Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Solving The Security Workforce Shortage
Newest First  |  Oldest First  |  Threaded View
Lutera77
50%
50%
Lutera77,
 User Rank: Apprentice
3/19/2014 | 1:04:31 AM
re: Solving The Security Workforce Shortage
@ubm_techweb_disqus_sso_-ae164aab1ecb02b2dc74be3a06f28f7c:disqus - what I list in a job requirement is the ideal candidate. If you don't meet all of the requirements, you should craft your response in such a manner that it convinces the recruiter and me you can do the job. What is underlying your comment is that in many cases, recruiters are generally not adding the necessary value to the process. I agree that this is a problem for some organizations.

@ubm_techweb_disqus_sso_-0480d4a7522709036363932f5b73339c:disqus - I've been at cybersecurity in many different sectors for a long time (20+ yrs). In the recent past I used to see non-techies go into threat intelligence, policy, and strategy; the latter two _generally_ only if you have an advanced degree from a prestigious university. In the commercial sector, threat intel weenies produced interesting but generally not actionable reporting, so we started to use techies and trained them in intel so they can produce actionable threat reporting & indicators (it's hard to connect the dots if you don't understand the rules of the environment). Fwiw, neither my colleagues I speak with nor I have had generally positive experiences with candidates who have cybersecurity degrees, advanced or otherwise. Personally, I generally hire based on references. If I do take a chance, I generally look for at least a minor in EE/Computer Engineering/ComSci from a top 50 program and some experience (~2-3 yrs) as network/systems engineer or low-level software engineer. The best people I've taken a chance on have had a minor in one of those fields and a major in the arts/humanities. I admit, my criteria is generally narrow and I may miss qualified candidates. However, I can't spend the time required to find the diamond in the rough ... and neither can my recruiters.
Lutera77
50%
50%
Lutera77,
 User Rank: Apprentice
3/19/2014 | 12:36:39 AM
re: Solving The Security Workforce Shortage
Sara - I think you should evaluate underlying assumptions that you used in developing the title for your article. If you treat the labor market as an economics problem, there really is no such thing as a shortage of supply; only a shortage at the price-point that you're willing to pay. Given the level of effort required to become & remain highly skilled in this domain, it may cost more to entice the types of people who _can_ excel into investing the effort to acquire & maintain the necessary skills.
Sara Peters
50%
50%
Sara Peters,
 User Rank: Author
3/4/2014 | 9:08:35 PM
re: Solving The Security Workforce Shortage
@byarbrough I completely agree with you. The experts I spoke to see things one way, but they're not the people who are actually doing the hiring. I think that the people conducting the research can be quite insightful, but they can't make a difference on their own. They can ask a bunch of questions and get a good idea for what the hiring managers really need and want, and they can point to good candidates and say "that's what you need and want," but they can't MAKE the hiring managers change their ways. It's like really unsuccessful matchmaking -- a person thinks they know what they want in a mate, and they keep going out with the same kind of person over and over again, and don't understand why it never works out.
Sara Peters
50%
50%
Sara Peters,
 User Rank: Author
3/4/2014 | 9:02:24 PM
re: Solving The Security Workforce Shortage
@jdeerman750 Ageism is a very real problem in a lot of fields, of course, but why do you think it exists in security? (I agree that it does.) Companies seem to be willing to spend the money on security people, so they're not squeezing out the senior professionals based on salary. They seem to be having a hard time finding experienced people, so they're not passing on seasoned professionals based on the fact that there is such a huge number of job applicants. And the days of people staying with a company for 20 years and retiring at age 63 are gone -- people stay for 5 years, and retire when they're 70, if they're lucky. So the argument of "well we don't want to hire someone who's 50, because they'll be retiring soon" doesn't hold water either.

