topic Re: Is there really an information security jobs crisis? in Industry News

Is there really an information security jobs crisis?

gidyn — Sun, 22 Oct 2023 06:16:12 GMT

https://brothke.medium.com/is-there-really-an-information-security-jobs-crisis-a492665f6823

From the article:

... there is not a shortage of security generalists, middle managers, and people who claim to be competent CISOs. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills ...

Many of the people exiting security boot camps expect there to be a plethora of entry level information security jobs waiting for them. But ... there are very few truly entry-level jobs in cybersecurity.

Re: Is there really an information security jobs crisis?

gidyn — Sun, 22 Oct 2023 06:22:15 GMT

Follows an earlier article demonstrating how the skills and experience required by hiring managers greatly exceeds the compensation offered.

Re: Is there really an information security jobs crisis?

dcontesti — Sun, 22 Oct 2023 14:55:24 GMT

A really good question. I often wonder when I see the number of people looking for jobs (both experienced and unexperienced). On quite a regular basis, we see folks here looking for employment.

Folks due need to start somewhere, however, many to most of the positions that I see regularly are for VERY experience people (those folk that have extensive knowledge in many arenas), and not folks just entering the field.

The creators of the CISSP, saw a need for multiple skills hence the Class B CPEs that are available. I believe in its original inception, the thought for the CISSP was that it was for a Senior person and that is why the SSCP was created, to bring new folks into the fold. The SSCP was originally built as a stepping stone for folks that were already experience IT people (those folks with Networking, UNIX, M$ experience) to help them step into Security.

I believe there is a shortage but I agree with the author that the number is over inflated.

Re: Is there really an information security jobs crisis?

denbesten — Sun, 22 Oct 2023 16:59:55 GMT

Bruce Schneider, a highly respected security technologist, has weighed in basically saying "Hear, hear."

Re: Is there really an information security jobs crisis?

dcontesti — Sun, 22 Oct 2023 18:05:15 GMT

So who's stretching the truth?

Re: Is there really an information security jobs crisis?

Early_Adopter — Mon, 23 Oct 2023 02:17:36 GMT

I think that a lot of this is down to your perception where you sit - from a candidate standpoint if you have usable skills there are plenty of jobs, if you’re trying to break in with a CC and six months experience in Madame Thrifty’s Digital Carwash then you’ll struggle.

Low salaries/compensation is a thing and this will lead to higher turnover/retention issues - it’s bad not to be able to hire - it’s even worse to hire and have them quit.

Lastly if you have current technology skills - popping boxes, secure coding, policy authoring( documents and systems) then you’ll command a very nice salary and folk looking for you can’t find your profile easily.

If employers are willing to train in and build skill sets, plus offer decent remuneration then there is less of a security shortage as long as they can keep their people.

Re: Is there really an information security jobs crisis?

JoePete — Mon, 23 Oct 2023 12:20:41 GMT

@dcontesti wrote:
So who's stretching the truth?

I think the real answer is there is no truth. This is fortune telling. The future only becomes the truth when it becomes the present.

Probably the single biggest mistake I've seen with technology over a lifetime of work is purchasing at the wrong interval - too often people try to future proof and spend too much and too long. Or they seek to solve only the problem in front of them. If you're talking more than two years out with technology, you might as well be talking interstellar travel. Even 18 months is a far horizon. As such, when people to predict the workplace it's hazardous.

So what will work? Good critical reading and thinking skills will always be in demand. So too will be the creativity to problem solve and the discipline to write and follow procedures. I could turn a carpenter into a system administrator because they understand measure twice cut once. But I probably can't turn someone who majored in "entrepreneurism" into any entry level role because they've probably been taught to run before they can walk. That's really the challenge I find (although I don't do as much hiring as I once did) is that young employees simply have unrealistic expectations and even demands. A lot of that reflects that higher ed is simply too disconnected the work it supposedly prepares students for (and I used to work in higher ed.).

Re: Is there really an information security jobs crisis?

ericgeater — Mon, 23 Oct 2023 13:04:11 GMT

Just like liberal and conservative, it seems there's a lot of chatter about "overblown demand for CS workers" and "millions of unfilled positions". So if there's two opinions, there's likely truth with both narratives.

For a moment, let's set aside the "overblown demand" argument, because that's the easy take. "We literally don't have anywhere for all these untrained CCs and Sec+'s and CEHs to go."

In my opinion, I believe the "millions of unfilled positions" are not in companies which are actively seeking CS people. I believe it's the millions of companies who are slowly learning that they have no corporate position on information security. I think it's orgs who go through a ransomware event and suddenly learn how exposed they are. It's leadership in evolving businesses who are learning to threat model.

Whether or not it's evolving to the tune of "3.5 million unfilled positions!!1!one!" is yet to be determined. But as a skeptic, I tend to ignore such headlines because they could play into the Law of Large Numbers.

Re: Is there really an information security jobs crisis?

Beads — Mon, 23 Oct 2023 13:46:34 GMT

I think you should be interviewing candidates before asking this question. Really, most of the so called "cybersecurity" people I interview, really have very little clue, no development skills and little in the way of learning. Most demand constant mentoring and teaching and overall shouldn't be in the field in the first place.

