5/27/2014
06:00 AM
Sara Peters
Commentary

Dark Reading Radio: The Real Reason Security Jobs Remain Vacant

Join us Wednesday, May 28, at 1:00 p.m. Eastern, to learn why good security staff really are not hard to find, if you know what to look for.

Woe is you. You're desperately looking for someone to fill that vacant security position -- to protect your company and to soothe the other hellishly overworked security staff -- but you cannot find anyone qualified for the position.

You may be feeling bad for yourself, but here's the thing: It's all your fault.

Want to know why it's your fault and how to fix it? Then join us tomorrow -- Wednesday, May 28 -- at 1:00 p.m. Eastern Time for the next episode of Dark Reading Radio: "The Real Reason You Can't Fill Vacant Security Jobs."

My guests will be Julie Peeler, head of the ISC(2) foundation, and Mark Aiello, president of Boston-based cyber security staffing firm Cyber360 Solutions. In this episode we will discuss some of the findings of the security section of the InformationWeek IT Salary Survey and explain what they mean to you, such as:

Security professionals earn more than the average IT worker. The median base salary of IT staff overall is $88,000 annually, compared with $98,000 for security staff. The base salaries of managers are $112,000 and $125,000, respectively. Maybe you are having trouble finding or keeping security staff because you're not paying them enough.

None of the security managers who responded to the survey and only 3 percent of the security staff respondents are age 25 or under. Seventy-eight percent of staff and 87 percent of managers are ages 36 and over. The median number of years that the survey respondents (security staff and management alike) have spent working in the IT profession (security or otherwise) is 18. If you think that you're going to find security professionals in their early 20s who have CISSPs and degrees from prestigious four-year colleges, who will work for $50,000 a year, you are sorely mistaken. Young talent is out there -- maybe you just aren't looking in the right places.

Two-thirds of both staff and managers say they are at least satisfied with their jobs, if not “very satisfied.” And yet 45 percent of staff and 44 percent of managers are looking for new jobs to some degree. Security staff feel so secure in their jobs that they feel confident asking for more money and benefits. If your security pros keep leaving for better jobs, maybe you aren't trying hard enough to retain them.

This will be an essential conversation for anyone who hires security staff and a valuable discussion for everyone in security who wants a better idea of what they're really worth (and how to make sure they get every penny of it).

So register now and join us Wednesday at 1:00 p.m. Eastern Time. Have questions for the guests? Share them in the comments section below or bring them along to the show Wednesday -- we'll be taking questions from the live audience and the guests will join the audience in a live text chat following the broadcast.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
 

Comments
fabipefi
User Rank: Apprentice
7/28/2014 | 2:51:31 PM
Re: Certifications vs Experience
"As Governor, I'll battle regarding jobs and Iowa employees, not outsource jobs like my Democratic challenger and Governor Master," Hulsey stated.

The evaluation demonstrates how Burke company-has her father's organization Journey bicycles that outsourcing over 99PERCENT of the production to Taiwan and China wherever they spend employees less than MONEYTHREE each hour.

Condition Consultant Brett Hulsey MNS acts about the Assemblage Work, Power, and Tourisms Committees, offers university levels in Politics Economy and Organic Technology, was a Dane County Boss regarding fourteen decades, has an energy and ecological consulting company, and assisted develop two sophisticated Iowa bioenergy crops.
Robert McDougal
User Rank: Ninja
5/28/2014 | 5:29:35 PM
Re: Certifications vs Experience
What I have experienced is that the individuals who have the large laundry list of certifications generally view certs as the finish line.  Some of the most talented security professionals I know do not have a single cert.  The difference is in passion for security of the quest for money.
Paladium
User Rank: Moderator
5/28/2014 | 7:58:27 AM
Certifications vs Experience
Wanted to add to the discussion. I have seen my share of over-certified security professionals that do not have the necessary hands-on experience to support their wealth of certifications. This can be a trap for an organization who 1) do not understand what the problem is they are trying to address in the vacancy, 2) large quantities of certifications give the impression of "knowledge", often overriding candidates who have extensive hands-on practical experience in the field. Certifications do not mean that the individual can fill the role effectively, or bring the necessary wisdom of cause and effect analysis (especially in IR events).

As a rule of thumb I look for three years of direct hands-on experience PER security certification. If they have a CEH then I want to see three years of CEH hands-on experience. If it's a management role then I want to see five years of direct management experience to support that CISM certification. Certifications should be a capstone achievement that *supports* a security professional's accomplishments within the cyber security space. It must never be a replacement for.

I personally think there is a certification mill out there that is making a lot of money for educational firms, but producing very little actual hands on experienced candidates to pull from.  Great for the education business, not so good for those of us on the front line.
RetiredUser
User Rank: Ninja
5/27/2014 | 8:56:34 PM
Moderate Fear?
I'd be interested to know how many companies are short on security staff not due to salary but due to a moderate to high fear that hiring talented security professionals opens them up to a potential breach.  Whether the fear is founded or not, I've seen it at work (my perception, not putting words in mouths), and good assets who were rough around the edges were passed over for cleaner but less talented hackers.  Trust is huge, especially when the talent you're looking at might have a criminal record, but it's part of the hiring dance and sometimes a bigger deal breaker than salary.
Kelly Jackson Higgins
User Rank: Strategist
5/27/2014 | 4:10:01 PM
important topic
This should be a very enlightening and relevant discussion. Can't wait to tune in!