Cyber Security Hiring Challenges: [Research Request]

Hi TE,

I've been on this board for a few years now and have my own ideas and experiences from working in cyber security. However, I'm doing some research to gather additional data from the perspective of a few different groups of people. I'm hoping this fine group of people might be able to assist.

I am considering creating a survey, but I would have to write my own questions/responses, which would probably include my own bias' or assumptions. I'm hoping to remove myself from these results as much as possible. I may include a survey if I get some good responses from this thread.

That said, most of us are aware of the 1+ million cybersecurity jobs that are still unfilled. I know there is still a lack of skilled talent compared to jobs, which is why the certification and training markets have exploded. But those resources only help you qualify for the job, not find the job. And if you do find the job, how do you secure the job? I have personally witnessed the challenges the job seeker faces as well as the recruiter/hiring manager.

From my perspective, there are 2 main groups (Job Seekers / Employers) with around 4-5 sub groups of people in the cyber security job search circle. There could be more or less, which is why I am posting this, to get your perspective. I will list my thoughts below, but if interested in assisting with this research, can you list 3 - 5 things that you think are the pain (or sticking) points / challenges for each group?

As I said, if I get good feedback, then I may create a more detailed survey to hopefully gather more data and arrive at a consensus.

[JOB SEEKERS]

Group 1: The IT Generalist (non-security IT Professional):

This person has worked in IT in some capacity. He or she may have a solid technical background, certs, and skills and
wants to make the jump from general IT/sys admin to cyber security.

Pain Point / Challenges 1 = ?
Pain Point / Challenges 2 = ?
Pain Point / Challenges 3 = ?
Pain Point / Challenges 4 = ?
Pain Point / Challenges 5 = ?

Group 2: The Skilled Transitional (non-IT / Non-Security)

This person doesn't yet work in IT or Cyber and may not have a technical background at all. However, this person is educated and might be a highly skilled project manager, lawyer, analyst, or otherwise an ideal candidate for the transition from one career field to cyber.

Pain Point / Challenges 1 = ?
Pain Point / Challenges 2 = ?
Pain Point / Challenges 3 = ?
Pain Point / Challenges 4 = ?
Pain Point / Challenges 5 = ?

Group 3: The Recent Grad (Educated / But No Experience)

This person has recently graduated college, either with or without a focus on IT technology or security. They could have a 4-year degree, masters, or even PhD. They've heard that Cyber is the place to land a job that will pay enough to help them pay back their expensive student loans. They are young, hence no real experience yet. They are most likely ideal intern candidates.

Pain Point / Challenges 1 = ?
Pain Point / Challenges 2 = ?
Pain Point / Challenges 3 = ?
Pain Point / Challenges 4 = ?
Pain Point / Challenges 5 = ?

Group 4: The Security Professional

This person is already working in cybersecurity, and may already have some to lots of knowledge, skills, certs and experience. He/She is getting bombarded with emails and cold calls everyday with job opportunities by recruiters and staffing agencies. This person values learning and growing their career. He or she may make a career move for the right opportunity, but is selective and knows their worth.

Pain Point / Challenges 1 = ?
Pain Point / Challenges 2 = ?
Pain Point / Challenges 3 = ?
Pain Point / Challenges 4 = ?
Pain Point / Challenges 5 = ?

[EMPLOYERS]

Group 1: The Hiring Manager

Management is pressuring for an expanded cyber workforce in the company to meet their growing list of security needs. The hiring manager needs skilled professionals doing cyber work, but with a lack of applicants and qualified talent, these positions remain unfilled. The hiring manager has to communicate their needs to the recruiter, who generally does the talent search.

Pain Point / Challenges 1 = ?
Pain Point / Challenges 2 = ?
Pain Point / Challenges 3 = ?
Pain Point / Challenges 4 = ?
Pain Point / Challenges 5 = ?

Group 2: The Recruiter

The recruiter (sometimes staffing agency) has lots of hiring to do every day, but more and more cyber reqs are coming across their plate. If they are a technical recruiter, the search is somewhat easier. But as a generalist, the recruiter must find and screen the right candidate based on what information was provided from the hiring manager. There is pressure to hire quickly before talent gets scooped up by other companies.

