Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
gidyn
Contributor III
‎10-22-2023 02:16 AM
‎10-22-2023 02:16 AM

Is there really an information security jobs crisis?

https://brothke.medium.com/is-there-really-an-information-security-jobs-crisis-a492665f6823

 

From the article:

 

... there is not a shortage of security generalists, middle managers, and people who claim to be competent CISOs. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills ...

 

Many of the people exiting security boot camps expect there to be a plethora of entry level information security jobs waiting for them. But ... there are very few truly entry-level jobs in cybersecurity.

Reply
15 Replies
gidyn
Contributor III
‎10-22-2023 02:22 AM
‎10-22-2023 02:22 AM

Follows an earlier article demonstrating how the skills and experience required by hiring managers greatly exceeds the compensation offered.

Reply
dcontesti
Community Champion
‎10-22-2023 10:55 AM
‎10-22-2023 10:55 AM

A really good question.  I often wonder when I see the number of people looking for jobs (both experienced and unexperienced).  On quite a regular basis, we see folks here looking for employment.

 

Folks due need to start somewhere, however, many to most of the positions that I see regularly are for VERY experience people (those folk that have extensive knowledge in many arenas), and not folks just entering the field.  

 

The creators of the CISSP, saw a need for multiple skills hence the Class B CPEs that are available.  I believe in its original inception, the thought for the CISSP was that it was for a Senior person and that is why the SSCP was created, to bring new folks into the fold.  The SSCP was originally built as a stepping stone for folks that were already experience IT people (those folks with Networking, UNIX, M$ experience) to help them step into Security.

 

I believe there is a shortage but I agree with the author that the number is over inflated.

 

d

 

Reply
denbesten
Community Champion
‎10-22-2023 12:59 PM
‎10-22-2023 12:59 PM

Bruce Schneider, a highly respected security technologist, has weighed in basically saying "Hear, hear."

Reply
dcontesti
Community Champion
‎10-22-2023 02:01 PM
‎10-22-2023 02:01 PM

So who's stretching the truth?

Reply
Early_Adopter
Community Champion
‎10-22-2023 10:17 PM
‎10-22-2023 10:17 PM

I think that a lot of this is down to your perception where you sit - from a candidate standpoint if you have usable skills there are plenty of jobs, if you’re trying to break in with a CC and six months experience in Madame Thrifty’s Digital Carwash then you’ll struggle.

Low salaries/compensation is a thing and this will lead to higher turnover/retention issues - it’s bad not to be able to hire - it’s even worse to hire and have them quit.

Lastly if you have current technology skills - popping boxes, secure coding, policy authoring( documents and systems) then you’ll command a very nice salary and folk looking for you can’t find your profile easily.

If employers are willing to train in and build skill sets, plus offer decent remuneration then there is less of a security shortage as long as they can keep their people.
Reply
JoePete
Advocate I
‎10-23-2023 08:20 AM
‎10-23-2023 08:20 AM

@dcontesti wrote:

So who's stretching the truth?

I think the real answer is there is no truth. This is fortune telling. The future only becomes the truth when it becomes the present. 

 

Probably the single biggest mistake I've seen with technology over a lifetime of work is purchasing at the wrong interval - too often people try to future proof and spend too much and too long. Or they seek to solve only the problem in front of them. If you're talking more than two years out with technology, you might as well be talking interstellar travel. Even 18 months is a far horizon. As such, when people to predict the workplace it's hazardous. 

 

So what will work? Good critical reading and thinking skills will always be in demand. So too will be the creativity to problem solve and the discipline to write and follow procedures. I could turn a carpenter into a system administrator because they understand measure twice cut once. But I probably can't turn someone who majored in "entrepreneurism" into any entry level role because they've probably been taught to run before they can walk. That's really the challenge I find (although I don't do as much hiring as I once did) is that young employees simply have unrealistic expectations and even demands. A lot of that reflects that higher ed is simply too disconnected the work it supposedly prepares students for (and I used to work in higher ed.). 

Reply
ericgeater
Community Champion
‎10-23-2023 09:04 AM
‎10-23-2023 09:04 AM

Just like liberal and conservative, it seems there's a lot of chatter about "overblown demand for CS workers" and "millions of unfilled positions".  So if there's two opinions, there's likely truth with both narratives.

 

For a moment, let's set aside the "overblown demand" argument, because that's the easy take.  "We literally don't have anywhere for all these untrained CCs and Sec+'s and CEHs to go."

 

In my opinion, I believe the "millions of unfilled positions" are not in companies which are actively seeking CS people.  I believe it's the millions of companies who are slowly learning that they have no corporate position on information security.  I think it's orgs who go through a ransomware event and suddenly learn how exposed they are.  It's leadership in evolving businesses who are learning to threat model.

 

Whether or not it's evolving to the tune of "3.5 million unfilled positions!!1!one!" is yet to be determined.  But as a skeptic, I tend to ignore such headlines because they could play into the Law of Large Numbers.

-----------
A claim is as good as its veracity.
Reply
Beads
Advocate I
‎10-23-2023 09:46 AM
‎10-23-2023 09:46 AM

I think you should be interviewing candidates before asking this question. Really, most of the so called "cybersecurity" people I interview, really have very little clue, no development skills and little in the way of learning. Most demand constant mentoring and teaching and overall shouldn't be in the field in the first place.

Outside of that, nothing above contradicts anything I have said for years.

- B/Eads
Reply
dcontesti
Community Champion
‎10-23-2023 04:10 PM
‎10-23-2023 04:10 PM

Wishing I could double KUDO @Beads 

Reply