topic Re: There Is No Cyber Labor Shortage in Industry News

There Is No Cyber Labor Shortage

Caute_cautim — Wed, 15 May 2024 05:23:59 GMT

Hi All

The title is disruptive, many will agree or may actually disagree? What do you think?

The unfortunate truth is, if you're looking for an entry-level position in the cybersecurity field, there aren't many on-ramps. The wide-ranging security certification bodies and training organizations that dominate the industry have convinced many — maybe even most — cybersecurity leaders that "number of certifications" or "years of formal training" are the only metrics by which potential job candidates should be judged. What's more, the emergence of both undergraduate and graduate-level cybersecurity degrees has placed another arbitrary barrier between otherwise qualified individuals and the jobs they want. Don't have the right degree? Too many organizations will tell you not to bother applying.

https://www.darkreading.com/cybersecurity-operations/there-is-no-cyber-labor-shortage

Regards

Caute_Cautim

Re: There Is No Cyber Labor Shortage

Early_Adopter — Wed, 15 May 2024 14:49:10 GMT

Quite, in some senses I think that while there at vacancies there probably isn’t the budget to absorb all the aspirational hires, plus there’s a lot of layoffs(from profitable companies getting ready for AI). Just look at good old MS closing games studious, they don’t really need to fire those developers, however they don’t need to keep them either. If there are folk coming out of Uni with computer science and security(or just pure security) then that becomes the entry level.

Re: There Is No Cyber Labor Shortage

ericgeater — Wed, 15 May 2024 18:28:39 GMT

Why does cybersecurity also seem to get this type of side-eye scrutiny? No one seems to complain so vociferously that there's too many technicians, network admins, or sysadmins. And quite frankly, anyone who thinks that a cert or two earns a climb on the golden rope should not expect to be yanked to heaven.

If your employer has regulatory requirements or intellectual property, cybersecurity is de rigueur. If you're a landscape company that bills through a SaaS package, nobody cares. But in reality, they both require cybersecurity. One of them just happens to benefit from having a greater awareness of threats, risk management, and good governance.

Who cares if there ain't any openings in the SOC?! Good leadership from companies should encourage their employees to brush up on their cybersecurity acumen and buttress their disciplines. The beauty of SSCP, CC, CEH and Security+ is that they show people a whole spectrum of things they'd probably never seen before.

And quite frankly, if your IT leadership isn't instructing people to turn due care and due diligence security disciplines into muscle memory for their staff, then they should also earn a cert or two.

Re: There Is No Cyber Labor Shortage

SarahC — Wed, 15 May 2024 19:46:00 GMT

(Quotes from the article in italics)

Understandably, [recruiters] look for shorthand ways to help them narrow down candidates: Degrees, certifications, training, and other measurable factors obviously are attractive. They become de facto indicators of value, and their absence is treated as an indicator that a candidate is unqualified — or at least not a fit for a technical role.

The above quote echoes the debate in all of IT--do you need certs and/or degrees to break into the industry? To move up?

Any security organization worth its salt should have a strong training program in place, and entry-level positions should be treated as just that. Candidates with the right traits and skills are qualified — whatever their résumé may say. Helping them make the most of those skills is up to the organization.

Would that all organizations prioritized training and professional development for staff. I think the worry from the org's point of view is why spend money on developing an entry level position if they're going to leave in 1-2 years. If your company culture is vibrant enough, that shouldn't be a big worry.

By narrowing down candidate pools based on a small number of arbitrary qualifications, organizations and recruiters end up self-selecting candidates who are good at acquiring credentials and taking tests — neither of which necessarily correlate to long-term success in the cybersecurity field.

I'm one of those who is good at taking tests and acquiring credentials. Since I don't have a degree in IT, my motivation for getting certs is two fold. One is to fill the gaps in my knowledge since I've been mostly self-taught and I don't know what I don't know. Two is the confidence boost--doing the work to study and pass the cert helps to dampen the imposter syndrome that creeps up.

Interesting article - thanks for posting it!

Re: There Is No Cyber Labor Shortage

Caute_cautim — Wed, 15 May 2024 21:27:54 GMT

Hi All

Thanks for the updates and comments very interesting.

Well for myself, I started out without a degree in IT, but I was fortunate to land myself in a Government role, in which security was intrinsically part and parcel of doing the job whether at home or overseas. I then did an Open University degree, in which to gain qualifications, as the job and role, meant I could not study in a normal University, so it became a part time journey of almost 8 years in total.