Pain Point / Challenges 1 = ?
Pain Point / Challenges 2 = ?
Pain Point / Challenges 3 = ?
Pain Point / Challenges 4 = ?
Pain Point / Challenges 5 = ?

Group 3: The Company

The company is growing along with their cyber demands. Depending upon the nature of the company, they might be scared to death of a data breach and following PR backlash. They have many projects, creating either tangibles or software that all require security out of the box. They know that the cyber threats are very real, and the days of bandaid solution security are over. Cyber must be interwoven into their production processes, but talent is scarce and cyber security professionals are expensive.

Pain Point / Challenges 1 = ?
Pain Point / Challenges 2 = ?
Pain Point / Challenges 3 = ?
Pain Point / Challenges 4 = ?
Pain Point / Challenges 5 = ?

Off the top of my head, those are the groups I could come up with. They're could be more, and probably are. I know recent military retirees are often sought based on their backgrounds and access to cyber training. But I'll let the TE crowd add to the list if you can spare a few minutes of your time.

I am doing this research for a writing project that may later get posted on some cyber websites.
I appreciate any help you can provide.

Thank you!

Find more posts tagged with

Comments

jaguaar

I am a bit busy to go through the points you have created but will mention what I have seen and experienced and let you fit the responses to the appropriate category.
It is true that there is a shortage of skilled infosec professionals. But it is even more true that industry wants to whine about problem rather than do anything ANYTHING about it.
"It is true that there is a shortage of skilled infosec professionals." - is a problem. Ask industry what have they done about the solution?
Nothing. They look at a 60+ year old executive retiring or leaving, want to hire a 35 something with 20 years of combined experience in It, IS, Business skills, presentations skills, networks and so. Is it even possible?
Take a look at any job posting portal where infosec jobs are being posted. How many jobs mention that they are willing to train. Zero. How many mention that they want to mentor and groom candidates vs those that are looking for candidates experienced in specific apps and technologies that are in place in these places? 0 vs 100.
That is pretty much about it.

roninkai

Thanks for your response. After I posted this I realized that Thanksgiving may be the wrong day to post something like this. But I finally had the chance to sit down and write it up.

Agreed on your points.

N7Valiant

As an amateur with only an Associate's at the end of this Fall semester, I'm also a bit jaded about this shortage issue. I did jump into InfoSec because of this shortage that my IT instructors touted. The caveat they didn't mention was that this shortage was for qualified individuals in the field, with "qualified" being a Bachelor's or higher. I currently can't afford to go for one financially.

I understand that maybe you don't want to trust the security of your company to a novice, but I would think there might be some way to compromise the need to make sure someone doesn't blow up the security measures with your need to draw in people to the field.

aderon

I've been in Group 1 and Group 4. When in Group 1, depending on what kind of Security jobs you're able to get and what you were doing in IT before (Systems, Networking, etc), you could potentially get in a situation where you're making too much money to make the jump. Not only do you have to add to your skillset and spend a large amount of time learning the new security material, but you also could potentially be getting paid less to do it. I feel like there's a certain point where if you go too far as an "IT Generalist" it can hurt you. You need to make the jump while it's still profitable because even though you're an IT veteran, you're still seen as an entry-level Security employee and the salary will generally reflect that.

From a Group 4 perspective, the hardest part for me has been dealing with offers that could potentially side-line my specialization interests. Once you get enough general security experience, you will get plenty of offers that can potentially take you down a path you don't necessarily want to go but sometimes do, due to the monetary benefits. For example, if you're interested in specializing in reversing and malware analysis, but you're already working as a security architect, you could potentially keep getting security architect offers worth more and more money that sidetrack you from the specialization you really want to work in. I guess this problem is somewhat similar to the issue I had in Group 1, but it's within the different specializations of the security field itself.

N7Valiant

Lol, the offer of too much money sidetracking one's career interest? First world problems XD

McxRisley

I'm in group 4 and I think all 5 of my challenges would be the same thing..... Ignoring the constant barrage of recruiters and job offers when I am perfectly happy where I am.

scaredoftests

What about Equifax? They had a music major of all things in charge of their cybersecurity. LOL

Danielm7

scaredoftests wrote: »

What about Equifax? They had a music major of all things in charge of their cybersecurity. LOL

You do realize lots of top security people out there don't have any degree, or a completely unrelated one? I was listening to a podcast the other day talking about just this, of all the problems, it's funny that people got hung up on her school major.

