Caute_cautim
Community Champion

There Is No Cyber Labor Shortage

Hi All

The title is disruptive; many will agree, or may actually disagree. What do you think?

 

The unfortunate truth is, if you're looking for an entry-level position in the cybersecurity field, there aren't many on-ramps. The wide-ranging security certification bodies and training organizations that dominate the industry have convinced many — maybe even most — cybersecurity leaders that "number of certifications" or "years of formal training" are the only metrics by which potential job candidates should be judged. What's more, the emergence of both undergraduate and graduate-level cybersecurity degrees has placed another arbitrary barrier between otherwise qualified individuals and the jobs they want. Don't have the right degree? Too many organizations will tell you not to bother applying.  

https://www.darkreading.com/cybersecurity-operations/there-is-no-cyber-labor-shortage

Regards

Caute_Cautim

14 Replies
Early_Adopter
Community Champion

Quite, in some senses I think that while there are vacancies there probably isn’t the budget to absorb all the aspirational hires, plus there are a lot of layoffs (from profitable companies getting ready for AI). Just look at good old MS closing game studios; they don’t really need to fire those developers, however they don’t need to keep them either. If there are folk coming out of Uni with computer science and security (or just pure security) then that becomes the entry level.
ericgeater
Community Champion

Why does cybersecurity also seem to get this type of side-eye scrutiny?  No one seems to complain so vociferously that there are too many technicians, network admins, or sysadmins.  And quite frankly, anyone who thinks that a cert or two earns a climb on the golden rope should not expect to be yanked to heaven.

If your employer has regulatory requirements or intellectual property, cybersecurity is de rigueur.  If you're a landscape company that bills through a SaaS package, nobody cares.  But in reality, they both require cybersecurity.  One of them just happens to benefit from having a greater awareness of threats, risk management, and good governance.

Who cares if there ain't any openings in the SOC?!  Good leadership from companies should encourage their employees to brush up on their cybersecurity acumen and buttress their disciplines.  The beauty of SSCP, CC, CEH and Security+ is that they show people a whole spectrum of things they'd probably never seen before.

And quite frankly, if your IT leadership isn't instructing people to turn due care and due diligence security disciplines into muscle memory for their staff, then they should also earn a cert or two.

-----------
A claim is as good as its veracity.
SarahC
Newcomer I

(Quotes from the article in italics)

Understandably, [recruiters] look for shorthand ways to help them narrow down candidates: Degrees, certifications, training, and other measurable factors obviously are attractive. They become de facto indicators of value, and their absence is treated as an indicator that a candidate is unqualified — or at least not a fit for a technical role.

The above quote echoes the debate in all of IT--do you need certs and/or degrees to break into the industry?  To move up?

Any security organization worth its salt should have a strong training program in place, and entry-level positions should be treated as just that. Candidates with the right traits and skills are qualified — whatever their résumé may say. Helping them make the most of those skills is up to the organization.

Would that all organizations prioritized training and professional development for staff.  I think the worry from the org's point of view is why spend money on developing an entry-level position if they're going to leave in 1-2 years.  If your company culture is vibrant enough, that shouldn't be a big worry.

By narrowing down candidate pools based on a small number of arbitrary qualifications, organizations and recruiters end up self-selecting candidates who are good at acquiring credentials and taking tests — neither of which necessarily correlate to long-term success in the cybersecurity field.

I'm one of those who is good at taking tests and acquiring credentials.  Since I don't have a degree in IT, my motivation for getting certs is twofold.  One is to fill the gaps in my knowledge since I've been mostly self-taught and I don't know what I don't know.  Two is the confidence boost--doing the work to study and pass the cert helps to dampen the imposter syndrome that creeps up.

Interesting article - thanks for posting it!

Caute_cautim
Community Champion

Hi All

Thanks for the updates and comments, very interesting.

