OK - we've all seen the statistics, projections, and analyses.
How do you feel about the projected shortfalls in our cybersecurity workforce? Are there really over 600K positions unfilled? How is this number assessed? Do "most" CISOs and other senior security talent rake in salaries north of US$500K per annum?
I fear some of what we are seeing in the media is rehashed FUD statistics reminiscent of the days when every virus outbreak or insider threat was costing business billions in losses.
What say you?
Mc
I just wanted to say that this is a great conversation- I've been asking myself the same question! I've been applying for jobs in the Central Florida region (I live in Indiana) and my (incorrect) assumption was that with such a shortfall in the IT industry as a whole, I'd be fending off the offers with a stick. So far, it's been really quiet (and right now is arguably the best time to find work).
Of course, I realize that part of the equation is location- there may be a shortage in hot markets like Texas and California but there likely isn't an unfilled demand in a rural farming town in Indiana. When national statistics are compiled, we tend to assume that those shortfalls are "all around us" when they are more likely concentrated in a dozen or so larger "tech-boom" regions.
Anyways- I'm glad to see I'm not the only one asking "if there is a shortage, where do I sign up?"!
You're far from alone.
I am still sifting through all the studies, but the anecdotes of friends, colleagues, and acquaintances are more like yours.
Also remember that there can also be a shortfall of skills among the currently employed in that field. Speaking for government workers I can vouch that there are skills shortfalls, but sometimes there are people already in those jobs, so even though a shortfall exists, there is not a current opening. Since it is hard to fire the workers AND some of them are not motivated enough to acquire the missing skills, there is a skills gap that exists but will not be "filled" i.e. an active position opening. And please don't think because I used the word "fire" that I am all for cutthroat employment practices. I'm just stating a fact that there are unmotivated government information security workers that are content to stay within their current, underdeveloped InfoSec skill levels. So that may be skewing the "true" shortfall numbers.
So while some people will bemoan the fact that these positions are currently filled, if you get in to the system, this provides ample opportunities to move up quickly.
Here is an interesting blog, is it just bling or a reality? What are your thoughts?
Thanks for posting that- lots of great information in there!
I would agree that one of the issues with the skills gap shortage is a shortage of training and skills growth opportunities. Often, these budget line items are seen as a "nice to have" which usually means "first to get cut when the budget is tight". It's important for management to remember that cybersecurity is not a "set it and forget it" initiative, it takes constant reinvestment in both the technology AND the people to keep security on top of emerging threats- especially with the rapid changes that occur in the security landscape.
Our profession is like that of a corporate tax lawyer.
Recurring training isn't an option or a nice-to-have extra. It's mandatory - every year!
@jmccumber wrote: Our profession is like that of a corporate tax lawyer.
Recurring training isn't an option or a nice-to-have extra. It's mandatory - every year!
Amen!
Every year??????
You do it once a year and you are woefully behind.
It needs to be continuous. If you are not picking up 3 hours a month I probably would not want you on my team.
My best guesstimate is that team "other side" is getting better daily.
I totally agree, thank you for pointing out my error. Yes, learning does need to be continuous and relevant.
The other side is of course doing the same thing. Fortunately my organisation has a minimum target of 40 hours per annum, but if we are doing relevant career pathways - then obviously this increases significantly.
Thank you
Totally support CISOScott's reply to JenD - I got my start in Info Sec by pestering my previous employer for a secondment to the Info Sec team, with no pay rise to begin with. Almost 11 years later I'm still in the industry, still learning and still loving it. And I'm not from an IT background. Not quite on the $600k yet though!
Go for it JenD, best of luck and would love to hear how you get on.