Info Security .2% Unemployment Rate

jerspornjersporn Registered Users Posts: 1 ■□□□□□□□□□
For the IT professionals looking through this thread, there are truly limitless opportunities in the Information Security side of IT. Security consultants are reaping the benefits of low supply and high demand as the Info Sec industry is outpacing the talent growth and will continue to do so for the foreseeable future.

.2% unemployment for Info Sec consultants is real.

If you would like a good overview of the types of services in the information security world, check out this link to our site Pivot Point Security. https://www.pivotpointsecurity.com/
«1

Comments

  • gespensterngespenstern Member Posts: 1,243 ■■■■■■■■□□
    I don't buy it.

    That's just a personal feeling I get from talking to colleagues and wannabes wanting to break in I talk to on meetup gatherings. Periodically we see some of these here on TE, like just recently a guy in Texas with CISA or CISM and other decent certs asked for advice on landing a job, including readiness to move anywhere because of staying without a job for too long.

    I personally was looking for a job in 2015 and it took me 6 months to find something decent (i.e. not working for a staffing agency temporarily for a substandard wage).
  • dmoore44dmoore44 Member Posts: 646
    ...like just recently a guy in Texas with CISA or CISM and other decent certs asked for advice on landing a job, including readiness to move anywhere because of staying without a job for too long.

    Then there must be some other mitigating circumstance... The market here is desperate for InfoSec professionals; we've finally managed to persuade higher level management to recruit outside the area and bring in talent from other markets with a glut of InfoSec professionals.
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • alias454alias454 Member Posts: 648 ■■■■□□□□□□
    I seem to be running into the same thing kinda. I don't have "security" in my current title, so technically, I guess I'm not a security professional. It seems the previous 15 years of experience doesn't count for much either. I'm not that much of a policy guy and I don't count a lot of the security related activities I do as anything special. To me, most of it is just being a good sys admin.

    So call me ;) I'll move to Texas.
    “I do not seek answers, but rather to understand the question.”
  • Danielm7Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    dmoore44 wrote: »
    Then there must be some other mitigating circumstance... The market here is desperate for qualified InfoSec professionals; we've finally managed to persuade higher level management to recruit outside the area and bring in talent from other markets with a glut of InfoSec professionals.
    Fixed that for you. There are tons of people who want to get in, but it seems like most of them aren't qualified, and most companies now aren't big on hiring people who need to be completely trained. Many companies don't know what they want either so they put up some listing for what equates to a purple team engineer who also has 10 years in management, networking, systems and policy writing and will run an entire department on their own.
  • Danielm7Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    alias454 wrote: »
    I seem to be running into the same thing kinda. I don't have "security" in my current title, so technically, I guess I'm not a security professional. It seems the previous 15 years of experience doesn't count for much either. I'm not that much of a policy guy and I don't count a lot of the security related activities I do as anything special. To me, most of it is just being a good sys admin.

    So call me ;) I'll move to Texas.
    FWIW, "just being a good sysadmin" covers many security duties in some companies. If yours did as well then you should be able to highlight those in your resume. That's exactly what I did when I moved into security from a long time as a sysadmin.
  • BlackBeretBlackBeret Member Posts: 683 ■■■■■□□□□□
    For the lower unemployment rate, I believe it. I have recruiters calling 2-3 times a week. It seems everyone is hiring non-stop. The two things they want are a clearance, certifications, and a warm body. .gov contracting standards aren't amazingly high. That being said, I've never been turned down for an interview in a non-cleared position either.

    Having previously been involved in the resume reading/interviews for some net sec analyst positions I can provide comments. One company would take anyone with a pulse, clearance, sec+, and CEH. They would then "train" people to use ArcSight and some other tools to look through alerts, "analyze" them, and close them out. The pay was low, most of the people had no idea what they were doing. If you knew what Wireshark was before showing up they were overly impressed. The big thing with them, within a week I started meeting people that were trying to recruit me for another company that paid a LOT better, had more experienced people, etc. I kept turning it down to get experience where I was, 4 months later I ended up working there after meeting one of the managers at a conference.

    I had people on this forum, people I knew from other places, and random people I met at conferences ask me about getting them a job to break in to infosec. I would give them the details, tell them the salary (average $55k), and they'd complain about it not being enough money for a security job and never apply. If you want to get in to security, realize that you probably have to come in as entry level for the job and use it as a stepping stone. If you know what you're doing it doesn't take long to move on. No one is going to hire you for an "expert" position if you've never worked in a strictly security role.

