Cyber security field has 0% unemployment

TheFORCE Member Posts: 2,297 ■■■■■■■■□□
I got an email in my inbox yesterday from a website I subscribe to stating that there is now 0% unemployment in the cyber security field. Had to search online and confirm, so I found multiple articles; below is the link. I guess good news for those who are searching, get your confidence level up. There are 2 job openings for every candidate.

Quote from the article
While zero-percent unemployment rates sounds optimal, it creates a lot of challenges for organizations including retention issues, salary inflation, and sub-par candidates getting jobs they are not qualified for. Companies are going to have to invest heavily in training young cybersecurity professionals who have a combination of technical, business, and soft skills as the talent gap widens

Zero-percent cybersecurity unemployment, 1 million jobs unfilled | CSO Online

Comments

  • tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    Yeah I am studying up to move back into security, auditing and compliance doesn't seem to have near as many opportunities and it seems like 99 percent of the calls I get are for my security background not auditing.
  • EANx Member Posts: 1,077 ■■■■■■■■□□
    The key point from the article, which matches with what I've seen, is the collision between under-qualified candidates and under-funded organizations. Reminds me a lot of the late 90s where companies were trying to hire people with 5 - 7 years of experience with a product that was released the year before and you had a bunch of people who wanted jobs but were rather new to the industry. There will be growing pains on both sides.
  • Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    Wasn't it considered negative unemployment? Either way, I agree with the others, there is a big gap between the ton of people who want to get into the field and the qualified people that are needed.
  • Afaque Member Posts: 9 ■□□□□□□□□□
    Ok right but what are the qualifications and certs required for a candidate to be a Cyber security soldier?
  • EANx Member Posts: 1,077 ■■■■■■■■□□
    Afaque wrote: »
    Ok right but what are the qualifications and certs required for a candidate to be a Cyber security soldier?

    That depends on what you mean by "cyber security soldier." Did you read the article? The following quote lays it out very well:

    "The kind of person who is comfortable sitting in a Security Operations Center (SOC) monitoring sensors and looking for attacks in real time is different from a forensic analyst who enjoys poring through log files in search of signs of an adversarial presence in the network. Similarly, those who enjoy attacking web apps to help the developers see if they left anything unsecured are not likely to be interested in (or capable of) analyzing the source code itself for patterns of weakness. These and many other disciplines are all within the realm of cyber security; anyone interested in a career in this area needs to understand the differences and choose a path that suits them."

    Going into cyber is a lot like going into network admin. In a small organization, that one person is it but elsewhere, there are specialties. My organization is very large, we have compliance personnel and pen-testers and everything in-between. The art you need to figure out is, what part of cyber makes you read when you aren't at work. That's your passion, follow it. Once you know your passion, you can figure out degrees and certs.
  • Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    EANx, completely agree. These articles throw "cyber security" around like it's a specific job title. People interview for a job they think is entry level and ask for 100K because they heard that's what security people get paid. There are a ton of different specialties and trying to say "how do I get ready for them" is wide open because you're likely never going to be an expert in all of them. Figure out what you're interested in and then you can build a path to get there.
  • TheFORCE Member Posts: 2,297 ■■■■■■■■□□
    Also another good point from the article, and also what many of us here have brought up, is that organizations have 3 job tasks/roles to fill but only want to hire 1 person or are only able to fund for 1. That leads them to a unicorn chase. Companies need to start spending money in proper training and provide learning opportunities to their hires. Something that is not even counted towards the budget for many companies.
  • alias454 Member Posts: 648 ■■■■□□□□□□
    It is an interesting situation. In many cases, expectations are unrealistic on both sides. Security is a diverse field, it is hard to pinpoint specific skills that can guarantee one a job. However, that statement rings true for any IT job.
    “I do not seek answers, but rather to understand the question.”
  • Cyberscum Member Posts: 795 ■■■■■□□□□□
    On another interesting note I am starting to see more and more burnout in the infosec field. Just in the last few months I have seen five senior infosec managers split because of the workload and stress level.

    Some of these infosec guys are managing 10-15 C&A packages, sys admin work and training new "cyber security" guys all at once. The field is nuts.

    The pay is nice, but the work is insane and for every new "cyber security" guy we get we have to spend about 4-6 months just getting them spun up enough to actually contribute.

    ...I think it will only get worse....
  • TechGromit Member Posts: 2,156 ■■■■■■■■■□
    EANx wrote: »
    Reminds me a lot of the late 90s where companies were trying to hire people with 5 - 7 years of experience with a product that was released the year before ...

    HR at its finest.
    Still searching for the corner in a round room.
  • Kalabaster Member Posts: 86 ■■□□□□□□□□
    Cyberscum wrote: »
    On another interesting note I am starting to see more and more burnout in the infosec field. Just in the last few months I have seen five senior infosec managers split because of the workload and stress level.

