topic Re: Shortage of Cyber Security Professionals ... in Industry News

Shortage of Cyber Security Professionals ...

rslade — Mon, 09 Oct 2023 09:12:39 GMT

Best bet for commodity futures? Buy security professionals. Apparently there is a world wide shortage.

Yeah, right. As I have noted elsewhere, and frequently, there's been a shortage my whole career. I ain't rich yet. There's a bit of a disconnect.

OK, so first off, recently, there was Trump's "executive order," which, as I noted, is mostly about getting staff for (relatively low paying) government jobs, and probably isn't going to change much of anything.

Now, in Canada, another group has been formed "to craft a plan for cyber security education and workforce development." Yeah, good luck with that.

Returning to the US, the Marines are asking for civilian volunteers to make up a new computer task force cyber security unit. According the the General responsible, "If anybody wants to join, you can sign up." (Sounds a bit desperate, if you ask me ...)

Re: Shortage of Cyber Security Professionals ...

Caute_cautim — Tue, 21 May 2019 19:41:17 GMT

A lot of us have been through the mill, yes, we were once young impressionable people, put into secure rooms, or indoctrinated with some form of military security regime, or discipline. Given the current shortage, the key thing really is ensuring the correct ethics and skills and how to use them appropriately can be applied - this takes time. Yes, I have seen situations whereby people with an aptitude have been made security analysts on the front desk - but they have been assisted with Augmented Intelligence and Machine Learning, to assist them to analyse new situations quickly and to make recommendations - but not to take away the decision making process at all. People learn by mistakes, but the will they operate in the way, we expect under pressure? Will they know the difference between right and wrong or whether to conduct a vulnerability scan on a 10 Gigabit network segment without going gunho and then asking why things were breaking? Or ensuring the correct authorisation is in place and the right parameters are set up before hitting the go button?

This needs some form of coaching, mentoring relationship to be created, to guide - or these new recruits could find themselves on the wrong side of the legislation, and not realising why? Or the fact they find it more lucrative to move to the bad side, and make money on the Dark Web because they have the skills sets?

Lets focus on the getting the new recruits, but at least ensuring they understand the ethics, and the level of trust required daily to conduct themselves in this business?

Regards

Caute_cautim

Re: Shortage of Cyber Security Professionals ...

Chuxing — Tue, 21 May 2019 19:56:40 GMT

Well, my experience tells me that the better statement is: There is a shortage of competent security leadership, and there is a shortage of competent IT leadership that really recognizes the importance of security.

Once we solve these shortages, then we can actually say "there is a shortage of security professionals", or the shortage does not even exist ?

Re: Shortage of Cyber Security Professionals ...

Caute_cautim — Tue, 21 May 2019 20:01:01 GMT

Perhaps there is another way to put this - all C level should be cyber security professionals, in order to run their businesses efficiently, effectively and keep them financially viable. They are the key to understanding the level of Governance, Risk and Compliance that needs to be applied to maintain the health and welfare of their organisations. They are ultimately responsible and can be struck off Directorship boards etc.

Lets start at the top,rather than the bottom?

Regards

Caute_cautim

@Chuxing wrote:
Well, my experience tells me that the better statement is: There is a shortage of competent security leadership, and there is a shortage of competent IT leadership that really recognizes the importance of security.

Once we solve these shortages, then we can actually say "there is a shortage of security professionals", or the shortage does not even exist ?

Re: Shortage of Cyber Security Professionals ...

j_M007 — Tue, 21 May 2019 20:00:28 GMT

The 'chicken-and-the-egg conundrum!'

Re: Shortage of Cyber Security Professionals ...

emb021 — Tue, 21 May 2019 20:05:08 GMT

Keep hearing there is a shortage, but I apply for positions that I don't get call backs on, and no one is making job offers to me. Plus, I know of others struggling to find work while the "skill gap/shortage" is being pushed and people are being encouraged to take training, get certified, and get well paid jobs.

What I do see are jobs that have unrealistic requirements, that more fit someone with the skills/knowledge/experiences of 3 people. Then you have recruiters and even hiring managers who don't seem to understand infosec, so reach out to people for jobs that aren't a good fit for them, or turn people away for silly reasons.

(ex: I spent time trying to explain to a recruiter that an information security manager is not the same as an information security project manager. Sigh.)

