This is really Bruce Schneier quoting Ben Rothke, but when one of the icons of our industry makes an observation, it carries weight:
Much of this could be distilled into the premise that security is not an entry-level profession. It's a specialization that relies on a foundation of related experience.
I often point out to newbies that I came into infosec/cybersecurity after several years as a sysadmin (first Unix, then Windows/AD). This, along with my computer science degrees, gave me my technical knowledge.
Am sure there are others who pivoted into infosec from other IT areas.
Totally agree with the article. Back in the 80s (not a typo), the company I was at was re-organizing/downsizing and were just deciding they needed a Security department (one of the big five offered to fix everything for several million).
At the time, I had spent time in Operations, Office Automation, Networking and Disaster Recovery/BCP (not all separate jobs). Unfortunately for me (some say fortunately), I was on the list to be laid off. During this process, everyone that was on the list was interviewed. The one question that I knew the answer to was "What is Kerberos"... no one else knew the answer, so I was saved and charged with developing the security program....
My years in Ops and Networking helped me enormously, as did my experience in DR (I was a CBCP); without that experience, I do not think that I could have been successful.
Yes, the industry is lacking in the number of professionals, but then I look at other professions and they are also suffering shortages (try to get a new doctor, or go to a hospital and see the shortage of nurses). Our industry, like so many others, is suffering.
From the article:
In fact, security roles are often not considered entry-level at all. Hiring managers assume you have some other background, usually technical, before you are ready for an entry-level security job. Without those specific skills, it is difficult for a candidate to break into the profession. Job seekers learn that entry-level often means at least two to three years of work experience in a related field.
So, while I think that the CC MIGHT be a good thing, I believe it to be marketed incorrectly (MHOO). My thoughts are that it should be marketed to folks already in IT not folks attempting to get into IT (okay folks, throw rocks at me). I could see a Network person who wants to expand their horizons taking this certification, or even someone who has been working in Computer Operations.
Off my soap box
... the CC MIGHT be a good thing ... should be marketed to folks already in IT not folks attempting to get into IT....
Amen. I have no objection to the CC, but I do feel it needs an experiential requirement, just like all the other certs. On-the-job training is where theory runs head-first into practice. And that just cannot be taught in the classroom.
It would be fair to say that if you see a lot of articles decrying a skills shortage, it may not remain for long. Attracted by the high salary potential, many new entrants to a field get the basic qualification in the hope of getting to those high salaries; however, supply and demand operates, so over the next cycle salaries get pushed back down by increased supply. And none of that really addresses the issue that security staff are generally a compensation for more rounded skill sets, that include some knowledge of security, that are often lacking in the rest of IT.
@SSR you should be able to get a role, depending on your experience - certainly a Security+/CISSP pass puts you in a better position than someone with just a CC - and to Bruce's point those specialised roles are going to take more than six months, but if you spend a couple of years working at it and pick up sysadmin, a bit of coding and say the basics of incident response, then that's going to be OK to start. Couple of questions - are you working in tech/IT currently? What made you sit the CISSP without the experience?