There are many openings, in my case I followed my passion for radio communications, which led me to where I am today, so I have no regrets at all. Degrees are not necessary, if you set your heart and mind to the career pathway you want.

However, I will state, having gone on to do an MSc degree, being able to think in different ways, and to maintain motivation to keep self learning and developing is really key to maintaining a healthy respect as a security practitioner. No matter, what your background is, do not be deterred, we can all learn from our experiences and find openings, if you really want too even overseas.

Regards

Caute_Cautim

Re: There Is No Cyber Labor Shortage

JKWiniger — Wed, 15 May 2024 22:04:27 GMT

I guess I'm at the point where I need to start putting myself out there and seeing what help I can get. A lot of these stories talk about entry level, but I am far from it! I have been in IT for 30 years, had my CISSP for 22 years, my CCSP for 5, and a host of others I have gotten over the years. Some of these I have let expire but still list. I came to realize that I have to renew certifications every few years, but a degree I have forever. Don't get me wrong, I still study and keep my skill set up to date. For the past 15 years I have been running my own consulting business and have gotten tired of it and want to go back into a normal corporate job, and yes, I have worked in Fortune 500 companies in the past. What I have been finding is all I have been able to get is that generic rejection email! I have gotten to the point of realizing my resume was not optimized for the application tracking systems so many companies now use. I have been able to speak directly to one recruiter and was told how great my resume looks, but the problem is the employers are looking for people who have working in their sector and have experience with the exact programs that they use! To me, it's like saying you drive a Chevy and we use Ford so it's not a match! Friends have said they have never seen a challenge I couldn't figure out!

So what advice does everyone have for what I am going through? A lot of these job descriptions can't even get it right with what they are looking for...

Thanks-
John-

Ps. My degrees area a BS in Networking, and a MS in Information Security... so they are relevant...

Re: There Is No Cyber Labor Shortage

Caute_cautim — Thu, 16 May 2024 00:43:03 GMT

@JKWiniger My advice, is carefully research the position you want, and find out as much about the organisation as you can, including the use of good AI assisted resources, where possible. Look for the good and the bad, including their Strategic annual and financial reports. Ask around, your colleagues and see what the word is on the ground, validate it. Is there any public reviews or have the reviews been put together to provide a false background to other underlying issues? Rather like "Trip adviser".

Then carefully tailor your CV for the position you desire, which may also include reflecting back on any language they have used to cause you submit an application. You may also have to some industry background research as well.

Regards

Caute_Cautim

Re: There Is No Cyber Labor Shortage

Early_Adopter — Thu, 16 May 2024 06:47:23 GMT

For John - a friend of mine took over a year to find a new role - he’s working for a Japanese automaker in Yokohama now, I think there has certainly been a slowdown in acquisition of folk from self employed( he was consulting for a while). Target your application and I think you’ll get to where you want to go, though I do think there is a lot of planning around the nascent AI capabilities - expensive jobs that can be automated will be targeted by big companies. So maybe we all need to dogpile into AI rather than into cyber security? 😛

The less is more approach I think is better - so highly targeted tailored is good. Also Every job I’ve had since 2007 has come through a personal network recommendation - as you’re wanting to switch from consulting to FTE I’d hit those networks up.

Sarah makes excellent points / for a lot of us who came into the industry it was very much a case of working in IT and moving across. Certifications/certificates were really good and could proxy for a degree, however now the competition has degrees in security plus certification there’s a lot more to choose from, and like any good SOC HR/hiring managers are filtering- unless a role is critical you’ll be happy to Bodyshop with IBM etc. sustained verifiable experience is still much better as an indicator of who can do something - and if you hire a company and use the person specification as a SOW then it’s easier, and they’re much more fungible as they don’t work for you.

The IT Certification industry also has a lot of responsibility here. Our own dear ISC2 marketed CC thusly:

“ See yourself in cybersecurity. You don’t need experience — just the passion and drive to enter a demanding and rewarding field, one that opens limitless opportunities worldwide.
As part of our commitment to help close the cybersecurity workforce gap and diversify those working in the field, ISC2 is offering FREE Certified in Cybersecurity (CC) Online Self-Paced Training and exams to one million people.”

So it moves it's position and focuses on entry level so, so is is less useful and then there’s a storm of CC applicants / the HR filters tune out things - and ISCTwo with its rebrand might take a hit, as its now very associated with overweening optimism. Not bad in of itself, but if the mill you work at/use is doing paper…*

“ I am part of the certification team at EC-Council. Based… ”

Wish I’d keep this LI friend request, it was talking about grandfathering into a new ‘CISO’ certification, and chap though I’d be a good fit even though I’ve never been a CISO nor would I have a desire to be one.

