Cybersecurity skills shortage, is it real?

So you in Cybersecurity, and your company has been trying so hard to find qualified Cybersecurity candidates but without much success. Your company is frustrated by the lack of qualified candidates, and the qualified candidates seem to ask for unrealistic $$$

You even interviewed some candidates and you did not like what you see.

My question is....

1) What skills are you actually looking for? Splunk? Nessus? Risk assessment? Penetration testers with OSCP? Candidates who passed GCFA and can do Memory Forensics?

2) How hard do you think it is to get a candidate and give them time to get proficient with Splunk? How is it different than, say, Network engineering where you give a candidate time to get familiar with a certain network gear? Why is Splunk so hard to master? Is Splunk the problem?

3) How crucial are those skills? Are you being unrealistic? How often do you have to do Memory Forensics (as an example) ? Do you think it's a transferable skill that a good experienced Systems/Network Engineer can pickup?

I'm just trying to understand, because I spent time in Systems Engineering and various parts of Security, and I didn't find Cybersecurity particularly harder so I'm trying to identify the source of the problem here.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

EANx

Supply and demand. Everyone is told to go to college to the point that you need a BA in Gender Studies in order to ask "Do you want whip with that?" Someone who enjoys working with their hands and likes machinery can make a lot of money in many fields.

UnixGuy

EANx wrote: »

Supply and demand. Everyone is told to go to college to the point that you need a BA in Gender Studies in order to ask "Do you want whip with that?" Someone who enjoys working with their hands and likes machinery can make a lot of money in many fields.

Good point. Another one of those if knew then what I know now...

live and learn

kiki162

+1 beads

Gonna throw another question to consider here.

If your company is posting a position where the job is only located in X city, and there's ZERO mention of "remote candidates" in the description, don't you think that could be part of the problem? Companies are selling themselves short with getting good candidates. I get that some positions will have to be in the office, or the company doesn't support a "remote workforce." I've seen cases where HR depts post multiple jobs in 5 or 6 cities where they don't have offices, and there's only 1 or 2 spots available.

Setting the potential during the interview process is key. Giving the candidate a test or two to see their potential can help, plus asking the right questions. Anyone at the end of the day just need the opportunity. Having employees that are willing to mentor and a continuous learning mindset goes a long way.

Danielm7

kiki162 wrote: »

there's ZERO mention of "remote candidates" in the description, don't you think that could be part of the problem?

That could be part of the problem with any job, security being remote isn't much different than most other IT functions, or many other business functions as well. That all comes down to company culture as well. Many companies believe that if they can't see you working, then you're not working. While that's stupid, and I'm WFH often myself, it's the way they are. I think if all security jobs were remote you'd just fill more of them in the big cities for the higher salaries and then all the small/med businesses and the rest of the country couldn't find anyone.

LonerVamp

Still attempting to read and digest this excellent thread.

I can at least say that security is a weird place. You have to know what you're doing to be effective. This means the newbies have an even harder road up than even normal technical IT folks. But, it's also easier to fake it or slip in, for two reasons. First, it's hard to understand, so it's hard for a client/customer/employer to know you're doing a good job or not. Second, it's hard to prove security without a devastating event, and hard to prove the value of security. Sure, you bounce off 1000 attacks a day, but ....

UnixGuy

kiki162 wrote: »

...

Setting the potential during the interview process is key. Giving the candidate a test or two to see their potential can help, plus asking the right questions. Anyone at the end of the day just need the opportunity. Having employees that are willing to mentor and a continuous learning mindset goes a long way.

