Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Fewer Than One-Fourth Of Cybersecurity Job Candidates Are Qualified
Threaded  |  Newest First  |  Oldest First
AndyN601
100%
0%
AndyN601,
User Rank: Apprentice
2/22/2017 | 6:17:28 PM
They may not exist so you need to teach them right
While there is a lot of discussion about whether or not certifications are viable in this field it is my impression that most enterprises still look for those letters following the name. The survey presented states that 70 percent of companies require certifications for a position. While that is not 100%, I don't know how drastic a departure from certifications this really indicates.

I think one of the biggest issues is that the number of people who have the right experience might not even exist in the world. Perhaps one of the primary reasons only 25% are qualified is because only 25% of the whole population have the actual experience. How many Cyber Security Specialists have 10+ years of hands on Cloud Security for example? So much of the technology is newer than the experience of the people yet companies are looking for people with these extreme skills. This sets them up to fail at finding the exact match.

 Additionally, not every company is installing the latest gear or using the latest and greatest. Therefore, as an example, while someone may know Networks, they may not be up to speed on the newest Cisco device or something. Yet, the hiring company wants them to know it. Heck, the hiring company may be one of the only companies do date that has purchased the equipment. Yet, they require experience on it. That seems like a rather tall order.

What needs to take place is practical, real scenario based education that shows the learner the actual situation. People who do get to work on this equipment and in these rare, yet highly sought after scenarios, should be teaching others the voodoo they do. This way, while the learner may not have been the one to install the equipment or resolve the situation, they know, through experienced learning, what they can do to rectify things or set things up etc. A book with a few pictures is a good start but give me a video or something showing me from start to finish how to write and execute that command line and we'll all be better off.

Companies should be investing in the education of the Security pros too (actually all their people but that's for later). Chief Learning Officers and the leadership need to invest in the people to give them the tools to succeed in the environment. There are companies out there who provide valid education at a fraction of previous costs. 

Another thing I believe worth mention is the application process itself. Security professionals are neck deep in the swamp. They don't have time to poke their head up to see what other jobs are out there let alone spend a long time filling out forms on-line. So, companies should not expect an ad on the web to draw the crowds and they should make the experience of being reviewed by the hiring manager less complicated. Hence, the article's comment about referrals being a top method for recruitment.
DaveRHowe
50%
50%
DaveRHowe,
User Rank: Strategist
2/24/2017 | 2:51:53 AM
Re: They may not exist so you need to teach them right
My usual response to hiring managers is - "do you really think the guy who invented 'x' is certified in it?" :D
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/25/2017 | 4:56:39 PM
Re: They may not exist so you need to teach them right
"My usual response to hiring managers is - "do you really think the guy who invented 'x' is certified in it?" :D" Good point and most likely not. Invention requires new ways of thinking.
Dans_Security
100%
0%
Dans_Security,
User Rank: Apprentice
2/24/2017 | 3:45:53 PM
Look for Core skills
After being a hiring manager in IT Security for many years, I have to say the statistics are pretty accurate from a perspective of the people I see. 

One thing that people need to remember, The business needs an outcome, this means delivery and many of the seucrity professionals out there lack this "delivery" mentality and focus more on the research and detailed analysis functions. 

My interview process is fairly simple.

1st interview - Theory and Cultural Fit (1 Hour)- Theory is focused on what they know as a base. Pick a technology/system that they are familiar with and go through their thought processes.

2nd Interview - Detailed Theory + Ability to Learn (1-1.5 hours)- Focused on detailed questions (including scripting and commands) on a high skill system. (We ask them to nominate a technology beforehand and give them 5 days of research beforehand). 

3rd Interview - Practical Lab + Anaylsis assessment (1-2 Hours)- We ask them to nominate a different technoloigy and build it in the lab. My team then break these instances in a fairly common way that a standard person will know in 2 seconds and resolve in 5 minutes. We can see their analysis functions of the situation, see the steps they go through to analyse and also resolve. 

