Why security is not really an entry-level position

jdancer Member Posts: 482

Comments

  • adrenaline19 Member Posts: 251
    Valid points were made.

    The entire industry is still going through some growing pains. The ones stuck in the cracks are the ones feeling it the most.

    I do feel bad for eager college grads who want to prove themselves but get screwed over because of the state of the industry.
  • markulous Member Posts: 2,394
    Yep, you gotta know what you're securing is really what it comes down to.

    But even with experience, certs, and a degree, it isn't always a slam-dunk to get an infosec job because they have unrealistic expectations. E.g. "I want a guy that has 10 years infosec experience, been in an architect role, a master of Python/PowerShell/etc, knows every single thing about security off the top of his head... Oh yeah and we're going to pay him 80k and put him in an analyst role!"
  • Danielm7 Member Posts: 2,310
    All accurate. I'm not sure that fresh college grads are "getting screwed" really, it's just not typically an entry-level position. Most people don't research this and everyone wants to tell them there are a million unfilled jobs. The schools should be better about explaining this to people, but revenue and stuff.

    There are also the expectations, some are realistic, but a lot of the listings are goofy. Just yesterday I got a recruiter hitting me for a security engineering role. Wanted many years of policy, and many years of pen testing, and many years of blue team engineer, and many... you get the point. I even emailed him back and said the listing seemed to be all over the place, he agreed and said they did that just to get some people on the phone and feel them out but they wanted people with broad experience in all areas of IT.
  • 636-555-3226 Member Posts: 975
    I know tons of people getting entry-level jobs in security. Every company in my region is hiring security people, and they can only get entry-level people, so they get tons of people right out of school and put them in charge of their IPS, SIEM, DLP, etc. solutions. The people have absolutely no idea what to do with the tools other than look at the dashboards or run some scripts that the one "senior" level guy put together 5 years ago before he moved on to another job. Infosec's a total mess right now for most orgs, and it ain't getting any better any time soon.
  • jcundiff Member Posts: 486
    636-555-3226 wrote: »
    I know tons of people getting entry-level jobs in security. Every company in my region is hiring security people, and they can only get entry-level people, so they get tons of people right out of school and put them in charge of their IPS, SIEM, DLP, etc. solutions. The people have absolutely no idea what to do with the tools other than look at the dashboards or run some scripts that the one "senior" level guy put together 5 years ago before he moved on to another job. Infosec's a total mess right now for most orgs, and it ain't getting any better any time soon.

    Same here... we can't find Sr Analyst/Sr Engineer candidates, but we have had excellent luck hiring jrs and training them into Srs over 4-5 years... not ideal but it works and has been great for the company as well as the people.
  • Remedymp Member Posts: 834
    markulous wrote: »

    I believe this was discussed at the RSA conference in 2016 with ISACA and they were going to address this.
  • gorebrush Member Posts: 2,743
    markulous wrote: »
    Yep, you gotta know what you're securing is really what it comes down to.

    I think this is the key to it all. I think the greatest InfoSec people are going to be the ones who actually understand all the underlying technology that is out there first. You could learn how to hack a Windows 7 box for example, but if you were (for the sake of an example) an MCSE first, you are going to know a boatload more and be automatically aware of a lot of the facets or potential attacks that would be out there. Learning just plain security is fine, but there's a lot to be learning on the targets as well as the methodologies.
  • jelevated Member Posts: 139
    636-555-3226 wrote: »
    I know tons of people getting entry-level jobs in security. Every company in my region is hiring security people, and they can only get entry-level people, so they get tons of people right out of school and put them in charge of their IPS, SIEM, DLP, etc. solutions. The people have absolutely no idea what to do with the tools other than look at the dashboards or run some scripts that the one "senior" level guy put together 5 years ago before he moved on to another job. Infosec's a total mess right now for most orgs, and it ain't getting any better any time soon.

    PREACH.

    So many people put in those roles you mention... you ask them what their job is and they tell you it's to manage/use the product in question.

    What? No, your job is to secure your organization's info assets. You use X tools, frameworks and methods to achieve this state.
  • powerfool Member Posts: 1,666
    This has long been my contention. You need experience in how things work. Then, you can focus on security. Certainly, there are things that lie outside of the technology, but they are spheres of knowledge, kind of like layers of the atmosphere, they rest upon lower levels. The security aspects aren't necessarily dependent on just the lower level techs, but to be well-rounded, you need the tech experience and the security body of knowledge.
  • Danielm7 Member Posts: 2,310
    powerfool wrote: »
    This has long been my contention. You need experience in how things work. Then, you can focus on security. Certainly, there are things that lie outside of the technology, but they are spheres of knowledge, kind of like layers of the atmosphere, they rest upon lower levels. The security aspects aren't necessarily dependent on just the lower level techs, but to be well-rounded, you need the tech experience and the security body of knowledge.
    I remember my first weeks in infosec. They booked meetings with the server group, networking, desktop engineering, etc. They all wanted to **** all the info on me and wanted my opinion on their processes. I was meeting with CCIEs, Sr engineers, architects. I don't think any of them had less than 15 years experience. Granted this was a whole new dept, but you don't just get out of school and do that. They expected me to understand everything that all of them were doing, thankfully I had a very wide background but it very much fit the idea of having to understand what you're securing.
  • trojin Member Posts: 275
    Just my 5 cents.

    I was lucky, as I moved to info sec with my previous manager. I didn't have any experience, only a number of certs (some info sec related), a BSc and a post grad info sec diploma. Now I have 1 year exp, a few more certs and I'm doing an MSc in Applied Sec. I learned a lot in this year and started to realize my value. Recently I received an email from recruitment asking what kind of money, position, etc. I'm interested in. I gave them some info - I did not overvalue myself but asked for a decent package. A few days later - response: "package is fine but I need fully certified CISSP". There is only one problem: with CISSP I will ask much more. So. They like CISSP but pay entry level salary??
    Very often I also saw absolutely unrealistic expectations like: 10 years in 5 different expertise areas. I'm sure there are people who have this kind of experience, but how many of them may exist...
  • Raisin Member Posts: 136
    Security shouldn't be entry level, but it all too often is. I see it all the time, hire somebody with no experience, teach them how to run a few tools, and then act shocked when a major incident occurs. A good security team should be made up of people who were network/system/software engineers FIRST. You just can't teach the laziness that comes from working as a system admin who needs to cut corners to get the job done. That's insider only information you have to learn in the trenches.