    Fast forward to doing some of the interviews for this job. Basic requirements were some analysis experience, know how to use Wireshark, and basic Linux knowledge. We trained everyone properly, then there was a testing phase. We'd contact applicants the week before the interview and walk them through the hands on lab, "You'll be given a laptop with Redhat on it, on the desktop will be a packet capture, you will have to open it in Wireshark and answer some questions about the capture." There were basic questions, no analysis required. How many TCP streams are in the packet, What is the 3rd GET request in the capture, What is the image file retrieved in that request a picture of?.

    We had probably 60% of the applicants show up and tell us they didn't know how to use Linux or Wireshark. One guy actually didn't say anything, turned on the laptop, logged in fine, saw the packet capture on the desktop, then looked up and said "I don't know how to use Linux". This was a lead at the previous job above.... The point is, read the job postings, understand what they're asking, and show up prepared.
  • beadsbeads Member Posts: 1,533 ■■■■■■■■■□
    Being a contractor with his ear constantly being talked off by recruiters I have to respectfully disagree with the OP. Seeing a great many positions dealing with R&S (Routing and Switching) referred to as "security" and those positions are in high demand right now. Many Project Management positions for Security are also in the mix but aren't truly security positions. These PM positions are generally staffed by burned out engineers or those who raced into getting the CISSP with no real technical background and hurriedly find something else to do before their careers catch up to them.

    Speaking of the markets here is what is currently pitched. Downtown Chicago is practically on fire with a range of boring if not pedestrian opportunities. Most positions are so inflexible or specific they look to specialized and thus career limiting: Qualys scanning. Trend Micro administration (I could do this in a coma); many R/S positions (Firewall and switching); VPN troubleshooting and of course many DLP positions. Things of this nature. Nothing cutting edge or dare say challenging. Most of these require little more than a CCNA to or 1-2 years of college to actually do but with a plethora of applicants rates are on a downward slide from last year. Don't buy into the trainer's hype. Down here at the ground level reality, much like gravity, take over and pull you back to Earth.

    The suburban Chicago market looks about as lively as a cemetery this month or slightly better. I did talk to one gentleman last week who wasted my time and energy. Had tons of really good problems to solve. Little budget as hes looking for a security manager for no more than 100k but great benefits like 30 days paid time off, etc. How long has he been looking? Oh, over 9 months, going on 10. Great! C'ya! Bye-bye! Typical storyline out in the northern burbs as of recent. The once red hot SW tech crescent of Chicago has all but evaporated as well. Nothing of any real notice from the Downer's Grove/Naperville area that I can see. Usually I could count on getting one or two calls from that area a week - this year - nothing.

    Going outside of Chicago, Milwaukee and Madison Wisconsin have some fair to more interesting positions but because they are in what I refer to as the "tech deserts" of the world tend to want everything to include the kitchen sink but willing to pay top dollar for the privilidge - usually 80-85 per hour right now. Not great but better than the 50-60 I am seeing for similar in the city. Problem is those country folk take forever and a day to get around to making a decision. Seems someone is always off to Florida or busy milking a cow - whatever. Des Moines, Iowa has a couple of outstanding contracts but not only do they want a world class R/S engineer with solid EIGRP and BGP skills but cloud and API programming all in the same package - Good luck!

    Getting alot of calls for New York, Florida and California that immediately get dismissed as well. Most are entry to mid level but recruiters will try anyhow.

    Me? I am still bored to tears maintaining 80 FirePower firewalls and supporting some MobileIron troubleshooting/ForeScout NAC stuff. Not really security but heavy on the R/S side of the house. When support desk, OPS or Administration can't figure out what they are doing it lands on the senior security guy's desk. So, no. Most of what I do has little to do with "security" outside of the occasional disk forensic investigation. Security for my client is now more of less risk management and for 2 billion dollar a year company is pretty nominal.

    Your hype may vary. icon_lol.gif

    - b/eads
  • IronmanXIronmanX Member Posts: 323 ■■■□□□□□□□
    I don't work really work in the security field but I think this is an issue with all the STEM fields.

    Companies complain about a shortage because they can't find someone who has the exact experience they need. The problem is the person with the exact experience you need is already working for you.

