cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Community Champion

Is it really this bad?

Hi All

 

What are your thoughts on this ?

 

https://techcrunch.com/2019/10/03/lack-cybersecurity-professionals-threat-dhs/

 

Regards

 

Caute_cautim

5 Replies
Highlighted
Contributor II

Re: Is it really this bad?

I think there are a couple of things leading to the conclusion that we lack cybersecurity professionals. A large one is the government surge in this discipline over the past several years. Here in the U.S., this is on federal, state, and we are even beginning to see local level. We create these agencies and positions rather than modifying existing ones to be better. For example, we don't have a perceived lack "HR coordinators" even though the area of human resources has expanded exponentially over the years thanks to various tax, insurance, and legal requirements. Maybe these departments have grown, but by in the large we take existing positions (in HR and management) and we train them to be on top of this. But security, we think of as a commodity. I use to give a talk "Security is not butter." You can't just buy more and spread it on where it is lacking. It has to be integral to be effective; it's really a measure of quality. That is what we haven't figured out. 

 

The other thing that is going on is that our technology products have expanded geometrically. 25 years ago. Maybe there was a computer per home. Now, we're talking dozens of devices per home connected to the Internet. Here's the absurdity in the U.S. - we have all these devices regulated by the FCC in terms of radio frequencies used but no one is paying attention to the quality of the software/firmware being used. Now, I loathe government regulation, but my point is imagine the auto industry where auto safety amounted to a test of the volume of the horn or maybe depth of the tire tread, and no one was looking at brakes, seatbelts, steering, etc. As has been established crappy software (actually the same software that the government tends to buy) can shut down hospitals when attacked. I'm not advocating for a computing version of the FDA, but I think we have to ask are we going about this the wrong way? We are essentially trying to fix a problem at the worst end of it, and this naturally is a more resource intensive approach. At the least, if federal, state, county, and municipal agencies raised the bar for the quality of their own software, maybe we would see the marketplace address the issue (again, I loathe regulation).

 

My  last point is we experience the same phenomenon with our schooling and professional training. We don't teach how to purchase and use these things securely. In my experience, despite all the lip service we pay to security awareness, most schools and organizations aren't interested in real training. At best they want to check a box. Like buying crappy software, it is not even an issue of price. A CISSP will offer to do Safe and Secure for free, but they prefer to stick with some presentation they pay for.

 

So if we are experiencing a shortage of cybersecurity professionals, it's for the same reason that the town who has experienced a season of drought but has bon fires every night and hands out matches to kindergarteners finds itself with a shortage of firefighters.

Highlighted
Community Champion

Re: Is it really this bad?

> Caute_cautim (Community Champion) posted a new topic in Industry News on

> Hi All   What are your thoughts on this ?  

To quote the President of the United States, ... (well, maybe I'd better not).

Anyway, no. It's not that bad.

I've been hearing this sort of tripe about a lack of talent for more than three
decades. At the same time, what I've seen is recruiters and HR people who know
nothing about how to hire tech people. Also companies (and government
agencies) that refuse to put money into training or provide time for research.
(How many companies even have a tech library any more?)

We had almost a dozen students out at our last SIG meeting. I also know one
who's been working for two years now and still hasn't been able to get a serious
security job. (She's still looking.) We've got lots of talent. What we don't have is
people who will realistically take "trained, experienced, and willing to work"
rather than wait for "absolutely perfect for our specific hole."

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Education: the path from cocky ignorance to miserable uncertainty
- Mark Twain
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Highlighted
Community Champion

Re: Is it really this bad?

> JoePete (Contributor II) posted a new reply in Industry News on 10-05-2019 08:25

>     The other thing that is going
> is that our technology products have expanded geometrically. 25 years ago. Maybe
> there a computer per home. Now, we're talking dozens of devices per home
> connected to the Internet. Here's the absurdity in the U.S. - we have all these
> devices regulated by the FCC in terms of radio frequencies used but no one
> paying attention to the quality of the software/firmware being used.

Amen and amen. We're giving people devices and they are bringing their own,
using things both at work and home (and elsewhere). Are we giving them any
security awareness training? Are we building any security champions at work?

>   My  last point is we experience the same phenomenon with
> our schooling and professional training. We don't teach how to purchase and use
> these things securely. In my experience, despite all the lip service we pay to
> security awareness, most schools and organizations aren't interested in real
> training. At best they want to check a box.

Well, there's a lot of that, no doubt. There's also governments that, to say that
they are "supporting" education, mandate that schools open more places, but don't
raise the money they provide to education (and sometimes even cut it). That's a
good way to ensure that you turn out tons of English majors but nobody in
science, technology, or engineering. (It's fairly cheap to teach English: it costs a
lost more to teach science, technology, or engineering.) (Math is somewhere in
the middle, but if you keep giving your kids toys that tell them "Math is hard!"
you can't be surprised when they avoid it ...)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
In a real dark night of the soul it is always three o'clock in
the morning, day after day. - F. Scott Fitzgerald
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Highlighted
Community Champion

Re: Is it really this bad?

Don't think I could have said it better than Rob or JoePete.

 

I recently came across someone who is claiming to be a Security professional and after closer review find their only experience was generating reports out of ServiceNow for Audits......but they did get hired by someone to practice security......so those folks doing the hiring (whether it be HR or the department or whoever) are not educated.  

 

Highlighted
Contributor III

Re: Is it really this bad?


@rslade wrote:

We had almost a dozen students out at our last SIG meeting. I also know one
who's been working for two years now and still hasn't been able to get a serious
security job. (She's still looking.) We've got lots of talent. What we don't have is
people who will realistically take "trained, experienced, and willing to work"
rather than wait for "absolutely perfect for our specific hole."


This is more of what I am seeing, which is due to a broken hiring system then lack of talent.

 

I will accept that in some markets, for some skills, there may not be enough.  But I don't believe its true across the board everywhere.  And I think a lot of this is due to very superficial surveys that don't dig into the problem.

 

Instead you have a lot of companies (include their recruiters, both internal and external) who don't understand security, so they don't understand what they should be looking for.  This leads to unrealistic expectations (the "looking for unicorn" nonsense) with ridiculous job posting (wanting senior level skills for junior positions, wanted a long laundry list of "must have skills") and treating people like porridge (don't want you because you are 'too much' this or 'not enough' that).

I see this in my area with people who have worked hard to get skills and knowledge, but can't get their foot in the door.  Companies which flounder with filling roles for months where I KNOW they had several qualified candidates apply (and hopefully interview).  I've experienced it with companies either ignoring me for roles I'm clearly qualified for, or given me ridiculous excuses not to continue the process with me (too much/not enough, etc).

 

Not to say the insulting behavior I've had to deal with.  Being put down by peers for not having certs (really???).  Being put down by some recruiter for not have hands on experience when its a management role (really???).

 

Problem is you'd have to really dig in.  Like, say, have qualified people to review job descriptions and show that they were poor.  More interesting would be to ask for the resumes of the people these companies were rejecting for interviews.  You might get results like:  "We found that 80% of job descriptions were poorly constructed and not in line with realistic roles.  Titles were inflated, such that what should really be a lead security engineer role was called a security manager or ISO.  Further, we found that the vast majority of the resumes received should have been interviewed for the roles they applied for, but were rejected due to those reviewing not having a good understanding of information security."  or something similar.

 

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, GSLC, GSTRT, ISSA Fellow