
Is There Really a Shortage of Information Security Workers? (medium.com)

What's behind a supposed shortage of cybersecurity workers? Last month cybersecurity professional Ben Rothke questioned whether a "shortage" even existed. Instead Rothke argued that human resources "needs to understand how to effectively hire information security professionals. Expecting an HR generalist to find information security specialists is a fruitless endeavor at best."

Rothke — a founding member of the Cloud Security Alliance — contacted Slashdot this week with "a follow-up piece" arguing there's another problem. "How can you know how many security jobs there are if there's no real statistical data available?" (Most articles on the topic cite the exact same two studies, which Rothke sees as "not statistically defendable.") Which raises the question — how many information security jobs are there? The short answer is that no one has a clue. The problem is that there is no statistically verifiable and empirically researched data on the number of current information security jobs and what the future holds. All data to date is based on surveys and extrapolations, which is a poor way to do meaningful statistical research... Based on LinkedIn job postings, veteran industry analyst Richard Stiennon found 15,849 job openings at 1,433 cybersecurity vendors. As to the millions of security jobs, he notes that the same could be extrapolated for office administrators. There are millions of companies, but it's not like they all will need full-time security people.

Helen Patton is a veteran information security professional and CISO at Cisco Security Business Group, and the author of Navigating the Cybersecurity Career Path. As to the security jobs crisis, she notes that there are plenty of talented and capable people looking for jobs, and feels there is, in fact, no crisis at all. Instead, she says part of the issue is hiring managers who don't truly stop to think about the skills required for a role, and how a candidate can demonstrate those skills. What they do is post jobs that ask for false proxies for experience — degrees, certifications, work experience — and as a consequence, they are looking for candidates that don't exist. She suggests that fixing the hiring process will go a lot further to close the skills gap than training a legion of new people.

Challenging this supposed glut of unfilled positions, Rothke also shares some recent stories from people who've recently looked for information security jobs. ("He tried to explain to the CIO that Agile was not an appropriate methodology for security projects unless they were primarily software-based. The CIO replied, 'oh the CIO at Chase would tell you differently.' Not realizing that most projects at the bank are software-based.") If you want to know how few information security jobs there really are — speak to people who have graduated from security bootcamps and master's degree programs, and they will tell you the challenges they are facing... That's not to say there are not lots of information security jobs. It's just that there are not the exaggerated and hyperbolic amounts that are reported.
  • Only Shortage (Score:5, Insightful)

    by Anonymous Coward on Monday December 04, 2023 @08:40AM (#64052687)

    The only shortage is the number of workers that want to work for garbage wages, especially when they're expected to be available 24/7.

    • Re:Only Shortage (Score:5, Informative)

      by benrothke ( 2577567 ) on Monday December 04, 2023 @09:38AM (#64052789)

      As detailed here, https://brothke.medium.com/the... [medium.com], many of the jobs go unfilled as firms are way too cheap to pay market rates for security pros.

• That seems a bit more in line with being an anecdote. Though it's also not that far below my own base rate. And I need to stress, base rate. The stock compensation wasn't (and still isn't) listed for the job I currently hold, and after that you're looking at more like double.

        I'm not saying you're wrong, (though my own experience greatly differs here) but there isn't enough information to draw conclusions.

        • Those examples seem to be indicative of the overall problem.
          Yes, they are anecdotal.
          But the plural of anecdote is indeed data.

          • Those examples seem to be indicative of the overall problem.

            Seem to be how? In what way? You've done nothing at all to show that. All you're doing here is speculating. I guarantee you that if I saw more of your "data" I could easily pick it apart, particularly given you've only provided 13 points. This may as well be a run of the mill "top 13" piece. (Only the first is visible on your page, by the way. And no, I don't want to become a member of that site -- it's mostly useless clickbait junk. Medium should only be considered a source of entertainment and nothing mor

      • There are actually too few "pros" to hire. Most of the "IA people", and I use that term loosely, I work with don't have a clue what they're doing.
    • Re:Only Shortage (Score:5, Insightful)

      by Opportunist ( 166417 ) on Monday December 04, 2023 @09:59AM (#64052843)

      There is a very pronounced shortage of people with 10 years of experience in a technology that only existed for 5 who want to work minimum wage in an all-in job.

