2011 (ISC)² Global Information Security Workforce Study

docrice Member Posts: 1,706
This report comes from a certification-related organization, so take it as you will.

https://www.isc2.org/uploadedFiles/Industry_Resources/FS_WP_ISC%20Study_020811_MLW_Web.pdf
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

Comments

  • JDMurray Admin Posts: 13,101
    A study sponsored by the National Coffee Marketing board finds that drinking coffee (seems to) cure baldness.

    A study sponsored by the Very Big Chocolate Company of America finds that eating chocolate every day fights tooth decay.

    A study sponsored by PepsCokInc finds that 4 out of 5 people surveyed prefer High Fructose Corn Syrup be fed to them intravenously.

    A study sponsored by Polyester Manufacturers Unlimited finds that most people who die in automobile accidents are, in fact, wearing clothes made mostly of cotton.


    But seriously...

    Shouldn't the outlook for employment as a security professional be rather bleak if we were actually doing a good job of designing, implementing, and maintaining effective security policies, processes, and technologies?
  • cisco_certs Member Posts: 119
    It's amazing how much CISSPs are getting paid.


    RANT warning!

    The sad thing is most people in security don't even have the slightest idea how a network works and don't even have security certs at all.

    It's funny how all most of the "security" guys that I know do is scan the system with third-party software that they don't even really understand and do risk assessments. They don't even know how to set up and configure IDS/IPS. Also, they don't know what to do when getting attacked. They don't even know how to check logs on switches and routers.
  • docrice Member Posts: 1,706
    Really? Is this issue with the majority of (seemingly incompetent and well-paid) CISSPs a common thing in the industry? I'm not asking this rhetorically since I had the impression that most CISSPs were generally very capable in their line of work. I'm planning on attempting that exam this year mainly because it seems to be the common denominator HR requirement for most security-related positions, but it's also an exam that I'm lacking motivation for since 1) it's not as technically oriented compared to the rest of the ones I've done and 2) if an exam requires me to go beyond three hours, my attention span drops off quickly and failure potential increases exponentially.

    I've known one CISSP in my company that I knew from a distance but didn't have a lot of confidence in, and I've interviewed a CISSP years ago for a position my company had open and I didn't get a good feeling about his abilities. Other than that, I surmised that most CISSPs deserve their keep.

    Or are you just referring to infosec workers in general?
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    cisco_certs wrote: »
    It's funny how all most of the "security" guys that I know do is scan the system with third-party software that they don't even really understand and do risk assessments. They don't even know how to set up and configure IDS/IPS. Also, they don't know what to do when getting attacked. They don't even know how to check logs on switches and routers.

    Our company recently went through an audit. I laughed at the CISSP who had not heard of a host-based intrusion detection system. I have only met a few, but every CISSP I have met has been super cocky and less than impressive.
  • cisco_certs Member Posts: 119
    I think the issue here is HR or security in general doesn't know what the CISSP really is for. Like everybody said, the CISSP is as wide as the sea and only a few inches deep. Also, the majority of CISSPs say that it's more for management rather than being technical.

    I don't know, maybe it's the ISC marketing, maybe it's the company that doesn't really know shi* about security and networks.


    My point is if you are a CISSP or work in "security", you should have an in-depth understanding of the network. Most guys that are in a security position don't know what to do when the network is being attacked, don't know how to set up and configure IDS/IPS, don't know how to secure a switch/router, don't know how to create an ACL, don't know how to check logs, etc.

    I'm not saying infosec in general, but the infosec people that I bumped into are sadly like this.

    The question is "How can these guys protect/secure a network if they don't know the network or don't know how to hack?"

    I believe a person should have the knowledge on how to hack a network to be able to defend a network.

    No wonder companies/corporations/gov't get hacked/attacked easily. Don't get me wrong, I'm not bashing the CISSP. I'm planning to take the CISSP sometime next year.
  • docrice Member Posts: 1,706
    I think it's the classic misinterpretation on what a particular certification represents, similar to the "CCNA" brand and how HR and some hiring managers think it's something more than it really is. Unfortunately, you'll get the HR / recruiter types recognizing that over a CCNP. Or a better example in the security space would be accepting a Security+ while dismissing / downplaying the GSEC / GCIA / [fill in your favorite trophy cert]. It's just the nature of the game.