Anyway, a few points. As for the "no one offers to train" thing. Lots of companies offer training, they don't post it in their job requirements, we all see lots of people here getting company funded training. But, training from the ground up on how to even start in the field? Does any other part of IT past helpdesk even do that? I don't think so. Most of security is very rarely an entry level job, people hiring expect people to have experience already, it might not have to 100% line up exactly but lots of systems/network experience can directly translate to the infosec field.

The most difficulty I've had is in filling spots with people fresh out of school. I'm scheduled to start looking for another security hire in the next month or so, always interesting. Lots of people wanting to get into the field, but getting people actually qualified is really difficult. General passion level was super low. I interviewed maybe 8-10 people from a local highly rated state school all graduated recently with infosec & risk sort of degrees. Most had internships already. Almost none of them could even talk about what was on their resume at all, I wasn't even quizzing them hard, but couldn't even describe projects they listed on their own resume. Didn't read any security news, just not a lot of interest other than "lots of jobs out there!" This was for a Jr analyst level role, paying very well in a medium cost of living area. I eventually caved and just brought someone in from another dept internally who had a lot of interest and wanted to learn.

On the flip side, I interviewed a few people for security director type roles, different experiences but different problems too.

On the company side, I find HR to mostly be more of a hindrance than a help in hiring security folks. They want to do the first level screens, unless it's a contractor then I can, and they let me have the resumes that they like after. I'm concerned they are scratching better people off the list because I always get the ones that have a bad attitude, trumped up/fake resume points but have an MBA and MS from big well known schools. I interviewed a possible director weeks ago who was so bad that people said he was acting like he was going to climb across the table and take a swing at me because I questioned something on his resume. After that, HR wanted reasons why I shot him down because he was their top pick...

N7Valiant

Daniel, I get that experience is king and the major matters little in light of that.

It's just that as someone who will be graduating with an Associate's in IT and has been firing off resumes to several entry-level positions without an interview as of yet(though in fairness, I don't have my degree in hand and I didn't hold any certs when I applied), it seems like a running gag that companies want a Bachelor's Degree.

The Equifax music major thing is the punchline:
It doesn't matter what you have a Bachelor's Degree in, just that you have one.

I used to think that people who took out student loans to get a Bachelor's in Women and Gender Studies probably won't see a good return on their investment. But the Equifax thing to me would probably suggest that companies might be more inclined to give those Gender Study majors more of a shot than someone like me who might have an Associate's in the relevant field, because it says "Bachelor's Degree".

Danielm7

It really depends on the company, the majority of higher level people in my IT group maybe have tech school from 20 years ago and maybe an AS. It's just a different game now. Some places filter by BS degree, some do not. If you're just trying to get in the front door like helpdesk I'd give more credit to someone with an AS who self studied some CompTia certs than someone with a BS and no real interest in technology.

EANx

Any degree has value when companies allow HR to run things but as Daniel alluded to, lack of passion doesn't make up for the fact that someone has a BS in CS. Given someone who has a Masters in CS vs someone with an Associates but talks non-stop about their home lab with an old Dell server running ESXi from VMUG and the VMs with licenses they got from Dreamspark all connecting though VIRL, guess which one I'll pick? If you can get past HR (and I always argue with them about requiring Bachelor's degrees) I will always give someone with passion the benefit of the doubt. You still have to get most of the way there, though. If the requirement is a CCNP and you have CCNA and 1-2 tests passed toward CCNP, that counts. Just CCNA, nope. Passion is bonus points.

TechGuru80

dragonsden wrote: »

[JOB SEEKERS]

Group 1: The IT Generalist (non-security IT Professional):

This person has worked in IT in some capacity. He or she may have a solid technical background, certs, and skills and
wants to make the jump from general IT/sys admin to cyber security.

Has a solid understanding of technology, but lacks a focus on InfoSec.

Fears having to go to a junior position.

Lacks attention to detail, or wants to stick to structured areas such as Cisco R&S that are usually consistent...where as security changes all the time.

