gidyn
Contributor III

Is there really an information security jobs crisis?

https://brothke.medium.com/is-there-really-an-information-security-jobs-crisis-a492665f6823
From the article:

 

... there is not a shortage of security generalists, middle managers, and people who claim to be competent CISOs. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills ...
Many of the people exiting security boot camps expect there to be a plethora of entry level information security jobs waiting for them. But ... there are very few truly entry-level jobs in cybersecurity.

15 Replies
denbesten
Community Champion

I got your back on that one :-).

Early_Adopter
Community Champion

@gidyn the new link is paywalled, but the gist is clear. Employers do tend to have champagne tastes and lemonade wallets.

On the one hand there is a group with little to no usable capabilities who would suck in resources to manage, mentor, etc., who are probably the folk turning up to @Beads' interviews, and at the other we have plenty of capable guys and gals who have genuine skills, experience and ability and know their worth and would like six-figure multiples please, with RSUs on the side.

The way I see it, the problem is to take the first group and make them into the second. If you make enough capable people from the folk starting out then they end up being less like “purple squirrels” and you can afford to hire folk who are better fits for the roles you have. Conversely, if we have fewer people in the industry upskilling in the right way, our purple squirrels make out like bandits and all the middle managers are sitting around with open reqs bemoaning the lack or cost of candidates…

If you’re ISC2 selling the dream of the purple squirrel job you’ll want to help them all with as many CCs, SSCPs, CISSPs as you can and sell second chances, training, etc., but will face headwinds for those candidates without experience of hands-on tools. “Paper Tiger” was a fine Sichuan restaurant in South Kensington that was named for a phrase used to illustrate a similar point in previous centuries, and we’ve been through similar cycles in the past with MCSEs and CCNAs (while not aimed at cybersecurity, both tested skills with simulation and you would be trained in running AD or switching and routing).

Moving away from ISC2, ISACA, etc., you can see SANS and Offensive Security, who provide quality hands-on training that’s still vendor neutral, and then you move into vendor land where operators are trained in tools.

Beyond this it’s developers and secure coding practices in your own applications and these are fundamentals rolling their own and have lots of scope to mess up.

Just a few slices of a great deal of complexity however given all the multifaceted dimensions feeding in we can probably consider that our most cherished intellectuality sacrosanct objectivity is in reality highly subjective.
JoePete
Advocate I


@ericgeater wrote:

In my opinion, I believe the "millions of unfilled positions" are not in companies which are actively seeking CS people. I believe it's the millions of companies who are slowly learning that they have no corporate position on information security.


I think this is a good observation. I think it also skews because if you ask someone "how many people do you need?" they'll always say "more." Even if they don't really have a handle on the situation, the specter of ransomware and other attacks will have them wanting to throw more people at the problem.
Fundamentally, you need people who understand policy and procedures leading your business. If you have good policy and procedures, you can efficiently secure an organization. It takes the upfront governance work, but it pays off. Most organizations, however, are more loose. As you say, they are "slowly learning" their deficiencies as they go along. They're the ones inclined to throw waves of people at the problem.

JoePete
Advocate I


@Beads wrote:
Really, most of the so-called "cybersecurity" people I interview really have very little clue, no development skills and little in the way of learning. Most demand constant mentoring and teaching and overall shouldn't be in the field in the first place.

I agree up until the "shouldn't be in the field in the first place" although I have probably mumbled it a few times myself. I think those of us of an older vintage evolved into security. We were developers, administrators, etc. With time we learned how to do things right, and because of that, we then became the ones making sure the operation was doing the right thing. But part of that is also disposition. You have to be able to see both the trees and the forest and be willing and able to communicate across business levels and units.

Perhaps due to the alarms over a "lack of jobs," what I have seen, probably starting 10-12 years ago, are people with very limited experience trying to step into a security role. They may have the certs and academic degrees, but no real experience with the tools. And that disposition is simply untested. They're a great-looking house but they have no foundation. One good storm blows them over. But it's not their fault. They were sold a misleading bill of goods by their institutions. I worked with this one guy: great personality, curious, willing. He had his certs and even a master's in cybersecurity, but he couldn't apply any of that knowledge and was just timid in a work environment (probably due to lack of confidence). I wish I had come across him years earlier. I think he could have grown into the role. His resume made him overqualified for an entry role, but his lack of experience and confidence made him unqualified for the roles his resume wanted.

denbesten
Community Champion


@JoePete wrote:
...His resume made him overqualified for an entry role, but his lack of experience and confidence made him unqualified for the roles his resume wanted.

This is a hugely important observation. Balance matters.

Caute_cautim
Community Champion

Express it as Kudos Squared then.....

Regards

Caute_Cautim