Just came across this on the Cyber Security Hub and thought it was interesting.
It could be that organisations are unwilling to take people in at the bottom and train them up; which generally you have to do in all fields unless you want to pay over the odds on an ongoing basis. Or it could be that they're unwilling to take people in from other IT fields like IT Operations or Networking, and give them some extra training. It's actually remarkably easy to take someone with an existing IT background and teach them security as they already know a reasonable amount.
There certainly is more competition for the best-of-the-best and that makes hiring the exceptionally qualified candidate more difficult.
I'm sure there are people applying for roles where they have a level of expertise lower than needed. For most of the job positions, the answer may be to hire the ones with potential and train them internally. I hope many companies do that.
Regarding the other stats, whether or not there is still a salary gap, if there are more job positions than people out there, the problem is not going to go away soon. Also, my personal opinion is that people with the right combination of information security knowledge and business acumen are still uncommon. That gap will require a much longer time to be filled.
@Steve-Wilme wrote:
> It could be that organisations are unwilling to take people in at the bottom and train them up; which generally you have to do in all fields unless you want to pay over the odds on an ongoing basis. Or it could be that they're unwilling to take people in from other IT fields like IT Operations or Networking, and give them some extra training. It's actually remarkably easy to take someone with an existing IT background and teach them security as they already know a reasonable amount.
There's no "could be" about it.
In my area (South Florida) there are many people struggling to find work in infosec, but having problems due to the lack of entry-level positions. There is little reason to bring people from outside infosec when we have so many IN infosec looking and not finding.
There is also the problem of companies looking for unicorns. Basically setting unrealistic expectations for positions, and turning away good candidates because they aren't perfect in some way. When I see a company looking to fill a position for months and I know they interviewed several people who could do the job, I have little sympathy for them.
HR folks who have no idea about infosec don't help, either. We have a company here with several infosec positions open for months. I know several who have applied and not heard a thing from the company.
So, for me, I think this so-called "skills gap" is less about there not being enough people and more about a broken job placement system.
@rslade wrote:
> dcontesti (Community Champion) posted a new topic in Certifications on
> Just came across this on the Cyber Security Hub and thought it was interesting.
No. No, it's not.
As I have said many times before, the skills gap isn't in security, it's in HR and recruiting ...
Agree.
My issue with a lot of these kinds of reports is that they don't dig in further to the problem.
They go:
"there are a lot of security positions open"
"they are open for a long time"
"companies say they have a hard time filling positions"
Thus, there must be a skills gap (not enough people to fill the roles).
Uh, how about we dig deeper. Let's take a look at the positions. Are they reasonable? Or are they looking for someone that doesn't exist? You know, like BS such as "Needs 2 years experience and a CISSP", or needs the skills and experience of 3 people.
Or better yet, let's take a look at the candidates that are being rejected and see if they should have been rejected. Maybe they have people making unreasonable demands or asking stupid questions or turning away competent people for the wrong reasons.
But that's too much work.
So must be a skills gap. Let's pump out more infosec folks with no experience who can't get jobs because, well, they have no experience...
It's the 'and the kitchen sink' mentality. You've all seen the ads: CISSP & CISM & CISA & ISO 27001 & COBIT & hands-on technical skills & experience of management & .... They conflate the duties of so many different roles in security and imagine one person can do everything simultaneously with no budget or resources. And then complain that there are no suitable candidates.
I was discussing this with my wife. She is a doctor in psychiatry and she could apply for 8 out of 10 open positions since job descriptions are more streamlined. In infosec I can apply for 2 or 3 out of 10 because the requirements are all over the place.
I do have friends who simply lie on their resume. They say the strategy works because background checks are not deep enough so you can get away with pretending that you did 80% of a unicorn job description.
It is easy to lie about knowing how to manage projects since there isn't a single right way to do it. You can't lie about being fluent in Japanese since it is easy to verify such a claim.
I find it interesting to observe how far people will go to deal with unicorn job descriptions plus their need to make money... and I won't blame them.