JoePete
Advocate I

Schneier on the cybersecurity job market

This is really Bruce Schneier quoting Ben Rothke, but when one of the icons of our industry makes an observation, it carries weight:

https://www.schneier.com/blog/archives/2023/09/on-the-cybersecurity-jobs-shortage.html

 

Much of this could be distilled into the premise that security is not an entry-level profession. It's a specialization that relies on a foundation of related experience.

16 Replies
dcontesti
Community Champion

@SSR I note that you bracketed the word associate after CISSP.  If you in fact took the exam without the experience (5 Years) then you cannot technically use the CISSP logo, I believe you may only call yourself an Associate of (ISC)2.  I am tagging @tldutton here so that he may validate.

 

Don't give up trying to gain employment or experience in the Security field. Here are a few suggestions: volunteer for your church or local schools to help with Security; contact/join a local chapter of ISSA/(ISC)2/ISACA/etc., as they are a good way to make contacts and learn of potential opportunities. A number of software vendors will hire new folks in the industry and train them specifically on their products. Attend as many webinars as you are able to (this will hopefully increase your depth of knowledge).

 

Regards

 

d

 

JoePete
Advocate I


@SSR wrote:
Whelp, guess I should just give up on trying to break into the profession then. 

I think what Rothke and Schneier are trying to say is that there is no such thing as the "security profession." It's an extension of several other professions. Or maybe put differently, I think it is fair to say that across all industries, we have a shortage of qualified, good upper management. But you can't hop from no experience to management. You have to work your way up. While you can take a business class, it is not the same as actually doing the job. While there are tons of people who want to be a CEO or elsewhere in the C suite, no one "breaks into" the C-suite. They start at the entry level, and to be blunt about it, not everyone has the disposition and aptitude to be a CEO. Along their journey, they'll learn their comfort level and maybe they will specialize in something else.

 

Security is the same thing. Most of us start in IT somewhere. Maybe some come in through governance or business improvement. And the path forward rarely is vertical. We might go from system administration to development to architecture, or at least, we wear multiple hats in one job so that we begin to see the forest. Even then, those of us who succeed in security have a developed or innate penchant for system thinking. We seek quality through structure. Again though, some break off into other specializations, but "breaking into" this industry is almost a contradiction.

 

I wouldn't discourage you or anyone from pursuing your long-term goal, but you need to recognize the intermediate steps. As Rothke points out, this industry is full of snake-oil salesmen.

tldutton
ISC2 Team

You are 100% correct.  Excluding our CC exam, if you pass any of our certification exams and don't have the requisite experience, then you are simply known as an "ISC2 Associate" with NO reference to the exam you passed.  Once you have demonstrated to ISC2 through the endorsement process that you have gained the requisite experience, then you can associate the corresponding certification with your name.

SSR
Newcomer I

@Early_Adopter  wrote:

spend a couple of years working at it and pick up sysadmin, a bit of coding and, say, the basics of incident response, then that’s going to be OK to start. A couple of questions: are you working in tech/IT currently?


Know a bit of Python and sysadmin, and I wrote an IRP for the small tech company I work at right now that isn't doing great at the moment. Anything beyond paper knowledge of incident response I'll have to pick up at an enterprise-level role. Oh wait...

 


What made you sit CISSP without the experience?

The head of security at a company I interviewed for recommended it to me (I didn't do great at the interview then but I'd probably ace it now with the knowledge from learning the CISSP exam). They didn't think it needed experience, but maybe I was wrong to take their word for it.

 

Also while I was doing a very brief seasonal security position at a large company doing lowest-level alert management, the manager posted a big chart of certifications and I saw Sec+ near the bottom. So I decided I'd shoot for the highest one I could find that seemed doable and covered a broad scope, and see if I could pass it on the first try. That was CISSP and it was second highest on the list, so I picked that one and started teaching myself everything that was on it. 1.5 months later I got a fancy letter and... well, nothing else really.


@dcontesti wrote:

@SSR I note that you bracketed the word associate after CISSP.  If you in fact took the exam without the experience (5 Years) then you cannot technically use the CISSP logo, I believe you may only call yourself an Associate of (ISC)2.  I am tagging @tldutton here so that he may validate.

I'm so glad that ISC2 wants people to succeed by not letting them say what they demonstrated their knowledge in! As if my resume didn't do enough to say that I don't have enough experience, now I have people from the ISC2 coming down to back that up 😄 Like seriously, no one knows what "Associate" stands for. If they even know what that means, they're just going to assume it's for the lowest level of certification that qualifies. If I can't even say Associate (CISSP) or even Associate (CISSP exam), which still shows off my lowly status compared to my betters, I might as well get the CASP, which is basically the same level and covers practical questions as well as theory, costs less to take, doesn't come for their share every year, and won't gatekeep the right to... say I passed their exam?

 

Don't give up trying to gain employment or experience in the Security field. Here are a few suggestions: volunteer for your church or local schools to help with Security; contact/join a local chapter of ISSA/(ISC)2/ISACA/etc., as they are a good way to make contacts and learn of potential opportunities. A number of software vendors will hire new folks in the industry and train them specifically on their products. Attend as many webinars as you are able to (this will hopefully increase your depth of knowledge).


