> JoePete (Contributor II) posted a new reply in Industry News on 10-05-2019 08:25

>     The other thing that is going
> is that our technology products have expanded geometrically. 25 years ago. Maybe
> there a computer per home. Now, we're talking dozens of devices per home
> connected to the Internet. Here's the absurdity in the U.S. - we have all these
> devices regulated by the FCC in terms of radio frequencies used but no one
> paying attention to the quality of the software/firmware being used.

Amen and amen. We're giving people devices and they are bringing their own,
using things both at work and home (and elsewhere). Are we giving them any
security awareness training? Are we building any security champions at work?

>   My  last point is we experience the same phenomenon with
> our schooling and professional training. We don't teach how to purchase and use
> these things securely. In my experience, despite all the lip service we pay to
> security awareness, most schools and organizations aren't interested in real
> training. At best they want to check a box.

Well, there's a lot of that, no doubt. There's also governments that, to say that
they are "supporting" education, mandate that schools open more places, but don't
raise the money they provide to education (and sometimes even cut it). That's a
good way to ensure that you turn out tons of English majors but nobody in
science, technology, or engineering. (It's fairly cheap to teach English: it costs a
lost more to teach science, technology, or engineering.) (Math is somewhere in
the middle, but if you keep giving your kids toys that tell them "Math is hard!"
you can't be surprised when they avoid it ...)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
In a real dark night of the soul it is always three o'clock in
the morning, day after day. - F. Scott Fitzgerald
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Don't think I could have said it better than Rob or JoePete.

 

I recently came across someone who is claiming to be a Security professional and after closer review find their only experience was generating reports out of ServiceNow for Audits......but they did get hired by someone to practice security......so those folks doing the hiring (whether it be HR or the department or whoever) are not educated.  

 

---

@rslade wrote:

We had almost a dozen students out at our last SIG meeting. I also know one
who's been working for two years now and still hasn't been able to get a serious
security job. (She's still looking.) We've got lots of talent. What we don't have is
people who will realistically take "trained, experienced, and willing to work"
rather than wait for "absolutely perfect for our specific hole."

---

This is more of what I am seeing, which is due to a broken hiring system then lack of talent.

 

I will accept that in some markets, for some skills, there may not be enough.  But I don't believe its true across the board everywhere.  And I think a lot of this is due to very superficial surveys that don't dig into the problem.

 

Instead you have a lot of companies (include their recruiters, both internal and external) who don't understand security, so they don't understand what they should be looking for.  This leads to unrealistic expectations (the "looking for unicorn" nonsense) with ridiculous job posting (wanting senior level skills for junior positions, wanted a long laundry list of "must have skills") and treating people like porridge (don't want you because you are 'too much' this or 'not enough' that).

I see this in my area with people who have worked hard to get skills and knowledge, but can't get their foot in the door.  Companies which flounder with filling roles for months where I KNOW they had several qualified candidates apply (and hopefully interview).  I've experienced it with companies either ignoring me for roles I'm clearly qualified for, or given me ridiculous excuses not to continue the process with me (too much/not enough, etc).

 

Not to say the insulting behavior I've had to deal with.  Being put down by peers for not having certs (really???).  Being put down by some recruiter for not have hands on experience when its a management role (really???).

 

Problem is you'd have to really dig in.  Like, say, have qualified people to review job descriptions and show that they were poor.  More interesting would be to ask for the resumes of the people these companies were rejecting for interviews.  You might get results like:  "We found that 80% of job descriptions were poorly constructed and not in line with realistic roles.  Titles were inflated, such that what should really be a lead security engineer role was called a security manager or ISO.  Further, we found that the vast majority of the resumes received should have been interviewed for the roles they applied for, but were rejected due to those reviewing not having a good understanding of information security."  or something similar.