Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Fewer Than One-Fourth Of Cybersecurity Job Candidates Are Qualified
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Dr.T
Dr.T,
 User Rank: Ninja
2/25/2017 | 4:43:03 PM
Not surprising
I am not supervise at all. It is really hard to find any candidate for any IT positions these days in US. IT resources are very expensive trait include security skills too.
AcmeM
AcmeM,
 User Rank: Apprentice
2/24/2017 | 5:38:30 PM
Re: They may not exist so you need to teach them right
The problem I see is companies requiring credentials and passing over anyone who dosen't have them. Passing a test and understanding the problem and how to fix it are 2 different things.

I had a DoD 5220.22-M operating manual dropped on my desk from a large aerospace/defense customer saying we need to comply, after reading through a 174 pages of acronyms I called their COMSEC manager and asked "What do you really need?" She replied "encrypted Email". I had it setup the next day. Yet even after a year nobody we communicate with at that company is setup for encrypted email and hers comes with an invalid certificate warning. I asked what the hold up was with their encryption and was told she had to get authorization from a vice president.... I just about bust a gut laughing. I've kept repeated reminders to them in my CYA file. I could cite numerous other examples of the beauracracy of big business from this company in Dulles, VA alone.

I'd bet money the only criteria was that she had a degree in security.
Dans_Security
Dans_Security,
 User Rank: Apprentice
2/24/2017 | 3:45:53 PM
Look for Core skills
After being a hiring manager in IT Security for many years, I have to say the statistics are pretty accurate from a perspective of the people I see. 

One thing that people need to remember, The business needs an outcome, this means delivery and many of the seucrity professionals out there lack this "delivery" mentality and focus more on the research and detailed analysis functions. 

My interview process is fairly simple.

1st interview - Theory and Cultural Fit (1 Hour)- Theory is focused on what they know as a base. Pick a technology/system that they are familiar with and go through their thought processes.

2nd Interview - Detailed Theory + Ability to Learn (1-1.5 hours)- Focused on detailed questions (including scripting and commands) on a high skill system. (We ask them to nominate a technology beforehand and give them 5 days of research beforehand). 

3rd Interview - Practical Lab + Anaylsis assessment (1-2 Hours)- We ask them to nominate a different technoloigy and build it in the lab. My team then break these instances in a fairly common way that a standard person will know in 2 seconds and resolve in 5 minutes. We can see their analysis functions of the situation, see the steps they go through to analyse and also resolve. 

4th Interview - Management Discussion


I have interviewed hundreds of people from different backgrounds, cultures and capabilitites and less than 15% qualify. Not from a certification perspective (they have all these), but from a core fundamental of missing on key delivery aspects (pick 1 from above). It amuses me that we get them to nominate the technologies that they are comfortable with (build this specific to their requirements and strengths) yet when it comes to practical use and assessment, they fail on something they say they are good at.

If they have the core skills of Analysis, ability and willingness to learn, a delivery approach and are happy to delve into the details, then they can get a job with me.... The certifications arent required, once you go through our day to day operations, these just happen naturally.

My team is amazing. I give them standard and non-standard scenario's on different topics and areas eadh day/week, to which I get 4-5 different responses from the team. They then work out what is best between them and compare their theories and aspects with each other. 

 

They learn from each other and if new technologies that we want to adopt come up, I'll throw them through the certification path, although I will allocate them lab space to build, break, fix and adjust to make sure they can assess the feasability, as well as learn and train on the technology thorugh practical experience. 

