topic Re: Schneier on the cybersecurity job market in Industry News

Schneier on the cybersecurity job market

JoePete — Wed, 20 Sep 2023 15:01:38 GMT

This is really Bruce Schneier quoting Ben Rothke, but when one of the icons of our industry makes an observation, it carries weight:

https://www.schneier.com/blog/archives/2023/09/on-the-cybersecurity-jobs-shortage.html

Much of this could be distilled into the premise that security is not an entry-level profession. It's a specialization that relies on a foundation of related experience.

Re: Schneier on the cybersecurity job market

Early_Adopter — Wed, 20 Sep 2023 15:51:42 GMT

Totally, it relies on adjacent experience in Information Technology. ISC2’s CC is a perfect example of a well meaning but frankly overly enthusiastic push that with the free(till AMF) cert offer pulls in a lot of people who don’t have the required experience to fulfil the requirements on the coal face. It’s super important to be specialised and you’re building on programming, networking, systems administration etc to be useful. I think there are bright spots in the space for pea poke building the low level skills such as CompTIA’s simulations, Google’s new certification, OSCP, Microsoft, Amazon and other vendor training.

Word to the wise planning a career, be a tool user, be prepared to script, automate and programme to success - Computer Science for the win.

Re: Schneier on the cybersecurity job market

emb021 — Wed, 20 Sep 2023 16:32:50 GMT

Agree.

I often point out to newbies that I came into infosec/cybersecurity after several years at a sysadmin (first Unix then Windows/AD). This, along with my computer science degrees, gave me my technical knowledge.

Am sure there are others who pivoted into infosec from other IT areas.

Re: Schneier on the cybersecurity job market

dcontesti — Wed, 20 Sep 2023 16:36:49 GMT

Totally agree with the article. Back in the 80s (not a typo), the company I was at was re-organizing/downsizing and were just deciding they needed a Security department (one of the big five offered to fix everything for several million).

At the time, I had spent time in Operations, Office Automation, Networking and Disaster recovery/BCP (not all separate jobs). Unfortunate for me (some say fortunate), I was on the list to be laid off. During this process, everyone that was on the list was interviewed. The one question that I knew the answer to was "What is Kerberos"..........no one else knew the answer, so I was saved and charged with developing the security program....

My years in Ops and Networking helped me enormously as did my experience in DR (I was a CBCP), without that experience, I do not think that I could have been successful.

Yes the industry is lacking in the number of professionals, but then I look at other professions and they are also suffering shortages (try to get a new doctor? or go to hospital and see the shortage of nurses). Our industry like so many others are suffering.

From the article:

In fact, security roles are often not considered entry-level at all. Hiring managers assume you have some other background, usually technical before you are ready for an entry-level security job. Without those specific skills, it is difficult for a candidate to break into the profession. Job seekers learn that entry-level often means at least two to three years of work experience in a related field.

So, while I think that the CC MIGHT be a good thing, I believe it to be marketed incorrectly (MHOO). My thoughts are that it should be marketed to folks already in IT not folks attempting to get into IT (okay folks, throw rocks at me). I could see a Network person who wants to expand their horizons taking this certification, or even someone who has been working in Computer Operations.

Off my soap box

Re: Schneier on the cybersecurity job market

gidyn — Wed, 20 Sep 2023 17:05:22 GMT

There's no shortage of skilled professionals either. There's a shortage of skilled professionals willing to work long hours under high stress for miserable wages.
Same as with almost every other alleged "skills shortage", it's employers wanting to drive up the supply of labour so that they can push down the price.

Re: Schneier on the cybersecurity job market

denbesten — Wed, 20 Sep 2023 18:23:28 GMT

@dcontesti wrote:
... the CC MIGHT be a good thing ... should be marketed to folks already in IT not folks attempting to get into IT....

Amen. I have no objection to the CC, but I do feel it needs an experiential requirement, just like all the other certs. On-the-job training is where theory runs head-first into practice. And that just can not be taught in the classroom.

