Security Job Requirements (Degrees and Certifications)

Just some basic compiled numbers for security positions, certifications and degrees.

Find more posts tagged with

Comments

Another look at the numbers a little bit. Certification % relative to the amount of jobs with a rolled up percentage for each certification regardless of position.

FInal v2.jpg

Danielm7

Interesting, but not surprising, goes to show that most HR people creating job listings don't really know what they want or how to get it. I'd be curious to see other requirements like years of experience or BS degrees in there as well.

DatabaseHead

I'll try to look at some different angles like degree etc.

That should be easy, years of service not sure.....

TheFORCE

How are you getting this information? Are you gathering the data manually or are you pulling the data via a script or tool?

If you are using a script or tool to scrape the data from the profiles I'd be very careful if I was you. That is considered an illegal activity and you might get in trouble without proper authorization to do so.

beads

@DatabaseHead;

Naw, your findings align closely with what I see in the field, particularly the CISSP and degree thing. I've meet one person without a degree but questionably had the CISSP. Everyone else had or has a degree in something, usually IT related.

PenTesters are kind of a rogue group not overly concerned with either degrees or certs in general as its much easier to prove you do or do not know what your talking about real fast. In other words either you know how to write the custom exploit to get in/by the objective or you don't. Money talks and bs walks in that field so its easy to separate the wheat from the chaff.

Infrastructure, support, GRC and the rest are all harder to qualify thus people rely on certifications to determine skill over substance or even (gasp!) ability to perform the work at hand. So that sounds scary and must be avoided at all costs.

Breaking your chart down a bit more by adding GRC and maybe Security Architect (overall design, PPGS, Risk Management, et al) and other more specialized brackets would only prove you first assumptions correct but with more detail.

The field needs people with applicable skills not just paper tigers. Sorry folks but you have to be able to actually do the work beyond passing an exam. Two different things here. One is not an acceptable substitute for ability.

- b/eads

Remedymp

The field needs people with applicable skills not just paper tigers. Sorry folks but you have to be able to actually do the work beyond passing an exam. Two different things here. One is not an acceptable substitute for ability.

It's the job postings that are creating the paper tigers though...

DatabaseHead

@ Beads thanks

I'll work on this tonight, I am hoping to uncover some questions to help you all out in the security world. Obviously this first set is very basic, but you have to start somewhere.

Dealing with procurement and supply chain data all day LONG, it's nice to look at some easy data and come up with some answers.

CIO

Remedymp wrote: »

It's the job postings that are creating the paper tigers though...

I have seen entry level SOC type of roles asking for the CISSP. It is a serious issue on how HR is disconnected about what some roles really require.

PocketLumberjack

I work on the Help Desk at a large hospital right now and you would be shocked at the questions I get from our Security analysts and engineers. It's depressing how bad their troubleshooting skills are. Same can be said about our programmers too. I think a lot of people see a decent paying job and decide that they are going to get a college degree in that field and they aren't really interested in security or programming. Whereas some of us enjoy playing with our home labs even when work is done.

DatabaseHead

Overview of total roles per role type and a second axis showing the percentage of certifications either being required or preferred for that role.

Security Jobs _ Degrees.jpg

DatabaseHead

Layed a heat map over the percentages and the total number of jobs requiring or preferring these certifications. I also listed Top Cert and Second (if there was a bimodal distribution I consolidated them together).

If the cell is green there is a high probability the role you will be applying for will require that cert, if the cell is red the chances are that certification (per the role) will not be required or preferred.

Added a recommended certification per role column, based off the demand of HR (or who ever the heck wrote the job req).

At the bottom I used data bars to represent the grouping of all jobs and all certifications required or preferred for those jobs.

Certification Job Review.jpg

DatabaseHead

Here I am showing certs either being required or preferred for these particular roles. Again using data bars to represent the demand for the certification by percentage per role. The deeper the data bar the more in demand the certification is per job.

