Comments
Fewer Than One-Fourth Of Cybersecurity Job Candidates Are Qualified
Dr.T
User Rank: Ninja
2/25/2017 | 4:43:03 PM
Not surprising
I am not surprised at all. It is really hard to find any candidate for any IT position these days in the US. IT resources are very expensive; that includes security skills too.
AcmeM
User Rank: Apprentice
2/24/2017 | 5:38:30 PM
Re: They may not exist so you need to teach them right
The problem I see is companies requiring credentials and passing over anyone who doesn't have them. Passing a test and understanding the problem and how to fix it are 2 different things.

I had a DoD 5220.22-M operating manual dropped on my desk from a large aerospace/defense customer saying we need to comply. After reading through 174 pages of acronyms I called their COMSEC manager and asked "What do you really need?" She replied "encrypted Email". I had it set up the next day. Yet even after a year nobody we communicate with at that company is set up for encrypted email, and hers comes with an invalid certificate warning. I asked what the hold up was with their encryption and was told she had to get authorization from a vice president.... I just about bust a gut laughing. I've kept repeated reminders to them in my CYA file. I could cite numerous other examples of the bureaucracy of big business from this company in Dulles, VA alone.

I'd bet money the only criteria was that she had a degree in security.
Dans_Security
User Rank: Apprentice
2/24/2017 | 3:45:53 PM
Look for Core skills
After being a hiring manager in IT Security for many years, I have to say the statistics are pretty accurate from a perspective of the people I see. 

One thing that people need to remember: the business needs an outcome. This means delivery, and many of the security professionals out there lack this "delivery" mentality and focus more on the research and detailed analysis functions.

My interview process is fairly simple.

1st interview - Theory and Cultural Fit (1 Hour)- Theory is focused on what they know as a base. Pick a technology/system that they are familiar with and go through their thought processes.

2nd Interview - Detailed Theory + Ability to Learn (1-1.5 hours)- Focused on detailed questions (including scripting and commands) on a high skill system. (We ask them to nominate a technology beforehand and give them 5 days of research beforehand). 

3rd Interview - Practical Lab + Analysis assessment (1-2 Hours)- We ask them to nominate a different technology and build it in the lab. My team then breaks these instances in a fairly common way that a standard person will know in 2 seconds and resolve in 5 minutes. We can see their analysis functions of the situation, see the steps they go through to analyse and also resolve.

4th Interview - Management Discussion


I have interviewed hundreds of people from different backgrounds, cultures and capabilities, and less than 15% qualify. Not from a certification perspective (they have all these), but from a core fundamental of missing on key delivery aspects (pick 1 from above). It amuses me that we get them to nominate the technologies that they are comfortable with (build this specific to their requirements and strengths), yet when it comes to practical use and assessment, they fail on something they say they are good at.

If they have the core skills of Analysis, ability and willingness to learn, a delivery approach and are happy to delve into the details, then they can get a job with me.... The certifications aren't required; once you go through our day to day operations, these just happen naturally.

My team is amazing. I give them standard and non-standard scenarios on different topics and areas each day/week, to which I get 4-5 different responses from the team. They then work out what is best between them and compare their theories and aspects with each other.

They learn from each other, and if new technologies that we want to adopt come up, I'll throw them through the certification path, although I will allocate them lab space to build, break, fix and adjust to make sure they can assess the feasibility, as well as learn and train on the technology through practical experience.

