An infosec job market observation here

Just an anecdote, not a thorough research, no stats, just a single observation.

The company I work for recently had an opening for a security engineer. Just your typical position for a guy with 4+ years of experience to do a little bit of everything: configuring tools, responding to incidents. No cert/education reqs, just desired.

HR got back with roughly two dozens of resumes that passed their sanity checks. I believe that all the applicants were required to go over the process on taleo.net and those of you who are familiar with that know that it's quite a task and requires to spend some time filling tons of fields. Roughly ~15-30 minutes to just apply, which could be considered a challenge compared to just hitting two buttons on linkedin or indeed or whatever. There was a field asking the applicants on their salary expectations. This ranged from 80K to 120K. The area is Chicagoland.

So, almost all of them are CISSPs. A few are OSCPs and/or other OffSec certs. >2/3 have various GIAC certs. Experience differs from 5-20+ years in IT Security (not just IT!!!). Big name companies in work experience. We had to pick on things to filter out candidates, like, threw away a resume that mentioned "HIPPA" instead of "HIPAA", but otherwise was perfect. Because how else do you narrow down your search?

The company I work for is a good place, "best places to work", "forbes", "fortune" and other ratings.

My perception is it's quite depressing. Two reasons: too many qualified applicants and they don't ask a lot. Maybe it's just Chicago? Because I'm reading articles everywhere about 0% unemployment rate in this field and a talent shortage. Well, from what I'm gathering from this it's all BS.

Find more posts tagged with

Comments

NetworkNewb

Were these people actually unemployed though? Like you said, you do work for a top company and people probably want to work there.

Danielm7

NetworkNewb wrote: »

Were these people actually unemployed though? Like you said, you do work for a top company and people probably want to work there.

That was my first thought too. Saying they all had CISSPs, 20 years in infosec, etc, doesn't mean they're all home and unemployable. If I had a local place that was a closer commute and everyone considered a great place to work I'd probably apply there too even though my workplace is fine. I bet most of the people that apply at Google are already working somewhere else.

gespenstern

NetworkNewb wrote: »

Were these people actually unemployed though? Like you said, you do work for a top company and people probably want to work there.

I don't think so, all of them are most likely employed, but that would be a not so strong argument in favor of good market for infosec prospects as it implies that all of them aren't satisfied at where they are at currently despite working for big name companies and aren't paid well.

The place I work at isn't anything special, overall all this "fortune 500" or "best places to work" doesn't hold much value either, at any place you are given a computer, a cube and have to put up 40 hours/week of solid work.

The pay is what matters but for 95% of positions out there the pay is on "market" level.

UnixGuy

I'm not following, so the company you work at is "best place" to work, it's expected that good people will apply? or is 80K-120K considered low range in Chicago and you expected qualified candidates to ask for more?

Also, (JUST A PERSONAL OPINION), filtering out candidates who misspelled HIPAA isn't a great way of filtering candidates, what if the candidate is great but for whatever reason they misspelled a letter or MS word did that. Human errors, they happen. Their experience and qualifications should matter more.

volfkhat

That "best" label is Garbage.

I agree with OP.... seems a bit strange.

Maybe OP works for an amazing employer; i guess i could check his linkedin and find out for myself.... but i dont care.

Anecdotally, that sounds like a LOT of resume for a field that is supposedly "short on talent".

TechGromit

gespenstern wrote: »

There was a field asking the applicants on their salary expectations. This ranged from 80K to 120K. The area is Chicagoland.

80k strikes me as really low for the qualifications they appear to have and a major metro area. Personally I wouldn't bother to apply for anything less than 100k.

TechGuru80

The pay people require can be a representation of how qualified they actually are. I've known people that had a CISSP and supposedly 15-20 years of InfoSec yet they literally know very little and their explanation of experience isn't very technical. You can see how many people have GIAC certifications and overall there aren't a ton for each one outside of like GSEC and GCIH so if you are getting a lot of people with them...it's kind of an anomaly. Also, if you have 20 years experience why would you apply to a job that says 4+? The pay in relation will be way lower than somebody with legitimate experience would desire.

