Is the shortage perhaps because all the job postings require a CISSP? I'm an architect and a coder. If I spend any time at all getting certs, they will be cloud-related.
Meh, I got a CISSP a few years ago to help pass HR filters. Nobody cared I had it and I found no value in being an ISC2 member, so I let it lapse.
It is listed as a requirement (or similar) on a lot of info sec jobs, but as far as I can tell it's like a lot of other job spec items; nice to have but not required.
Maybe there are companies who insist on it, but I'm not sure I would want to work for anyone that had such a rigid idea of its value. Could always get it again if I really needed to, only took me 2 weeks of study to pass originally. Possibly it has more value for more junior people.
I ran into the same thing more than a decade ago. The problem for me was that I was looking at software jobs, not security jobs. In hindsight that was a colossal mistake. I should have focused only on security and taught myself advanced programming on personal projects.
I am being pushed to get one and I dont see how it helps other our director selling the fact we have one more CISSP on the team. The certification and education bit of infosec is wildly profitable with good marketing to boot. I wonder if that is the driving force behind ISC2’s popularity.
I didn't even realise there was such a thing as a devsecops engineer! I thought the point of DevSecOps was to integrate security into DevOps, but not necessarily in the form of one person who does it all. Not surprised there isn't time to be able to handle the entire thing.
Having said that, I've never worked anywhere that actually did it, or even claimed to, so I'm speaking from a position of ignorance...
As the article points out, there is a real shortage of good people with technical security skills, not so much managers.
I've always been an architect who can code, and I haven't had any problems getting work. Everywhere I've worked has had problems finding technically skilled security people. As I move towards more management roles I am feeling a bit more insecure...
Schneier is on the money again and it's painfully true.
Elsewhere I've said why cybersecurity is a losing battle and a
significant part of the problem is the educational and HR side of
things [0].
There's a motivation and engagement problem. Generally, people have no
idea what cybersecurity is. It scares them, and they either don't
want to talk about it or will let any random "expert" assuage or
distract them. That's made fertile ground for a flourishing
certificate and compliance racket of clueless gatekeepers who only
make things worse, because the field is so deep and dynamic this stuff
is ossified before the ink is dry.
I also see that it's an entirely reactive affair. People and companies
will spend zero attention and money on cybersecurity until they get
hacked, then run around spending their fortune like there's no
tomorrow of stupid things. This attracts opportunists who are often
as bad as the ransom-ware gangs that preyed on them in the first place.
Unpleasant as it is to say, it's the fault of the companies who do not
value the deep and hard won knowledge of those who could help
them... a cohort who are growing older and giving up caring.
And frankly, universities are fucked, to put it as politely as I
can. At least in Britain, nobody who can do this stuff wants to be
within a clear country mile of these crumbling institutions with their
awful pay and working conditions and total lack of vision.
Elsewhere we have military and intelligence groups playing at 1980s
"cyberwars", completely missing that the real war is going on within
our culture.
So what we're left with is a technologically over-extended society
that cannot meet the maintenance needs of its structure.
As educators, sadly we might set many young people up for failure and
struggle since the expectations and demands of "the industry" don't
match what they can deliver. Consequently the high churn leads to even
more disaffection and panic in the industry.
Worse still is the fate of women in cybersecurity. Again and again
I've seen equally qualified candidates go into a firm on the same pay
grade, the guy gets out on "pen-testing" and the woman gets put on
front line support (read: stress and abuse hell). The women are almost
universally demeaned and given "agreeable" public facing work, while
the men are streamed into "technical" roles. The tragedy is, it's
usually the females who seem to understand the higher-level strategic
and operational wisdom that is so desperately missing.
My only disagreement is with the culture aspect and treatment of women. I'm just not seeing what you're describing. Our industry is so starved for talent that anyone who shows interest and competence is immediately welcomed and allowed to choose the path that most interests them.
Not to say bad apples don't exist, but they're the exception, not the rule.
I didn't see it myself until I got much more interested in the
outcomes and employment journeys of students. And I can only attest to
the microcosm of reality I see with my own limited eyes.
For what it's worth, 10 years ago I wouldn't have seen gender
disparity because we simply wouldn't have had those women on the
programme in the first place - so progress of course, but in small
steps.
I suppose it's also amplified by being in an area where we're so
desperate to grow good people that it feels galling and frustrating to
see anyone left by the wayside in such times. Maybe I am not
noticing the young lads who are similarly sidelined, but are less
vocal.
Nit: it's not a jobs shortage, it's a talent shortage.
And as soon as you mention cyber security, there will be confusion over whether you're referring to front line SoC analysts, application security engineers, malware analysts, threat hunting, DFIR specialists, vulnerability researchers, security architects, etc. The skills, knowledge and barrier to entry are wildly different among various sub-domains.