4th Interview - Management Discussion


I have interviewed hundreds of people from different backgrounds, cultures and capabilitites and less than 15% qualify. Not from a certification perspective (they have all these), but from a core fundamental of missing on key delivery aspects (pick 1 from above). It amuses me that we get them to nominate the technologies that they are comfortable with (build this specific to their requirements and strengths) yet when it comes to practical use and assessment, they fail on something they say they are good at.

If they have the core skills of Analysis, ability and willingness to learn, a delivery approach and are happy to delve into the details, then they can get a job with me.... The certifications arent required, once you go through our day to day operations, these just happen naturally.

My team is amazing. I give them standard and non-standard scenario's on different topics and areas eadh day/week, to which I get 4-5 different responses from the team. They then work out what is best between them and compare their theories and aspects with each other. 

 

They learn from each other and if new technologies that we want to adopt come up, I'll throw them through the certification path, although I will allocate them lab space to build, break, fix and adjust to make sure they can assess the feasability, as well as learn and train on the technology thorugh practical experience. 

 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/25/2017 | 4:59:15 PM
Re: Look for Core skills
"The business needs an outcome" That is true. One thing we need to get everyone understand that preventing from a breach is an outcome for the business, that is mostly not visible enough.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/25/2017 | 5:02:08 PM
Re: Look for Core skills
"4th Interview - Management Discussion" I like your interview process. Some of these candidates may not even make 4th interview
Dans_Security
50%
50%
Dans_Security,
User Rank: Apprentice
2/28/2017 | 6:45:49 AM
Re: Look for Core skills
Most dont. We can scrub out quite a few at 2nd Interview and weed out the "talkers" at 3rd Interview
AcmeM
50%
50%
AcmeM,
User Rank: Apprentice
2/24/2017 | 5:38:30 PM
Re: They may not exist so you need to teach them right
The problem I see is companies requiring credentials and passing over anyone who dosen't have them. Passing a test and understanding the problem and how to fix it are 2 different things.

I had a DoD 5220.22-M operating manual dropped on my desk from a large aerospace/defense customer saying we need to comply, after reading through a 174 pages of acronyms I called their COMSEC manager and asked "What do you really need?" She replied "encrypted Email". I had it setup the next day. Yet even after a year nobody we communicate with at that company is setup for encrypted email and hers comes with an invalid certificate warning. I asked what the hold up was with their encryption and was told she had to get authorization from a vice president.... I just about bust a gut laughing. I've kept repeated reminders to them in my CYA file. I could cite numerous other examples of the beauracracy of big business from this company in Dulles, VA alone.

I'd bet money the only criteria was that she had a degree in security.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/25/2017 | 4:45:36 PM
Re: They may not exist so you need to teach them right
"The survey presented states that 70 percent of companies require certifications for a position. While that is not 100%, " Good questions. Sometime certification does not really represent the skills and knowledge unfortunately.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
2/22/2017 | 6:24:37 PM
Bah. Loaded descriptor.
Define "qualified".

Are we talking "able to do the job," or are we talking "meets 100% of all the supposed qualifiers that HR thinks the job requires"?

