https://brothke.medium.com/is-there-really-an-information-security-jobs-crisis-a492665f6823
From the article:
... there is not a shortage of security generalists, middle managers, and people who claim to be competent CISOs. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills ...
Many of the people exiting security boot camps expect there to be a plethora of entry level information security jobs waiting for them. But ... there are very few truly entry-level jobs in cybersecurity.
Follows an earlier article demonstrating how the skills and experience required by hiring managers greatly exceed the compensation offered.
A really good question. I often wonder when I see the number of people looking for jobs (both experienced and inexperienced). On quite a regular basis, we see folks here looking for employment.
Folks do need to start somewhere, however, many to most of the positions that I see regularly are for VERY experienced people (those folk that have extensive knowledge in many arenas), and not folks just entering the field.
The creators of the CISSP saw a need for multiple skills, hence the Class B CPEs that are available. I believe in its original inception, the thought for the CISSP was that it was for a Senior person and that is why the SSCP was created, to bring new folks into the fold. The SSCP was originally built as a stepping stone for folks that were already experienced IT people (those folks with Networking, UNIX, M$ experience) to help them step into Security.
I believe there is a shortage but I agree with the author that the number is overinflated.
d
Bruce Schneier, a highly respected security technologist, has weighed in basically saying "Hear, hear."
So who's stretching the truth?
@dcontesti wrote: So who's stretching the truth?
I think the real answer is there is no truth. This is fortune telling. The future only becomes the truth when it becomes the present.
Probably the single biggest mistake I've seen with technology over a lifetime of work is purchasing at the wrong interval - too often people try to future proof and spend too much and too long. Or they seek to solve only the problem in front of them. If you're talking more than two years out with technology, you might as well be talking interstellar travel. Even 18 months is a far horizon. As such, when people try to predict the workplace it's hazardous.
So what will work? Good critical reading and thinking skills will always be in demand. So too will be the creativity to problem solve and the discipline to write and follow procedures. I could turn a carpenter into a system administrator because they understand measure twice cut once. But I probably can't turn someone who majored in "entrepreneurism" into any entry level role because they've probably been taught to run before they can walk. That's really the challenge I find (although I don't do as much hiring as I once did) is that young employees simply have unrealistic expectations and even demands. A lot of that reflects that higher ed is simply too disconnected from the work it supposedly prepares students for (and I used to work in higher ed.).
Just like liberal and conservative, it seems there's a lot of chatter about "overblown demand for CS workers" and "millions of unfilled positions". So if there's two opinions, there's likely truth with both narratives.
For a moment, let's set aside the "overblown demand" argument, because that's the easy take. "We literally don't have anywhere for all these untrained CCs and Sec+'s and CEHs to go."
In my opinion, I believe the "millions of unfilled positions" are not in companies which are actively seeking CS people. I believe it's the millions of companies who are slowly learning that they have no corporate position on information security. I think it's orgs who go through a ransomware event and suddenly learn how exposed they are. It's leadership in evolving businesses who are learning to threat model.
Whether or not it's evolving to the tune of "3.5 million unfilled positions!!1!one!" is yet to be determined. But as a skeptic, I tend to ignore such headlines because they could play into the Law of Large Numbers.