The nature of skilled cyber security is that it requires a deep understanding of computer architecture and programming as a prerequisite. If you don't understand how computers work at a fairly low level, you're going to have a tough time truly understanding security enough to contribute.
There's also a huge industry around certification and compliance that adds almost no value. I've never known any experienced security professional who places any value in CISSP, CEH, etc. (In fact they're often a negative indicator of competence). They're the security equivalent of a 6-week coding bootcamp. Mostly just a cash grab.
Coincidentally, all the best security minds I know are mostly self taught when it comes to the security aspect, having pivoted into it from a dev background. The types of people who spend their free time reverse engineering anything they can get their hands on or practicing CTFs.
> There's also a huge industry around certification and compliance that adds almost no value. I've never known any experienced security professional who places any value in CISSP, CEH, etc. (In fact they're often a negative indicator of competence). They're the security equivalent of a 6-week coding bootcamp. Mostly just a cash grab.
Preach. The number of times I have had to explain basic computer to a cissp is larger than I’d like to admit.
> I've never known any experienced security professional who places any value in CISSP, CEH, etc. (In fact they're often a negative indicator of competence)
You're tempting me to go on a very long rant about your comment right there. Those two certs are horrible but here are plenty of difficult certs with practical exams like offensive security certs and even SANS these days but damn shame on you if you use someone's certs as a negative indicator or an indicator of anything other than they or their employer paying a large sum of money to validate some knowledge or skill.
> Coincidentally, all the best security minds I know are mostly self taught when it comes to the security aspect, having pivoted into it from a dev background. The types of people who spend their free time reverse engineering anything they can get their hands on or practicing CTFs.
Right, and you will accept github accounts and HTB accounts on a resume? How many company's HR will let you? How do you know people aren't buying those accounts to get a job? (Certs are proctored).
You can teach yourself a lot of things, I did. But there was a crapton of stuff I had to learn responding to incidents and trying to solve real world problems that you just can't learn sitting at home. I don't disagree with what you said about being self taught, but that only means they are motivated and have potential. Certs and experience is how you prove that potential enough to get an interview, it is the manager's job to grill them and make sure their cert isn't b.s. after that.
I have seen talented people with or without degrees and/or certs and with varying backgrounds from school teachers and geologists to masters degrees.
It's rare to have more than 100 applications for security jobs. So my take is that security managers themselves need to learn security well or hire people whose opinion they can rely on. And then use certs and experience to priorize the stack, do phone interviews and practical online tests to filter out applicants and do an extensive in person (or over zoom) technical interview to hire the right talent.
If I may add another perspective, the culture in the US is particilarly horrible. In certain other countries, they have tons of talented hackers who get paid shit (well, at least not as good as the US).
I would love to get into the field, but sadly around here even with MS putting in a new data center just 20 minutes away from me, there is a lack of job postings for one, and two; when there are job postings the "required" skills necessary to even garner a glance are absolutely outrageous. They basically want an entry level with a master's degree. So I agree 100 percent with this article, lower the bar or spots wont be filled.
I have 25 years of experience in security, encompassing both product and I.T. security in technically focused IC roles.
I find it incredibly unrewarding.
On the front lines, most situations tend to be adversarial or highly stressful. This is the case even when your primary intention is to provide teams with the time and resources they need to address problems effectively - it can be an exhausting process to establish trust and camaraderie with your non-security peers given preconceptions about security in many organizations.
Engaging with the business and executive levels is even more challenging. I often wish that all managers were mandated to earn a CISSP. And while I respect the role of the CFO, as they ultimately shoulder all the risk, I just wish CPA’s would stay away from CISO positions, they’re not helping.
My experience is similar. I got drawn into the I. T. security field in the early 1990s Internet era due to my technical background and experience. It was fun and rewarding at first. But by the late 2000s the huge burden of responsibility, general business hostility towards security, expensive credentialisation, a lack of corresponding compensation, and limited career options, led me stop doing it. Programming is still fun and way less stressful.
There’s lots of people who can recite owasp but few people who can actually engineer and show leadership and do mentoring to make a more secure product and service.
I'm a fairly new computer science graduate and it has been hard to find a cyber security job that doesn't require a clearance. I've done a bunch of ctfs and reverse engineering, but I just don't see many roles out there that are meant to train people like me that will give me an interview. So it's being a programmer for me until that changes.
Have you thought about joining the National Guard in a cyber or intel capacity to get the clearance? Outside boot camp, tech school, and deployments you'd be able to work in the private sector simultaneously.
I generally would not do cleared jobs out of ethical concerns. I'm more lamenting that a clearance makes it easy to break into security but otherwise it's not clear how to.
I have been in infosec longer than my HN account and I am a technical person, and that's all I ever want to do.