100% agree! If a company is struggling to find a junior 'anything', it's almost always the company's fault. By definition, a junior is someone willing to be trained, and Security is the flavor of the year. I've lost count of the number of IT pros asking me how to get into 'security'. we get plenty posts like this every month on this forum. That's why I think we need to solve this problem from the company side

UnixGuy

LonerVamp wrote: »

.... But, it's also easier to fake it or slip in, for two reasons. First, it's hard to understand, so it's hard for a client/customer/employer to know you're doing a good job or not. Second, it's hard to prove security without a devastating event, and hard to prove the value of security. Sure, you bounce off 1000 attacks a day, but ....

yes, and it makes an unpleasant field to work in at times. Nothing worse than having a colleague who is loud and abrasive. They will talk all day long and try to one up everyone all the time.

Enter Topper!

JDMurray

kiki162 wrote: »

If your company is posting a position where the job is only located in X city, and there's ZERO mention of "remote candidates" in the description

SecOps jobs are often in a centralized in a single facility (SOC) and not in multiple remote facilities like you find with NetOps people working in multiple DCs and NOCs. It's more likely Security Architect & Engineering people will be able to work remotely and be geographically dispersed.

IronmanX

I believe there is a skill gap and alot of the problem is trying to find skilled workers within X amount of KM.

I've noticed companies have no problem hiring vendors whos support will be 100s of KMs away, but hiring someone directly who will work remotly is seen as a big no no.

IronmanX

Funny seeing people posting about software devs getting paid more, must be due to the area.

Quick google search the average in Canada for a Software Dev is 62k and the average for a pen tester is 98k.

Which makes sense to me for nemerous reasons.

NetworkNewb

1 km equals about .62 miles for those unsure.

Comment above just made me smile reading KMs.

gkca

NetworkNewb wrote: »

1 km equals about .62 miles for those unsure.

Comment above just made me smile reading KMs.

Ha, imagine how much fun it is when we discuss the weather with my WGU mentor

hurricane1091

Anyone ever transition from network engineering to cyber security? I don't mean going from configuring routers/switches to firewalls/vpn obviously. Studying for the CySA+ (to re-new my other CompTIA certs) and would consider going further on the knowledge train if it meant a possibility to switch over. Unsure how that would happen and unsure how much of a pay cut that would involve, so I'm curious if anyone here has done it.

UnixGuy

hurricane1091 wrote: »

... Unsure how that would happen and unsure how much of a pay cut that would involve, so I'm curious if anyone here has done it.

No one can answer this question because every situation is unique. You may have to get a paycut or you may get a pay rise. My first jump from system engineering to security I got a slight pay increase, the next job I got a slight cut, then a raise. It depends on the employer. Having a networking background is excellent. Just cert up on more security and apply for security jobs, someone will give you a chance. Plenty of threads around here on this topic

EANx

IronmanX wrote: »

I've noticed companies have no problem hiring vendors whos support will be 100s of KMs away, but hiring someone directly who will work remotly is seen as a big no no.

I would assume the service from those companies comes with a measurable SLA negotiated by someone other than a front-line supervisor.

ITHokie

Regarding compensation for security roles, one thing I noticed is that when UK recruiters reach out to me, rates are significantly lower than what I can command in the US (or most other Western nations). Even for London. I mean, they often weren't even close. What's the deal with that?

Edit: In case there's any confusion, the comparison is based on rates after currency conversion.

PC509

ITHokie wrote: »

Regarding compensation for security roles, one thing I noticed is that when UK recruiters reach out to me, rates are significantly lower than what I can command in the US (or most other Western nations). Even for London. I mean, they often weren't even close. What's the deal with that?

Are there a lot of openings in the UK? I was looking at relocating over there for a couple years, but it looks like the job market is very much aimed at hiring their own before reaching out for work visas. A lot of jobs, but I'm not sure how many for Americans.

For a lot of people, we've worked with security for a long time. Just not with the 'official' title. That looks like it's going to be a burden for me next year when I move positions.

ITHokie

PC509 wrote: »

Are there a lot of openings in the UK?

I've never actively looked so I don't really know - this is just based on when recruiters have contacted me. It used to happen more frequently when I was in Germany. No surprise there.