Re: Schneier on the cybersecurity job market

SSR — Thu, 21 Sep 2023 00:17:47 GMT

Whelp, guess I should just give up on trying to break into the profession then. This explains why I can't get crap despite having Sec+, CISSP (associate), and some seasonal cybersecurity experience. Shame I went almost broke that month scrounging up the funds for those five letters that didn't end up doing anything. Funny, the article specifically calls out stacking shelves, at least that actually offers a clear career trajectory for me!

Well, thanks for posting this article. Know when to hold 'em and when to fold 'em...

Re: Schneier on the cybersecurity job market

Steve-Wilme — Thu, 21 Sep 2023 12:15:22 GMT

It would be fair to say if you see a lot of articles decrying a skills shortage that it may not remain for long. Attracted by the high salary potential, many new entrants to a field get the basic qualification is the hope of getting to those high salaries, however supply and demand operates so over the next cycle salaries get pushed back down by increased supply. And none of that really addresses the issue that security staff are generally a compensation for more rounded skill sets, that include some knowledge of security, that are often lacking in the rest of IT.

Re: Schneier on the cybersecurity job market

Steve-Wilme — Thu, 21 Sep 2023 12:19:13 GMT

It often easier to get into a general IT role and then transfer into security after a few years, using whatever internal vacancies are advertised by an employer.

Re: Schneier on the cybersecurity job market

Early_Adopter — Thu, 21 Sep 2023 12:26:35 GMT

@SSRyou should be able to get a role, depending on your experience- certainly an Security+/CISSP pass puts you in a better position than someone with just a CC - and to Bruce’s point those specialised roles are going to take more than six months but if you spend a couple of years working at it and pickup sysadmin, but of coding and say basics of incident response then that’s going to be ok to start couple of questions - are working in tech/IT currently? What made you sit CISSP without the experience?

Re: Schneier on the cybersecurity job market

dcontesti — Thu, 21 Sep 2023 15:50:04 GMT

@SSR I note that you bracketed the word associate after CISSP. If you in fact took the exam without the experience (5 Years) then you cannot technically use the CISSP logo, I believe you may only call yourself an Associate of (ISC)2. I am tagging @tldutton here so that he may validate.

Don't give up trying to gain employment or experience in the Security field. Here are a few suggestions: volunteer for your church or local schools to help with Security, contact/join a local chapter of ISSA/(ISC)2/ISACA/etc. as they are a good way to make contacts and learn of potential opportunities. A number of software vendors will hire new folks in the industry and train them specifically on their products. Attend as many webinars as you are able to (this will hopefully increase your depth of knowledge.

Regards

Re: Schneier on the cybersecurity job market

JoePete — Thu, 21 Sep 2023 16:15:42 GMT

@SSR wrote:
Whelp, guess I should just give up on trying to break into the profession then.

I think what Rothke and Schneier are trying to say is that there is no such thing as the "security profession." It's an extension of several other professions. Or maybe put differently, I think it is fair to say that across all industries, we have a shortage of qualified, good upper management. But you can't hop from no experience to management. You have to work your way up. While you can take a business class, it is not as actually doing the job. While there are tons of people who want to be a CEO or elsewhere in the C suite, no one "breaks into" the C-suite. They start at the entry level, and to be blunt about it, not everyone has the disposition and aptitude to be a CEO. Along their journey, they'll learn their comfort level and maybe they will specialize in something else.

Security is the same thing. Most of us start in IT somewhere. Maybe some come in through governance or business improvement. And the path forward rarely is vertical. We might go from system administration to development to architecture, or at least, we wear multiple hats in one job so that we begin to see the forest. Even then, those of us who succeed in security have a developed or innate penchant for system thinking. We seek quality through structure. Again though, some break off into other specializations, but "breaking into" this industry is almost a contradiction.

I wouldn't discourage you or anyone from pursuing your long-term goal, but you need to recognize the intermediate steps. As Rothke points out, this industry is full of snakeoil salesmen.

Re: Schneier on the cybersecurity job market

tldutton — Thu, 21 Sep 2023 17:15:41 GMT

You are 100% correct. Excluding our CC exam, if you pass any of our certification exams and don't have the requisite experience, then you are simply known as an "ISC2 Associate" with NO reference to the exam you passed. Once you have demonstrated to ISC2 through the endorsement process that you have gained the requisite experience, then you can associate the corresponding certification with your name.