Well, for myself, I started out without a degree in IT, but I was fortunate to land myself in a Government role, in which security was intrinsically part and parcel of doing the job, whether at home or overseas.   I then did an Open University degree to gain qualifications, as the job and role meant I could not study at a normal university, so it became a part-time journey of almost 8 years in total.

There are many openings; in my case I followed my passion for radio communications, which led me to where I am today, so I have no regrets at all.  Degrees are not necessary if you set your heart and mind to the career pathway you want.

However, I will state, having gone on to do an MSc degree, that being able to think in different ways, and to maintain motivation to keep self-learning and developing, is really key to maintaining a healthy respect as a security practitioner.   No matter what your background is, do not be deterred; we can all learn from our experiences and find openings, if you really want to, even overseas.

Regards

Caute_Cautim

JKWiniger
Community Champion

I guess I'm at the point where I need to start putting myself out there and seeing what help I can get. A lot of these stories talk about entry level, but I am far from it! I have been in IT for 30 years, had my CISSP for 22 years, my CCSP for 5, and a host of others I have gotten over the years. Some of these I have let expire but still list. I came to realize that I have to renew certifications every few years, but a degree I have forever. Don't get me wrong, I still study and keep my skill set up to date. For the past 15 years I have been running my own consulting business and have gotten tired of it and want to go back into a normal corporate job, and yes, I have worked in Fortune 500 companies in the past. What I have been finding is all I have been able to get is that generic rejection email! I have gotten to the point of realizing my resume was not optimized for the application tracking systems so many companies now use. I have been able to speak directly to one recruiter and was told how great my resume looks, but the problem is the employers are looking for people who have worked in their sector and have experience with the exact programs that they use! To me, it's like saying you drive a Chevy and we use Ford so it's not a match! Friends have said they have never seen a challenge I couldn't figure out!

So what advice does everyone have for what I am going through? A lot of these job descriptions can't even get it right with what they are looking for...

Thanks-
John-

Ps. My degrees are a BS in Networking and an MS in Information Security... so they are relevant...

Caute_cautim
Community Champion

@JKWiniger   My advice is to carefully research the position you want, and find out as much about the organisation as you can, including the use of good AI-assisted resources, where possible.  Look for the good and the bad, including their strategic annual and financial reports.   Ask around your colleagues and see what the word is on the ground, and validate it.   Are there any public reviews, or have the reviews been put together to provide a false background to other underlying issues?   Rather like "TripAdvisor".

Then carefully tailor your CV for the position you desire, which may also include reflecting back on any language they have used to cause you to submit an application.  You may also have to do some industry background research as well.

Regards

Caute_Cautim

Early_Adopter
Community Champion

For John - a friend of mine took over a year to find a new role - he’s working for a Japanese automaker in Yokohama now. I think there has certainly been a slowdown in acquisition of folk from the self-employed (he was consulting for a while). Target your application and I think you’ll get to where you want to go, though I do think there is a lot of planning around the nascent AI capabilities - expensive jobs that can be automated will be targeted by big companies. So maybe we all need to dogpile into AI rather than into cyber security? 😛

The less-is-more approach I think is better - so highly targeted and tailored is good. Also, every job I’ve had since 2007 has come through a personal network recommendation - as you’re wanting to switch from consulting to FTE I’d hit those networks up.

Sarah makes excellent points / for a lot of us who came into the industry it was very much a case of working in IT and moving across. Certifications/certificates were really good and could proxy for a degree; however, now the competition has degrees in security plus certification there’s a lot more to choose from, and like any good SOC, HR/hiring managers are filtering - unless a role is critical you’ll be happy to bodyshop with IBM etc. Sustained verifiable experience is still much better as an indicator of who can do something - and if you hire a company and use the person specification as a SOW then it’s easier, and they’re much more fungible as they don’t work for you.

The IT Certification industry also has a lot of responsibility here. Our own dear ISC2 marketed CC thusly:

“ See yourself in cybersecurity. You don’t need experience — just the passion and drive to enter a demanding and rewarding field, one that opens limitless opportunities worldwide.
As part of our commitment to help close the cybersecurity workforce gap and diversify those working in the field, ISC2 is offering FREE Certified in Cybersecurity (CC) Online Self-Paced Training and exams to one million people.”

