Best bet for commodity futures? Buy security professionals. Apparently there is a worldwide shortage.
Yeah, right. As I have noted elsewhere, and frequently, there's been a shortage my whole career. I ain't rich yet. There's a bit of a disconnect.
OK, so first off, recently, there was Trump's "executive order," which, as I noted, is mostly about getting staff for (relatively low paying) government jobs, and probably isn't going to change much of anything.
Now, in Canada, another group has been formed "to craft a plan for cyber security education and workforce development." Yeah, good luck with that.
Returning to the US, the Marines are asking for civilian volunteers to make up a new computer task force cyber security unit. According to the General responsible, "If anybody wants to join, you can sign up." (Sounds a bit desperate, if you ask me ...)
A lot of us have been through the mill. Yes, we were once young, impressionable people, put into secure rooms, or indoctrinated with some form of military security regime or discipline. Given the current shortage, the key thing really is ensuring the correct ethics and skills, and how to use them appropriately, can be applied - this takes time. Yes, I have seen situations whereby people with an aptitude have been made security analysts on the front desk - but they have been assisted with Augmented Intelligence and Machine Learning, to help them analyse new situations quickly and to make recommendations - but not to take away the decision-making process at all. People learn by mistakes, but will they operate in the way we expect under pressure? Will they know the difference between right and wrong, or whether to conduct a vulnerability scan on a 10 Gigabit network segment without going gung-ho and then asking why things were breaking? Or ensure the correct authorisation is in place and the right parameters are set up before hitting the go button?
This needs some form of coaching or mentoring relationship to be created, to guide them - or these new recruits could find themselves on the wrong side of the legislation, and not realise why. Or they may find it more lucrative to move to the bad side, and make money on the Dark Web because they have the skill sets.
Let's focus on getting the new recruits, but at least ensure they understand the ethics, and the level of trust required daily to conduct themselves in this business.
Regards
Caute_cautim
Well, my experience tells me that the better statement is: There is a shortage of competent security leadership, and there is a shortage of competent IT leadership that really recognizes the importance of security.
Once we solve these shortages, then we can actually say "there is a shortage of security professionals", or the shortage does not even exist?
Perhaps there is another way to put this - all C-level executives should be cyber security professionals, in order to run their businesses efficiently and effectively and keep them financially viable. They are the key to understanding the level of Governance, Risk and Compliance that needs to be applied to maintain the health and welfare of their organisations. They are ultimately responsible and can be struck off directorship boards etc.
Let's start at the top, rather than the bottom?
Regards
Caute_cautim
@Chuxing wrote:Well, my experience tells me that the better statement is: There is a shortage of competent security leadership, and there is a shortage of competent IT leadership that really recognizes the importance of security.
Once we solve these shortages, then we can actually say "there is a shortage of security professionals", or the shortage does not even exist?
The 'chicken-and-the-egg conundrum!'
Keep hearing there is a shortage, but I apply for positions that I don't get call backs on, and no one is making job offers to me. Plus, I know of others struggling to find work while the "skill gap/shortage" is being pushed and people are being encouraged to take training, get certified, and get well paid jobs.
What I do see are jobs that have unrealistic requirements, that more fit someone with the skills/knowledge/experiences of 3 people. Then you have recruiters and even hiring managers who don't seem to understand infosec, so reach out to people for jobs that aren't a good fit for them, or turn people away for silly reasons.
(ex: I spent time trying to explain to a recruiter that an information security manager is not the same as an information security project manager. Sigh.)
I think it's more that the hiring process is broken, and no one seems interested in fixing it.
I believe there is sufficient legislation to protect organisations, if only the C-level acted responsibly, and acted accordingly? But the courts can only move so far, or react within certain time spans, once sufficient evidence is gathered to commit a case. The chicken evolved like man over time, probably from the same amebic bacteria or derivative, according to the universal chemical rule book. However, many vices often cause mankind to evolve into all sorts of monsters, in the hope that the less they do, the less it will affect their immediate chances of becoming famous, possibly in the wrong way.
Regards
Caute_cautim
Perhaps the recruiter should be retrained, or we need to do due diligence to ensure the recruiter is in fact themselves credible?
Regards
Caute_cautim
@emb021 wrote:Keep hearing there is a shortage, but I apply for positions that I don't get call backs on, and no one is making job offers to me. Plus, I know of others struggling to find work while the "skill gap/shortage" is being pushed and people are being encouraged to take training, get certified, and get well paid jobs.
What I do see are jobs that have unrealistic requirements, that more fit someone with the skills/knowledge/experiences of 3 people. Then you have recruiters and even hiring managers who don't seem to understand infosec, so reach out to people for jobs that aren't a good fit for them, or turn people away for silly reasons.
(ex: I spent time trying to explain to a recruiter that an information security manager is not the same as an information security project manager. Sigh.)
I think it's more that the hiring process is broken, and no one seems interested in fixing it.
@emb021 what you experienced is again, IMHO, the lack of competent leadership that really doesn't understand what the security needs are, but instead cuts and pastes a bunch of nonsense and loads it on the poor recruiter / hiring manager.
@Caute_cautim You are absolutely right on the CxO roles. As a matter of fact, the latest COBIT and ITIL have all recognized this, and have started to incorporate security best practices up to the executive / governance levels. It is no longer just a management / operational issue, and must be addressed at the governance level.
@j_M007 wrote:The 'chicken-and-the-egg conundrum!'
Or is it the Cuckoo and the egg conundrum?
For the newbies, go read The Cuckoo's Egg by Cliff Stoll.