I think its more that the hiring process is broken, and no one seems interested in fixing it.

Re: Shortage of Cyber Security Professionals ...

Caute_cautim — Tue, 21 May 2019 20:06:38 GMT

I believe there is sufficient legislation to protect organisations, if only the C level acted responsibly, and acted accordingly? But the courts can only move so far or react within certain time spans, once sufficient evidence is gathered to commit a case. The Chicken evolved like man over time, probably from the same amebic bacteria or derivative, according to the universal chemical rule book. However, often through many vices, cause mankind to evolve into all sorts of monsters, in the hope the less they do, will not affect their immediate chances of becoming famous possibly in the wrong way.

Regards

Caute_cautim

Re: Shortage of Cyber Security Professionals ...

Caute_cautim — Tue, 21 May 2019 20:07:56 GMT

Perhaps the recruiter should be re-trained or we need to do due diligence to ensure the recruiter is in fact themselves credible?

Regards

Caute_cautim

@emb021 wrote:
Keep hearing there is a shortage, but I apply for positions that I don't get call backs on, and no one is making job offers to me. Plus, I know of others struggling to find work while the "skill gap/shortage" is being pushed and people are being encouraged to take training, get certified, and get well paid jobs.

What I do see are jobs that have unrealistic requirements, that more fit someone with the skills/knowledge/experiences of 3 people. Then you have recruiters and even hiring managers who don't seem to understand infosec, so reach out to people for jobs that aren't a good fit for them, or turn people away for silly reasons.

(ex: I spent time trying to explain to a recruiter that an information security manager is not the same as an information security project manager. Sigh.)

I think its more that the hiring process is broken, and no one seems interested in fixing it.

Re: Shortage of Cyber Security Professionals ...

Chuxing — Tue, 21 May 2019 20:22:36 GMT

@emb021 what you experienced is again IMHO the lack of competent leadership who really doesn't understand what the security needs are, but instead, cut and paste a bunch nonsense and load them on the poor recruiter / hiring manager.

@Caute_cautim You are absolutely right on the CxOs roles. As a matter of fact, the latest COBIT and ITIL all have recognized this, and have started incorporate best practices of security up to the executive / governance levels. It is no longer just a management / operation issue, and must be addresses at governance level.

Re: Shortage of Cyber Security Professionals ...

CISOScott — Tue, 21 May 2019 21:10:31 GMT

@j_M007 wrote:
The 'chicken-and-the-egg conundrum!'

Or is it the Cuckoo and the egg conundrum?

For the newbies go read The Cuckoo's Egg by Cliff Stoll.

Re: Shortage of Cyber Security Professionals ...

Caute_cautim — Tue, 21 May 2019 21:25:50 GMT

@CISOScottGrab yourself a copy of the book or Kindle, and keep it on the bookshelf.

Regards

Caute_cautim

Re: Shortage of Cyber Security Professionals ...

Steve-Wilme — Wed, 22 May 2019 10:46:02 GMT

Back when I was a Software Engineer, there was a shortage of those, but that didn't translate into high salary or job security or lots of opportunities due to the scarity. So the fields may simply not have been as attractive as working in Finance, Law or Medicine. It was seen as poor relation to more established fields in terms of pay and status. I suspect InfoSec has a similar image problem.

Back in 2013 at the ISC2 meeting at Warwick University there was a show of hand for women in InfoSec, people under 30, under 40, under 50 and so on. The majority of the audience/membership were white, males in their 40s and 50s. So there is a lack of diversity and aging profession, which is in itself a problem.

Re: Shortage of Cyber Security Professionals ...

Steve-Wilme — Wed, 22 May 2019 11:04:07 GMT

There is often no clear understanding of the different roles and skill sets in InfoSec, so many organisations simply ask for almost everything for every role. It's not too uncommon to find policies, standards development, SETA, compliance, PCI, security architecture, security audits, administering security tooling, forensics, pen testing and incident response all in the same job ad. Whilst experiences in InfoSec can be diverse, very few people have years of experience every single aspect of InfoSec. So perfectly capable candidates get rejected, rather than consider candidates who are a 70% fit, and it limits mobility in the labour market, so even if in InfoSec already staff get stuck in roles and not developed.