So the certificates that strand in as degrees and proxies for trust proliferate, but there really isn’t co census among providers - so let’s push another cert out the door. Mechanically I’m not sure this can hold up - especially when I can give you a quiz, job task evaluation etc, and AI just makes that easier.

Why Cybersecurity in consideration of Eric’s question? Well the flippant answer is the author of the article needs to sell IAM and he’s connecting with foot over a perceived issue in a way that’s memorable. However in general I think historically cybersecurity was something you did for passion, it was cool(even if mind numbing repetitive sometimes - it rewarded persistence). It also started to attract decent renumeration as it was in some ways hard, and everyone wanted someone who could think around the problems as they talked - Technical plus Management/Interpersonal - therefore you get a lot of takes.

*Aye lad/lass, forget t’ pit com’ dang ti’ te’ mill. ‘Appen ye can get lucky like in me Dae’…” bad phonetic Yorkshireisms…. Ary-up Aye-Ei is te tway t’ go nao so saddle up yet best Wendslydale Cheese-wooler and head for the last frontier t’fore ’‘tis to late!”

So no joking, I think learning AI is critical IAPP have a certificate out now and that and board understanding of modelling, governance of AI etc is the one thing that will differentiate people/candidates as it’s in all the employer strategy books.

Re: There Is No Cyber Labor Shortage

JKWiniger — Thu, 16 May 2024 15:52:21 GMT

@Early_Adopter One of the problems is that many of the people with the CC lack the foundation to go with it. There is not much I can't figure out is because a have a wide strong foundation. I'm sure I'm not the only one who gets overwhelm by these job descriptions where they want everything under the sun and then some. I knew one guy who got a new position and when he asked about on software the told him, oh we don't use that we wanted to know more about it so we just added it to the requirements list. The range of available software that a company has become so massive it's just about impossible to know it all. I still laugh when I see ads that want SSL... umm do you mean TLS?

Coming from a consulting background I'm used to being able to hit the ground running. Do companies give people a little time to ramp up on a few things you have not used or have not used in a while? It's like companies that list (Azure / AWS / GCP) in the description, well which one is it? I really have to laugh at a few companies I applied at and then a short time later they had a data breach! Is it so hard to do your updates, run, test, and secure your backups, and then use something like Azure PIM to detect malicious login attempts?

Speaking of Azure, I see so many posting that basically want people who know every Azure product out there and it just doesn't seem possible. It's like saying you want someone who knows all of Microsoft...

John-

Re: There Is No Cyber Labor Shortage

Early_Adopter — Thu, 16 May 2024 16:03:41 GMT

Yes many people want “purple squirrels” In their jobspecs, and this means you’ll never really get what you want - in fact it might not be a genuine role or it’s going to an outsourcer.

The lack of foundation is a problem, but I don’t think it’s really CC’s fault so much as it’s a V1, narrow and ISC2 have had the first few waves “run onto the guns”. More demand generation would have been great up front - in fairness to ISC2 they’re doing that now with MOUs etc but it’s going to be slow.

Sorry there’s a lot of chaff on the jobsearch, though a successful attacker is nearly always persistent. 😉

Weird one for me, the company I work for only hires people with experience on the specific thing they want in decades - there is almost no entry level, and their philosophy is to get people that they don’t need to train. I have to say it does work for them - but it’s the first time I’ve seen this approach institution wide.

Re: There Is No Cyber Labor Shortage

ericgeater — Thu, 16 May 2024 16:31:07 GMT

One is to fill the gaps in my knowledge

Two is the confidence boost

@SarahC I can't agree with you more. This would be the subject of a much better article, because self-improvement leads to org improvement. I wish these nattering nabobs would write such an article, instead of continuously whinging about "the room is flooded with wannabees, and there's no wannabee jobs here".

Re: There Is No Cyber Labor Shortage

ericgeater — Thu, 16 May 2024 16:35:56 GMT

One of the problems is that many of the people with the CC lack the foundation to go with it.

Why can't -- and I'm just spitballing here -- the CC be the foundation?

Re: There Is No Cyber Labor Shortage

Early_Adopter — Thu, 16 May 2024 18:28:50 GMT

To Eric’s question I think there’s a seed there, however if we’re looking at professionalisation of a particular part of IT there’s a big interest in getting folk through 3/4 year degrees, and that’s a huge vested interest - same as for most degree subjects. Frankly humanity would probably be better if we went “Khan academy, All the time.” And Launched MOOCs for everyone with awsome content and standardised controlled testing. Philosophically I think it’s not great to leave the future of Humanities learning with a bunch of disparate organisations that are all out to make a buck.