Re: Schneier on the cybersecurity job market

SSR — Thu, 21 Sep 2023 18:05:44 GMT

@Early_Adopter wrote:
spend a couple of years working at it and pickup sysadmin, but of coding and say basics of incident response then that’s going to be ok to start couple of questions - are working in tech/IT currently?

Know a bit of Python and sysadmin, and I wrote an IRP for the small tech company I work at right now that isn't doing great at the moment. Anything beyond paper knowledge of incident response I'll have to pick up at an enterprise-level role. Oh wait...

What made you sit CISSP without the experience?

The head of security at a company I interviewed for recommended it to me (I didn't do great at the interview then but I'd probably ace it now with the knowledge from learning the CISSP exam). They didn't think it needed experience, but maybe I was wrong to take their word for it.

Also while I was doing a very brief seasonal security position at a large company doing lowest-level alert management, the manager posted a big chart of certifications and I saw Sec+ near the bottom. So I decided I'd shoot for the highest one I could find that seemed doable and covered a broad scope, and see if I could pass it on the first try. That was CISSP and it was second highest on the list, so I picked that one and started teaching myself everything that was on it. 1.5 months later I got a fancy letter and... well, nothing else really.

@dcontesti wrote:
@SSR I note that you bracketed the word associate after CISSP. If you in fact took the exam without the experience (5 Years) then you cannot technically use the CISSP logo, I believe you may only call yourself an Associate of (ISC)2. I am tagging @tldutton here so that he may validate.

I'm so glad that ISC2 wants people to succeed by not letting them say what they demonstrated their knowledge in! As if my resume didn't do enough to say that I don't have enough experience, now I have people from the ISC2 coming down to back that up 😄 Like seriously, no one knows what "Associate" stands for. If they even know what that means, they're just going to assume it's for the lowest level of certification that qualifies. If I can't even say Associate (CISSP) or even Associate (CISSP exam), which still shows off my lowly status compared to my betters, I might as well get the CASP, which is basically the same level and covers practical questions as well as theory, costs less to take, doesn't come for their share every year, and won't gatekeep the right to... say I passed their exam?

Don't give up trying to gain employment or experience in the Security field. Here are a few suggestions: volunteer for your church or local schools to help with Security, contact/join a local chapter of ISSA/(ISC)2/ISACA/etc. as they are a good way to make contacts and learn of potential opportunities. A number of software vendors will hire new folks in the industry and train them specifically on their products. Attend as many webinars as you are able to (this will hopefully increase your depth of knowledge.

Thanks for the advice. I tried the ISC2 boards for my area and they're basically a ghost town. I contacted the one person who posted there and got nothing but silence. I'd love to meet locals but I don't think that's happening 🙁

I don't know what software vendors you're referring to but every single place I've looked at seems to want 2-5 years of experience for an "entry-level" position, often requesting very specific enterprise-level tools... tools no small church or school is going to be able to afford (I know this from my attempts to do security work in the small company I'm at currently). I'll happily take any webinars if you know where to look but also I'm not sure how I'd put them on my resume.

@Steve-Wilme wrote:
It often easier to get into a general IT role and then transfer into security after a few years, using whatever internal vacancies are advertised by an employer.

I tried to do that while I was at the seasonal role but they didn't have any. And sadly small IT startup running out of money means no open positions period, internal, security, or otherwise. I can try for general IT positions elsewhere, any role names you recommend I search for?

@JoePete wrote:
I wouldn't discourage you or anyone from pursuing your long-term goal, but you need to recognize the intermediate steps. As Rothke points out, this industry is full of snakeoil salesmen.

Any in particular you had in mind? I don't know who I should stay clear of so any advice would be appreciated.

@tldutton wrote:
You are 100% correct. Excluding our CC exam, if you pass any of our certification exams and don't have the requisite experience, then you are simply known as an "ISC2 Associate" with NO reference to the exam you passed. Once you have demonstrated to ISC2 through the endorsement process that you have gained the requisite experience, then you can associate the corresponding certification with your name.

