JoePete
Advocate I

Schneier on the cybersecurity job market

This is really Bruce Schneier quoting Ben Rothke, but when one of the icons of our industry makes an observation, it carries weight:

https://www.schneier.com/blog/archives/2023/09/on-the-cybersecurity-jobs-shortage.html

Much of this could be distilled into the premise that security is not an entry-level profession. It's a specialization that relies on a foundation of related experience.

16 Replies
Early_Adopter
Community Champion

Totally, it relies on adjacent experience in Information Technology. ISC2’s CC is a perfect example of a well-meaning but frankly overly enthusiastic push that, with the free (till AMF) cert offer, pulls in a lot of people who don’t have the required experience to fulfil the requirements on the coal face. It’s super important to be specialised, and you’re building on programming, networking, systems administration etc. to be useful. I think there are bright spots in the space for people building the low-level skills, such as CompTIA’s simulations, Google’s new certification, OSCP, Microsoft, Amazon and other vendor training.

Word to the wise when planning a career: be a tool user, be prepared to script, automate and programme to success - Computer Science for the win.
emb021
Advocate I

Agree.

I often point out to newbies that I came into infosec/cybersecurity after several years as a sysadmin (first Unix, then Windows/AD). This, along with my computer science degrees, gave me my technical knowledge.

Am sure there are others who pivoted into infosec from other IT areas.


---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
dcontesti
Community Champion

Totally agree with the article. Back in the 80s (not a typo), the company I was at was re-organizing/downsizing and had just decided they needed a Security department (one of the big five offered to fix everything for several million).

At the time, I had spent time in Operations, Office Automation, Networking and Disaster Recovery/BCP (not all separate jobs). Unfortunately for me (some say fortunately), I was on the list to be laid off. During this process, everyone that was on the list was interviewed. The one question that I knew the answer to was "What is Kerberos"..........no one else knew the answer, so I was saved and charged with developing the security program....

My years in Ops and Networking helped me enormously, as did my experience in DR (I was a CBCP); without that experience, I do not think that I could have been successful.

Yes, the industry is lacking in the number of professionals, but then I look at other professions and they are also suffering shortages (try to get a new doctor? or go to hospital and see the shortage of nurses). Our industry, like so many others, is suffering.

From the article:

In fact, security roles are often not considered entry-level at all. Hiring managers assume you have some other background, usually technical before you are ready for an entry-level security job. Without those specific skills, it is difficult for a candidate to break into the profession. Job seekers learn that entry-level often means at least two to three years of work experience in a related field.

So, while I think that the CC MIGHT be a good thing, I believe it to be marketed incorrectly (MHOO). My thoughts are that it should be marketed to folks already in IT, not folks attempting to get into IT (okay folks, throw rocks at me). I could see a Network person who wants to expand their horizons taking this certification, or even someone who has been working in Computer Operations.

Off my soap box

d

gidyn
Contributor III

There's no shortage of skilled professionals either. There's a shortage of skilled professionals willing to work long hours under high stress for miserable wages.
Same as with almost every other alleged "skills shortage", it's employers wanting to drive up the supply of labour so that they can push down the price.
denbesten
Community Champion


@dcontesti wrote:

... the CC MIGHT be a good thing ... should be marketed to folks already in IT not folks attempting to get into IT....

Amen. I have no objection to the CC, but I do feel it needs an experiential requirement, just like all the other certs. On-the-job training is where theory runs head-first into practice, and that just cannot be taught in the classroom.

SSR
Newcomer I

Whelp, guess I should just give up on trying to break into the profession then. This explains why I can't get crap despite having Sec+, CISSP (associate), and some seasonal cybersecurity experience. Shame I went almost broke that month scrounging up the funds for those five letters that didn't end up doing anything. Funny, the article specifically calls out stacking shelves, at least that actually offers a clear career trajectory for me!

Well, thanks for posting this article. Know when to hold 'em and when to fold 'em...
Steve-Wilme
Advocate II

It would be fair to say that if you see a lot of articles decrying a skills shortage, it may not remain for long. Attracted by the high salary potential, many new entrants to a field get the basic qualification in the hope of getting to those high salaries; however, supply and demand operates, so over the next cycle salaries get pushed back down by increased supply. And none of that really addresses the issue that security staff are generally a compensation for more rounded skill sets, that include some knowledge of security, that are often lacking in the rest of IT.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Steve-Wilme
Advocate II

It is often easier to get into a general IT role and then transfer into security after a few years, using whatever internal vacancies are advertised by an employer.
-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Early_Adopter
Community Champion

@SSR you should be able to get a role, depending on your experience - certainly a Security+/CISSP pass puts you in a better position than someone with just a CC - and to Bruce’s point, those specialised roles are going to take more than six months, but if you spend a couple of years working at it and pick up sysadmin, a bit of coding and, say, the basics of incident response, then that’s going to be ok to start. Couple of questions - are you working in tech/IT currently? What made you sit the CISSP without the experience?