
Comments
Fewer Than One-Fourth Of Cybersecurity Job Candidates Are Qualified
Dr.T
User Rank: Ninja
2/25/2017 | 4:43:03 PM
Not surprising
I am not surprised at all. It is really hard to find any candidate for any IT position in the US these days. IT resources are very expensive; that includes security skills too.
AcmeM
User Rank: Apprentice
2/24/2017 | 5:38:30 PM
Re: They may not exist so you need to teach them right
The problem I see is companies requiring credentials and passing over anyone who doesn't have them. Passing a test and understanding the problem and how to fix it are 2 different things.

I had a DoD 5220.22-M operating manual dropped on my desk from a large aerospace/defense customer saying we need to comply. After reading through 174 pages of acronyms I called their COMSEC manager and asked "What do you really need?" She replied "encrypted Email". I had it set up the next day. Yet even after a year nobody we communicate with at that company is set up for encrypted email, and hers comes with an invalid certificate warning. I asked what the hold up was with their encryption and was told she had to get authorization from a vice president.... I just about bust a gut laughing. I've kept repeated reminders to them in my CYA file. I could cite numerous other examples of the bureaucracy of big business from this company in Dulles, VA alone.

I'd bet money the only criteria was that she had a degree in security.
Dans_Security
User Rank: Apprentice
2/24/2017 | 3:45:53 PM
Look for Core skills
After being a hiring manager in IT Security for many years, I have to say the statistics are pretty accurate from the perspective of the people I see.

One thing that people need to remember: the business needs an outcome. This means delivery, and many of the security professionals out there lack this "delivery" mentality and focus more on the research and detailed analysis functions.

My interview process is fairly simple.

1st interview - Theory and Cultural Fit (1 Hour)- Theory is focused on what they know as a base. Pick a technology/system that they are familiar with and go through their thought processes.

2nd Interview - Detailed Theory + Ability to Learn (1-1.5 hours)- Focused on detailed questions (including scripting and commands) on a high skill system. (We ask them to nominate a technology beforehand and give them 5 days of research beforehand). 

3rd Interview - Practical Lab + Analysis assessment (1-2 Hours)- We ask them to nominate a different technology and build it in the lab. My team then breaks these instances in a fairly common way that a standard person will know in 2 seconds and resolve in 5 minutes. We can see their analysis of the situation, see the steps they go through to analyse and also resolve.

4th Interview - Management Discussion


I have interviewed hundreds of people from different backgrounds, cultures and capabilities and less than 15% qualify. Not from a certification perspective (they have all these), but from a core fundamental of missing on key delivery aspects (pick 1 from above). It amuses me that we get them to nominate the technologies that they are comfortable with (build this specific to their requirements and strengths) yet when it comes to practical use and assessment, they fail on something they say they are good at.

If they have the core skills of Analysis, ability and willingness to learn, a delivery approach and are happy to delve into the details, then they can get a job with me.... The certifications aren't required; once you go through our day to day operations, these just happen naturally.

My team is amazing. I give them standard and non-standard scenarios on different topics and areas each day/week, to which I get 4-5 different responses from the team. They then work out what is best between them and compare their theories and aspects with each other.

They learn from each other and if new technologies that we want to adopt come up, I'll throw them through the certification path, although I will allocate them lab space to build, break, fix and adjust to make sure they can assess the feasibility, as well as learn and train on the technology through practical experience.