UnixGuy

TechGuru80 wrote: »

.. Also, if you have 20 years experience why would you apply to a job that says 4+? The pay in relation will be way lower than somebody with legitimate experience would desire...

Because there simply aren't jobs that require 20 yrs of experience? most jobs will ask for 3-5 yrs or 10+ for *SOME* architecture

What was there 20 yrs ago? Experience with Novel? what do people do with 20 yrs of experience, they gotta apply somewhere. Some people are in contracts and are looking for perm or the opposite, some want a change. Also, your pay doesn't keep on increasing in a linear manner, so 20+ yrs of experience won't be earning much more than 5-10 yrs...depends on so many factors

ITSec14

Hire the one who has had the longest tenure at their last job. IT professional's seem to always be looking for their next jump.

Companies should stop focusing on who looks good on paper and start focusing on the person who makes the best overall fit for the organization. I could care less if you have 20+ years experience and multiple certs. If you don't understand the needs of the organization, then you aren't the right one for the job.

TechGromit

TechGuru80 wrote: »

Also, if you have 20 years experience why would you apply to a job that says 4+?

To be fair, they mean 4 years direct computer security related experience, very few people can claim to have 20 years in computer security.

p@r0tuXus

Based on some other noted experiences that are detailed on this site, I'd imagine that either the job provides experience, benefits, pay, environmental conditions, closer commute opportunities or other similar pros that would be attractive to those in the information security field. I've seen many accounts on this site that refer to jumping companies just to get fair market pay since it wasn't available in their current positions. A job with those listed requisites that has advertised 80-120K in the midwest is a good paying gig, per my researching, so i'm not surprised you had so many bites on it. Being "best places" might attract people who want a better work-place environment with a company that values training and team-building. I know I would.

gespenstern

UnixGuy wrote: »

I'm not following, so the company you work at is "best place" to work, it's expected that good people will apply? or is 80K-120K considered low range in Chicago and you expected qualified candidates to ask for more?

Why would a guy with 20 years of infosec XP, two masters, tons of certs and previous positions as an architect in big name companies apply for this position asking for just a mere 120K? I think it's a serious step down according to this guy's resume.

UnixGuy wrote: »

Also, (JUST A PERSONAL OPINION), filtering out candidates who misspelled HIPAA isn't a great way of filtering candidates, what if the candidate is great but for whatever reason they misspelled a letter or MS word did that. Human errors, they happen. Their experience and qualifications should matter more.

You have to pick on something if the candidates are almost equal. Resume should be proofread, it's your face, if you are sloppy in this chances are you are sloppy in something else, like, work.

Danielm7

gespenstern wrote: »

Why would a guy with 20 years of infosec XP, two masters, tons of certs and previous positions as an architect in big name companies apply for this position asking for just a mere 120K? I think it's a serious step down according to this guy's resume.

We had a glut of them about a year ago, all a ton of experience, turned out a huge company nearby was going under and they planning massive layoffs. At one point 3/4 of our first round of resumes were all from the same company. I guess it could be anything.

When I was hiring for a jr security analyst I got a guy with an MS degree from a good school in info systems, a pile of experience and was already a security engineer. When I asked the recruiter what was up he said "Oh his family is nearby and he currently lives across the country, he wants an anchor job" Um, no thanks, he'd be gone in 10 minutes when he finds a job he was qualified for.

UnixGuy

gespenstern wrote: »

Why would a guy with 20 years of infosec XP, two masters, tons of certs and previous positions as an architect in big name companies apply for this position asking for just a mere 120K? I think it's a serious step down according to this guy's resume.

To be honest, I'd be really curious what InfoSec stuff they were doing 20 yrs ago...they used to be called Sysadmins/Network engineers....