    It'll take a while for companies to start recognizing the CCNP Security, like how many are still looking for MCSE and not MCITP. There are too many certifications and related tiers for managers to really make sense of them.

    But hey, DoD 8570 puts the CISSP in the Tech III bracket so I can understand why many would assume it's technical. To be honest, I've gone through the CISSP materials and while I can appreciate the knowledge it imparts, I don't see myself needing to be intimately familiar with concepts like the Clark-Wilson or Bell-LaPadula models at my day job. I only want the cert for the potential paycheck increase, although I'd hate to admit that.
  • JDMurray Admin Posts: 13,101
    docrice wrote: »
    I don't see myself needing to be intimately familiar with concepts like the Clark-Wilson or Bell-LaPadula models at my day job. I only want the cert for the potential paycheck increase, although I'd hate to admit that.
    This falls dangerously close to the thinking of people in college who are only looking for a degree to get a better job, and complain about having to take classes they see as non-essential, such as history, literature, and most electives. School is meant to broaden your ability to understand what has come before and to see what may come (opportunities) in the future. This requires learning a lot of things that you won't take the time to learn once you are out of school.

    The information in the CBK domains also contains a lot of things you won't take the time to learn after you have passed the exam(s). Having attained these certs allows InfoSec professionals to demonstrate their knowledge and understanding of a wide range of InfoSec topics, including the history of how InfoSec has evolved. The assumption is that the best employers to work for will want this kind of knowledge and background in their best (that is, difficult to replace) employees. Otherwise, employers will just go to the local security tech trade school and hire less-capable people who have been trained only to perform a few specific jobs (that is, people who are easily replaceable).
  • docrice Member Posts: 1,706
    JDMurray wrote: »
    This falls dangerously close to the thinking of people in college who are only looking for a degree to get a better job, and complain about having to take classes they see as non-essential, such as history, literature, and most electives. School is meant to broaden your ability to understand what has come before and to see what may come (opportunities) in the future. This requires learning a lot of things that you won't take the time to learn once you are out of school.

    Yes, I do agree with this. Don't get me wrong, in the long term I can appreciate the knowledge, and in some ways I found the CBK topics interesting since they provide context for what I do. What I meant to convey was that from a daily hands-on perspective in my current job, it's not always immediately relevant from an operational must-know perspective (although everything is relevant to some degree), and my efforts to catch up to other people's technical abilities are causing me impatience. Every time I take another course or read the daily news I feel way behind, and sometimes it just seems like job descriptions list the CISSP because HR knows that's what's popular without taking specific skill sets into account.

    Or maybe I'm just ranting because I'm a slow learner. Probably the latter.
  • CrapMasterZero Member Posts: 29
    docrice wrote: »
    I think it's the classic misinterpretation on what a particular certification represents, similar to the "CCNA" brand and how HR and some hiring managers think it's something more than it really is. Unfortunately, you'll get the HR / recruiter types recognizing that over a CCNP. Or a better example in the security space would be accepting a Security+ while dismissing / downplaying the GSEC / GCIA / [fill in your favorite trophy cert]. It's just the nature of the game.

    It'll take a while for companies to start recognizing the CCNP Security, like how many are still looking for MCSE and not MCITP. There are too many certifications and related tiers for managers to really make sense of them.

    But hey, DoD 8570 puts the CISSP in the Tech III bracket so I can understand why many would assume it's technical. To be honest, I've gone through the CISSP materials and while I can appreciate the knowledge it imparts, I don't see myself needing to be intimately familiar with concepts like the Clark-Wilson or Bell-LaPadula models at my day job. I only want the cert for the potential paycheck increase, although I'd hate to admit that.

    Let's understand that InfoSec (IA or whatever you want to call it) is a big field. I deal with crypto systems, key management, etc. and not with "networks", so knowing Bell-LaPadula, Biba, and other security models is immensely helpful to me. I agree, however, that DoD 8570 is screwed up and the CISSP shouldn't be a Tech III cert.