rslade
Influencer II

Shortage of Cyber Security Professionals ...

Best bet for commodity futures?  Buy security professionals.  Apparently there is a world wide shortage.

 

Yeah, right.  As I have noted elsewhere, and frequently, there's been a shortage my whole career.  I ain't rich yet.  There's a bit of a disconnect.

 

OK, so first off, recently, there was Trump's "executive order," which, as I noted, is mostly about getting staff for (relatively low paying) government jobs, and probably isn't going to change much of anything.

 

Now, in Canada, another group has been formed "to craft a plan for cyber security education and workforce development."  Yeah, good luck with that.

 

Returning to the US, the Marines are asking for civilian volunteers to make up a new computer task force cyber security unit.  According to the General responsible, "If anybody wants to join, you can sign up."  (Sounds a bit desperate, if you ask me ...)


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
21 Replies
Caute_cautim
Community Champion

A lot of us have been through the mill, yes, we were once young impressionable people, put into secure rooms, or indoctrinated with some form of military security regime, or discipline.   Given the current shortage, the key thing really is ensuring the correct ethics and skills and how to use them appropriately can be applied - this takes time.   Yes, I have seen situations whereby people with an aptitude have been made security analysts on the front desk - but they have been assisted with Augmented Intelligence and Machine Learning, to assist them to analyse new situations quickly and to make recommendations - but not to take away the decision making process at all.   People learn by mistakes, but then will they operate in the way we expect under pressure?   Will they know the difference between right and wrong or whether to conduct a vulnerability scan on a 10 Gigabit network segment without going gung-ho and then asking why things were breaking?  Or ensuring the correct authorisation is in place and the right parameters are set up before hitting the go button?

 

This needs some form of coaching, mentoring relationship to be created, to guide - or these new recruits could find themselves on the wrong side of the legislation, and not realising why?  Or the fact they find it more lucrative to move to the bad side, and make money on the Dark Web because they have the skill sets?

 

Let's focus on getting the new recruits, but at least ensuring they understand the ethics, and the level of trust required daily to conduct themselves in this business?

 

Regards

 

Caute_cautim

Chuxing
Community Champion

Well, my experience tells me that the better statement is: There is a shortage of competent security leadership, and there is a shortage of competent IT leadership that really recognizes the importance of security.

 

Once we solve these shortages, then we can actually say "there is a shortage of security professionals", or the shortage does not even exist ? 

 


____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
Caute_cautim
Community Champion

Perhaps there is another way to put this - all C level should be cyber security professionals, in order to run their businesses efficiently, effectively and keep them financially viable.  They are the key to understanding the level of Governance, Risk and Compliance that needs to be applied to maintain the health and welfare of their organisations.  They are ultimately responsible and can be struck off Directorship boards etc. 

 

Let's start at the top, rather than the bottom?

 

Regards

 

Caute_cautim


@Chuxing wrote:

Well, my experience tells me that the better statement is: There is a shortage of competent security leadership, and there is a shortage of competent IT leadership that really recognizes the importance of security.

 

Once we solve these shortages, then we can actually say "there is a shortage of security professionals", or the shortage does not even exist ? 

 


 

j_M007
Community Champion

The 'chicken-and-the-egg conundrum!'

emb021
Advocate I

Keep hearing there is a shortage, but I apply for positions that I don't get call backs on, and no one is making job offers to me.  Plus, I know of others struggling to find work while the "skill gap/shortage" is being pushed and people are being encouraged to take training, get certified, and get well paid jobs.

 

What I do see are jobs that have unrealistic requirements, that more fit someone with the skills/knowledge/experiences of 3 people.  Then you have recruiters and even hiring managers who don't seem to understand infosec, so reach out to people for jobs that aren't a good fit for them, or turn people away for silly reasons.

 

(ex: I spent time trying to explain to a recruiter that an information security manager is not the same as an information security project manager.  Sigh.)

 

I think it's more that the hiring process is broken, and no one seems interested in fixing it.

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Caute_cautim
Community Champion

I believe there is sufficient legislation to protect organisations, if only the C level acted responsibly, and acted accordingly?   But the courts can only move so far or react within certain time spans, once sufficient evidence is gathered to commit a case.  The Chicken evolved like man over time, probably from the same amebic bacteria or derivative, according to the universal chemical rule book.   However, often through many vices, cause mankind to evolve into all sorts of monsters, in the hope the less they do, will not affect their immediate chances of becoming famous possibly in the wrong way.

 

Regards

 

Caute_cautim

Caute_cautim
Community Champion

Perhaps the recruiter should be re-trained or we need to do due diligence to ensure the recruiter is in fact themselves credible?

 

Regards

 

Caute_cautim


@emb021 wrote:

Keep hearing there is a shortage, but I apply for positions that I don't get call backs on, and no one is making job offers to me.  Plus, I know of others struggling to find work while the "skill gap/shortage" is being pushed and people are being encouraged to take training, get certified, and get well paid jobs.

 

What I do see are jobs that have unrealistic requirements, that more fit someone with the skills/knowledge/experiences of 3 people.  Then you have recruiters and even hiring managers who don't seem to understand infosec, so reach out to people for jobs that aren't a good fit for them, or turn people away for silly reasons.

 

(ex: I spent time trying to explain to a recruiter that an information security manager is not the same as an information security project manager.  Sigh.)

 

I think it's more that the hiring process is broken, and no one seems interested in fixing it.


 

Chuxing
Community Champion

@emb021 what you experienced is again IMHO the lack of competent leadership who really doesn't understand what the security needs are, but instead, cut and paste a bunch of nonsense and load them on the poor recruiter / hiring manager.

 

@Caute_cautim  You are absolutely right on the CxOs roles. As a matter of fact, the latest COBIT and ITIL all have recognized this, and have started to incorporate best practices of security up to the executive / governance levels. It is no longer just a management / operation issue, and must be addressed at governance level.

 


____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
CISOScott
Community Champion


@j_M007 wrote:

The 'chicken-and-the-egg conundrum!'


Or is it the Cuckoo and the egg conundrum?

 

For the newbies go read The Cuckoo's Egg by Cliff Stoll.