Why not? How much should they ask for? 180K? but how many 180K job openings are out there? Also, just because they were working for 20 years doesn't mean they're too advanced. Most people I meet (in IT and elsewhere life) are somewhere between beginner-advanced beginner. Some reach intermediate...but advanced?? Very Few. Human nature. Efforts to reward ratio applies here...A lot of people stay on intermediate level for a long time...and sometime they have no opportunities to grow more because there simply is no need.

Experience vs Salary expectation is NOT A LINEAR path. InfoSec or any other career in the world. It doesn't work this way, or else everyone will make a million dollars after working for 20 years. No.

Also, I really don't know the circumstances of your company, but some people look for a less stressful position. 120K isn't that bad. Not sure that that specific resume is about to be honest, but it doesn't sound too strange if I'm being honest.

gespenstern wrote: »

You have to pick on something if the candidates are almost equal. Resume should be proofread, it's your face, if you are sloppy in this chances are you are sloppy in something else, like, work.

Sure, this is true. My argument is: you WILL lose out on good candidates this way...and that's exactly what HR does. It may or may not be an indicator of a bad candidate..in my personal experience it wasn't.

gespenstern

UnixGuy wrote: »

To be honest, I'd be really curious what InfoSec stuff they were doing 20 yrs ago...they used to be called Sysadmins/Network engineers....

Many, many things still apply, especially on infosec side which tends to be more in-depth than what sysadmins do. NTFS was there, x86 and i386 assembly knowledge, you have to have just a few reads on new instructions and techniques and operate with 32 or 64 bit registers. Win32 is largely the same. cmd/bat shell is the same. Bash or Korn are the same. Hell, Java is still one of the most dominant languages, but it is from 90-s. Everything CPU hungry is written in C. SMTP is still the same with a few new touches that are easy to learn, like DMARC or DKIM. All PKI related stuff relies on old math and old tech from 70-s and 80-s. HTTP. TCP/IP.

Plus general IT metaknowledge on how things work and how people behave, it always counts.

UnixGuy wrote: »

some people look for a less stressful position. 120K isn't that bad

One or two could be outliers. But what surprised me is we have too many, which shouldn't be happening, what should be happening, according to media reports, is head hunting to fill any open position besides entry-level.

UnixGuy

That's true, technology was there, but how many dedicated InfoSec positions were there? It was mostly part of the job.

Either way, my point was, there is a lot of random reasons like wanting a job change, better working conditions, wanting exposure to new tech, closer to home, contracts finishing...etc.

gespenstern

Danielm7 wrote: »

We had a glut of them about a year ago, all a ton of experience, turned out a huge company nearby was going under and they planning massive layoffs. At one point 3/4 of our first round of resumes were all from the same company. I guess it could be anything.

Yeah... could be Motorola which is still alive and still losing monies. But they don't have Motorola as their last place of work...

oscp

When I browse around security related listings on indeed and other sites it seems like there is always quite a few senior positions listed and relatively few entry level positions. It is a little curious you have so many experienced applicants for a more entry level position

ITSec14

oscp wrote: »

When I browse around security related listings on indeed and other sites it seems like there is always quite a few senior positions listed and relatively few entry level positions. It is a little curious you have so many experienced applicants for a more entry level position

Two words...human resources.

HR doesn't know how to recruit. Oh entry level security analyst? Let's just require 5 years experience, a CISSP and a bachelors degree, but we will prefer a masters...

Ertaz

gespenstern wrote: »

My perception is it's quite depressing. Two reasons: too many qualified applicants and they don't ask a lot. Maybe it's just Chicago? Because I'm reading articles everywhere about 0% unemployment rate in this field and a talent shortage. Well, from what I'm gathering from this it's all BS.