      There always was, there is, and there always will be a shortage of these kinds of people. There is a very famous post from the inventor of a technology on Xitter [twitter.com], saying that he couldn't apply for the job offered since it required more experience with the technology he invented than even he can possibly have.

      That is the problem here. HR asking for things they know fuck all about.

    • by AmiMoJo ( 196126 )

      And who want to live within commuting distance of the office.

    • by Anonymous Coward

      I saw these same announcements in the early 1990s, 2000 and 2008. Often with some shadow cast at US workers about how overpriced and lazy they are. In 1992, it was that US workers don't die at their desk like Japanese workers. Then in 2000, it was how good Chinese workers were. 2008, it was all about India.

Now we are back to companies hiring... but only from Bangalore. Yes, there is a shortage of InfoSec people, but that is just in India. Meanwhile, in the US, a decent job at a CISSP tier has 500+ ap

      • There's no shortage of infosec people in India. Faking it is way, way easier in infosec than in, say, development or tech support, so you'll have no problem hiring for infosec in India.

        And they'll be just as productive and qualified as anyone else you hired there, so you won't even notice the difference.

    • +1
  • by Njovich ( 553857 ) on Monday December 04, 2023 @09:02AM (#64052717)

    There is a shortage of highly technical people that identify sophisticated issues in a code base or network setup. There is a limited amount of jobs and research positions there, but there is definitely space for more.

    'information security workers' that click some checkboxes, run Nessus, or check some patch statuses... companies generally will happily hire a monkey to do that. 99% of companies are willing to do only the bare minimum for quality/security and there is no shortage of monkeys to hire to click some buttons.

    • by mjwx ( 966435 )

      There is a shortage of highly technical people that identify sophisticated issues in a code base or network setup. There is a limited amount of jobs and research positions there, but there is definitely space for more.

      'information security workers' that click some checkboxes, run Nessus, or check some patch statuses... companies generally will happily hire a monkey to do that. 99% of companies are willing to do only the bare minimum for quality/security and there is no shortage of monkeys to hire to click some buttons.

      There isn't a shortage of people like that, people who just run scans and email reports... there is a shortage of people who know what those reports mean, what the implications are, what needs to be tackled first (and what can realistically be ignored/kept on the back burner) but more importantly, are also capable of rectifying those faults.

      • by sjames ( 1099 )

        That's the real issue. Many scanning tools will spit out a long list of false positives and things that may technically be a leak, but not of anything that isn't already publicly available with one or two real critical security flaws that must be patched NOW.

      • precisely
  • The number of cyber attacks that are causing major grief shows that companies are not getting it right. Clearly we need to ensure that attacks result in LARGE payouts to victims - and possibly a ban on dividends and buying back of shares - to make companies pay attention.

    • by ShanghaiBill ( 739463 ) on Monday December 04, 2023 @09:24AM (#64052759)

      Clearly we need to ensure that attacks result in LARGE payouts to victims - and possibly a ban on dividends and buying back of shares

      Most security failures are never reported.

      Harshly punishing the companies who do the right thing will mean even more will go unreported.

      • Depending on your business, not reporting a security incident may well end your business. Take SWIFT for example. If you have a major security breach and you don't report it, you'll wish you were Russia. Because there is a nonzero chance that Russia will eventually be allowed back onto the network.

• There is a big difference between what a law can do versus how it is really enforced. For example, Sarbanes Oxley never sent bad businesspeople to jail. Instead it was used to lock up a fisherman who went over their bag limit. With many laws, at most it results in a "don't do that again", and a slap on the wrist. For example, how long has it been since the articles of incorporation of a company were yanked as punishment?

          The only real exception to this are MPA regs. Some contractor slips up while a film is in produ

          • The difference is that this is not enforced by some government but by some organization. In other words, they just tell you to fuck off if they don't like you and they don't give a damn about whether that is bad for some economy.

            • Ironically, that is the only way things get enforced. Government doesn't really care... stuff can be appealed forever. However, if there is fear that someone can be denied a seat at the feeding trough... people will toe that line. MPA regs, but to a lesser extent, PCI-DSS. Even SWIFT comes to mind.