Outside of that, nothing above contradicts anything I have said for years.

- B/Eads

Re: Is there really an information security jobs crisis?

dcontesti — Mon, 23 Oct 2023 20:10:11 GMT

Wishing I could double KUDO @Beads

Re: Is there really an information security jobs crisis?

denbesten — Tue, 24 Oct 2023 01:37:24 GMT

I got your back on that one :-).

Re: Is there really an information security jobs crisis?

Early_Adopter — Tue, 24 Oct 2023 02:21:09 GMT

@gidyn the new link is paywalled, but the gist is clear. Employers do tend to have champagne tastes and lemonade wallets.

On the one hand there are a group with little to no usable capabilities who would suck in resources to manage, mentor etc who are probably the folk turning up to @Beads interviews and at the other we have plenty of capable guys and gals who have genuine skills, experience and ability and know their worth and would like six figure multiples please with RSUs on the side.

The way I see it is the problem is to take the first group and make them into the second, if you make enough capable people from the folk starting out then they end up being less like “purple squirrels” and you can afford to hire folk who are better fits for the roles you have. Conversely, if we have less people in the industry upskilling in the right way our purple squirrels make out like bandits and all the middle managers are sitting around with open reqs bemoaning lack or cost of candidates…

If you’re ISC2 selling the dream of the purple squirrel job you’ll want to help them all with as many CCs, SSCPs, CISSPs as you can and sell second chances, training etc but will face headwinds for those candidates without experience of hands on tools. “Paper Tiger” was a fine Sichuan restaurant in South Kensington that was named for a phrase to illustrate a similar point in previous centuries, and we’ve been through similar cycles in the past with MCSEs and CCNAs(while not aimed at Cybersecurity both tested skills with simulation and you would be trained in running AD or switching and routing).

Moving away from ISC2, ISACA etc you can see SANS and Offensive security who provide quality hands on training that’s still vendor neutral and then you move into vendor land where operators are trained in tools.

Beyond this it’s developers and secure coding practices in your own applications and these are fundamentals rolling their own and have lots of scope to mess up.

Just a few slices of a great deal of complexity however given all the multifaceted dimensions feeding in we can probably consider that our most cherished intellectuality sacrosanct objectivity is in reality highly subjective.

Re: Is there really an information security jobs crisis?

JoePete — Tue, 24 Oct 2023 11:27:33 GMT

@ericgeater wrote:
In my opinion, I believe the "millions of unfilled positions" are not in companies which are actively seeking CS people. I believe it's the millions of companies who are slowly learning that they have no corporate position on information security.

I think this is a good observation. I think it also skews because if you ask someone "how many people do you need?" they'll always say "more." Even if they don't really have a handle on the situation, the specter of ransomware and other attacks will have them wanting to throw more people at the problem.

Fundamentally, you need people who understand policy and procedures leading your business. If you have good policy and procedures, you can efficiently secure an organization. It takes the upfront governance work, but it pays off. Most organizations, however, are more loose. As you say, they are "slowly learning" their deficiencies as they go along. They're the ones inclined to throw waves of people at the problem.

Re: Is there really an information security jobs crisis?

JoePete — Tue, 24 Oct 2023 11:56:02 GMT

@Beads wrote:
Really, most of the so called "cybersecurity" people I interview, really have very little clue, no development skills and little in the way of learning. Most demand constant mentoring and teaching and overall shouldn't be in the field in the first place.

I agree up until the "shouldn't be in the field in the first place" although I have probably mumbled it a few times myself. I think those of us of an older vintage evolved into security. We were developers, administrators, etc. With time we learned how to do things right, and because of that, we then became the ones making sure the operation was doing the right thing. But part of that is also disposition. You have to be able to see both the trees and the forest and be willing and able to communicate across business levels and units.

Perhaps due to the alarms over a "lack of jobs," what I have seen, probably starting 10-12 years ago, are people with very limited experience trying to step into a security role. They may have the certs and academic degrees, but no real experience with the tools. And that disposition is simply untested. They're a great looking house but they have no foundation. One good storm blows them over. But, it's not their fault. They were sold a misleading bill of goods by their institutions. I worked with this one guy, great personality, curious, willing. He had his certs and even a masters in cybersecurity, but he couldn't apply any of that knowledge and was just timid in a work environment (probably due to lack of confidence). I wish I had come across him years earlier. I think he could have grown into the role. But his resume made him overqualified for an entry role, but his lack of experience and confidence made him unqualified for the roles his resume wanted.

Re: Is there really an information security jobs crisis?

denbesten — Tue, 24 Oct 2023 12:33:36 GMT

@JoePete wrote:
...His resume made him overqualified for an entry role, but his lack of experience and confidence made him unqualified for the roles his resume wanted.

This is a hugely important observation. Balance matters.

Re: Is there really an information security jobs crisis?

Caute_cautim — Thu, 26 Oct 2023 04:13:38 GMT

Express it as Kudos Squared then.....

Regards

Caute_Cautim