    Companies need to train new employees. Some companies are willing to not get all their hiring requirements met and train but generally they are only willing to do so for low level (low paying) positions. This is problematic with the IT Security field because IT security is not an entry level position. I was just listening to Security Weekly 496. Lesley Carhart was talking about how she gets asked all the time how to get into the security field and she basically said its not an entry level field you need to be out there getting experience for 10 years being a JOAT (or just working in non security related IT fields) before you should be getting into security.

    Some one previously mentioned paying 55K for an entry level security position and having people say that is too much of a pay cut for them and that people wanting to break in to security should take a pay cut. Should they? i dunno.... if i lived in a hot market I probably would be willing to take a pay cut and in a year if my pay is not progressing to where it was before jump ship for higher paying security jobs. Generally from reading around here this seems like what most people do (job hop).

    However if your not in a hot market taking a pay cut and trying to get back to where you were probably wont work out for you.

    Hopefully with remote work taking off these problems with hot and cold markets will go away.
    Canada seems to be way behind in employers embracing remote workers compared to the US.
  • markulousmarkulous Member Posts: 2,394 ■■■■■■■■□□
    Yeah, I get so many hits on LinkedIn every week for jobs that I'm sure the unemployment rate is pretty low for Infosec jobs. Wish they were hitting me up like this a year ago, but of course now that I'm at a place that I can be at for at least 2 years, I'm getting people hounding me for interviews. /firstworldproblems
  • jeremywatts2005jeremywatts2005 Member Posts: 347 ■■■■□□□□□□
    I am starting to get a feeling that some of the problems with jobs in information security are that they are not hiring perm. I get tons of calls a week all for 6-month contracts. Or 1 yr contracts and all for information security. When are companies going to learn if you want talent you have to pay for it and hire perm employees. Enough of this crazy 6 month and 1 yr contract deals. People want perm opportunities.
  • DatabaseHeadDatabaseHead Member Posts: 2,754 ■■■■■■■■■■
    All the articles I have read talked about a massive shortage coming up in the future.
  • mataimatai Member Posts: 232 ■■■□□□□□□□
    I really want to get a new job in IT Security, but there are just no jobs close to where I live. Thinking about moving to Austin, Colo Springs or NoVa.
    Current: CISM, CISA, CISSP, SSCP, GCIH, GCWN, C|EH, VCP5-DCV, VCP5-DT, CCNA Sec, CCNA R&S, CCENT, NPP, CASP, CSA+, Security+, Linux+, Network+, Project+, A+, ITIL v3 F, MCSA Server 2012 (70-410, 70-411, 74-409), 98-349, 98-361, 1D0-610, 1D0-541, 1D0-520
    In Progress: ​Not sure...
  • beadsbeads Member Posts: 1,533 ■■■■■■■■■□
    All the articles I have read talked about a massive shortage coming up in the future.

    But here on the street where paychecks are earned in real life I can tell you the perception is much different from that of the ivory tower of journalism. Yeah I get called 20 times a day but dismiss close to 90 percent of those calls as well. Most of which have nothing to do with my skill set. For example today I got a call for a UI developer. I can safely assure you there is NOTHING on my resume that speaks of full stack development or UI calls.

    Welcome to 'Fantasy Island'.

    - b/eads
  • Mike7Mike7 Member Posts: 1,107 ■■■■□□□□□□
    Security is in all aspects of IT, from network switching to OS to application development and even to company policy. Good IT security is good IT Ops. To be able to secure something, you need to understand how it works.

    Many of the good security roles in demand today requires years of experience. To be a good technical IT security person, you need to be a JOAT that is comfortable and has experience with network admin, sys admin and application development. There is a reason why the median age of security professional is 42.


    The problem is many companies that are setting up new security operations rather hire from outside than train from within. And since companies are unable to get that experienced expert, vendors rush in with services, tools and fixes that promise to automate everything.