    • Once again, I call for software vendors to be liable for products they sell (license) that contain faults and vulnerabilities. Make the vendors pay, and they will start taking software quality much more seriously. And that starts with the behemoth in Redmond...

      An appropriate law would contain limits on liability, i.e. the conditions under which the vendor would not be liable, as well as the conditions where the vendor would be liable. And the precedent I cite for this is engineering professional liabilit

      • Once again, I call for software vendors to be liable for products they sell....

        And once again, it's a phenomenally bad idea. Both Spectre and Meltdown are great examples of hardware problems that would have put all but the largest software vendor out of business.

        "But that's not a software problem!", I hear you scream. And the obvious response is, "It doesn't matter to the lawyers."

        And then there are the CPU management engines that software can't see. A CPU vendor can make a mistake in the software, and people will blame the software vendor downstream.

        "But that's not a software problem

      • by sjames ( 1099 )

        A note on the bridge thing. Who has a bridge built and then may install multiple copies of it anywhere in the world, possibly shimming the ends if it's just a bit too short? In the arctic or the desert, on bedrock, mud, sand, whatever happens to be under the water? What PE would sign off on that?

        If you want to pay buckets of cash to have a single application installed on a single PC where the USB ports are removed and the monitor, keyboard, and mouse are permanently attached, your suggestion is the way to g

      • This can have two edges. What likely will happen is that the law will be worded to be an effective barrier against open source software, while commercial vendors have a large enough legal team that nothing changes on their end, but can delay, stall, and appeal cases to SCOTUS (who likely will find the law enforcement body unconstitutional). Back when SOX came out after Enron, many consultants used the law to jackhammer Linux installs out of companies, so they can get Windows machines in, saying Linux wasn

    • by DarkOx ( 621550 ) on Monday December 04, 2023 @11:34AM (#64053127) Journal

      The number of cyber attacks that are causing major grief shows that companies are not getting it right.

I have been in infosec for a long time, almost as long as it's been its own thing really.

Companies absolutely get it. The consequences associated with "see no evil, hear no evil" as a strategy are generally smaller than the combined cost of proactively detecting, let alone actually fixing, non-trivial security problems that exist in deeply rooted infrastructure and business processes.

Once in a while, for a very small number of firms, this calculation proves to be incorrect, but generally speaking, independent of whether anyone wants to admit it out loud or not, the strategy is:

1) Do some basic penetration and application security tests
2) Fix the straightforward problems so you don't get caught with your drawers around your ankles and sued or really given a black eye
3) Take what you get from (2) and make darn sure you craft the rules of engagement and talent selection for future (2) activities in a way that will not result in harder questions ever being asked - this way you show 'improvement'
4) Buy the right insurance, control underwriting outcomes with (3)
5) Lawyer up - keeping unknown threat actors out of a complex and evolving information systems landscape is uncertain both in terms of costs and outcomes. Isolating yourself from costs and culpability and/or recovering damages in court is also costly and uncertain; however, other than a moderate retainer to keep the right hotshot firms 'available' if you need them, you spend the money on the back side IF something happens rather than on the front side trying to stop something.

The whole infosec situation is understandable if you first recognize that the "an ounce of prevention is worth a pound of cure" that applies to daily life is inverted. Outside a few spectacular cases you can name, for the most part Target, Home Depot, TJX, CapitalOne, Equifax... long term did not suffer for their 'limited' approaches to security. Heck, even security-adjacent companies like Okta, who you might think, if you are not familiar with how enterprise IT happens, would suffer serious consequences in the market for security failures, don't feel it for too long. Put another way: "once you clear the threshold of jaw-dropping negligence, better IT security has negative ROI".

If you made some of the policy changes you suggest, well, I don't know exactly what would happen, but you have to realize that after a certain bar 'defensive' investments are always of negative value. A better homeowner's policy will just cost you more; after a certain point you achieve a large enough umbrella of coverage and low enough deductible that more does not make sense. We could say the same thing about Patriot missile batteries. Whoever here is upset is just upset about where the risk/cost/probabilities currently intersect on the chart. We can move them with policy, sure, but you can't say "companies don't get it", because they absolutely do.

      • Same here. 20 years of infosec, malware hunting, security management, risk management... and let's be honest, things did get better. Back when I started, security was the scaredy-cat that sees the big evil lurk behind every corner and you were working on a shoestring budget that you mostly nicked from other departments in exchange for ... I don't want to talk about that.