 
DaveRHowe
DaveRHowe,
 User Rank: Strategist
2/24/2017 | 2:51:53 AM
Re: They may not exist so you need to teach them right
My usual response to hiring managers is - "do you really think the guy who invented 'x' is certified in it?" :D
duffer14
duffer14,
 User Rank: Apprentice
2/23/2017 | 8:46:17 AM
Re-thinking
Maybe rethinking what qualified means would level the playing field. Security is a tough field to get into without experience. Security is not rocket science and I would offer that people with a technical and business background would make great candidates within the security field. Security is not what is taught in books or at conferences where the focus is on a perfect world, leading people to believe that what is in the books or discussed at conferences is the real world, obviously, it is not. Last I checked, companies were in business to make money and security is part of that process, whether you want to call it a cost avoidance exercise or whatever. Security is an enhancement to and provides protection for the business while allowing the company to function and profit. I can argue that technical skills and business knowledge are critical in a security role and that security skills can be developed based upon that knowledge. The knowledge of what the business does and what is critical to the business is paramount to securing it.
HaroldShaw
HaroldShaw,
 User Rank: Apprentice
2/22/2017 | 10:22:34 PM
We need to improve the educational pipeline and provide freelance opportunities
I believe that the solution to the cyber skills gap is twofold. The first is to improve the educational pipeline. In this area, leaders in the cybersecurity education market such as SANS.org play a key role with online courses and certifications. The second is to offer cybersecurity experts additional opportunities to freelance or moonlight with companies, thereby sharing the skills of a qualified person amongst multiple non-competing companies. For example, companies will benefit from sharing a virtual CISO by getting expert advice at a lower cost than full-time, and the virtual CISO will benefit by exercising his/her expertise in different domains. A dedicated security freelancer marketplace such as SECUR1TY.com can help enable such arrangements. 
laurahees
laurahees,
 User Rank: Apprentice
2/22/2017 | 8:18:23 PM
True but..
Isn't that the same with all job candidates? Regardless of the industry it is hard to find good people.  They are out there but it is hard to find a good match.  It is definitely more difficult in the security industry and why Managed Security Services is so helpful.  I do see hope with the new hiring post college generation.  They are excited, ready, inexperienced, no special certifications but honest and hard workers that come to their jobs on time, respect everyone in the office and are ready to learn, work hard and engineer solutions.  It is kind of exciting.  True article and thanks for posting.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
2/22/2017 | 6:24:37 PM
Bah. Loaded descriptor.
Define "qualified".

Are we talking "able to do the job," or are we talking "meets 100% of all the supposed qualifiers that HR thinks the job requires"?

Because those are two VERY different things, especially when it comes to the purple-squirrel hiring tactics that have plagued both the IT sector and business as a whole for many years.
AndyN601
AndyN601,
 User Rank: Apprentice
2/22/2017 | 6:17:28 PM
They may not exist so you need to teach them right
While there is a lot of discussion about whether or not certifications are viable in this field it is my impression that most enterprises still look for those letters following the name. The survey presented states that 70 percent of companies require certifications for a position. While that is not 100%, I don't know how drastic a departure from certifications this really indicates.

I think one of the biggest issues is that the number of people who have the right experience might not even exist in the world. Perhaps one of the primary reasons only 25% are qualified is because only 25% of the whole population have the actual experience. How many Cyber Security Specialists have 10+ years of hands on Cloud Security for example? So much of the technology is newer than the experience of the people yet companies are looking for people with these extreme skills. This sets them up to fail at finding the exact match.

 Additionally, not every company is installing the latest gear or using the latest and greatest. Therefore, as an example, while someone may know Networks, they may not be up to speed on the newest Cisco device or something. Yet, the hiring company wants them to know it. Heck, the hiring company may be one of the only companies do date that has purchased the equipment. Yet, they require experience on it. That seems like a rather tall order.

What needs to take place is practical, real scenario based education that shows the learner the actual situation. People who do get to work on this equipment and in these rare, yet highly sought after scenarios, should be teaching others the voodoo they do. This way, while the learner may not have been the one to install the equipment or resolve the situation, they know, through experienced learning, what they can do to rectify things or set things up etc. A book with a few pictures is a good start but give me a video or something showing me from start to finish how to write and execute that command line and we'll all be better off.

Companies should be investing in the education of the Security pros too (actually all their people but that's for later). Chief Learning Officers and the leadership need to invest in the people to give them the tools to succeed in the environment. There are companies out there who provide valid education at a fraction of previous costs. 

Another thing I believe worth mention is the application process itself. Security professionals are neck deep in the swamp. They don't have time to poke their head up to see what other jobs are out there let alone spend a long time filling out forms on-line. So, companies should not expect an ad on the web to draw the crowds and they should make the experience of being reviewed by the hiring manager less complicated. Hence, the article's comment about referrals being a top method for recruitment.
<<   <   Page 2 / 2


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type=&quot;text&quot;` via a javascript &quot;Show Password&quot; button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn&acirc;&euro;&trade;t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file