UnixGuy

ITHokie wrote: »

Regarding compensation for security roles, one thing I noticed is that when UK recruiters reach out to me, rates are significantly lower than what I can command in the US (or most other Western nations). Even for London. I mean, they often weren't even close. What's the deal with that?

Edit: In case there's any confusion, the comparison is based on rates after currency conversion.

Don't compare dollar for dollar, anywhere in Europe will seem significantly less than the US. Living costs are different, taxation is different...everything in different. Salaries in UK are low in general though

Sheiko37

The issue as I see it is a lack of overall coherence in security. It's not that there's a lack of skill, more that companies don't know what they need to get to where they want to be.

That's why I see people both wildly over and under paid. The wrong person is put in the seat, and the right person often stagnates somewhere else. There's high demand for certifications that may help someone get hired, but offer almost nothing in tangible results. The job openings are mostly senior positions - they want someone to tell them all the answers. The skilled have high job turnover because they're not being applied properly.

I certainly don't have the answers. I'm equally as lost, where can I train today to be the most relevant and helpful tomorrow?

victor.s.andrei

Sheiko37 wrote: »

The issue as I see it is a lack of overall coherence in security. It's not that there's a lack of skill, more that companies don't know what they need to get to where they want to be.

The lack of coherence that you refer to is not just in security - it's in information technology outright.

Most companies are utterly clueless...I suppose one can't expect much to begin with from a crop of professional bean counters, many of whom have little to no technical acumen (or the humility to admit their shortcomings). In fact, most companies claim that they want people who can do both business and the technology - but then we all know what happens (or rather, what doesn't happen). Then, companies claim there's a skill shortage, except it turns out that they don't want to invest in their people and/or they want to pay as little as possible.

Frankly, the only way companies will wise up is if the government steps in, creates real data and privacy regulations, and enforces the regulations with sharp razor-edged dollar-sign shaped teeth...and not just on the companies but on the professional management, personally. (We all saw the ruckus that the EU's GDPR raised in the not-so-distant past.

)

UnixGuy

victor.s.andrei wrote: »

Most companies are utterly clueless..

We are the 'companies' if you think about it. If we as professionals fail to write proper job descriptions, have expectations that are not clearly stated in job descriptions, or when we as IT pros vent aimlessly to management....that's when problems. I'm sure management didn't wake up one day and decided that there is a shortage of InfoSec profs, it's the InfoSec pros complaining that they can't find someone as qualified and awesome as they are ..and failing to put an effort to actually find someone or train someone. Venting that the candidates are not good enough is a lot easier than coming up with an actionable plan of how to train existing talents, find fresh grads who want to learn, or simply write better job descriptions.

I know that's not the whole problem, but that seems to be well within our control as professionals.

hurricane1091

UnixGuy wrote: »

No one can answer this question because every situation is unique. You may have to get a paycut or you may get a pay rise. My first jump from system engineering to security I got a slight pay increase, the next job I got a slight cut, then a raise. It depends on the employer. Having a networking background is excellent. Just cert up on more security and apply for security jobs, someone will give you a chance. Plenty of threads around here on this topic

Yeah, I looked around a bit. Found a couple blokes over on another site which some input, but was looking for better/more recent experiences.

NiTech-5

I've seen lots of 'entry-level' positions that want 5+ years of experience.

NetworkNewb

NiTech-5 wrote: »

I've seen lots of 'entry-level' positions that want 5+ years of experience.

Not that crazy when talking about security positions. Alot of IT positions will cover security duties to get the experience. Then there is the whole thing about people thinking you actually need to fit all the "requirements" a job ad has... Some might be a little over the top, but bottom line is if you think you can do a position and want it, apply to it.