The Midwest, as a market, is a terrible place to earn for tech. You can be the King Kong of infosec here, but be paid like a Zoo gorilla. I really expected Chicago to be better, but alas, I suppose it's not.

boxerboy1168

Pennsylvania sucks for InfoSec, ZERO opportunity. Maybe at the hospital but good luck getting in if your not the managers cousin.

infosec123

It seems as though a LOT of places suck for InfoSec. This whole thread is interesting because like many of you, I have been hearing about this talent shortage for a few years now. Problem is, when you look into it, its not apparent where this shortage is actually taking place. I did a minor-moderate amount of research on this and could not find any peer reviewed studies showing a shortage of infosec pros. From what I have seen, all peer reviewed journals around this topic always mention the source of the shortage information was always a vendor, usually someone selling a product. Here is one example:

Harvard Business Review states the shortage is real and documented, and refers to an ISC2 report as evidence. Sorry, but last time I checked, ISC2 makes a living off getting people certified in cybersecurity related topics, not exactly a neutral source. And if you read the report (which you cant right now since the site where the report is hosted is "undergoing maintenance"), this is what it says:

"This number is compounded by 45 percent of hiring managers reporting that they are struggling to support additional hiring needs and 62 percent of respondents reporting that their organizations have too few information security professionals." Sounds like its not a shortage of qualified cybersecurity pros, but organizations who cant/wont fund the appropriate security staffing needs (welcome to IT). Just my 2 cents, I very well could be wrong, I just havent seen any evidence that shows I am wrong, though if someone has something out there, send it over!

https://hbr.org/2017/05/cybersecurity-has-a-serious-talent-shortage-heres-how-to-fix-it

ITSec14

boxerboy1168 wrote: »

Pennsylvania sucks for InfoSec, ZERO opportunity. Maybe at the hospital but good luck getting in if your not the managers cousin.

Seems like the jobs in security are shifting in the north east toward Boston. Don't hear much about Philly, Pittsburgh or Baltimore. Washington D.C. is always a big one.

dhay13

boxerboy1168 wrote: »

Pennsylvania sucks for InfoSec, ZERO opportunity. Maybe at the hospital but good luck getting in if your not the managers cousin.

100% agree!

JDMurray

The Verizon Threat Management Center (TMC) is hiring incident detection, incident response, digital forensics, and threat intel people in Ashburn, VA, Tampa, FL, Dallas, TX, and Irvine, CA. Entry-level positions are available. You could get lucky and be assigned to me as your manager!

https://careers.verizon.com/

or you can search on LinkedIn: https://www.linkedin.com/jobs/search/?keywords=verizon%20threat&location=Ashburn%2C%20Virginia&locationId=PLACES.us.8-8-0-67-3

JoJoCal19

infosec123 wrote: »

It seems as though a LOT of places suck for InfoSec. This whole thread is interesting because like many of you, I have been hearing about this talent shortage for a few years now. Problem is, when you look into it, its not apparent where this shortage is actually taking place. I did a minor-moderate amount of research on this and could not find any peer reviewed studies showing a shortage of infosec pros. From what I have seen, all peer reviewed journals around this topic always mention the source of the shortage information was always a vendor, usually someone selling a product. Here is one example:

Harvard Business Review states the shortage is real and documented, and refers to an ISC2 report as evidence. Sorry, but last time I checked, ISC2 makes a living off getting people certified in cybersecurity related topics, not exactly a neutral source. And if you read the report (which you cant right now since the site where the report is hosted is "undergoing maintenance"), this is what it says:

"This number is compounded by 45 percent of hiring managers reporting that they are struggling to support additional hiring needs and 62 percent of respondents reporting that their organizations have too few information security professionals." Sounds like its not a shortage of qualified cybersecurity pros, but organizations who cant/wont fund the appropriate security staffing needs (welcome to IT). Just my 2 cents, I very well could be wrong, I just havent seen any evidence that shows I am wrong, though if someone has something out there, send it over!

https://hbr.org/2017/05/cybersecurity-has-a-serious-talent-shortage-heres-how-to-fix-it

