https://brothke.medium.com/is-there-really-an-information-security-jobs-crisis-a492665f6823
From the article:
... there is not a shortage of security generalists, middle managers, and people who claim to be competent CISOs. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills ...
Many of the people exiting security boot camps expect there to be a plethora of entry level information security jobs waiting for them. But ... there are very few truly entry-level jobs in cybersecurity.
I got your back on that one :-).
@ericgeater wrote:
In my opinion, I believe the "millions of unfilled positions" are not in companies which are actively seeking CS people. I believe it's the millions of companies who are slowly learning that they have no corporate position on information security.
I think this is a good observation. I think it also skews because if you ask someone "how many people do you need?" they'll always say "more." Even if they don't really have a handle on the situation, the specter of ransomware and other attacks will have them wanting to throw more people at the problem.
Fundamentally, you need people who understand policy and procedures leading your business. If you have good policy and procedures, you can efficiently secure an organization. It takes the upfront governance work, but it pays off. Most organizations, however, are more loose. As you say, they are "slowly learning" their deficiencies as they go along. They're the ones inclined to throw waves of people at the problem.
@Beads wrote:
Really, most of the so-called "cybersecurity" people I interview really have very little clue, no development skills, and little in the way of learning. Most demand constant mentoring and teaching and overall shouldn't be in the field in the first place.
I agree up until the "shouldn't be in the field in the first place" although I have probably mumbled it a few times myself. I think those of us of an older vintage evolved into security. We were developers, administrators, etc. With time we learned how to do things right, and because of that, we then became the ones making sure the operation was doing the right thing. But part of that is also disposition. You have to be able to see both the trees and the forest and be willing and able to communicate across business levels and units.
Perhaps due to the alarms over a "lack of jobs," what I have seen, probably starting 10-12 years ago, are people with very limited experience trying to step into a security role. They may have the certs and academic degrees, but no real experience with the tools. And that disposition is simply untested. They're a great-looking house, but they have no foundation. One good storm blows them over. But it's not their fault. They were sold a misleading bill of goods by their institutions. I worked with this one guy: great personality, curious, willing. He had his certs and even a master's in cybersecurity, but he couldn't apply any of that knowledge and was just timid in a work environment (probably due to lack of confidence). I wish I had come across him years earlier. I think he could have grown into the role. His resume made him overqualified for an entry role, but his lack of experience and confidence made him unqualified for the roles his resume wanted.
@JoePete wrote:
...His resume made him overqualified for an entry role, but his lack of experience and confidence made him unqualified for the roles his resume wanted.
This is a hugely important observation. Balance matters.
Express it as Kudos Squared then...
Regards
Caute_Cautim