DaveRHowe
User Rank: Strategist
2/24/2017 | 2:51:53 AM
Re: They may not exist so you need to teach them right
My usual response to hiring managers is - "do you really think the guy who invented 'x' is certified in it?" :D
duffer14
User Rank: Apprentice
2/23/2017 | 8:46:17 AM
Re-thinking
Maybe rethinking what qualified means would level the playing field. Security is a tough field to get into without experience. Security is not rocket science and I would offer that people with a technical and business background would make great candidates within the security field. Security is not what is taught in books or at conferences where the focus is on a perfect world, leading people to believe that what is in the books or discussed at conferences is the real world, obviously, it is not. Last I checked, companies were in business to make money and security is part of that process, whether you want to call it a cost avoidance exercise or whatever. Security is an enhancement to and provides protection for the business while allowing the company to function and profit. I can argue that technical skills and business knowledge are critical in a security role and that security skills can be developed based upon that knowledge. The knowledge of what the business does and what is critical to the business is paramount to securing it.
HaroldShaw
User Rank: Apprentice
2/22/2017 | 10:22:34 PM
We need to improve the educational pipeline and provide freelance opportunities
I believe that the solution to the cyber skills gap is twofold. The first is to improve the educational pipeline. In this area, leaders in the cybersecurity education market such as SANS.org play a key role with online courses and certifications. The second is to offer cybersecurity experts additional opportunities to freelance or moonlight with companies, thereby sharing the skills of a qualified person amongst multiple non-competing companies. For example, companies will benefit from sharing a virtual CISO by getting expert advice at a lower cost than full-time, and the virtual CISO will benefit by exercising his/her expertise in different domains. A dedicated security freelancer marketplace such as SECUR1TY.com can help enable such arrangements. 
laurahees
User Rank: Apprentice
2/22/2017 | 8:18:23 PM
True but..
Isn't that the same with all job candidates? Regardless of the industry it is hard to find good people.  They are out there but it is hard to find a good match.  It is definitely more difficult in the security industry and why Managed Security Services is so helpful.  I do see hope with the new hiring post college generation.  They are excited, ready, inexperienced, no special certifications but honest and hard workers that come to their jobs on time, respect everyone in the office and are ready to learn, work hard and engineer solutions.  It is kind of exciting.  True article and thanks for posting.
Joe Stanganelli
User Rank: Ninja
2/22/2017 | 6:24:37 PM
Bah. Loaded descriptor.
Define "qualified".

Are we talking "able to do the job," or are we talking "meets 100% of all the supposed qualifiers that HR thinks the job requires"?

Because those are two VERY different things, especially when it comes to the purple-squirrel hiring tactics that have plagued both the IT sector and business as a whole for many years.
AndyN601
User Rank: Apprentice
2/22/2017 | 6:17:28 PM
They may not exist so you need to teach them right
While there is a lot of discussion about whether or not certifications are viable in this field it is my impression that most enterprises still look for those letters following the name. The survey presented states that 70 percent of companies require certifications for a position. While that is not 100%, I don't know how drastic a departure from certifications this really indicates.

I think one of the biggest issues is that the number of people who have the right experience might not even exist in the world. Perhaps one of the primary reasons only 25% are qualified is because only 25% of the whole population have the actual experience. How many Cyber Security Specialists have 10+ years of hands on Cloud Security for example? So much of the technology is newer than the experience of the people yet companies are looking for people with these extreme skills. This sets them up to fail at finding the exact match.

Additionally, not every company is installing the latest gear or using the latest and greatest. Therefore, as an example, while someone may know Networks, they may not be up to speed on the newest Cisco device or something. Yet, the hiring company wants them to know it. Heck, the hiring company may be one of the only companies to date that has purchased the equipment. Yet, they require experience on it. That seems like a rather tall order.

What needs to take place is practical, real scenario based education that shows the learner the actual situation. People who do get to work on this equipment and in these rare, yet highly sought after scenarios, should be teaching others the voodoo they do. This way, while the learner may not have been the one to install the equipment or resolve the situation, they know, through experienced learning, what they can do to rectify things or set things up etc. A book with a few pictures is a good start but give me a video or something showing me from start to finish how to write and execute that command line and we'll all be better off.

Companies should be investing in the education of the Security pros too (actually all their people but that's for later). Chief Learning Officers and the leadership need to invest in the people to give them the tools to succeed in the environment. There are companies out there who provide valid education at a fraction of previous costs. 

Another thing I believe worth mention is the application process itself. Security professionals are neck deep in the swamp. They don't have time to poke their head up to see what other jobs are out there let alone spend a long time filling out forms on-line. So, companies should not expect an ad on the web to draw the crowds and they should make the experience of being reviewed by the hiring manager less complicated. Hence, the article's comment about referrals being a top method for recruitment.