I honestly think that is a big part of where the shortage narrative has come from. I also think the ACTUAL shortage is being either enough folks with DEEP technical security experience or DEEP high level GRC/management skills, who can stand up or revamp entire security departments and security governance. I say that, because since the Target (and then others following) attacks gained mass MSM exposure, companies started taking security seriously, and all rushed out to hire the afore mentioned people, which there just aren't enough to go around for everyone who wants to hire now, hence the shortage.

volfkhat

^ I think you're on to something here...

dustervoice

infosec123 wrote: »

It seems as though a LOT of places suck for InfoSec. This whole thread is interesting because like many of you, I have been hearing about this talent shortage for a few years now. Problem is, when you look into it, its not apparent where this shortage is actually taking place. I did a minor-moderate amount of research on this and could not find any peer reviewed studies showing a shortage of infosec pros. From what I have seen, all peer reviewed journals around this topic always mention the source of the shortage information was always a vendor, usually someone selling a product. Here is one example:

Harvard Business Review states the shortage is real and documented, and refers to an ISC2 report as evidence. Sorry, but last time I checked, ISC2 makes a living off getting people certified in cybersecurity related topics, not exactly a neutral source. And if you read the report (which you cant right now since the site where the report is hosted is "undergoing maintenance"), this is what it says:

"This number is compounded by 45 percent of hiring managers reporting that they are struggling to support additional hiring needs and 62 percent of respondents reporting that their organizations have too few information security professionals." Sounds like its not a shortage of qualified cybersecurity pros, but organizations who cant/wont fund the appropriate security staffing needs (welcome to IT). Just my 2 cents, I very well could be wrong, I just havent seen any evidence that shows I am wrong, though if someone has something out there, send it over!

https://hbr.org/2017/05/cybersecurity-has-a-serious-talent-shortage-heres-how-to-fix-it

Agree 100% I dont know where the shortage is. A job gets posted and you have 5000 applicants.

infosecs

I would agree with OP 100% based on what I have experienced in Toronto area. There are way too manu CISSPs, GIACs, CISAs and other well qualified and experienced guys in the market who are switching jobs every few months and at least every other year. This massive flux is causing a glut of resumes for the jobs that are showing up. There are lots of jobs being posted everyweek, no doubt about it BUT there is no skills or talent shortage. There is rather oversupply as so many are jumping ship in order to rise fast. I know of at least two CISSPs with 4+ years experience who have not landed a single job offer in 4 months.
I have not seen a single job ad. where employers are willing to train and accept sysadmin or even network security professionals for jobs that require some GRC or risk assessment work. Everyone is looking for 5+ years of specific experience and claiming talent shortage.

LionelTeo

I think I am getting where TC is coming from in terms of cert + experience vs salary scaling (ignore me if I am wrong). However, think we all can agree that cert and experience do little to nothing to help a candidate to ace an interview other than giving a better impression prior to the interview and to help beat applicant tracking systems. Some certs will end up doing more harm than good as the interview may ask deep technical questions relevant to the cert.

Based on my experience, I had worked with some new graduates who I can swear that they have the technical capabilities better than me or any other professionals with more than 10 years of experience. I am not sure if you what is your feel like after interviewing some of the candidates. As I can firmly says that while there are so many professionals out there having good relevant certs and experience, a good portion of them are nowhere near in being suitable for even T1 roles in a high-end high skill environment. Some barely make it and only 1 out of about 100 fits the criteria to be suitable for a T2 support. Note that the role I am talking about is not restricted to local candidates only.

Even though most infosec professionals had good certs and experience on paper, it may not be relevant at all. Although it depends on what candidates you are looking at. As a handful of them are from the audit compliance side and had no idea how to troubleshoot a problem they are looking at. Another handful does not just have the relevant experience after considering the diversity of technical work in infosec, and they may not be suitable for the role you are opening up at all.