An infosec job market observation here

Just an anecdote, not thorough research, no stats, just a single observation.
The company I work for recently had an opening for a security engineer. Just your typical position for a guy with 4+ years of experience to do a little bit of everything: configuring tools, responding to incidents. No cert/education reqs, just desired.
HR got back with roughly two dozen resumes that passed their sanity checks. I believe that all the applicants were required to go through the process on taleo.net, and those of you who are familiar with that know that it's quite a task and requires spending some time filling in tons of fields. Roughly 15-30 minutes just to apply, which could be considered a challenge compared to just hitting two buttons on LinkedIn or Indeed or whatever. There was a field asking applicants about their salary expectations. This ranged from 80K to 120K. The area is Chicagoland.
So, almost all of them are CISSPs. A few are OSCPs and/or hold other OffSec certs. >2/3 have various GIAC certs. Experience ranges from 5 to 20+ years in IT Security (not just IT!!!). Big-name companies in their work experience. We had to pick on things to filter out candidates; for example, we threw away a resume that mentioned "HIPPA" instead of "HIPAA" but was otherwise perfect. Because how else do you narrow down your search?
The company I work for is a good place: "best places to work", Forbes, Fortune and other ratings.
My perception is that it's quite depressing. Two reasons: too many qualified applicants, and they don't ask for a lot. Maybe it's just Chicago? Because I'm reading articles everywhere about a 0% unemployment rate in this field and a talent shortage. Well, from what I'm gathering from this, it's all BS.
Comments
I don't think so; all of them are most likely employed, but that would be a not-so-strong argument in favor of a good market for infosec prospects, as it implies that all of them aren't satisfied where they currently are, despite working for big-name companies, and aren't paid well.
The place I work at isn't anything special. Overall, all this "Fortune 500" or "best places to work" stuff doesn't hold much value either; at any place you are given a computer and a cube and have to put in 40 hours/week of solid work.
The pay is what matters, but for 95% of positions out there the pay is at "market" level.
Also (JUST A PERSONAL OPINION), filtering out candidates who misspelled HIPAA isn't a great way of filtering candidates. What if the candidate is great but for whatever reason they misspelled a letter, or MS Word did that? Human errors happen. Their experience and qualifications should matter more.
I agree with OP... seems a bit strange.
Maybe OP works for an amazing employer; I guess I could check his LinkedIn and find out for myself... but I don't care.
Anecdotally, that sounds like a LOT of resumes for a field that is supposedly "short on talent".
80k strikes me as really low for the qualifications they appear to have and a major metro area. Personally I wouldn't bother to apply for anything less than 100k.
Because there simply aren't jobs that require 20 yrs of experience? Most jobs will ask for 3-5 yrs, or 10+ for *SOME* architecture roles.
What was there 20 yrs ago? Experience with Novell? What do people do with 20 yrs of experience? They gotta apply somewhere. Some people are on contracts and are looking for perm, or the opposite; some want a change. Also, your pay doesn't keep increasing in a linear manner, so 20+ yrs of experience won't be earning much more than 5-10 yrs... it depends on so many factors.
Companies should stop focusing on who looks good on paper and start focusing on the person who makes the best overall fit for the organization. I could care less if you have 20+ years experience and multiple certs. If you don't understand the needs of the organization, then you aren't the right one for the job.
To be fair, they mean 4 years direct computer security related experience, very few people can claim to have 20 years in computer security.
Why would a guy with 20 years of infosec XP, two master's degrees, tons of certs and previous positions as an architect at big-name companies apply for this position asking for a mere 120K? I think it's a serious step down according to this guy's resume.
You have to pick on something if the candidates are almost equal. A resume should be proofread; it's your face. If you are sloppy in this, chances are you are sloppy in something else, like work.
When I was hiring for a jr. security analyst I got a guy with an MS degree in info systems from a good school, a pile of experience, and he was already a security engineer. When I asked the recruiter what was up he said "Oh, his family is nearby and he currently lives across the country; he wants an anchor job." Um, no thanks; he'd be gone in 10 minutes when he finds a job he was qualified for.
To be honest, I'd be really curious what InfoSec stuff they were doing 20 yrs ago... they used to be called sysadmins/network engineers....
Why not? How much should they ask for? 180K? But how many 180K job openings are out there? Also, just because they were working for 20 years doesn't mean they're too advanced. Most people I meet (in IT and elsewhere in life) are somewhere between beginner and advanced beginner. Some reach intermediate... but advanced?? Very few. Human nature. The effort-to-reward ratio applies here... A lot of people stay at the intermediate level for a long time, and sometimes they have no opportunities to grow more because there simply is no need.
Experience vs. salary expectation is NOT A LINEAR path, in InfoSec or any other career in the world. It doesn't work this way, or else everyone would make a million dollars after working for 20 years. No.