I added a chart below for additional visuals. Applied 2nd horizontal axis to show the total number of jobs. In addition I added more jobs/roles and certifications.

***Note Penetration Testing degree participation went up after I included senior and pen testing. It was at 44% and went up to 67%. Probably user error on my part but I wanted to call that out just in case.....

Peace

Certification Job Review 2.jpg

xxxkaliboyxxx

I guess my first question would be, why do pen tester ask for a degree? Isn't that the one career field where it's all about skills and prove what you can do?

EDIT: I guess writing reports and giving briefings?

No_Nerd

Great Post !!! Lots of clear and easy to read information here.

alias454

I don't see SEC+ anywhere? It definitely appears that having a CISSP is a good ROI. Here is another http://www.tomsitpro.com/articles/information-security-certifications,2-205.html

Remedymp

alias454 wrote: »

I don't see SEC+ anywhere? It definitely appears that having a CISSP is a good ROI. Here is another Best Information Security Certifications for 2016 - Certs - Tom's IT Pro

Judging by the amount of Security+ registered candidates, it would seem their numbers are much greater as well.

cyberguypr

@xxxkaliboyxxx Pen testers working for consulting outfits may have no need for degrees or certification. However, if you go for a more traditional corporate america employer, all those things will most likely come into play. This is what the "certifications and degrees don't matter" advocates always forget to mention.

mbarrett

The problem I see is that the job title often has little to do with the actual work once they get someone through the door. Always a basic issue with HR. It will be more accurate to poll existing professionals to find out what their work involves, and what certs they obtained in the course of their journey to get to where they are. (Not an easy thing to do.)

tpatt100

Yeah the job title can mean almost anything you have to look at job descriptions. I have had "security" in my job title for the past several jobs and I am more administrative security with some technical work.

DatabaseHead

All good points made.

However, quantitative data is superior than Joe Public saying get this cert because of XYZ. If you roll all those jobs up you can still see the certifications that are sought after by HR. Even if we are +/- 10% it's still very telling.

The Pen Tester data lends credibility to the research. Those particular 3 certifications would be the ones you would expect for that role. (CISSP just from the shear popularity and the other two are aligned with pen testing).

beads

xxxkaliboyxxx wrote: »

I guess my first question would be, why do pen tester ask for a degree? Isn't that the one career field where it's all about skills and prove what you can do?

EDIT: I guess writing reports and giving briefings?

Depends on what you consider a "penetration test" as well. The biggest difference lies somewhere between running Metasploit (skiddie) and using HexRays to disassemble code look for flaws then writing a custom exploit to gain entry, then go write your report and do your screen movie for presentation. Most of the time we get reports from "pen testers" that read like: Someone more skilled than the author of this report might be able to exploit this program as vulnerable but we don't have those skills so we ran Metasploit in "spray and pray" mode and came up with this instead. These are good enough for PCI-DSS quarterlies but tell me next to nothing about how well built the application really is or isn't.

Kali is a simple distro, there are many tools out there that go WAY beyond the free stuff. There is such a wide range of skill within penetration testing it scares me. So its easy to separate the pros from the joes.

- b/eads

beads

alias454 wrote: »

I don't see SEC+ anywhere? It definitely appears that having a CISSP is a good ROI. Here is another http://www.tomsitpro.com/articles/information-security-certifications,2-205.html

These compilations are a little misleading as many JDs stress needing one or more of the following or similar certifications... Or language similar. I haven't seen many if at all JDs stating they would only accept Security+ or GSEC as a requirement - usually attached to other more senior requirements. Yes, I think we all see too many entry level positions demanding mid level to senior level certificates like the CISSP. Really make the person who wrote the JD look either out of touch, clueless or just plain stupid. In the long run those types of JDs only hurt the certificate holder as become so watered down they become a poor differentiation between candidates.