        Don't judge me, the field was young and I needed the budget.

        The problem is that even with the improvement, with most companies the main rea

      • I have been in InfoSec as well, and I would say that in some respects, things have gotten better. With Flash and third party browser addons kicked to the curb, we are seeing fewer browser-based holes and attacks done via malvertising. A lot of attacks have been mitigated by SSL/TLS everywhere, as well as 2FA.

        However, the landscape is changing. Some areas, we have won the war. However, other places, the battle has changed from browser stuff to supply chain attacks and looking for stuff an unwary develope

    • We need to make C-Levels personally responsible for these blunders. Wanna bet security budgets explode by magnitudes as soon as these fuckers feel the pinch in their own wallet?

  • Hire me (Score:5, Interesting)

    by rabbirta ( 10188987 ) on Monday December 04, 2023 @09:11AM (#64052739) Homepage
    I'm an unemployed information security worker.

    It's really hard finding a job because people are still looking for college degrees and experience at big names like Google, but some of us just got into IT at a young age and never stopped working.

    I never really felt like I had time to pursue a degree alongside work, and even when I did it seemed like experience was held in equal regard.
    I had no problem getting an interview 2 years ago, my LinkedIn inbox was full of recruiters reaching out.

    Now it's dead.
    Supposedly the market is flooded with IT professionals, but I think in reality people are just using cloud services instead of running things in-house.
    The last place I worked had 20+ devs and no sysadmins - who needs them right?? Granted, they had weekly outages, but I think this is where the future is heading.

    After 10 years of IT as a sysadmin, developer, devops, yesterday I went into an interview at Petland.
    • Re:Hire me (Score:5, Informative)

      by FictionPimp ( 712802 ) on Monday December 04, 2023 @09:24AM (#64052757) Homepage

      This is why I went to college in my 30s. I saw the gatekeeping of a degree. I have no shortage of recruiters hitting me up. I suggest considering going to school. There are cheap online schools like WGU where you can test out of 90% of the classes and pay a flat rate no matter how many courses you can complete in a semester.

      No one cares where you went to school, you need the degree to get past the robots.

      • Even with a degree, what really matters are certificates, and the Holy Grail of things... the security clearance. Pretty much you will be told to pound sand for any SRE-tier position if you don't have a RHCA, CCIE, or CISSP. Just six months ago, experience is what mattered, now, the only thing that matters to employers is the alphabet soup by your name, and even a degree doesn't really matter, compared to the shiny, glittery ribbons.

        Right now, next to personal contacts, certs are what get you in the door.

        • This guy nailed it.

          We're buried pretty deep in the comments so we won't be fixing the world's problems here, but:

          1. Certs
          2. College Degree
          3. Security Clearance

          ... all seem like must haves if you want to get a really good tech job.
          The problem is these things all cost money, sometimes a lot of money.

          Some people will have private tutors and nice colleges, and others don't and will have to work harder because of it.
    • Remember that if you stay out of the job loop for more than 2 years (such as, you take that job at petco) you are now completely "Unhirable" because you are "Not qualified."

Since, you know, you might have forgotten how to divide up a subnet, how to minimize attack surface, how to look at a stack trace, set up a structured regression test, or how to analyze a packet capture.

      Just totally forgot. Your brain cannot possibly retain that knowledge after 2 years! /s

      You worked at petco for two whole years! Clearly th

    • I can't tell much without looking at your resume, but as a hiring manager who has hired a dozen programmers in the last year, I can tell you that the market is indeed very challenging for businesses. We pay good salaries, but still sometimes loose good candidates because they have multiple offers on the table.

      If you are struggling to find work, and you are indeed skilled at information security, I'd suggest that you might need to change your approach. Have you gone through a recruiter or five? Is your salar

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        We pay good salaries, but still sometimes loose good candidates because they have multiple offers on the table.

        How do you loose them? Spray WD-40 on their armpits?

    • Re: (Score:2, Interesting)

      by drinkypoo ( 153816 )

      After 10 years of IT as a sysadmin, developer, devops, yesterday I went into an interview at Petland.

