We keep hearing about the cybersecurity job shortages, but I am starting to wonder where the shortages really are. Is the expectation set so high that everyone wants the CISO job starting out at 150K, and we have no one to fill the junior analyst type jobs? Is that where they are hurting? I know I could use some more analysts. I also work with people who have IT skills but lack InfoSec skills. Are we facing a crisis not really of shortages but of under-skilled or unknowledgeable IT workers in the ways of InfoSec?
Tell me where your shortages are or what you see as the gap left unfilled.
I don't think there is any particular lack of skilled infosec workers. I do strongly think there is a lack of skilled or knowledgeable HR staff. And also a lack of willingness on the part of companies to pay for any kind of training ...
And we have a winner! I have seen more incompetence in the HR field than any other. I know there are competent ones out there within the HR field, but they are few and far between.
Now how do we bridge that gap? I know I have been attempting to work with HR depts. to help them, and I know that they are usually (at least in the federal and state space) held back by archaic laws and regulations.
In my experience it is down to a lack of flexibility in the remuneration package(s) on offer and, as stated above, insufficient training budget or desire to provide that training for new staff or even the current ones!
It really doesn't need that much investment to make a change for the better, but there are always so many calls on what little budget exists.
Here in the DC area the Feds are clueless about the salaries that cleared, certified talent is requiring. Feds want to pay McDonald's wages, and that won't buy you anything. The cost of living is too high, commutes are too long, and one-year commitments with possible renewable options are not enticing.
I bypass HR by going direct to LinkedIn and other recruiting resources. Once I have the candidate that will make the team successful I will say "this is the person I want". It ruffles feathers but I'm not very lenient when it comes to the overhead that HR has grown to be.
I do not think there is a shortage. I think the real issue is unrealistic expectations on the employer side. The other thing is they don't know what they are looking for. Take a look at the job descriptions!
The job title says Information Security Analyst. But when you read it you realize quickly they are looking for a seasoned Cisco Engineer (with all the certs), an experienced Pen Tester (with all the certs again), and an analyst that has experience with all the SIEM tools out there. And of course, every possible certification.
No problem... until you talk about the salary! You will be lucky if the range is $85,000 to $90,000.
What they are really looking for is someone that has all the above and is willing to work for no more than $85,000 a year. Oh yeah... I forgot... they also want you to commute every day.
> agroll (Viewer II) posted a new reply in Career on 10-23-2018 09:01 AM in the (ISC)² Community:
> I do not think there is a shortage. I think the real issue is unrealistic expectations on the employer side. The other thing is they don't know what they are looking for. Take a look at the job descriptions!
Preach it, brother!
> The job title says Information Security Analyst. But when you read you realize quickly they are looking for a seasoned Cisco Engineer (with all the certs), an experienced Pen Tester (with all the certs again), and an analyst that has experience with all SIEM tools out there. And of course, every possible certification) No problem.....until you talk about the salary! You will be lucky if the range is $85,000 to $90,000. What they are really looking for is someone that has all the above, and is willing to work for no more than $85,000 a year. Oh yeah....I forgot....they also want you to commute every
I would concur that the balance of ongoing training, certification, and education with the current base staff is critical, so that the current staff, with their knowledge of the company, its products, services, processes and technologies, can maintain pace with IT security and information security skills and competencies, and the ability to recommend, build, operate, and maintain the security controls and technologies to prevent, identify, detect, respond, remediate (well, you get the drill) and eventually establish plans and budgets (the full lifecycle) to ensure data maintains confidentiality, integrity, and availability.
Just like the "shortage" of development talent, it seems to come down to an inability to find people with 15 years of experience willing to work for entry-level wages and pay for their own training. In the development world, this is used to push two cost-saving agendas: one is the import of H-1B labor on-shore, coupled with pushing much development (and certainly most testing) off-shore.
It is harder to outsource security due to regulatory issues, but not impossible. I think from the technical security/security engineering aspect, we'll continue to see more contractors and/or the use of MSSP, just as a lot of in-house IT jobs beyond the helpdesk/change-the-printer-ink level are removed and those roles picked up at the cloud service providers. Many of the internal jobs will be more policy based.
The degree to which that happens is probably vertical-specific. There is less of it in companies tightly coupled to the defense and intelligence spaces (although one could make the argument that is because those companies exist because the government already outsourced that work to the private sector, and working for a Lockheed or Northrop Grumman in a cyber space IS working for an MSSP) or highly-regulated industries, and more of it in the commercial space due to cost savings.
Of course, maybe I'm just cynical.