    Some of these infosec guys are managing 10-15 C&A packages, sys admin work and training new "cyber security" guys all at once. The field is nuts.

    The pay is nice, but the work is insane and for every new "cyber security" guy we get we have to spend about 4-6 months just getting them spun up enough to actually contribute.

    ...I think it will only get worse....


    Good. More room for me to move up then :D
    Certifications: A+, Net+, Sec+, Project+, Linux+/LPIC-1/SUSE CLA, C|EH, eWPT, GMON, GWAPT, GCIH, eCPPT, GPEN, GXPN, OSCP, CISSP.
    WGU, BS-IT, Security: C178, C255, C100, C132, C164, C173, C172, C480, C455, ORA1, C182, C168, C394, C393, C451, C698, C697, C176, C456, C483, C170, C175, C169, C299, C246, C247, C376, C179, C278, C459, C463, C435, C436.
    Legend: Completed, In-Progress, Next
  • EnderWiggin Member Posts: 551 ■■■■□□□□□□
    Oh no, those poor corporations, they're gonna have to pay employees a lot of money, and give them great benefits to keep them!

  • markulous Member Posts: 2,394 ■■■■■■■■□□
    Cyberscum wrote: »
    On another interesting note I am starting to see more and more burnout in the infosec field. Just in the last few months I have seen five senior infosec managers split because of the workload and stress level.

    Some of these infosec guys are managing 10-15 C&A packages, sys admin work and training new "cyber security" guys all at once. The field is nuts.

    The pay is nice, but the work is insane and for every new "cyber security" guy we get we have to spend about 4-6 months just getting them spun up enough to actually contribute.

    ...I think it will only get worse....

    If it's that competitive out there, the good thing is that people can just bounce or it'll get better because people are leaving for less stress somewhere else.
  • 636-555-3226 Member Posts: 975 ■■■■■□□□□□
    Negative unemployment in my area. Most infosec jobs go unfilled for months. Qualified people set their own salaries and the hiring company either bites the pillow real hard and takes it or they give up and don't fill the position with a qualified applicant (if they fill it at all).

    InfoSec manager jobs go unfilled for 6 months before the company settles for someone who isn't qualified (usually, but not always, a bad idea). The job description usually puts the schmuck in charge of GRC, but those companies don't even really know what GRC means, other than an auditor said that's who they need to hire. When they settle, they settle for someone who doesn't know what GRC is, either.

    Security analyst/admin/engineer/whatever jobs go unfilled for 6 months before the company either gives up & closes out the position or settles for someone who isn't qualified (not as bad of an idea as above, but still not ideal). The job description for these is the same as mentioned in a post above - the unicorn. Most seek an entry-level person with 1-5 years of experience (recent undergrad CS/CIS/infosec degree acceptable) with CISSP preferred (starting to see more asking for GSEC & CEH). The position requires experience with (and puts you in full daily charge of) AV, network & host DLP, FDE, SIEM, network & host IPS, Firewalls, MFA, vulnerability management, forensics, & GRC (yes, most put that in here, usually b/c they don't know what it means but see it in other positions that other clueless people put in their new hire listings). And when it comes down to it they say since they priced it as an entry-level role they're only willing to do 40-50k, equivalent to their level 2/3 support. These postings are more laughable than the infosec manager postings.

    This story is true for every single job posting in my area (near a major metropolitan region) for at least the last few years.

    And, yes, this is part of the reason that companies keep getting hacked.
  • TranceSoulBrother Member Posts: 215
    When I was overseas, I was trying to hire for two contractor positions on the base where I was deployed.
    I spent a lot of time creating a comprehensive but not restrictive job description and requirements for all of them (SharePoint admin, network admin and security spec). Of course, the stupid idiots up top kept gutting the job and the requirements to such an effect that a year later, they had only hired for a SharePoint guy and only because the company was trying to keep the contract or whatever...Performance metrics, degree and experience requirements...they either wanted more or argued for less but kept fighting me on my specific requirements (which were pretty informed and moderate to begin with). Just to say, that unemployment or not, managers and HR people should hire people and understand the current market dynamics instead of lamenting about them at the watercooler.
    Managers should understand that the field in its current hotness will attract the forklift driver and waitress willing to make a change, or the college student going toward a good field. Heck, if there's such a need, why can't we have corporate initiatives to hire and train these unemployed 45-50 white males (per Business Week) that are being ignored by the current recovering economy?
  • Mike7 Member Posts: 1,107 ■■■■□□□□□□
    Managers should understand that the field in its current hotness will attract the forklift driver and waitress willing to make a change, or the college student going toward a good field.