Now, I don’t see ISC2 as any different there and as time has gone it has become Les transparent, probably as a result of chasing members and candidates it didn’t have while focusing less on its existing membership - I do wonder if ISC2 hasn’t somewhat ceded the space CISSP occupies to ISAC/IAPP/CompTIA as it pursues CC, which is a clear loss leader to try to prime pumps for lots more, we’ll need to see candidate to member conversions, and then to test its worth how many people got the job after.

I think that the approach ISC2 takes is very useful for seeing if folk with experience can apply the core conveyors and can select least bad/best from option presented. But everyone’s used to ISC2 certified people having that experience. If everyone entering the market, has a shiny degree in how to be very bored in a SOC, then I’m not sure an online course plus multi-guess exam helps all that much.

Now I think IT Certification, bodies can really help, but they can’t do it in their own - ISC2 has great mid/late career tests but it’s training isn’t that great - money no object would you prefer t train with SANS or ISC2? Exactly, no contest. Presumptuous I know but hands on skills are critical in this industry.

So if all the certification bodies came to gether and built an evolving curriculum for a MOOC that had cost effective degree options - working with a Carnegie or a Royal Holloway then I think that’s potentially gold as you get scale and something accessible and you still go to a controlled environment for testing/finals. A team up like that would be a big shake up and you’d end up with something everyone would understand.

Anyway TL;DR - I think the problem is scale, coverage, methodology, entry level needs lots of hands on. Universities are bad, because of how they make money etc - and ISC2 probably won’t be able to go it alone - SSCP was its entry level and that didn’t get huge uptake - to really fix the foundations all of the certification orgs should collaborate to build an unbeatable cybersecurity degree delivered via the cloud.

Re: There Is No Cyber Labor Shortage

JKWiniger — Thu, 16 May 2024 18:59:05 GMT

With degrees I always saw timing as a big problem. A product needs to be created, accepted into the community, a book needs to be written, the school needs to adopt the book and work it into the curriculum. By this point things are outdated. I remember that with the CISCO CCNA they wanted to spread the classes over four semesters! I self studied and did it in a few weeks.

With the issue of needing a good foundation I am reminded of the old Microsoft MCSE. It required 7 tests to achieve it, and after you were done you were well rounded. One thing that I have noticed, which I don't know how to deal with is what the expected depth of knowledge is expected since is is rarely stated. Take the CC for example, the depth of things is not very deep, so when say IR is listed how do you know if they want an understanding or the ability to run the full response?

John-

Re: There Is No Cyber Labor Shortage

Early_Adopter — Thu, 16 May 2024 23:30:32 GMT

So regards degrees it’s highly possible to do quicker and better at least in terms of what goes into them. I feel that as long as there is a lead institution and it scales higher education is pretty ready for disruption( in general not just cyber security). Yeah, it’s very true a lot of the vendor certs CCNA for example were used for the programme due to lack of content. The MCSE was fun and my vehicle to break into IT / lots of modules/exams and it was big on how and short on why, but it did teach the whole MS ecosystem as it was - is Contoso still a thing? Who remembers P@ssw0rd? 🙂 At the end of it you could design, build and run an AD and all the trimmings - all in support of MS ecologies everywhere, Cisco was very similar and the ubiquity of solutions and the quality of the labs/examples means you had a very decent if not academically honest training.

Vs these behemoths and degrees CC is going to struggle in scope breadth and depth, and in the entry level it’s not the dominant predator in the ecosystem that say CompTIA is due to being very well known and having more hands on. I think broadly there is a lot of content out there - I’m mentoring a chap and he did CC, struggled with finding a test centre, then started the Google cert leading up to CompTIA security+ - he’s also doing a degree. So he'll come onto the market with a fair amount of book learning, knowledge and paper but he still needs the role and the experience. Would he have sat CC if it wasn’t nearly free? Very unlikely.

That’s not to say it couldn’t grow and fill that space, but it’s going to need a bit more, and the market with need better data on how useful it is in securing infosec roles.

As for IR… I’m sure it is effective in pointing out that the radiation we feel as heat…;) No, you need to learn that in depth, then do the job for quite some time, it can provide conceptual familiarity I guess.

One good thing about a degree vs a certification is there’s time to look at a wide range of texts and even primary sources. Beyond that there is a large section of the economy that has a vested interest in selling its educational products and I don’t think any single cybersecurity certification vendor will challenge that on their own.