But what if Credly, official partner of ISC2, said:

I am confusion.

Re: Schneier on the cybersecurity job market

Early_Adopter — Thu, 21 Sep 2023 22:49:15 GMT

@SSR thanks for the comprehensive response. I think knowing some Python is a good place to start, especially sysadmin - this allows you to build a base. Don’t know your situation enough to give specificity advice but Python is very useful for analytics and secure folk like monthly metrics on KPIs etc, so there’s a decent plank to pull yourself up on. Try Google’s certified Cybersecurity Professional course it’s self paced and covers a lot of useful stuff plus the first seven days is free. I’d put more stock in certs from vendors with simulation - and it should fit into your sysadmin experience.

Sorry to hear you got roped into CISSP for such small return, congrats on passing the exam though. The chap you interviewed with should have suggested something appropriate that you could consume and would be useful straight away. SSCP is better in this sense, and for what it’s worth the free CC will not add any additional drain on your finances as its 50 USD PUPY is covered by your Associate AMFs. CASP+ is a good option to consider.

On the designation/communication ISC2 isn’t anywhere as competent as its exam writers are, so you will see inconsistencies like the credly issue from time to time. You should follow the agreement so as to not run afoul of the Ts and Cs but this is just another example of “do as I say, not as I do” (I’m assuming here it has different ones for CSSLP etc-though this isn’t a given). Anyway marketing is on heavy rotation and I keep getting ads in my feeds offering me a great discount on CISSP, training, C’n’C in case I want to test the market…

Anyway keep your chin up and feel free to ping folk on the forum for specifics.

Re: Schneier on the cybersecurity job market

emb021 — Fri, 22 Sep 2023 14:03:54 GMT

@denbesten wrote:

"Amen. I have no objection to the CC, but I do feel it needs an experiential requirement, just like all the other certs."

Sorry, but NOT all certs have an experiential requirement.

NONE of CompTIA's certs do. NONE of SANS/GIAC's do. NONE of IAPP's do.

ISACA has a couple that don't (their newish stackables).

Since the CC, like the Sec+, is aimed at the entry-level person, I don't expect it to have one.

I DO agree that those certs that aren't aimed at entry-level roles should have it.

Re: Schneier on the cybersecurity job market

Early_Adopter — Fri, 22 Sep 2023 23:53:32 GMT

So a third view between CC should have experience vs not all certs need experience/CC should be entry level…

I’d argue it should be a certificate rather than a certification. One and done, cheap and cheerful, and therefore actually free for the million Guinea Pigs taking an untested cert to see if it hel… I Mean of course candidates taking the premier IT Security certification where it will surely get them a high paying job with no need for any experience!

Consider there isn’t any Cybersecurity experience to certify, but you’re also looking at an ongoing process with CPEs etc and frankly it either helped you get a job in the first 2-3 years or it didn’t, in any case you moved on so there no need to keep it around.

We also see that ISC2 are planning certificates to replace the CISSP concentr… er, I mean compliment the CISSP concentrations… which are hard sell because they can only be marketed to holders of the CISS… er, I mean exclusionary because there a big addressable market of managers without CISSP want that security management badge as well..? I wonder how they get the 50 or 125 PUPY out of these..?

There’s also the fact that people are full members for fifty bucks a year with CC which has got to be a bit of an eye opener if you’re an associate(you pay the same an sit harder exams for less) or a member with a higher cert(you pay more for the same). At some stage I assume that ISC2 will put the AMF up for CC folk - because if anyone maintains this for a period of time the implication is that AMF fees are fine at fifty bucks(looking forward to my AMF reduction :)) :

“ISC2 certified members pay a single AMF of U.S. $125 which is due each year upon the anniversary of their certification date. Members only pay a single AMF of U.S. $125 regardless of how many certifications they earn. AMFs for members with multiple certifications are due on their earliest certification anniversary.
Associates of ISC2 AMFs

Associates of ISC2 pay an AMF of U.S. $50 which is due each year upon the anniversary of achieving their associate status.”