      You're aging, it happens to all of us but HR departments don't want to hire people with their own ideas. They want people who will faithfully execute the bad ideas of management and then take the fall when they don't work out, because security (or quality, etc etc) is not the goal. The goal is to appease shareholders.

      The root problem is that shareholders are separated from responsibility for what they are funding. That's literally the whole point of public companies, so that bad people (defined in this case

      • Accept it. You're paid to do shit you wouldn't do yourself.

        Recipe for a happy life, take the money and run.

        Detachment is the best. Why care?

        • Accept it. You're paid to do shit you wouldn't do yourself.

          Yeah, they call that a "job". If you get near a point, make it.

          Detachment is the best. Why care?

          Because people like you not caring is how we got here to shitsville in the first place.

          • by HBI ( 10338492 )

            Mhmm. I'm sure my lack of caring is the reason why shit goes wrong.

            Wouldn't have anything to do with the futility of tilting at windmills and the overall lack of enlightened self-interest across society. So be a whore. People aren't going to change.

    • Got to start prepping and looking for SRE jobs. That's basically what you do, but more modern buzzword compliant. You'll be amazed how much better luck you have when looking with the latest buzzwords. Plenty of companies don't give a shit about lack of degree when looking at experienced candidates.

• A degree isn't really vital for an IT job. And really any degree will help a small amount. Philosophy, English, whatever. But human resources and hiring managers are risk averse, and if they only hire people with impressive degrees then when things don't work out they can avoid most of the blame. It's a sad little metagame that offers no benefit to the business.

    • Can you work in the EU?

      • Yes, I can get a work visa if I have an employment contract residing in the Schengen territory
        • And you can't get a job as a security pro? I get at least a call a day from some company trying desperately to hire security personnel, what did you do, sell some missile plans to North Korea?

    • I've seen that myself. I'm just glad I had a contact that got me somewhere stable. This is why one should never burn bridges.

      The tech job market right now is a bloodbath. Nobody will be hiring until at least January, and no significant hiring will be done until likely 2025 after all the fervor of the election year insanity subsides. Of course, people will say that "Oh, the job market is at 3% unemployment. Liar!" BS. Just look at any job site and look at the hundreds to thousands of jobs for L1 contr

  • by Eunomion ( 8640039 ) on Monday December 04, 2023 @09:51AM (#64052815)
    In a free market, higher demand results in higher prices until the situation stabilizes. I.e., they offer more money until they fill the position. If they refuse to offer more money, then by definition there is no greater demand and therefore no shortage.

    What they're really saying is that workers are refusing to accept positions at the salary they're being offered, and companies have so much power they would rather just not hire than pay more. They then lie and say there's a "shortage" as a way to get politicians to authorize more H-1Bs or give them subsidies.
    • ... they offer more money ...

Just as there's a limit to the number of goods a factory can make, there's a limit to how much a business can charge for its services. An increase in price usually means a drop in demand (elastic). That means wages can't increase as supply decreases (inelastic). Technically this is a choice: The employer can control its employees and thus refuse to respond to the changing market. The consequence is, hyper-inflation is avoided and employees leave the now-underpaid job.

      • The key point there is that it's a choice, at least on the part of the employer. A shortage by definition is when prices are below market equilibrium and prevented from rising for some reason, resulting in a demanded quantity being greater than supply can provide at the price point. If the power of the buyer is responsible for prices being inefficiently low, they aren't experiencing a shortage, they're just not willing to pay for what they claim to want. That's just monopsonism or whatever.
  • This has been discussed _really_ long enough and only the ignorant deny it. It is not on all levels though.

    Here is a good summary:
    https://www.schneier.com/blog/... [schneier.com]

  • There's really no point unless the job reports to the CEO, CSO, or the Board or is directly subsidiary.

    A job like this that reports to middle management under a CIO is 99% a scapegoat job so that when they ignore your advice they have someone to fire.

    Security cuts across domains. Who cares about FDE when your door locks are a joke and your janitors are paid illegal wages? The guy running a database doesn't negotiate with insurance companies. Etc.

    A company with everything to lose has everything to gain.