So it moves its position and focuses on entry level, so it is less useful, and then there’s a storm of CC applicants / the HR filters tune out things - and ISCTwo with its rebrand might take a hit, as it’s now very associated with overweening optimism. Not bad in and of itself, but if the mill you work at/use is doing paper…*

“ I am part of the certification team at EC-Council. Based… ”

Wish I’d kept this LI friend request; it was talking about grandfathering into a new ‘CISO’ certification, and the chap thought I’d be a good fit even though I’ve never been a CISO nor would I have a desire to be one.

So the certificates that stand in as degrees and proxies for trust proliferate, but there really isn’t consensus among providers - so let’s push another cert out the door. Mechanically I’m not sure this can hold up - especially when I can give you a quiz, job task evaluation etc, and AI just makes that easier.

Why cybersecurity, in consideration of Eric’s question? Well, the flippant answer is the author of the article needs to sell IAM and he’s connecting with foot over a perceived issue in a way that’s memorable. However, in general I think historically cybersecurity was something you did for passion; it was cool (even if mind-numbingly repetitive sometimes - it rewarded persistence). It also started to attract decent remuneration as it was in some ways hard, and everyone wanted someone who could think around the problems as they talked - technical plus management/interpersonal - therefore you get a lot of takes.

*Aye lad/lass, forget t’ pit com’ dang ti’ te’ mill. ‘Appen ye can get lucky like in me Dae’…” bad phonetic Yorkshireisms…. Ary-up Aye-Ei is te tway t’ go nao so saddle up yet best Wendslydale Cheese-wooler and head for the last frontier t’fore ’‘tis to late!”

So no joking, I think learning AI is critical IAPP have a certificate out now and that and board understanding of modelling, governance of AI etc is the one thing that will differentiate people/candidates as it’s in all the employer strategy books.
JKWiniger
Community Champion

@Early_Adopter One of the problems is that many of the people with the CC lack the foundation to go with it. There is not much I can't figure out because I have a wide, strong foundation. I'm sure I'm not the only one who gets overwhelmed by these job descriptions where they want everything under the sun and then some. I knew one guy who got a new position and when he asked about one piece of software they told him, oh, we don't use that, we wanted to know more about it so we just added it to the requirements list. The range of software available to a company has become so massive it's just about impossible to know it all. I still laugh when I see ads that want SSL... umm, do you mean TLS?

Coming from a consulting background I'm used to being able to hit the ground running. Do companies give people a little time to ramp up on a few things you have not used or have not used in a while? It's like companies that list (Azure / AWS / GCP) in the description, well which one is it? I really have to laugh at a few companies I applied at and then a short time later they had a data breach! Is it so hard to do your updates, run, test, and secure your backups, and then use something like Azure PIM to detect malicious login attempts?

Speaking of Azure, I see so many postings that basically want people who know every Azure product out there and it just doesn't seem possible. It's like saying you want someone who knows all of Microsoft...

John-

Early_Adopter
Community Champion

Yes, many people want “purple squirrels” in their job specs, and this means you’ll never really get what you want - in fact it might not be a genuine role, or it’s going to an outsourcer.

The lack of foundation is a problem, but I don’t think it’s really CC’s fault so much as it’s a V1, narrow and ISC2 have had the first few waves “run onto the guns”. More demand generation would have been great up front - in fairness to ISC2 they’re doing that now with MOUs etc but it’s going to be slow.

Sorry there’s a lot of chaff on the jobsearch, though a successful attacker is nearly always persistent. 😉

Weird one for me, the company I work for only hires people with experience on the specific thing they want in decades - there is almost no entry level, and their philosophy is to get people that they don’t need to train. I have to say it does work for them - but it’s the first time I’ve seen this approach institution wide.