Group 2: The Skilled Transitional (non-IT / Non-Security)

This person doesn't yet work in IT or Cyber and may not have a technical background at all. However, this person is educated and might be a highly skilled project manager, lawyer, analyst, or otherwise an ideal candidate for the transition from one career field to cyber.

Has no idea how to develop InfoSec or technical skills.

Is unsure of which area of InfoSec to pursue...technical, compliance, etc. Doesn't know how to use their backgrounds to their advantage.

Feeling overwhelmed.

Group 3: The Recent Grad (Educated / But No Experience)

This person has recently graduated college, either with or without a focus on IT technology or security. They could have a 4-year degree, masters, or even PhD. They've heard that Cyber is the place to land a job that will pay enough to help them pay back their expensive student loans. They are young, hence no real experience yet. They are most likely ideal intern candidates.

Similar to Group 2, but has no work experience to judge where to go (company size, team size, etc.).

Unrealistic salary expectations.

Lack of focus, try to learn too many things at once.

Expectation that they should get more than somebody who does not have a degree or certifications (entitlement).

Group 4: The Security Professional

This person is already working in cybersecurity, and may already have some to lots of knowledge, skills, certs and experience. He/She is getting bombarded with emails and cold calls everyday with job opportunities by recruiters and staffing agencies. This person values learning and growing their career. He or she may make a career move for the right opportunity, but is selective and knows their worth.

Has an idea of their legitimate salary worth, but employers aren't willing to pay.

Difficulty narrowing down choices because companies make certain roles seem more glamorous than they are.

Deciding to stay technical or go management.

[EMPLOYERS]

Group 1: The Hiring Manager

Management is pressuring for an expanded cyber workforce in the company to meet their growing list of security needs. The hiring manager needs skilled professionals doing cyber work, but with a lack of applicants and qualified talent, these positions remain unfilled. The hiring manager has to communicate their needs to the recruiter, who generally does the talent search.

Unrealistic qualification expectations in a single candidate.

Lack of proper salary / training / benefits funding to provide to a candidate.

Lack of support from senior management.

Group 2: The Recruiter

The recruiter (sometimes staffing agency) has lots of hiring to do every day, but more and more cyber reqs are coming across their plate. If they are a technical recruiter, the search is somewhat easier. But as a generalist, the recruiter must find and screen the right candidate based on what information was provided from the hiring manager. There is pressure to hire quickly before talent gets scooped up by other companies.

Lack of understanding of the industry.

Have rigid requirements that essentially make items a checkbox (certs, degrees, etc.).

Slow process with several interview levels lead to a loss of candidates.

Group 3: The Company

The company is growing along with their cyber demands. Depending upon the nature of the company, they might be scared to death of a data breach and following PR backlash. They have many projects, creating either tangibles or software that all require security out of the box. They know that the cyber threats are very real, and the days of bandaid solution security are over. Cyber must be interwoven into their production processes, but talent is scarce and cyber security professionals are expensive.

Lack of true financial penalties make it hard to justify expanding infosec.

Unrealistic salary bands to pay highly qualified candidates.

Lack of senior management support.

Not hiring senior level managers who can build the department.

Answers are above.

roninkai

Thank you for your replies. This is helpful and some good insight. Sorry for the length of the 'help request'. The post is longer than the actual response needed. Anything helps actually. I'm wondering if there are additional groups that I haven't listed.

In my own experience, the IT generalist make the best cyber person . They tend to have a solid technical background, and more passion for the field than the person who simply entered the field for the money. They may not yet understand all of the security concepts, but the application of security and troubleshooting of why security didn't work, clicks in their mind. They go home thinking about the problem, and often return to work with the solution.

While I'm not a hiring manager (yet), I've attended a few interviews for my own team. I honestly feel the question "tell me about your home lab" is valid. Even if nothing else is described, for the fact that they have a home lab indicates a curiosity, passion, and willingness to learn. A passion for cyber cannot be understated. I feel hiring managers and recruiters could do well to put more emphasis on someone's passion to learn and thirst for knowledge vs already having X amount of certs, experience, or degrees.

Blucodex

I have recent experience as a job seeker and then watching my employer recruit for talent.