There are companies actually and seriously concerned about gettinf hacked, there are companies that are concerned about getting sued when they get hacked (not much care about it otherwise) and then you have the in-betweens where upper management and the board do give a damn but middle management politics gets in the way, security is driven by managers who want to buy products and vendors and then go cheap on talent and whine about talent shortage.
When it comes to hiring talent, actual skills to my surprise are of little consequence. Even managers that know better just fill seats with bodies and they wonder why when they do get the rare talent, that environment where skills/talent isn't rewarded can't retain skilled people.
Another problem is security managers often moved over from IT or they haven't done anything technical in recent decades. They think it's like hiring help desk or network admins.
And don't get me started on the "return to office" bullshit. It wouldn't be so bad if that didn't imply return of office politics. People skilled in inter-personal politics (read: brown-nosing) get ahead and fester a culture hostile to technically passionate people. Best I can put it is, imagine wanting an HN experience but you get an instagram experience but in real life.
At my work I have found talented people and referred them but the whole anti-remote work stuff gets in the way. My self included, I will work for as little as half my current pay, if not less, to be allowed to work remotely full time.
As far as actual talent shortage, I would say there is more of a pay shortage. Plenty of people who can fill a seat but actual hackers are rare.
Most HNers who are into SWE, with a sprinkle of networking knowledge and enough humility to do entry level security work would make a killing in security (which has many sub-fields) in my opinion.
Too comment starts by saying it's a talent shortage. A management talent shortage? Sure. But for skilled workers it is a pay shortage, not that I personally have any complaints but managers prefer getting 10 untalented people over 2, as if it adds up.
23 comments
[ 2.1 ms ] story [ 69.6 ms ] threadIt is listed as a requirement (or similar) on a lot of info sec jobs, but as far as I can tell it's like a lot of other job spec items; nice to have but not required.
Maybe there are companies who insist on it, but I'm not sure I would want to work for anyone that had such a rigid idea of its value. Could always get it again if I really needed to, only took me 2 weeks of study to pass originally. Possibly it has more value for more junior people.
Having said that, I've never worked anywhere that actually did it, or even claimed to, so I'm speaking from a position of ignorance...
I've always been an architect who can code, and I haven't had any problems getting work. Everywhere I've worked has had problems finding technically skilled security people. As I move towards more management roles I am feeling a bit more insecure...
Elsewhere I've said why cybersecurity is a losing battle and a significant part of the problem is the educational and HR side of things [0].
There's a motivation and engagement problem. Generally, people have no idea what cybersecurity is. It scares them, and they either don't want to talk about it or will let any random "expert" assuage or distract them. That's made fertile ground for a flourishing certificate and compliance racket of clueless gatekeepers who only make things worse, because the field is so deep and dynamic this stuff is ossified before the ink is dry.
I also see that it's an entirely reactive affair. People and companies will spend zero attention and money on cybersecurity until they get hacked, then run around spending their fortune like there's no tomorrow of stupid things. This attracts opportunists who are often as bad as the ransom-ware gangs that preyed on them in the first place.
Unpleasant as it is to say, it's the fault of the companies who do not value the deep and hard won knowledge of those who could help them... a cohort who are growing older and giving up caring.
And frankly, universities are fucked, to put it as politely as I can. At least in Britain, nobody who can do this stuff wants to be within a clear country mile of these crumbling institutions with their awful pay and working conditions and total lack of vision.
Elsewhere we have military and intelligence groups playing at 1980s "cyberwars", completely missing that the real war is going on within our culture.
So what we're left with is a technologically over-extended society that cannot meet the maintenance needs of its structure.
As educators, sadly we might set many young people up for failure and struggle since the expectations and demands of "the industry" don't match what they can deliver. Consequently the high churn leads to even more disaffection and panic in the industry.
Worse still is the fate of women in cybersecurity. Again and again I've seen equally qualified candidates go into a firm on the same pay grade, the guy gets out on "pen-testing" and the woman gets put on front line support (read: stress and abuse hell). The women are almost universally demeaned and given "agreeable" public facing work, while the men are streamed into "technical" roles. The tragedy is, it's usually the females who seem to understand the higher-level strategic and operational wisdom that is so desperately missing.
[0] https://www.linuxtoday.com/developer/why-we-cant-teach-cyber...
My only disagreement is with the culture aspect and treatment of women. I'm just not seeing what you're describing. Our industry is so starved for talent that anyone who shows interest and competence is immediately welcomed and allowed to choose the path that most interests them.
Not to say bad apples don't exist, but they're the exception, not the rule.
For what it's worth, 10 years ago I wouldn't have seen gender disparity because we simply wouldn't have had those women on the programme in the first place - so progress of course, but in small steps.
I suppose it's also amplified by being in an area where we're so desperate to grow good people that it feels galling and frustrating to see anyone left by the wayside in such times. Maybe I am not noticing the young lads who are similarly sidelined, but are less vocal.
