview the panel could see I did not have the experience performing the IT duties they were requiring because I had never held a paid position performing those duties. However when I said "Yes I have not performed these duties at work, but I have performed these duties in my home lab." the interviewer asked about the details of my home lab. When I told them I had 14 computers, a router and KVM switch to connect it all. I had 3 servers and 11 computers (This was before virtualization was a big thing, and yes it was noisy but my spouse let me keep all of my 'toys' running in the basement!)" They said that was impressive. I showed them a picture of it and they said "If you took that much initiative to set that all up, I believe we can teach you the rest. When can you start?"

I am sure there are jobs going undone at your workplace. Look for those and ask your boss if you can do them or shadow those people who are doing security.

Re: Cyber Workforce Shortfalls

JenD — Tue, 02 Jan 2018 15:37:59 GMT

Thanks so much for the really interesting reply, CISOScott! I've now put my hand up at my company to see if anyone can give me some 'menial tasks' in the area that I need experience - to help them out too! 🙂