CISOScott
Community Champion

Where is the Infosec jobs shortage really at?

We keep hearing about the cybersecurity job shortages, but I am starting to wonder where the shortages really are. Is the expectation set so high that everyone wants the CISO job starting out at 150K and we have no one to fill the junior analyst type jobs? Is that where they are hurting? I know I could use some more analysts. I also work with people who have IT skills but lack InfoSec skills. Are we facing a crisis not really of shortages but of under-skilled or unknowledgeable IT workers in the ways of InfoSec?


Tell me where your shortages are or what you see as the gap left unfilled.

17 Replies
rslade
Influencer II

> CISOScott (Advocate I) posted a new topic in Career on 10-15-2018 09:29 AM in the (ISC)² Community :

> Are we facing a crisis of not really shortages but under
> skilled or unknowledgeable IT workers in the ways of InfoSec?

I've been seeing the same types of "we have no skilled workers" articles, stories,
and complaints for over 30 years.

Over the same time I've seen lots of skilled and competent workers who can't get
(proper or appropriate) jobs. I've never been unable to fill positions when I've
needed to.

I don't think there is any particular lack of skilled infosec workers. I do strongly
think there is a lack of skilled or knowledgeable HR staff. And also a lack of
willingness on the part of companies to pay for any kind of training ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Nothing in this world can take the place of persistence. Talent
will not; nothing is more common than unsuccessful people with
talent. Genius will not; unrewarded genius is almost a proverb.
Education will not; the world is full of educated derelicts.
Persistence and determination alone are omnipotent. The slogan
`press on' has solved and always will solve the problems of the
human race. - Calvin Coolidge
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
CISOScott
Community Champion


@rslade wrote:
I don't think there is any particular lack of skilled infosec workers. I do strongly
think there is a lack of skilled or knowledgeable HR staff. And also a lack of
willingness on the part of companies to pay for any kind of training ...

And we have a winner! I have seen more incompetence in the HR field than any other. I know there are competent ones out there within the HR field, but they are few and far between.


Now how do we bridge that gap? I know I have been attempting to work with HR depts. to help them, and I know that they are usually (at least in the federal and state space) held back by archaic laws and regulations.

JayCee
Newcomer II

In my experience it is down to a lack of flexibility in the remuneration package(s) on offer and, as stated above, insufficient training budget or desire to provide that training for new staff or even the current ones!


It really doesn't need that much investment to make a change for the better, but there are always so many calls on what little budget exists.

Flyslinger2
Community Champion

Here in the DC area the Feds are clueless about the salaries that cleared, certified talent is requiring. Feds want to pay McDonald's wages and that won't buy you anything. The cost of living is too high, commutes are too long, and one-year commitments with possible renewable options are not enticing.

I bypass HR by going direct to LinkedIn and other recruiting resources. Once I have the candidate that will make the team successful I will say "this is the person I want". It ruffles feathers, but I'm not very lenient when it comes to the overhead that HR has grown to be.

agroll
Newcomer I

I do not think there is a shortage. I think the real issue is unrealistic expectations on the employer side. The other thing is they don't know what they are looking for. Take a look at the job descriptions!

The job title says Information Security Analyst. But when you read it you realize quickly they are looking for a seasoned Cisco Engineer (with all the certs), an experienced Pen Tester (with all the certs again), and an analyst that has experience with all SIEM tools out there. And of course, every possible certification.

No problem.....until you talk about the salary! You will be lucky if the range is $85,000 to $90,000.

What they are really looking for is someone that has all the above, and is willing to work for no more than $85,000 a year. Oh yeah....I forgot....they also want you to commute every day.

rslade
Influencer II

> agroll (Viewer II) posted a new reply in Career on 10-23-2018 09:01 AM in the (ISC)² Community :

> I do not  think there is a shortage. I think the real issue is unrealistic
> expectations on the employer side.

Amen!

> The other thing is they don't know what
> they are looking for. Take a look at the job descriptions!

Preach it, brother!

> The job title
> says Information Security Analyst. But when you read you realize quickly
> they are looking for a seasoned Cisco Engineer (with all the certs), an
> experienced Pen Tester (with all the certs again), and an analyst that has
> experience with all SIEM tools out there. And of course, every possible
> certification) No problem.....until you talk about the salary! You will be
> lucky if the range is $85,000 to $90,000. What they are really looking for
> is someone that has all the above, and is willing to work for no more than
> $85,000 a year. Oh yeah....I forgot....they also want you to commute every
> day.

Yup.

doonwind
Newcomer I

I am in the UK and I completely agree with you. I am NOT in London, and I truly believe there is a small shortage, but nowhere near as bad as press articles are making it out to be. I believe there is a decent-sized demand in large international capital cities, but outside of that I don't believe the issue to be as spectacular as some headlines are making it out to be. Also, the job descriptions for some of these so-called Cyber Security positions are ridiculous in themselves; there is no real expectation of the time and dedication involved in learning such skills, and companies come along wishing you to be "Full Stack Engineers" of all InfoSec domains. However, I am just a mere minion in the InfoSec world, with a small voice....
Krisboike
Newcomer II

I would concur that the balance of ongoing training, certification, and education with current base staff is critical, so that the current staff with knowledge of the company, their products, services, processes and technologies can maintain pace with IT security and information security skills and competencies, and the ability to recommend, build, operate, and maintain the security controls and technologies to prevent, identify, detect, respond, remediate (well, you get the drill) and eventually establish plans and budgets (the full lifecycle) to ensure data maintains confidentiality, integrity, and availability.

Badfilemagic
Contributor II

Just like the "shortage" of development talent, it seems to come down to an inability to find people with 15 years of experience willing to work for entry-level wages and pay for their own training. In the development world, this is used to push two cost-saving agendas: one is the import of H1B labor on-shore, coupled with pushing much development (and certainly most testing) off-shore.


It is harder to outsource security due to regulatory issues, but not impossible. I think from the technical security/security engineering aspect, we'll continue to see more contractors and/or the use of MSSP, just as a lot of in-house IT jobs beyond the helpdesk/change-the-printer-ink level are removed and those roles picked up at the cloud service providers. Many of the internal jobs will be more policy based.


The degree to which that happens is probably vertical-specific. There is less of it in companies tightly coupled to the defense and intelligence spaces (although one could make the argument that is because those companies exist because the government already outsourced that work to the private sector, and working for a Lockheed or Northrop Grumman in a cyber space IS working for an MSSP) or highly-regulated industries, and more of it in the commercial space due to cost savings.


Of course, maybe I'm just cynical.

-- wdf//CISSP, CSSLP