As for the paper tiger thing. Its been around since the 1990s and has always been a boat anchor for people trying to skip college if not the industry as a whole. Understand people want to pass an exam and suddenly have a career - or not. Folks, it rarely works that way for the vast majority of careers. Once in a great while we see someone come up through the ranks without any specialized/formal training but we can't all be savants in the field. Rare but check in with the same people mid career when they rarely progress beyond the work a day analyst position. If that's your thing - great! If not find a degree.

Most of us have to go to school. Learn to think, analyze, write competent reports, code and eventually apply all this good stuff to IT and beyond. Remember most people don't actually work in the fields in which they received there degrees. Hence I have meet people with degrees in Music and Communications working as developers and infrastructure analysts.

Certificates should never be a substitute for experience or academic education.

-b/eads

OctalDump

I'm going to tag on to what the good beads just said.

Education (degrees, diplomas etc) gives you a good, broad base of knowledge and skills. Certifications give you skills in specific technologies or domains in depth. Work experience gets you to tie all that together in the real world, dealing with multiple technologies, people, politics, policies, business needs, strategy etc. Work experience, ideally, allows you to demonstrate that you can use that knowledge and those skills from your qualifications to deliver value to an organisation.

The other reality is that every job role is different. The mix of tools and people you work with, the end goals you are trying to achieve, technologies, standards, and other constraints make the comparison more difficult. Some pen tester roles might be very heavy on network skills, others might be all about web skills. So what you inevitably will see in large aggregations like this, is that the more generic certifications are more common. The more you break it down, the less clear it is.

It's the general problem with statistical evidence: it's talking about groups, but your lived experience is always an individual perspective. It might be true for 99% of people, but it is possible that you are in that 1%. Generic statistics will lead to generic advice.

Remedymp

You also have to factor in skill set in terms of what's in demand.

gespenstern

Great info, thx DatabaseHead!

DatabaseHead

This is fun for me so I appreciate the feedback and hope it can help.

TechGromit

I'm not surprised by the CISSP being a dominate certification in the IT Security industry, it's been around for the longest and is the most recognized. Also the requirements for obtaining a CISSP are fairly low, you just need to pass a test and have five years experience. While the test is certainty difficult, you can go to any book store and pick yourself up a text book or two fairly cheaply, study it and pass the exam for well under $1,000. GIAC certifications on the other had, do not have any official study materials available without paying 6 grand for a course. While it's possible to cobble together study material from other sources, it's more of an uphill battle.

DatabaseHead

@ TechGromit - (A little off topic). A friend of mine has a buddy who is in security and he has the CISSP. We were out having drinks and I asked him about his CISSP. He said he read some popular book and that was it to pass the exam.

Does this sound right to you? Reading one book and passing an exam? Not knocking the cert, but that would be pretty sweet if that's all you needed.

beads

I have known two people who never stepped foot in a college classroom who basically read a book or two and past the exam with no problem. They are rare but it happens.

Now, I tell clients if they want a related security credential to buy the books/materials and I will take it next week (and pass). Reason being is that I have taken so many exams that I don't necessarily have to be a SME on whatever subject to read through the exam and understand the "right" or "best" answer any more. Its almost obvious with the way most exam questions are written. Scenario based questions are the killer questions to this method of examination making your (gasp!) work your way to the correct answer.

I have close to 40 of these under my skinny belt and still take one or two every year. Easy but it does force me to learn some junk.

- b/eads

mbarrett

Remedymp wrote: »

You also have to factor in skill set in terms of what's in demand.

Another point is that HR is hiring people based on what they get approved at higher levels, often there is an executive-type who is just going down a list of potential positions, and anything in IT with "Security" in the title might be more likely to be approved...so HR ends up with a lot of "Security" positions to fill, because that's what they were able to push through for approval. After a couple tries, a pattern starts to emerge and they begin to adjust accordingly and label everything "Security" so they can keep getting new hires through the front door...