    I suspect we will see more of such folks trying to get into cyber security. For many people, this is because their jobs are being automated by technology.

    From Automation and anxiety | The Economist
    In a widely noted study published in 2013, Carl Benedikt Frey and Michael Osborne examined the probability of computerisation for 702 occupations and found that 47% of workers in America had jobs at high risk of potential automation. In particular, they warned that most workers in transport and logistics (such as taxi and delivery drivers) and office support (such as receptionists and security guards) “are likely to be substituted by computer capital”, and that many workers in sales and services (such as cashiers, counter and rental clerks, telemarketers and accountants) also faced a high risk of computerisation. They concluded that “recent developments in machine learning will put a substantial share of employment, across a wide range of occupations, at risk in the near future.”

    The "problem" is that your typical cybersecurity job requires a certain level of knowledge and mindset. A cybersecurity person is not only capable of doing what the normal IT person does; he is able to improve and defend it as well. He knows how things work and also how to make it fail.
  • LinuxRacr Member Posts: 653 ■■■■□□□□□□
    Mike7 wrote: »
    I suspect we will see more of such folks trying to get into cyber security. For many people, this is because their jobs are being automated by technology.

    From Automation and anxiety | The Economist

    The company I work for now started a huge initiative last year toward automation with tools like Ansible, Puppet, and other Dev Ops tools. Learning of this my first week on the job, helped me to see the handwriting on the wall. As a result, I dove in and learned Ansible, and became familiar with using GIT repo tools. Having automation knowledge will be key going forward. You can either be automated out of a job, or do the automating.

    Mike7 wrote: »
    The "problem" is that your typical cybersecurity job requires a certain level of knowledge and mindset. A cybersecurity person is not only capable of doing what the normal IT person does; he is able to improve and defend it as well. He knows how things work and also how to make it fail.

    This is certainly true. I've been in I.T. for over 15 years, and in 2010, started making moves into the security-focused jobs. Since then, I've worked for two security companies, in a cloud engineer capacity, but was able to learn a bunch of security-focused knowledge. The company I work for now specializes in PKI, and other identity and authentication tools. This helped me to realize what I didn't know, and that I shouldn't just jump into taking the CISSP exam, and that I should take my time to develop deeper understanding. I recently finished up my B.S. in I.T. (security), and now have more time to focus on the deeper learning, and labbing. Yes, I intend to take the CEH. I mean, I may as well on my way to my ultimate goals, right? I also intend to take on the OSCP. Even if I do not do pen-testing, the understanding gained is worth it to me.
    My WGU B.S. IT - Security Progress : Transferred In|Remaining|In Progress|Completed
    AGC1, CLC1, GAC1, INC1, CTV1, INT1, BVC1, TBP1, TCP1, QLT1, HHT1, QBT1, BBC1 (39 CUs), (0 CUs) (0 CUs)
    WFV1, BNC1, EAV1, EBV1, COV1 | MGC1, IWC1 | CQV1, CNV1, IWT1, RIT1 | DRV1, DSV1, TPV1, CVV1 | EUP1, EUC1, DHV1| CUV1, C173 | BOV1, CJV1, TXP1, TXC1 | TYP1, TYC1, SBT1, RGT1 (84 CUs) DONE!
  • SaSkiller Member Posts: 337 ■■■□□□□□□□
    Many of you bring up good points. I think it is fair to say there is low unemployment for the field as a whole for qualified candidates, but there is a serious lack of positions that are technical that have an impact. So many compliance positions, so many positions where you deal with incidents but have no capability to fix the root cause.
    OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
  • UnixGuy Mod Posts: 4,567 Mod
    ...

    InfoSec manager jobs go unfilled for 6 months before the company settles for someone who isn't qualified (usually, but not always, a bad idea). The job description usually puts the schmuck in charge of GRC, but those companies don't even really know what GRC means, other than an auditor said that's who they need to hire. When they settle, they settle for someone who doesn't know what GRC is, either.

    .....

    Is it just me or is the solution to this 'problem' an obvious and a straightforward one? Hire an auditor (with brains) and train them for GRC?
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • Remedymp Member Posts: 834 ■■■■□□□□□□
    We're a multi-billion dollar company and they still don't want to pay for training and they need a resource for a second shift and they also don't want to pay for that either. So, they're making all the L1's work one night a week to fill the second shift responsibilities.

    $63 billion and they don't want to spend money on training nor hire an actual resource for a dedicated shift.

    I don't feel sorry for any company that gets bitten by some insider threat or an outside actor who are too stingy to fund their operations properly.
  • Priston Member Posts: 999 ■■■■□□□□□□
    Obviously, if you don't have a job, you don't work in cyber security...
    A.A.S. in Networking Technologies
    A+, Network+, CCNA