Kapital

I can add to this thread from my limited experience with job hunting. I can confirm what many have mentioned here that the skills shortage is a myth and utter BS - essentially the companies want to acquire ready to deploy and milk employee rather than impart basic training. In many cases people who are rejected dont even need much of a training, just a basic job shadowing for few days. But the long wish list of skills, HR, hiring managers make it impossible for someone to even get a chance to make the pitch during interview.
victor's post above is right on the ball and so is Unixguy's. The new positions are trying to fill several skills gaps with 1 employee resulting in needless resume falsifying.
Sometimes I really wonder why hiring managers are unable to see potential in a candidate as against his past expereince. Is it because they don't want to take a chance with their own job or are they utterly incompetent in this aspect?

paul78

Interesting thread. There's definitely a demand for infosec professionals and I suspect that in some industries, the perceived lack is likely a combination of supply at an affordable cost and talent quality.

Most of the hype around lack of talent supply is usually self-serving. And you can find that in pretty much every profession. For example, in some parts of the US, there's a shortage of qualified plumbers. And I've heard that there's generally a shortage in skilled trades such as electricians. And for the past decade, there's been impending doom in the US repeated due to the shortage of qualified nurses.

There's also been talks about the shortage of software engineers and devops engineers among tech startups in the US.

And I've read that Japan has a massive shortage of network engineers.

It seems like every time I read one of these shortage reports on security, it seems to come from places like recruiting companies, training firms, certification companies, etc.

There's probably a little truth is all of it. Right now, I don't see that hiring security people takes any longer or harder than hiring any other technology area in my little part of the world.

TechGuru80

Well let's take a look at possible areas that could cause a shortage:
-Companies not willing to pay high wages....some companies still see an entry security job, similar to an entry IT job in general. I see postings all the time for security jobs paying $50-70k with a few years of experience required. Honestly, for an entry level security job that isn't terrible, but the higher jobs don't always increase at the same level as a network engineer as an example. I mean really...you want to pay a network engineer $150k and a senior security manager $115k? Give or take some on either side of the number but I have seen gaps similar to this and the responsibility is not equal.

-A lot of the compliance regulations and frameworks are relatively new and have become more and more complex. So complex that to be considered truly skilled, you need at least 5+ years practicing in a compliance environment. Also some compliance regulations translate easier to other environments. I would say if you are proficient in government/defense compliance, you probably will have an easier time in general transitioning to private sector.

-A huge emphasis especially in recent years has been for people trying to always be in a red team role. This helps a lot with finding issues that exist but mitigation becomes a struggle because a pen tester might know something is wrong but not know how to recommend a fix...especially when it comes to specific technologies (ex. Cisco) and not general knowledge (don't permit any any in firewall rules).

-For training, companies are either a. not willing to pay for training, b. will pay a little for what technologies are specifically deployed, or c. will provide a lot of funding. This forces a lot of the advanced knowledge to be heavily weighted towards the companies with big budgets because driven people in this profession want to get lots of training. Additionally, although people can learn a lot of information with less expensive resources, there is a significant time gap when you have to learn things on your own versus going to a SANS course where you get the heavy hitter techniques condensed into several books.

-One of the last reasons I can think of off the top of my head is that companies make job postings that include every single technology and aspect of security and are unreasonable when it comes to compromise. This tends to happen in small to mid size companies more often because people are required to wear multiple hats, unlike large organizations where they can have several teams doing different work......but the longer you take because somebody isn't exactly perfect can result in significant risk to the organization.

Kapital

if a shortfall truly exists then don't you think industry leaders and employers will be embracing and chasing applicants who have 75% of skill set they are looking for.
But is that happening at all?
I have sent out a few resumes so far, despite having multi year experience, the talks breakdown when it comes to me not having experience in a financial institute. As if it is somethign that will take me years to achieve.
If there was a shorage, these employers would have been tripping over each others' heels to grab applicants but I dont know of a single case where an employer actually picked up a phone and talked to applicant to try to meet in the middle.

hurricane1091

Job market is great right now but the experience companies want versus the pay they provide has not really improved I have found.