And as soon as you mention cyber security, there will be confusion over whether you're referring to front line SoC analysts, application security engineers, malware analysts, threat hunting, DFIR specialists, vulnerability researchers, security architects, etc. The skills, knowledge and barrier to entry are wildly different among various sub-domains.
The nature of skilled cyber security is that it requires a deep understanding of computer architecture and programming as a prerequisite. If you don't understand how computers work at a fairly low level, you're going to have a tough time truly understanding security enough to contribute.
There's also a huge industry around certification and compliance that adds almost no value. I've never known any experienced security professional who places any value in CISSP, CEH, etc. (In fact they're often a negative indicator of competence). They're the security equivalent of a 6-week coding bootcamp. Mostly just a cash grab.
Coincidentally, all the best security minds I know are mostly self taught when it comes to the security aspect, having pivoted into it from a dev background. The types of people who spend their free time reverse engineering anything they can get their hands on or practicing CTFs.
Preach. The number of times I have had to explain basic computer to a cissp is larger than I’d like to admit.
If you want that, hire a hacker.
You're tempting me to go on a very long rant about your comment right there. Those two certs are horrible but here are plenty of difficult certs with practical exams like offensive security certs and even SANS these days but damn shame on you if you use someone's certs as a negative indicator or an indicator of anything other than they or their employer paying a large sum of money to validate some knowledge or skill.
> Coincidentally, all the best security minds I know are mostly self taught when it comes to the security aspect, having pivoted into it from a dev background. The types of people who spend their free time reverse engineering anything they can get their hands on or practicing CTFs.
Right, and you will accept github accounts and HTB accounts on a resume? How many company's HR will let you? How do you know people aren't buying those accounts to get a job? (Certs are proctored).
You can teach yourself a lot of things, I did. But there was a crapton of stuff I had to learn responding to incidents and trying to solve real world problems that you just can't learn sitting at home. I don't disagree with what you said about being self taught, but that only means they are motivated and have potential. Certs and experience is how you prove that potential enough to get an interview, it is the manager's job to grill them and make sure their cert isn't b.s. after that.
I have seen talented people with or without degrees and/or certs and with varying backgrounds from school teachers and geologists to masters degrees.
It's rare to have more than 100 applications for security jobs. So my take is that security managers themselves need to learn security well or hire people whose opinion they can rely on. And then use certs and experience to priorize the stack, do phone interviews and practical online tests to filter out applicants and do an extensive in person (or over zoom) technical interview to hire the right talent.
If I may add another perspective, the culture in the US is particilarly horrible. In certain other countries, they have tons of talented hackers who get paid shit (well, at least not as good as the US).
I find it incredibly unrewarding.
On the front lines, most situations tend to be adversarial or highly stressful. This is the case even when your primary intention is to provide teams with the time and resources they need to address problems effectively - it can be an exhausting process to establish trust and camaraderie with your non-security peers given preconceptions about security in many organizations.
Engaging with the business and executive levels is even more challenging. I often wish that all managers were mandated to earn a CISSP. And while I respect the role of the CFO, as they ultimately shoulder all the risk, I just wish CPA’s would stay away from CISO positions, they’re not helping.
I have been in infosec longer than my HN account and I am a technical person, and that's all I ever want to do.
There are companies actually and seriously concerned about gettinf hacked, there are companies that are concerned about getting sued when they get hacked (not much care about it otherwise) and then you have the in-betweens where upper management and the board do give a damn but middle management politics gets in the way, security is driven by managers who want to buy products and vendors and then go cheap on talent and whine about talent shortage.
When it comes to hiring talent, actual skills to my surprise are of little consequence. Even managers that know better just fill seats with bodies and they wonder why when they do get the rare talent, that environment where skills/talent isn't rewarded can't retain skilled people.
Another problem is security managers often moved over from IT or they haven't done anything technical in recent decades. They think it's like hiring help desk or network admins.
And don't get me started on the "return to office" bullshit. It wouldn't be so bad if that didn't imply return of office politics. People skilled in inter-personal politics (read: brown-nosing) get ahead and fester a culture hostile to technically passionate people. Best I can put it is, imagine wanting an HN experience but you get an instagram experience but in real life.
At my work I have found talented people and referred them but the whole anti-remote work stuff gets in the way. My self included, I will work for as little as half my current pay, if not less, to be allowed to work remotely full time.
As far as actual talent shortage, I would say there is more of a pay shortage. Plenty of people who can fill a seat but actual hackers are rare.
Most HNers who are into SWE, with a sprinkle of networking knowledge and enough humility to do entry level security work would make a killing in security (which has many sub-fields) in my opinion.
Too comment starts by saying it's a talent shortage. A management talent shortage? Sure. But for skilled workers it is a pay shortage, not that I personally have any complaints but managers prefer getting 10 untalented people over 2, as if it adds up.