People often talk about a cybersecurity skills gap, but I haven't seen much evidence of it. Interest from recruiters and job boards, when compared to other IT positions, seems pretty weak. (Disclaimer - this could be a regional thing.)
I think the gap is between what companies are willing to pay for highly skilled security professionals and what salary the professionals are willing to work for. I know I lost one CISO job because they could bring in someone cheaper and younger. Now the employees still there, hate working there, and several people have already left the company or moved internally, but HEY! The new guy was cheaper! And also less experienced. And had no real leadership experience. Or vast background in the field. Or had any big company experience (only worked at small companies). Or had good people skills. Or had any experience training his subordinates. Or etc., etc. But he was cheaper...............
Skills Gap = IDK what I want + IDK how to write a proper job description + Must include CISSP in the description + I just lost my SOC III Analyst and I must find someone with the same skill set + We don't train here + I hope you like 3rd shift
Sorry, I couldn't help myself lol.
Again, just doing a quick Indeed search for 'Cyber' in my area and here's a snippet of an entry level position according to the job duties. The SSCP or CompTIA's CySA+ would be more than sufficient.
Cyber Security Specialist
Am a bit of a doubter as well.
I will accept that maybe for SOME skill sets and in SOME areas, there is a lack of talent. But not universal across the board.
When I hear of people struggling to even GET a job (and I include myself who has been spending 7-8 trying to find a new job), I am doubtful. These people should be snapped up in such an environment.
I DO see the nonsense of bad job descriptions. And dealt with companies with unreasonable expectations (pull out a particular skill as a drop-dead, must have skill and reject you, etc). I've seen roles go unfilled for MONTHS when I know several qualified people applied (and interviewed) for it. And dealt with the idiot recruiters and hiring managers who can't seem to figure what I CAN do and why I am an excellent fit for the positions *I* want and not come to me for roles that I am NOT a good fit for.
I more think what the problem is is the whole system of finding talent and filling roles is broken. The nonsense like hiring the cheaper person who drives people away is the result of a broken system. Or go after the wrong talent and not the right talent and letting people grow into a role that are best fit for.
And I have had several blunt discussions during the interview where I tell them the salary range I am looking for and they say "We can't afford you.". After speaking with a colleague who interviewed for the same position but had a salary range about 30K lower than mine (around 100K) and he was told the same thing.
The agency had just suffered a cybersecurity breach, had fired their CIO, had no security people on staff and expected the CIO to be the CISO as well, but they couldn't afford to pay for a highly qualified individual to do both. So is this a cyber skills gap or a CFO not wanting to pay for what they actually need? I mean if you can't pay for a CIO and a CISO, why not combine those salaries and pay a highly qualified individual to do both? It amazed me that, after suffering a cybersecurity breach, they did not want to add security staff but expected to hire a CIO that could do both roles and not pay over $100K for someone that was going to do both. Good luck finding someone who can do both and is willing to be that exposed to the consequences for less than 100K. I'm sure they CAN find someone to fill the role at that low salary, but pretty sure they are just setting themselves up for another failure. P.S they take in 20+ millions per year as revenue.
The agency had just suffered a cybersecurity breach, had fired their CIO, had no security people on staff and expected the CIO to be the CISO as well, but they couldn't afford to pay for a highly qualified individual to do both.
And you wanted to work for them...why? I'm not sure of the events surrounding the breach or how much negligence was involved for them to feel like the CIO/CISO needed to be fired but I probably would have ended the interview during that part if they couldn't give a very good reason for it. If you want to use the C-Suite as a scape goat for anything that goes wrong, your Organization is not the right fit for me. Does their need to be ownership for the breach at their level? Absolutely, but we all know it's not a matter of if but when.
Very often the ad has such limited details that you might apply just out of idle
I agree but as soon as they told me about how they treated the previous employees, it wouldn't have made it to the salary negotiation stage. Would you have accepted the position if they did pay the right amount of money @CISOScott ? Just curious because I'm looking at this from a position of privilege because I'm currently employed. My perspective may be different if I really needed a job.
Let's summarise some good points here, and maybe add some new:
- Recruiters very often cannot distinguish between a CISSP and a Cisco CCSP or a CSSP (cloud). Let alone differences between CISSP, CRISC, CISA or CISM. For many recruiters that is just a soup of 'the security thing'.
- Sector experience: Agency recruiter telling that "Your CV is a perfect match.. Except.. The client insists on someone who has 'banking experience'" . Well, explain them that people are not born with that. Maybe if they start with hiring a security-competent and experienced person, they can bet that in around one or two years they will certainly have also that 🙂 -Is it born first the experience or the candidate?
- Language (cultural?) barriers In some countries (e.g. Switzerland) some company may search for many months (over 9 months!!) for experienced security candidates, although they insist on a fluent German-speaking mandatory requisite even when the role is clearly going to be working in an international setting. Doesn't the recruiter realise that maybe there are not so many Security experienced interested candidates speaking German...? And no, one should not be tempted to think that asking for fluent German is a veiled form of racism. (Note that in Europe German is spoken in: Germany, Austria and Switzerland - plus a couple of countries adding to the same inhabitants of Denver. English speakers in comparison are incomparably easier to find.)
- Pay & Skills We want Security superman (list here all security certs...), 10+ years management experience, but also hands on, ready to work in a stressful environment (read: handle security incidents) and possibly holding an MBA. Nonetheless, we publish a salary which is 20% less than what we publish for a Cloud Architect with 3 years experience. In other words, we could pay you like an Agile/Scrum newcomer...
- Reporting structure Yes, you will probably not report up to the CISO under the CEO. Most likely if you will ultimately report into IT. To the CIO if you are lucky. If not, below. Or maybe the CFO. Why not the CCO..? Anyway to someone who will not understand what you would need to at least 'attempt' to improve the "organisational security posture". Risk Management? Committees? Mmm.... Let's see... where we are with that? CMMI... 2-3 ? Let re-talk about this another time..
- Team Obviously your Team will be understaffed. So what? Every Team is understaffed, you know? But yours will be MORE understaffed, is it crystal clear?? You know...Security is not a profit center... (Would those be the moments when you would think that you should have studied Economy & Marketing and be in Sales Team..?)
- Skills Gap Hahhahahaha... Ehm, excuse me -I lost the aplomb for a sec :D.. Ok, this one is not serious, right? In average takes anywhere from 3 to 9 months to land a job in Security, not always decently paid. We are talking for people with more than 5 years experience. The higher the experience, the...harder!!! (should not be the reverse?!?!?!). Skills gap seems to be simply a joke. The reality seems to be that a lot of 1st line incident handlers or firewall specialists / SIEM engineers are sought (read: underpaid low-skilled cannon-fodder). But... see next point 🙂
- Career Path The EVPs or the MDs or the CISO itself will be (nearly) always... what they call "non-technical" people. Translation: Almost never they do not hold any kind of Security certification. Not only they are non-technical. They have often no real Information Security background or they have covered few roles and then have been rocketed to the top. Very often they just got the job because of "good social skills". They might sometimes hold an MBA. Plenty of examples on Linkedin - And yes, sure that there are exceptions.
(Favorite Movie Trailer: Maverick).
Now, who would suggest his/her children to work as an Information Security Professional?
Be smart, next time teach your kids how to distinguish between Futures, Hedge Funds and Swaps... 🙂