Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Solving The Security Workforce Shortage
Newest First  |  Oldest First  |  Threaded View
Lutera77
50%
50%
Lutera77,
 User Rank: Apprentice
3/19/2014 | 1:04:31 AM
re: Solving The Security Workforce Shortage
@ubm_techweb_disqus_sso_-ae164aab1ecb02b2dc74be3a06f28f7c:disqus - what I list in a job requirement is the ideal candidate. If you don't meet all of the requirements, you should craft your response in such a manner that it convinces the recruiter and me you can do the job. What is underlying your comment is that in many cases, recruiters are generally not adding the necessary value to the process. I agree that this is a problem for some organizations.

@ubm_techweb_disqus_sso_-0480d4a7522709036363932f5b73339c:disqus - I've been at cybersecurity in many different sectors for a long time (20+ yrs). In the recent past I used to see non-techies go into threat intelligence, policy, and strategy; the latter two _generally_ only if you have an advanced degree from a prestigious university. In the commercial sector, threat intel weenies produced interesting but generally not actionable reporting, so we started to use techies and trained them in intel so they can produce actionable threat reporting & indicators (it's hard to connect the dots if you don't understand the rules of the environment). Fwiw, neither my colleagues I speak with nor I have had generally positive experiences with candidates who have cybersecurity degrees, advanced or otherwise. Personally, I generally hire based on references. If I do take a chance, I generally look for at least a minor in EE/Computer Engineering/ComSci from a top 50 program and some experience (~2-3 yrs) as network/systems engineer or low-level software engineer. The best people I've taken a chance on have had a minor in one of those fields and a major in the arts/humanities. I admit, my criteria is generally narrow and I may miss qualified candidates. However, I can't spend the time required to find the diamond in the rough ... and neither can my recruiters.
Lutera77
50%
50%
Lutera77,
 User Rank: Apprentice
3/19/2014 | 12:36:39 AM
re: Solving The Security Workforce Shortage
Sara - I think you should evaluate underlying assumptions that you used in developing the title for your article. If you treat the labor market as an economics problem, there really is no such thing as a shortage of supply; only a shortage at the price-point that you're willing to pay. Given the level of effort required to become & remain highly skilled in this domain, it may cost more to entice the types of people who _can_ excel into investing the effort to acquire & maintain the necessary skills.
Sara Peters
50%
50%
Sara Peters,
 User Rank: Author
3/4/2014 | 9:08:35 PM
re: Solving The Security Workforce Shortage
@byarbrough I completely agree with you. The experts I spoke to see things one way, but they're not the people who are actually doing the hiring. I think that the people conducting the research can be quite insightful, but they can't make a difference on their own. They can ask a bunch of questions and get a good idea for what the hiring managers really need and want, and they can point to good candidates and say "that's what you need and want," but they can't MAKE the hiring managers change their ways. It's like really unsuccessful matchmaking -- a person thinks they know what they want in a mate, and they keep going out with the same kind of person over and over again, and don't understand why it never works out.
Sara Peters
50%
50%
Sara Peters,
 User Rank: Author
3/4/2014 | 9:02:24 PM
re: Solving The Security Workforce Shortage
@jdeerman750 Ageism is a very real problem in a lot of fields, of course, but why do you think it exists in security? (I agree that it does.) Companies seem to be willing to spend the money on security people, so they're not squeezing out the senior professionals based on salary. They seem to be having a hard time finding experienced people, so they're not passing on seasoned professionals based on the fact that there is such a huge number of job applicants. And the days of people staying with a company for 20 years and retiring at age 63 are gone -- people stay for 5 years, and retire when they're 70, if they're lucky. So the argument of "well we don't want to hire someone who's 50, because they'll be retiring soon" doesn't hold water either.

Is it simply that people perceive security as a young person's game?
Sara Peters
50%
50%
Sara Peters,
 User Rank: Author
3/4/2014 | 8:56:11 PM
re: Solving The Security Workforce Shortage
@Old Bull Thanks so much for your comment, because you're confirming for me what I'm seeing too -- and not just in the security field. So many employers don't know what they should be looking for, first of all. And then even when they DO know what they're looking for... they still don't look for it. Their actions don't fit with their words. It boggles my mind. If there really is a shortage, then why haven't employers started opening up their minds a bit?