Also, I really don't know the circumstances of your company, but some people look for a less stressful position. 120K isn't that bad. Not sure what that specific resume is about, to be honest, but it doesn't sound too strange if I'm being honest.
Sure, this is true. My argument is: you WILL lose out on good candidates this way... and that's exactly what HR does. It may or may not be an indicator of a bad candidate; in my personal experience it wasn't.
Many, many things still apply, especially on the infosec side, which tends to be more in-depth than what sysadmins do. NTFS was there; x86 and i386 assembly knowledge, you just need a few reads on new instructions and techniques and can operate with 32- or 64-bit registers. Win32 is largely the same. The cmd/bat shell is the same. Bash or Korn are the same. Hell, Java is still one of the most dominant languages, but it is from the 90s. Everything CPU-hungry is written in C. SMTP is still the same with a few new touches that are easy to learn, like DMARC or DKIM. All PKI-related stuff relies on old math and old tech from the 70s and 80s. HTTP. TCP/IP.
Plus general IT metaknowledge on how things work and how people behave, it always counts.
One or two could be outliers. But what surprised me is that we have too many, which shouldn't be happening. What should be happening, according to media reports, is head-hunting to fill any open position besides entry-level.
Either way, my point was, there are a lot of random reasons like wanting a job change, better working conditions, exposure to new tech, being closer to home, contracts finishing... etc.
Yeah... could be Motorola, which is still alive and still losing money. But they don't have Motorola as their last place of work...
Two words...human resources.
HR doesn't know how to recruit. Oh entry level security analyst? Let's just require 5 years experience, a CISSP and a bachelors degree, but we will prefer a masters...
The Midwest, as a market, is a terrible place to earn for tech. You can be the King Kong of infosec here, but be paid like a Zoo gorilla. I really expected Chicago to be better, but alas, I suppose it's not.
Harvard Business Review states the shortage is real and documented, and refers to an ISC2 report as evidence. Sorry, but last time I checked, ISC2 makes a living off getting people certified in cybersecurity-related topics, not exactly a neutral source. And if you read the report (which you can't right now, since the site where the report is hosted is "undergoing maintenance"), this is what it says:
"This number is compounded by 45 percent of hiring managers reporting that they are struggling to support additional hiring needs and 62 percent of respondents reporting that their organizations have too few information security professionals." Sounds like it's not a shortage of qualified cybersecurity pros, but of organizations who can't/won't fund the appropriate security staffing needs (welcome to IT). Just my 2 cents; I very well could be wrong, I just haven't seen any evidence that shows I am wrong, though if someone has something out there, send it over!
https://hbr.org/2017/05/cybersecurity-has-a-serious-talent-shortage-heres-how-to-fix-it
Seems like the jobs in security are shifting in the north east toward Boston. Don't hear much about Philly, Pittsburgh or Baltimore. Washington D.C. is always a big one.
100% agree!
https://careers.verizon.com/
or you can search on LinkedIn: https://www.linkedin.com/jobs/search/?keywords=verizon%20threat&location=Ashburn%2C%20Virginia&locationId=PLACES.us.8-8-0-67-3
Forum Admin at www.techexams.net
I honestly think that is a big part of where the shortage narrative has come from. I also think the ACTUAL shortage is of either folks with DEEP technical security experience or DEEP high-level GRC/management skills, who can stand up or revamp entire security departments and security governance. I say that because, since the Target (and then others following) attacks gained mass MSM exposure, companies started taking security seriously and all rushed out to hire the aforementioned people, of which there just aren't enough to go around for everyone who wants to hire now, hence the shortage.
Agree 100%. I don't know where the shortage is. A job gets posted and you have 5000 applicants.
I have not seen a single job ad where employers are willing to train and accept sysadmins or even network security professionals for jobs that require some GRC or risk assessment work. Everyone is looking for 5+ years of specific experience and claiming a talent shortage.
Based on my experience, I have worked with some new graduates who, I can swear, have better technical capabilities than me or any other professional with more than 10 years of experience. I am not sure what your feeling is after interviewing some of the candidates. I can firmly say that while there are so many professionals out there with good, relevant certs and experience, a good portion of them are nowhere near suitable for even T1 roles in a high-end, high-skill environment. Some barely make it, and only 1 out of about 100 fits the criteria to be suitable for T2 support. Note that the role I am talking about is not restricted to local candidates only.
Even though most infosec professionals have good certs and experience on paper, it may not be relevant at all, although it depends on what candidates you are looking at. A handful of them are from the audit/compliance side and have no idea how to troubleshoot a problem they are looking at. Another handful simply do not have the relevant experience after considering the diversity of technical work in infosec, and they may not be suitable for the role you are opening up at all.