Re: Shortage of Cyber Security Professionals ...

j_M007 — Wed, 22 May 2019 14:32:41 GMT

So many fowl problems occur when we bury our head in the sand!

https://www.cbc.ca/news/canada/british-columbia/peacock-nuisance-animals-beauty-beast-1.4649532

Re: Shortage of Cyber Security Professionals ...

emb021 — Wed, 22 May 2019 14:41:35 GMT

@Steve-Wilme wrote:
There is often no clear understanding of the different roles and skill sets in InfoSec, so many organisations simply ask for almost everything for every role. It's not too uncommon to find policies, standards development, SETA, compliance, PCI, security architecture, security audits, administering security tooling, forensics, pen testing and incident response all in the same job ad. Whilst experiences in InfoSec can be diverse, very few people have years of experience every single aspect of InfoSec. So perfectly capable candidates get rejected, rather than consider candidates who are a 70% fit, and it limits mobility in the labour market, so even if in InfoSec already staff get stuck in roles and not developed.

Hence why you have work with the NICE framework to establish more clearly job roles/duties. Otherwise we get the nonsense of companies saying they want an "Information Security Officer" when what they really want is an Analyst or Engineer (yeah, seen that...).

I had heard something recently that in IT (and to extension infosec) that often times people have more and more dumped on their plate, sometimes stuff that maybe they shouldn't be responsible for.

And then those people quit, and their company is left scrambling to fill that role.

So I have to wonder if some of these ridiculous job descriptions are due to this? They are trying to fill a role that had a lot of stuff dumped on them, and they think they can find someone with the same skills/experience to fill the role. Sadly, of course, they quest for someone to "hit the ground running" and do all those things makes that a losing proposition.

Re: Shortage of Cyber Security Professionals ...

Steve-Wilme — Wed, 22 May 2019 14:55:01 GMT

Yes quite possibly; it's often sink or swim. The dumped on employee is seen as more capable and 'passionate', so gets more and more given to them over time. If you want something doing give it to someone who's already very busy. And you know where this can lead; to burn out and unexpected resignations. Only then is it realised that there was a 'key man' dependency and the organisation looks for someone else to take on the lot, usually without sufficient budget and without authority within the organisation.

Re: Shortage of Cyber Security Professionals ...

rslade — Wed, 22 May 2019 17:32:53 GMT

> j_M007 (Community Champion) posted a new reply in Industry News on 05-22-2019

> So many fowl problems occur when we bury our head in the sand!

I think you're thnking of ostriches, not peacocks.

But, yes, you're right. Peacocks can be a nuisance, but only if not controlled
properly. They seem to be able to thrive just about anywhere and always seem to
get into trouble (at Royal Roads they killed off a set of pollarded trees that had
been around for decades), but it's hard to call them an invasive species because
they *can* be controlled if only you take the proper action.

A good example of a risk management problem ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Of all things, good sense is the most fairly distributed:
everyone thinks he is so well supplied with it that even those
who are the hardest to satisfy in every other respect never
desire more of it than they already have.
- Rene Descartes (1596-1650), Discours de la Methode (1637)
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Shortage of Cyber Security Professionals ...

j_M007 — Wed, 22 May 2019 19:49:01 GMT

I'm glad you caught the mixed meta force my fine feathered friend. An eagle-eyed kiwi found tracks of a many-splendored bird of another feather. I reckon the mega bird would have made a mega mess. Not unlike some of the turkeys we have seen hereabouts.

https://www.vice.com/en_us/article/zmpm7y/new-zealand-man-goes-swimming-finds-footprints-of-extinct-mega-bird

Re: Shortage of Cyber Security Professionals ...

Caute_cautim — Wed, 22 May 2019 20:18:42 GMT

@j_M007Yes indeed - the Wellington Museum was not amused, as University of Otago, followed it up and they missed out on the find. Indeed, mixed metaphors - lets hope we do not end up extinct like the "Moa".

https://en.wikipedia.org/wiki/Moa, Unfortunately the colonists f(Polynesians) found them tasty and caused their demise very quickly in 1280 on wards.

Regards

Caute_cautim

Re: Shortage of Cyber Security Professionals ...

j_M007 — Wed, 22 May 2019 20:56:31 GMT

From birds to songbirds .... Moa moa moa, how do you like it?

https://www.youtube.com/watch?v=RlJGrIyt-X8