Because those are two VERY different things, especially when it comes to the purple-squirrel hiring tactics that have plagued both the IT sector and business as a whole for many years.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/25/2017 | 4:49:05 PM
Re: Bah. Loaded descriptor.
"Are we talking "able to do the job," or are we talking "meets 100% of all the supposed qualifiers that HR thinks the job requires"?" Really good point. There should not be a gab between those two actually.
laurahees
50%
50%
laurahees,
User Rank: Apprentice
2/22/2017 | 8:18:23 PM
True but..
Isn't that the same with all job candidates? Regardless of the industry it is hard to find good people.  They are out there but it is hard to find a good match.  It is definitely more difficult in the security industry and why Managed Security Services is so helpful.  I do see hope with the new hiring post college generation.  They are excited, ready, inexperienced, no special certifications but honest and hard workers that come to their jobs on time, respect everyone in the office and are ready to learn, work hard and engineer solutions.  It is kind of exciting.  True article and thanks for posting.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/25/2017 | 4:50:23 PM
Re: True but..
"Isn't that the same with all job candidates? " Good point. That is what I was thinking when I post my first message. This is the case in all IT in general.
HaroldShaw
100%
0%
HaroldShaw,
User Rank: Apprentice
2/22/2017 | 10:22:34 PM
We need to improve the educational pipeline and provide freelance opportunities
I believe that the solution to the cyber skills gap is twofold. The first is to improve the educational pipeline. In this area, leaders in the cybersecurity education market such as SANS.org play a key role with online courses and certifications. The second is to offer cybersecurity experts additional opportunities to freelance or moonlight with companies, thereby sharing the skills of a qualified person amongst multiple non-competing companies. For example, companies will benefit from sharing a virtual CISO by getting expert advice at a lower cost than full-time, and the virtual CISO will benefit by exercising his/her expertise in different domains. A dedicated security freelancer marketplace such as SECUR1TY.com can help enable such arrangements. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/25/2017 | 4:53:03 PM
Re: We need to improve the educational pipeline and provide freelance opportunities
"For example, companies will benefit from sharing a virtual CISO by getting expert advice at a lower cost than full-time" This is really a great idea. That would benefits both companies and the candidates.
duffer14
100%
0%
duffer14,
User Rank: Apprentice
2/23/2017 | 8:46:17 AM
Re-thinking
Maybe rethinking what qualified means would level the playing field. Security is a tough field to get into without experience. Security is not rocket science and I would offer that people with a technical and business background would make great candidates within the security field. Security is not what is taught in books or at conferences where the focus is on a perfect world, leading people to believe that what is in the books or discussed at conferences is the real world, obviously, it is not. Last I checked, companies were in business to make money and security is part of that process, whether you want to call it a cost avoidance exercise or whatever. Security is an enhancement to and provides protection for the business while allowing the company to function and profit. I can argue that technical skills and business knowledge are critical in a security role and that security skills can be developed based upon that knowledge. The knowledge of what the business does and what is critical to the business is paramount to securing it.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/25/2017 | 4:54:17 PM
Re: Re-thinking
"Security is a tough field to get into without experience. " This is really a good point. You would not rally handle security without good level of experience.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/25/2017 | 5:03:46 PM
Re: Re-thinking
"Security is an enhancement to and provides protection for the business while allowing the company to function and profit." That makes sense, it is part of profit basically.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/25/2017 | 4:43:03 PM
Not surprising
I am not supervise at all. It is really hard to find any candidate for any IT positions these days in US. IT resources are very expensive trait include security skills too.


Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19794
PUBLISHED: 2019-12-13
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
CVE-2019-19795
PUBLISHED: 2019-12-13
samurai 0.7 has a heap-based buffer overflow in canonpath in util.c via a crafted build file.
CVE-2019-19796
PUBLISHED: 2019-12-13
Yabasic 2.86.2 has a heap-based buffer overflow in myformat in function.c via a crafted BASIC source file.
CVE-2019-5253
PUBLISHED: 2019-12-13
E5572-855 with versions earlier than 8.0.1.3(H335SP1C233) has an improper authentication vulnerability. The device does not perform a sufficient authentication when doing certain operations, successful exploit could allow an attacker to cause the device to reboot after launch a man in the middle att...
CVE-2019-5260
PUBLISHED: 2019-12-13
Huawei smartphones HUAWEI Y9 2019 and Honor View 20 have a denial of service vulnerability. Due to insufficient input validation of specific value when parsing the messages, an attacker may send specially crafted TD-SCDMA messages from a rogue base station to the affected devices to exploit this vul...