    Ap

• Walking through scan reports, firewall rules, endpoint protection, rule change and audit are all stuff for people with either an automation bent or a data science bent. That most enterprises are short in application ownership and definitions in the CMDB is where the projects explode. I have found more than a few positions listed for security engineers that end up being people riding ticket queues and massaging tickets into actionable rulesets. And there is a push to onshore most of the work called secur
• What do they even do? Where I work they only seem to forward CVE emails and send out poorly made departmental IT review questionnaires to cover their lazy and useless butts. The whole field is like if uncertified lawyers made babies with government bureaucrats!
    • by MTEK ( 2826397 )

Oh, that's harmless -- other than wasting your time. My issue is with the incompetent check-the-box types who make untested configuration changes to security software and firewalls without knowing the effects on a production system. Over the past 10 yrs, their actions (not an adversary) have been the cause of every single Denial of Service.

  • In the past few years, I've noticed a huge uptick in the proportion of applicants for virtually any type of IT position who now have some sort of certification or minor in cybersecurity on their resume, regardless of the nature of the position. This suggests whole cohorts of recent graduates have been told that cybersecurity is the "next big thing" and that they must get these certifications/minors to get a leg up on the job market, whether or not cybersecurity is actually their targeted profession. I would
  • Is this a typo???

    Helen Patton is a veteran information security professional and CISO at Cisco Security Business Group ... she says part of the issue is hiring managers who ... post jobs that ask for false proxies for experience — degrees, certifications, work experience

    What else can a candidate have but degrees, certifications and work experience?

    • by gweihir ( 88907 )

Obedience, aversion to "rocking the boat", works for peanuts. Those are things that come to mind. Unless and until we start to hold CEOs and board members personally accountable for major IT security incidents, they will not take things seriously.

      I think this "false proxies" statement is a lie of the 2nd order, i.e. trying to legitimize a lie.

    • Good catch. ‘Work experience’ should be edited out.
      I updated the article.

  • There isn't a shortage of IT workers (or ISec in this case). There's a shortage of IT workers that people want to hire, at the price they wish to pay them. Difference.

    While I'm not directly in the field, I think my story is aligned enough to be on topic. After decades as a developer, back in 2012 I began to craft my escape route. By then I already knew the future was grim for my field. The pressures of offshoring and outsourcing put a definite end date on my immediate career. And since I had no degree, it w

  • I've been doing Security since the early 90s. I've worked on satellites, banks, DoD C&C, 20 years at Google, and 3 years doing AI work.

    A strong security leader can review 100 resumes by giving each one just 30 seconds of review, and tell you with close to 95% certainty which ones will be qualified and which ones are a waste of time interviewing. Let me assure you, there are a huge number of security positions that cannot be filled by qualified individuals. Let me also assure you there are millions of

  • They're constantly claiming there's a shortage of I.T. professionals in pretty much any area you can think of (except maybe entry-level help desk).

    The reality is, there's a shortage of people willing to apply for (or stay at) the jobs where your knowledge and hard work isn't sufficiently rewarded.

    One of my best friends works in cybersecurity and he's changed jobs at least 4 times in the last few years. At least twice, it was because of management making ridiculous demands and holding him responsible for eit

  • I was laid off back in October as a Lead Security Engineer. I spent 5 years at this place, promoted twice and never had any negative review. Just one day my boss tells me that my services are no longer needed. Since then, I've applied to at least 30 places, spent more than 40 hours interviewing and still don't have a job. I did a lot of things at my last job, managed our pci and soc compliance, wrote policy | guidelines | standards, managed the vulnerability program, automated security incident handling, ma

  • ... think about the skills required for a role ...

    HR people get the job role description (which should already have future-proofing), then seem to think "what else can we demand for this salary": It's like they copy-n-paste crap from other job-vacancy listings. Then, every HR is demanding 3-7 years experience for this year's software. Of course, no-one has the experience and no-one wants to work for HR's inflated ego at a lower salary.

    ... than training a legion of new people.

    Meaning: Businesses no longer organize the workplace so employees stay and training is no longer in-house. Universitie

  • Give me an engineer with a solid understanding of computer science over a room of IT sec professionals any day.

    A computer scientist can easily learn security and specialize in it. IT sec professionals are rarely more computer savvy than people wearing blue shirts calling themselves geeks
  • If highly-developed, richest-country-in-the-world with 332 million people doesn't have enough experts, or rather can't pay enough to make people become said experts, who the f can.