As a job seeker with a 4 year degree, CISSP, and over 10 years in the field I found getting calls from recruiters and landing interviews pretty easy. Being a low-level network admin (jack of all trades) it was difficult landing the job I wanted. I didn't have a experience with SIEM, threat hunting, or incident response (I did have firewall, AV, web-filtering, vuln. assessment). Ultimately, I was able to land a job at a huge company based upon one of the two hiring managers taking a shot. Job searching would have been easier if I was okay with any job but I had certain criteria I needed to keep my personal progression.

Now as I watch my employer vet candidates the talent pool seems pretty meager. We've lost 2-3 "unicorns" after they agreed to come on board then rescinded. We've had candidates who lied on their resumes or their staffing agency edited their resumes. What has stood out is passion. We have hired people with less experience but have passion and are working on home projects over those will long resumes and aren't passionate. Our team has people from all kinds of backgrounds and we seem to feed of each other so their is some good chi.

Academia isn't really doing the field any favors either. That's another discussion.

So, we have 2+ million open jobs but "nobody" to fill them. I believe the answer is finding the right culture fit with the aptitude to learn, and then develop in-house. The talent that everyone wants seems to already be happy where they are at.

roninkai

Anyone else have a few mins to contribute their thoughts? (even if you don't want to go through each point). Any input helps in my research. I hope to be developing a solution very soon that I will share with the TE community.

Accurs3D

dragonsden wrote: »

Anyone else have a few mins to contribute their thoughts? (even if you do want to go through each point). Any input helps in my research. I hope to be developing a solution very soon that I will share with the TE community.

How much is this solution gonna cost, dragonsden?

roninkai

Well I intend it to be free for people on the job hunt. Paid for the agencies.

cbdudek

I will chime in as someone who was a hiring manager in the past and also a company leader.

Group 1: The Hiring Manager

Pain Point / Challenges 1 = Finding customer service focused security people. IT typically attracts introverted people who have no interest in customer service. The biggest pain point I have found is getting good technical people with good customer service skills.

Pain Point / Challenges 2 = Finding well rounded candidates. I have seen the resumes, and many of them are lacking in one area or another. Cyber security positions require experience, education, and certifications, and many people do not have all three of these areas covered.

Pain Point / Challenges 3 = Finding motivated security people. These are the ones that have experience, education, and certifications covered. If they are fresh graduates, what are they doing in school to help prepare them for the workforce? Are they getting lower end certifications like the security +? Are they getting work experience on campus? At least show us you are motivated for the job. After you get the job, show us you are motivated by continuing your education at home and at work. The passionate security candidates are hard to find.

Group 3: The Company

Pain Point / Challenges 1 = Finding business smart security people. Budgets do exist, and the company cannot afford to buy everything on the market. We need security people who can evaluate the risks of the organization and come up with the appropriate level of protection for assets depending on their value. Help the company reduce risk to a manageable level, not implement 10 products in an attempt to eliminate risk.

Pain Point / Challenges 2 = False sense of security. Just because you have products to protect yourself doesn't mean you are protected. Security is a process and a product. You have to have good processes as well as good products. If you don't have both, then you have a false sense of security.

Pain Point / Challenge 3 = Lack of budget. This is a major issue and some of it is on the executives and some of it is on IT. There are people in IT that cannot explain the necessity to purchase or implement security products. Just like there are executives that don't see it as a necessity. In order for IT to be successful, you have to have both in an organization. If there is a loss of communication or desire on either side, then IT can take steps backwards.

roninkai

Thank you for your feedback. I agree with your points under hiring manager. I tend to see a big gap between what the resume says vs what the candidate actually knows in terms of cyber. Also the motivation and passion are huge criteria. Gimme the guy who geeks out and secures his own home LAN just for fun and practice. He’ll go far in this field.

In my opinion and experience, a really good cyber person comes from taking someone technical in IT and turning them into a security expert. It's much hard to take the 'cert/edu/cyber head knowledge' person, and turn them into a technical person. Not that technical people are all we need, but if you have no idea on the basics of Windows OS / or Linux for example, it's not exactly easy for you to become an advisor on things like security architecture, requirements, etc.

roninkai

This post is a bit dated now. I'm considering re-working/re-posting (maybe with an actual survey) to get a fresh set of answers. I really enjoyed the responses I received before.