Thanks for the advice. I tried the ISC2 boards for my area and they're basically a ghost town. I contacted the one person who posted there and got nothing but silence. I'd love to meet locals but I don't think that's happening 🙁

I don't know what software vendors you're referring to but every single place I've looked at seems to want 2-5 years of experience for an "entry-level" position, often requesting very specific enterprise-level tools... tools no small church or school is going to be able to afford (I know this from my attempts to do security work in the small company I'm at currently). I'll happily take any webinars if you know where to look but also I'm not sure how I'd put them on my resume.

 


@Steve-Wilme wrote:

It is often easier to get into a general IT role and then transfer into security after a few years, using whatever internal vacancies are advertised by an employer.

I tried to do that while I was at the seasonal role but they didn't have any. And sadly small IT startup running out of money means no open positions period, internal, security, or otherwise. I can try for general IT positions elsewhere, any role names you recommend I search for?

 


@JoePete wrote:

I wouldn't discourage you or anyone from pursuing your long-term goal, but you need to recognize the intermediate steps. As Rothke points out, this industry is full of snake-oil salesmen.


Any in particular you had in mind? I don't know who I should stay clear of so any advice would be appreciated.

@tldutton wrote:

You are 100% correct.  Excluding our CC exam, if you pass any of our certification exams and don't have the requisite experience, then you are simply known as an "ISC2 Associate" with NO reference to the exam you passed.  Once you have demonstrated to ISC2 through the endorsement process that you have gained the requisite experience, then you can associate the corresponding certification with your name.


But what if Credly, official partner of ISC2, said:

[image: SSR_0-1695318974607.png]

I am confusion.

Early_Adopter
Community Champion

@SSR thanks for the comprehensive response. I think knowing some Python is a good place to start, especially sysadmin - this allows you to build a base. Don’t know your situation enough to give specific advice, but Python is very useful for analytics and security folk like monthly metrics on KPIs etc., so there’s a decent plank to pull yourself up on. Try Google’s certified Cybersecurity Professional course; it’s self-paced and covers a lot of useful stuff, plus the first seven days are free. I’d put more stock in certs from vendors with simulation - and it should fit into your sysadmin experience.

Sorry to hear you got roped into CISSP for such small return, congrats on passing the exam though. The chap you interviewed with should have suggested something appropriate that you could consume and would be useful straight away. SSCP is better in this sense, and for what it’s worth the free CC will not add any additional drain on your finances as its 50 USD PUPY is covered by your Associate AMFs. CASP+ is a good option to consider.

On the designation/communication ISC2 isn’t anywhere near as competent as its exam writers are, so you will see inconsistencies like the Credly issue from time to time. You should follow the agreement so as to not run afoul of the Ts and Cs, but this is just another example of “do as I say, not as I do” (I’m assuming here it has different ones for CSSLP etc., though this isn’t a given). Anyway, marketing is on heavy rotation and I keep getting ads in my feeds offering me a great discount on CISSP, training, C’n’C in case I want to test the market…

Anyway keep your chin up and feel free to ping folk on the forum for specifics.
emb021
Advocate I

@denbesten wrote:

"Amen. I have no objection to the CC, but I do feel it needs an experiential requirement, just like all the other certs." 

 

Sorry, but NOT all certs have an experiential requirement.

NONE of CompTIA's certs do.  NONE of SANS/GIAC's do.  NONE of IAPP's do.

ISACA has a couple that don't (their newish stackables).

Since the CC, like the Sec+, is aimed at the entry-level person, I don't expect it to have one.

I DO agree that those certs that aren't aimed at entry-level roles should have it.



 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Early_Adopter
Community Champion

So a third view between CC should have experience vs not all certs need experience/CC should be entry level…

I’d argue it should be a certificate rather than a certification. One and done, cheap and cheerful, and therefore actually free for the million Guinea Pigs taking an untested cert to see if it hel… I mean, of course, candidates taking the premier IT Security certification where it will surely get them a high-paying job with no need for any experience!

Consider there isn’t any Cybersecurity experience to certify, but you’re also looking at an ongoing process with CPEs etc., and frankly it either helped you get a job in the first 2-3 years or it didn’t; in any case you moved on, so there’s no need to keep it around.

We also see that ISC2 are planning certificates to replace the CISSP concentr… er, I mean complement the CISSP concentrations… which are a hard sell because they can only be marketed to holders of the CISS… er, I mean exclusionary because there’s a big addressable market of managers without CISSP who want that security management badge as well..? I wonder how they get the 50 or 125 PUPY out of these..?

There’s also the fact that people are full members for fifty bucks a year with CC, which has got to be a bit of an eye opener if you’re an associate (you pay the same and sit harder exams for less) or a member with a higher cert (you pay more for the same). At some stage I assume that ISC2 will put the AMF up for CC folk - because if anyone maintains this for a period of time the implication is that AMF fees are fine at fifty bucks (looking forward to my AMF reduction :)) :

“ISC2 certified members pay a single AMF of U.S. $125 which is due each year upon the anniversary of their certification date. Members only pay a single AMF of U.S. $125 regardless of how many certifications they earn. AMFs for members with multiple certifications are due on their earliest certification anniversary.
Associates of ISC2 AMFs

Associates of ISC2 pay an AMF of U.S. $50 which is due each year upon the anniversary of achieving their associate status.”