OK - we've all seen the statistics, projections, and analyses.
How do you feel about the projected shortfalls in our cybersecurity workforce? Are there really over 600K positions unfilled? How is this number assessed? Do "most" CISOs and other senior security talent rake in salaries north of US$500K per annum?
I fear some of what we are seeing in the media is rehashed FUD statistics reminiscent of the days when every virus outbreak or insider threat was costing business billions in losses.
What say you?
Mc
vistauxx,
For those with shorter attention spans, I wanted to highlight the astute last sentence in your post:
vistauxx: "Let's recognize that it is easy and realistic to make 110K - 120K (top 16% of salaries nationwide) with 2-3 years of experience in a challenging, interesting, lifelong learning (or you don't "get it"), nationally important, leading edge of "work anywhere you want" profession."
Well stated, and quite accurate.
Mc
I just now read a post by a big cyber security product $vendor espousing advice from their employees on whether or not women should enter the cybersecurity field. The title turned out to be click-bait, because, of course, no sane person would advise against it if someone felt the calling, man or woman.
One of these employees said she was targeting her remarks at students in their last year at university. That right there is a BIG part of the problem. We assume the accession process only works for a four-year university graduate.
We need to ensure we reach out to the entire range of new recruits: non-college technical people, junior college students, veterans, retraining older workers, and underserved communities. There are hundreds of thousands of potential new cybersecurity entrants who are ignored when you start with the premise that new cybersecurity folks are only coming from four-year institutions.
We need to knock down these faulty preconceptions and barriers to more effectively address the work skills shortage.
Mc
Altonac correctly points out my parochial use of US salaries and percentage. I seek forgiveness. Clearly these numbers will be different worldwide, and this is a worldwide problem (with some possible notable exceptions where access to the international asset "the Internet" is blocked, or at least an attempt is made to do so).
This is an international problem, and an international critical infrastructure (Air Traffic Control is largely dependent on the Internet, even if it is only the non private VOIP circuits used by over 90 countries).
It is reported that DDOS is often implemented by using machines that are outside of national boundaries (I have specific personal experience with 2 examples where this was true).
I could go on . . . . . . .
I am currently hunting for my first IT Security job, transitioning from a role that has only part of the job focused on security. There may well be a shortfall but what I'm noticing is that employers want someone already fully experienced. I'm not *quite* sure how I'm going to get the requisite 5 years experience they all seem to want - in my mind someone who is motivated could easily cross-train and transfer their skills.
JenD,
Shameless pitch: if you think you have the skillz, but not the five years, consider our Associates program.
That said, your concerns are, for better or worse, shared by many. Our profession is multi-disciplinary, and depending on where you begin your journey, it may take a significant amount of effort to shore up your resume. When I am teaching, and students present that problem, I always suggest they consider reaching out to their current employer or school and volunteer their support to those who perform cybersecurity functions within their organization. It's often a great place to start gaining in-demand skills.
I have yet to see CISO salaries approaching 600K. In my recent CISO searches the highest ones I have seen mention 250K and they are usually in high cost of living areas and in heavily metropolitan areas (U.S. California, New York, Texas).
I agree that it is not unreasonable to expect to find work in the 80-120K range in the US.
Agree.
Sometimes this survey is not accurate compared to real-world payroll.
@JenD wrote: I am currently hunting for my first IT Security job, transitioning from a role that has only part of the job focused on security. There may well be a shortfall but what I'm noticing is that employers want someone already fully experienced. I'm not *quite* sure how I'm going to get the requisite 5 years experience they all seem to want - in my mind someone who is motivated could easily cross-train and transfer their skills.
One of the key things to gain the experience needed is to volunteer. Even if you do not get compensated for it. Too many people I have worked with only want to do the job if they get paid WHILE they are doing it. I would equate it to the players on a bench on a basketball team saying "Well when I get paid like a starter, I will put in the hard work required to increase my skills to be good enough to be a starter." I agree, most companies want to be able to find the person who already has the "starter" skills and not the "bench warmer" type person, but I moved successfully from the bench warmer role to starter role because of stories like this:
In one interview the panel could see I did not have the experience performing the IT duties they were requiring because I had never held a paid position performing those duties. However, when I said "Yes, I have not performed these duties at work, but I have performed these duties in my home lab," the interviewer asked about the details of my home lab. I told them I had 14 computers, a router and a KVM switch to connect it all. I had 3 servers and 11 computers. (This was before virtualization was a big thing, and yes it was noisy but my spouse let me keep all of my 'toys' running in the basement!) They said that was impressive. I showed them a picture of it and they said "If you took that much initiative to set that all up, I believe we can teach you the rest. When can you start?"
I am sure there are jobs going undone at your workplace. Look for those and ask your boss if you can do them or shadow those people who are doing security.
Thanks so much for the really interesting reply, CISOScott! I've now put my hand up at my company to see if anyone can give me some 'menial tasks' in the area that I need experience - to help them out too! 🙂