Operations // Careers & People
5/27/2014 06:00 AM
Sara Peters
Commentary

Dark Reading Radio: The Real Reason Security Jobs Remain Vacant

Join us Wednesday, May 28, at 1:00 p.m. Eastern, to learn why good security staff really are not hard to find, if you know what to look for.

Woe is you. You're desperately looking for someone to fill that vacant security position -- to protect your company and to soothe the other hellishly overworked security staff -- but you cannot find anyone qualified for the position.

You may be feeling bad for yourself, but here's the thing: It's all your fault.

Want to know why it's your fault and how to fix it? Then join us tomorrow -- Wednesday, May 28 -- at 1:00 p.m. Eastern Time for the next episode of Dark Reading Radio: "The Real Reason You Can't Fill Vacant Security Jobs."

My guests will be Julie Peeler, head of the ISC(2) foundation, and Mark Aiello, president of Boston-based cyber security staffing firm Cyber360 Solutions. In this episode we will discuss some of the findings of the security section of the InformationWeek IT Salary Survey and explain what they mean to you. Such as:

Security professionals earn more than the average IT worker. The median base salary of IT staff overall is $88,000 annually, compared with $98,000 for security staff. The base salaries of managers are $112,000 and $125,000, respectively. Maybe you are having trouble finding or keeping security staff because you're not paying them enough.

None of the security managers who responded to the survey and only 3 percent of the security staff respondents are age 25 or under. Seventy-eight percent of staff and 87 percent of managers are ages 36 and over. The median number of years that the survey respondents (security staff and management alike) have spent working in the IT profession (security or otherwise) is 18. If you think that you're going to find security professionals in their early 20s who have CISSPs and degrees from prestigious four-year colleges, who will work for $50,000 a year, you are sorely mistaken. Young talent is out there -- maybe you just aren't looking in the right places.

Two-thirds of both staff and managers say they are at least satisfied with their jobs, if not “very satisfied.” And yet 45 percent of staff and 44 percent of managers are looking for new jobs to some degree. Security staff feel so secure in their jobs that they feel confident asking for more money and benefits. If your security pros keep leaving for better jobs, maybe you aren't trying hard enough to retain them.

This will be an essential conversation for anyone who hires security staff and a valuable discussion for everyone in security who wants a better idea of what they're really worth (and how to make sure they get every penny of it).

So register now and join us Wednesday at 1:00 p.m. Eastern Time. Have questions for the guests? Share them in the comments section below or bring them along to the show Wednesday -- we'll be taking questions from the live audience and the guests will join the audience in a live text chat following the broadcast.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Robert McDougal, User Rank: Ninja
5/28/2014 | 5:29:35 PM
Re: Certifications vs Experience
What I have experienced is that the individuals who have the large laundry list of certifications generally view certs as the finish line. Some of the most talented security professionals I know do not have a single cert. The difference is in passion for security or the quest for money.
Paladium, User Rank: Moderator
5/28/2014 | 7:58:27 AM
Certifications vs Experience
Wanted to add to the discussion. I have seen my share of over-certified security professionals that do not have the necessary hands-on experience to support their wealth of certifications. This can be a trap for an organization that 1) does not understand what the problem is they are trying to address in the vacancy, 2) treats large quantities of certifications as giving the impression of "knowledge", often overriding candidates who have extensive hands-on practical experience in the field. Certifications do not mean that the individual can fill the role effectively, or bring the necessary wisdom of cause-and-effect analysis (especially in IR events).

As a rule of thumb I look for three years of direct hands-on experience PER security certification. If they have a CEH then I want to see three years of CEH hands-on experience. If it's a management role then I want to see five years of direct management experience to support that CISM certification. Certifications should be a capstone achievement that *supports* a security professional's accomplishments within the cyber security space. It must never be a replacement for them.

I personally think there is a certification mill out there that is making a lot of money for educational firms, but producing very few actual hands-on experienced candidates to pull from. Great for the education business, not so good for those of us on the front line.
Christian Bryant, User Rank: Ninja
5/27/2014 | 8:56:34 PM
Moderate Fear?
I'd be interested to know how many companies are short on security staff not due to salary but due to a moderate to high fear that hiring talented security professionals opens them up to a potential breach.  Whether the fear is founded or not, I've seen it at work (my perception, not putting words in mouths), and good assets who were rough around the edges were passed over for cleaner but less talented hackers.  Trust is huge, especially when the talent you're looking at might have a criminal record, but it's part of the hiring dance and sometimes a bigger deal breaker than salary.
Kelly Jackson Higgins, User Rank: Strategist
5/27/2014 | 4:10:01 PM
Important topic
This should be a very enlightening and relevant discussion. Can't wait to tune in!