DaveRHowe
User Rank: Strategist
2/24/2017 | 2:51:53 AM
Re: They may not exist so you need to teach them right
My usual response to hiring managers is - "do you really think the guy who invented 'x' is certified in it?" :D
duffer14
User Rank: Apprentice
2/23/2017 | 8:46:17 AM
Re-thinking
Maybe rethinking what qualified means would level the playing field. Security is a tough field to get into without experience. Security is not rocket science and I would offer that people with a technical and business background would make great candidates within the security field. Security is not what is taught in books or at conferences where the focus is on a perfect world, leading people to believe that what is in the books or discussed at conferences is the real world, obviously, it is not. Last I checked, companies were in business to make money and security is part of that process, whether you want to call it a cost avoidance exercise or whatever. Security is an enhancement to and provides protection for the business while allowing the company to function and profit. I can argue that technical skills and business knowledge are critical in a security role and that security skills can be developed based upon that knowledge. The knowledge of what the business does and what is critical to the business is paramount to securing it.
HaroldShaw
User Rank: Apprentice
2/22/2017 | 10:22:34 PM
We need to improve the educational pipeline and provide freelance opportunities
I believe that the solution to the cyber skills gap is twofold. The first is to improve the educational pipeline. In this area, leaders in the cybersecurity education market such as SANS.org play a key role with online courses and certifications. The second is to offer cybersecurity experts additional opportunities to freelance or moonlight with companies, thereby sharing the skills of a qualified person amongst multiple non-competing companies. For example, companies will benefit from sharing a virtual CISO by getting expert advice at a lower cost than full-time, and the virtual CISO will benefit by exercising his/her expertise in different domains. A dedicated security freelancer marketplace such as SECUR1TY.com can help enable such arrangements. 
laurahees
User Rank: Apprentice
2/22/2017 | 8:18:23 PM
True but..
Isn't that the same with all job candidates? Regardless of the industry it is hard to find good people.  They are out there but it is hard to find a good match.  It is definitely more difficult in the security industry and why Managed Security Services is so helpful.  I do see hope with the new hiring post college generation.  They are excited, ready, inexperienced, no special certifications but honest and hard workers that come to their jobs on time, respect everyone in the office and are ready to learn, work hard and engineer solutions.  It is kind of exciting.  True article and thanks for posting.
Joe Stanganelli
User Rank: Ninja
2/22/2017 | 6:24:37 PM
Bah. Loaded descriptor.
Define "qualified".

Are we talking "able to do the job," or are we talking "meets 100% of all the supposed qualifiers that HR thinks the job requires"?

Because those are two VERY different things, especially when it comes to the purple-squirrel hiring tactics that have plagued both the IT sector and business as a whole for many years.
AndyN601
User Rank: Apprentice
2/22/2017 | 6:17:28 PM
They may not exist so you need to teach them right
While there is a lot of discussion about whether or not certifications are viable in this field it is my impression that most enterprises still look for those letters following the name. The survey presented states that 70 percent of companies require certifications for a position. While that is not 100%, I don't know how drastic a departure from certifications this really indicates.

I think one of the biggest issues is that the number of people who have the right experience might not even exist in the world. Perhaps one of the primary reasons only 25% are qualified is because only 25% of the whole population have the actual experience. How many Cyber Security Specialists have 10+ years of hands on Cloud Security for example? So much of the technology is newer than the experience of the people yet companies are looking for people with these extreme skills. This sets them up to fail at finding the exact match.

Additionally, not every company is installing the latest gear or using the latest and greatest. Therefore, as an example, while someone may know Networks, they may not be up to speed on the newest Cisco device or something. Yet, the hiring company wants them to know it. Heck, the hiring company may be one of the only companies to date that has purchased the equipment. Yet, they require experience on it. That seems like a rather tall order.

What needs to take place is practical, real scenario based education that shows the learner the actual situation. People who do get to work on this equipment and in these rare, yet highly sought after scenarios, should be teaching others the voodoo they do. This way, while the learner may not have been the one to install the equipment or resolve the situation, they know, through experienced learning, what they can do to rectify things or set things up etc. A book with a few pictures is a good start but give me a video or something showing me from start to finish how to write and execute that command line and we'll all be better off.

Companies should be investing in the education of the Security pros too (actually all their people but that's for later). Chief Learning Officers and the leadership need to invest in the people to give them the tools to succeed in the environment. There are companies out there who provide valid education at a fraction of previous costs. 

Another thing I believe worth mention is the application process itself. Security professionals are neck deep in the swamp. They don't have time to poke their head up to see what other jobs are out there let alone spend a long time filling out forms on-line. So, companies should not expect an ad on the web to draw the crowds and they should make the experience of being reviewed by the hiring manager less complicated. Hence, the article's comment about referrals being a top method for recruitment.