    There are a variety of roles in security and some of them are going to be low-paying dead-end roles that BlackBeret mentioned. Some of us enter IT via help-desk. Level 1 SOC is turning out to be the help-desk of security operations.

    alias454 wrote: »
    It seems the previous 15 years of experience doesn't count for much either. I'm not that much of a policy guy and I don't count a lot of the security related activities I do as anything special. To me, most of it is just being a good sys admin.
    As Danielm7 mentioned, highlight security experience in your resume. And go for that CISSP certification if you have not; it is not difficult and covers familiar areas especially if you have been a proficient IT Ops person. And security is a mindset; you need to have that desire to learn, to understand how things work, and how to break and fix them. We are always learning new things.
  • dhay13dhay13 Member Posts: 580 ■■■■□□□□□□
    There is very little in my area. Indeed search using CISSP within 50 miles of my zip shows 7 jobs posted in the past 7 days. Very hard to find anything in the security sector around here and 90% of the ones that you can find related to security are short term contract with no benefits. There are other keywords I use to find others but many of those results are not related to the security sector. Would love to move to a better area but due to family that isn't an option at this time.
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    A lot of security demand seem to be for 'risk' or 'audit' sort of work, where you get to be part of a team that implements the project and you just tell them that they should use encryption or restrict access to users or something.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • jcundiffjcundiff Member Posts: 486 ■■■■□□□□□□
    matai wrote: »
    I really want to get a new job in IT Security, but there are just no jobs close to where I live. Thinking about moving to Austin, Colo Springs or NoVa.

    Add Cincinnati to your list to look at, InfoSec professionals' unemployment rate for mid/senior level is about -5% we have been hiring college grads as junior levels and building them into that analyst II to senior analyst/engineer roles... we have gotten some great people that way but still have numerous open reqs to fill
    UnixGuy wrote: »
    A lot of security demand seem to be for 'risk' or 'audit' sort of work, where you get to be part of a team that implements the project and you just tell them that they should use encryption or restrict access to users or something.

    there is way more to Risk/GRC than this... and the demand is only going to grow
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • dmoore44dmoore44 Member Posts: 646
    Danielm7 wrote: »
    Fixed that for you.

    Indeed; that's definitely part of the problem. I've interviewed numerous people here, and they generally fall in to two buckets - (1) those who don't have the requisite knowledge, and for which the job would be too big a stretch (2) those who are qualified, but want senior manager level pay [this is by far the smaller pool of people].
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • Mike7Mike7 Member Posts: 1,107 ■■■■□□□□□□
    Danielm7 wrote: »
    Many companies don't know what they want either so they put up some listing for what equates to a purple team engineer who also has 10 years in management, networking, systems and policy writing and will run an entire department on their own.
    IronmanX wrote: »
    Lesley Carhart was talking about how she gets asked all the time how to get into the security field and she basically said its not an entry level field you need to be out there getting experience for 10 years being a JOAT (or just working in non security related IT fields) before you should be getting into security.
    beads wrote: »
    Going outside of Chicago, Milwaukee and Madison Wisconsin have some fair to more interesting positions but because they are in what I refer to as the "tech deserts" of the world tend to want everything to include the kitchen sink but willing to pay top dollar for the privilidge - usually 80-85 per hour right now.

    So if you want to be really in demand and not worry about unemployment, gain experience in everything. Master the 8 OSI network layers where layer 8 is people. :) That's IT.
  • Hammer80Hammer80 Member Posts: 207 ■■■□□□□□□□
    matai wrote: »
    I really want to get a new job in IT Security, but there are just no jobs close to where I live. Thinking about moving to Austin, Colo Springs or NoVa.


    Take Austin,TX off your list, the market here is supersaturated. Considering it's the most expensive city in Texas ($1500 per month for 1 bedroom)the pay here sucks due to what we call "UT Babies". Essentially folks that graduated from UT the largest university in North America and they never ever leave and are willing to take lower salaries to stay so they can be hip and cool. This translates to folks with master degrees applying for entry level jobs with low pay. If my wife did not have a very good job here we would be gone from this place by now.
  • TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    Enough of this crazy 6 month and 1 yr contract deals. People want perm opportunities.

    Ahem to that, I work for a major utility now, no way I'm going to give that off to work for some ******* staffing agency with crappy benefits for 6 months no matter how much your paying. I want perm positions with benefits and stable employers.
    dhay13 wrote: »
    There is very little in my area. Indeed search using CISSP within 50 miles of my zip shows 7 jobs posted in the past 7 days.