It's the same in many places -- employers asking for the moon and stars from every applicant -- but in lots of fields that's because there are TOO MANY people looking for work. It's unfortunate, but understandable. In security, where there are apparently jobs remaining open for such a long time, this approach is not understandable at all.
byarbrough2008
50%
50%
byarbrough2008,
 User Rank: Apprentice
3/4/2014 | 6:57:48 PM
re: Solving The Security Workforce Shortage
Sara - I, like many others read this article with much interest. While I dare say all related articles are off the mark in terms of reality, I will say that you are the closest to the mark so far.

From my perspective, managers are not hiring in security regardless of background unless you have demonstrated experience in the industry (beyond personal or educational experience) and hold 1-M certifications, chiefly, the CISSP.

It is not so much an age issue, gender issue, or even an degree concentration issue as much as it is an organizational/management issue. Until the gap between entry through experienced positions has been bridged, there will continue to be shortages. Until organizations and management embrace cross-functional skills and a willingness to work with experienced professionals whom may need a little coaching but could excel if given the chance, the shortage will only become worse.
Old Bull
50%
50%
Old Bull,
 User Rank: Apprentice
2/25/2014 | 7:32:51 PM
re: Solving The Security Workforce Shortage
The "ageism" in IT-related positions is legendary yet it seems to me that those seasoned peeps are the ones who should be the *most* sought after. The EEOC doesn't seem to have much interest in age discrimination cases.

So, I'm not the only one who questions this "need for cybersecurity experts" when there are so many willing and able. Something about it just doesn't add up.
Old Bull
50%
50%
Old Bull,
 User Rank: Apprentice
2/25/2014 | 7:16:47 PM
re: Solving The Security Workforce Shortage
@ Sara, it was with great interest I read this article because I fit this description of the GÇ£non-techieGÇ¥ security applicant. I have psychology and business degrees, and twenty-plus years of seasoned business experience. Last year, I completed an M.S. degree in cybersecurity (no certs yet) and since have applied to approximately 75 cybersecurity firms and businesses advertising for cybersecurity positions even though I may not have the exact qualifications they stipulate. (Does anyone?) I haven't had the first interview or the first query of interest, even after listing my information with all of the IT job boards.

The reason I went back to school for the graduate degree was so much talk of a shortage of people needed in cybersecurity, going back even for several years. However, the job ads I've seen put such qualifications on job candidates that they won't fill many (or most?) of these positions for a decade, until those they can groom early on from secondary schools are finished with school. Qualifications such as "must have an active security clearance in place", "minimum 5+ years experience" in this and that, "CISSP required", and so on. There is no interest in security newbies nor is there a desire to invest in developing anyone though the need for people is reportedly there.

So, coming from the trenches, I'm just not seeing this hunt for the non-techie security analyst. It just isn't happening. Please inform as to which companies are interested in us non-techies.

R.S.
jdeerman750
50%
50%
jdeerman750,
 User Rank: Apprentice
2/24/2014 | 8:18:52 PM
re: Solving The Security Workforce Shortage
It's also interesting that the discussion is always about the need for new trained security professionals but I have yet to see a discussion about keeping the older security professionals in the workforce. I know first hand as a senior security professional (that's someone in their late 50's) with over 20 years of experience in the security field, that companies complain about shortages but will not even consider a senior professional. I hear a lot about shortages of security professional but the writers should add a caveat to these stories, "of workers under 50".
Guest
50%
50%
Guest,
 User Rank: Apprentice
2/22/2014 | 12:08:37 AM
re: Solving The Security Workforce Shortage
I did not realize that detecting and battling the exertions of the most technically advanced criminal forces in the history of humankind, boils down to gender, sociability and emotional intelligence. Thank you for explaining the issue in logical, critically thought out terms.


Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27605
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
CVE-2020-27606
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
CVE-2020-27607
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
CVE-2020-27608
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
CVE-2020-27609
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.