LordQarlyn

jaguaar said:

I am a bit busy to go through the points you have created but will mention what I have seen and experienced and let you fit the responses to the appropriate category.
It is true that there is a shortage of skilled infosec professionals. But it is even more true that industry wants to whine about problem rather than do anything ANYTHING about it.
"It is true that there is a shortage of skilled infosec professionals." - is a problem. Ask industry what have they done about the solution?
Nothing. They look at a 60+ year old executive retiring or leaving, want to hire a 35 something with 20 years of combined experience in It, IS, Business skills, presentations skills, networks and so. Is it even possible?
Take a look at any job posting portal where infosec jobs are being posted. How many jobs mention that they are willing to train. Zero. How many mention that they want to mentor and groom candidates vs those that are looking for candidates experienced in specific apps and technologies that are in place in these places? 0 vs 100.
That is pretty much about it.

Agree with your point in bold wholeheartedly. Especially in the US but even to a lesser extent in other countries. Often times it's not even full blown training that's required, just some hands on OJT and showing of the ropes can get the person comfortable in the job to perform it adequately. Meanwhile experienced infosec personnel keep getting poached and bigger and bigger salaries because of the artificial scarcity.

JDMurray

One dimension I see missing from this survey is the scale (size) of the hiring organization. The requirements and resources of companies vary greatly based on their size and scale. I have worked in businesses with as little as 5 employees and others with more than 150K employees. Smaller companies typically have fewer resources to train junior people on complex tasks while larger orgs can have internship programs for people right out of college or the military. Smaller businesses usually require people to be able to perform multiple job functions while larger businesses can silo people into specialized job categories and functions. Smaller orgs have fewer people at the top determining the goals and culture of the company while larger orgs have many people giving input on what the most optimal goals and culture of the org should be.

What this means is that organizations have problems finding specific types of employees for many different reasons specific to the organization, which includes the size of the org and its public popularity, geographical work location(s) offered, and how competitive the salaries and benefits offered are with the current job marketplace. If an org isn't finding acceptable people, it's quite possible the org is not an attractive enough prospect for job seekers who have many opportunities in a very strong economy.

DatabaseHead

scaredoftests said:

What about Equifax? They had a music major of all things in charge of their cybersecurity. LOL

That never gets hold.

OBTW she had a masters in Music as well

LordQarlyn

JDMurray said:

One dimension I see missing from this survey is the scale (size) of the hiring organization. The requirements and resources of companies vary greatly based on their size and scale. I have worked in businesses with as little as 5 employees and others with more than 150K employees. Smaller companies typically have fewer resources to train junior people on complex tasks while larger orgs can have internship programs for people right out of college or the military. Smaller businesses usually require people to be able to perform multiple job functions while larger businesses can silo people into specialized job categories and functions. Smaller orgs have fewer people at the top determining the goals and culture of the company while larger orgs have many people giving input on what the most optimal goals and culture of the org should be.

What this means is that organizations have problems finding specific types of employees for many different reasons specific to the organization, which includes the size of the org and its public popularity, geographical work location(s) offered, and how competitive the salaries and benefits offered are with the current job marketplace. If an org isn't finding acceptable people, it's quite possible the org is not an attractive enough prospect for job seekers who have many opportunities in a very strong economy.

In my own personal experience, it has been the smaller companies that paid for my training, either sending me to courses or extensive on the job training, at least in the telecoms field. They can't afford the big boys, they can't offer enticing pay to newbs either, so they would make up for it by providing training.

TechGromit

I would like to know where the "1+ million cyber security jobs that are still unfilled" figure comes from, I've seen this number toted on other websites as well, but if you look at the department of labor statics, a total of 4.7 million people work in the IT industry in the united States, and only 112,000 work in information security, while I admit some cyber security positions could be miss classified in the survey, this is still a far cry from 1 million. If this is a world wide figure, why do I care if 950,000 of these openings are in china? I don't live in China and the commute is a ****.

Quick Links

All Categories
Recent Posts
Activity
Unanswered
Groups
Best Of