    I only show 3 jobs for my GAIC certs and 7 for CISSP in my area, but if I expand my my search radius to 100 miles I get 150+ jobs for CISSP in the last 7 days, this included New York City and Washington DC.
    Still searching for the corner in a round room.
  • dhay13dhay13 Member Posts: 580 ■■■■□□□□□□
    TechGromit wrote: »
    I only show 3 jobs for my GAIC certs and 7 for CISSP in my area, but if I expand my my search radius to 100 miles I get 150+ jobs for CISSP in the last 7 days, this included New York City and Washington DC.
    Yeah but who wants to drive 100 miles each way every day? 50 miles for me includes downtown Pittsburgh. I would think there would be more opportunity there?
  • OfftopicOfftopic Member Posts: 37 ■■□□□□□□□□
    Things are not so rosy in Toronto for sure. almost all infosec jobs are asking for cissp or cisa and 20 other types of hands on experiences and certs. God forbid if industry will ever be willing to train someone.
    I have ben to 2 networking events and met many guys looking for job for past few minths.
    And jdt this morning a job ad showed up offering a whole $105 CAD per day for a contract job gor few months.
  • IronmanXIronmanX Member Posts: 323 ■■■□□□□□□□
    Offtopic wrote: »
    Things are not so rosy in Toronto for sure. almost all infosec jobs are asking for cissp or cisa and 20 other types of hands on experiences and certs. God forbid if industry will ever be willing to train someone.
    I have ben to 2 networking events and met many guys looking for job for past few minths.
    And jdt this morning a job ad showed up offering a whole $105 CAD per day for a contract job gor few months.

    Cyber Security in Canada just is not taken seriously.
    Horizon Utility ( St. Catharines hydro) last month had almost $700,000 stolen and they are unsure if insurance will cover it.
    Besides the initial press release there has been no news on it.

    Hydro One was also connected to the Vermont utilities "Russian" hacking.
    Hydro One says it was an old no longer used IP address and there has been no other details released.
  • markulousmarkulous Member Posts: 2,394 ■■■■■■■■□□
    Funny you guys were saying about short contracts. Just got another person hitting me up for a $45-$55 an hour (which would be a pretty big pay increase), but it's for a 6 month contract. I don't really want to leave this place either since we're getting so many new tools deployed this year that I've never worked with and they're putting me through SANS courses and other stuff.
  • DatabaseHeadDatabaseHead Member Posts: 2,754 ■■■■■■■■■■
    jcundiff wrote: »
    Add Cincinnati to your list to look at, InfoSec professionals' unemployment rate for mid/senior level is about -5% we have been hiring college grads as junior levels and building them into that analyst II to senior analyst/engineer roles... we have gotten some great people that way but still have numerous open reqs to fill



    there is way more to Risk/GRC than this... and the demand is only going to grow

    Work in a fortune 500 here and we are hiring, software engineers and security engineers for 80 + with bonus out of school. Major shortage here in the midwest.....

    I'm not pro degree, but like anything there are always exceptions. If you can stomach a CS degree and understand development you can make a lot of money in development or security.
  • ChitownjediChitownjedi Member Posts: 578 ■■■■■□□□□□
    Interesting. We are looking for about 4 Security professionals.. going into this year and I was made Security Manager after barely 1 year in. Get 5-10 calls that are legit a week from all over the county, but about 15-20 that are trash.

    If the person has the qualifications, 1-2 years doing security related task (access control minded permission allocation, authentication, authorization auditing, some incident response, malware triage, with a little bit of regulatory/compliance knowledge,) we would hire them in a blink of an eye. But most important is workethic and passion to learn. But honestly, its been tough.
  • DatabaseHeadDatabaseHead Member Posts: 2,754 ■■■■■■■■■■
    @Jedi

    If you walk around the corporate building and the other building where I work, they have pictures offering finders fee's for security and developers in every building. We aren't talking off the printer, we are talking high dollar stock designed by a designer and printed by a print vendor.

    There is clearly a shortage of developers and security professionals........
  • dhay13dhay13 Member Posts: 580 ■■■■□□□□□□
    ^^ Geeesshhhh. I need to move to where you guys are
  • xxxkaliboyxxxxxxkaliboyxxx Member Posts: 466
    @Jedi

    If you walk around the corporate building and the other building where I work, they have pictures offering finders fee's for security and developers in every building. We aren't talking off the printer, we are talking high dollar stock designed by a designer and printed by a print vendor.

    There is clearly a shortage of developers and security professionals........

    Is this why more and more professionals who are not recruiters willing to recommand me? I always wonder why people in my area would contact me through LinkedIn who I did not know.

    Sounds like a great way to recruit talent.
    Studying: GPEN
    Reading
    : SANS SEC560
    Upcoming Exam: GPEN
Sign In or Register to comment.