Is it simply that people perceive security as a young person's game?
Sara Peters
50%
50%
Sara Peters,
 User Rank: Author
3/4/2014 | 8:56:11 PM
re: Solving The Security Workforce Shortage
@Old Bull Thanks so much for your comment, because you're confirming for me what I'm seeing too -- and not just in the security field. So many employers don't know what they should be looking for, first of all. And then even when they DO know what they're looking for... they still don't look for it. Their actions don't fit with their words. It boggles my mind. If there really is a shortage, then why haven't employers started opening up their minds a bit?

It's the same in many places -- employers asking for the moon and stars from every applicant -- but in lots of fields that's because there are TOO MANY people looking for work. It's unfortunate, but understandable. In security, where there are apparently jobs remaining open for such a long time, this approach is not understandable at all.
byarbrough2008
50%
50%
byarbrough2008,
 User Rank: Apprentice
3/4/2014 | 6:57:48 PM
re: Solving The Security Workforce Shortage
Sara - I, like many others read this article with much interest. While I dare say all related articles are off the mark in terms of reality, I will say that you are the closest to the mark so far.

From my perspective, managers are not hiring in security regardless of background unless you have demonstrated experience in the industry (beyond personal or educational experience) and hold 1-M certifications, chiefly, the CISSP.

It is not so much an age issue, gender issue, or even an degree concentration issue as much as it is an organizational/management issue. Until the gap between entry through experienced positions has been bridged, there will continue to be shortages. Until organizations and management embrace cross-functional skills and a willingness to work with experienced professionals whom may need a little coaching but could excel if given the chance, the shortage will only become worse.
Old Bull
50%
50%
Old Bull,
 User Rank: Apprentice
2/25/2014 | 7:32:51 PM
re: Solving The Security Workforce Shortage
The "ageism" in IT-related positions is legendary yet it seems to me that those seasoned peeps are the ones who should be the *most* sought after. The EEOC doesn't seem to have much interest in age discrimination cases.

So, I'm not the only one who questions this "need for cybersecurity experts" when there are so many willing and able. Something about it just doesn't add up.
Old Bull
50%
50%
Old Bull,
 User Rank: Apprentice
2/25/2014 | 7:16:47 PM
re: Solving The Security Workforce Shortage
@ Sara, it was with great interest I read this article because I fit this description of the GÇ£non-techieGÇ¥ security applicant. I have psychology and business degrees, and twenty-plus years of seasoned business experience. Last year, I completed an M.S. degree in cybersecurity (no certs yet) and since have applied to approximately 75 cybersecurity firms and businesses advertising for cybersecurity positions even though I may not have the exact qualifications they stipulate. (Does anyone?) I haven't had the first interview or the first query of interest, even after listing my information with all of the IT job boards.

The reason I went back to school for the graduate degree was so much talk of a shortage of people needed in cybersecurity, going back even for several years. However, the job ads I've seen put such qualifications on job candidates that they won't fill many (or most?) of these positions for a decade, until those they can groom early on from secondary schools are finished with school. Qualifications such as "must have an active security clearance in place", "minimum 5+ years experience" in this and that, "CISSP required", and so on. There is no interest in security newbies nor is there a desire to invest in developing anyone though the need for people is reportedly there.

So, coming from the trenches, I'm just not seeing this hunt for the non-techie security analyst. It just isn't happening. Please inform as to which companies are interested in us non-techies.

R.S.
jdeerman750
50%
50%
jdeerman750,
 User Rank: Apprentice
2/24/2014 | 8:18:52 PM
re: Solving The Security Workforce Shortage
It's also interesting that the discussion is always about the need for new trained security professionals but I have yet to see a discussion about keeping the older security professionals in the workforce. I know first hand as a senior security professional (that's someone in their late 50's) with over 20 years of experience in the security field, that companies complain about shortages but will not even consider a senior professional. I hear a lot about shortages of security professional but the writers should add a caveat to these stories, "of workers under 50".
Guest
50%
50%
Guest,
 User Rank: Apprentice
2/22/2014 | 12:08:37 AM
re: Solving The Security Workforce Shortage
I did not realize that detecting and battling the exertions of the most technically advanced criminal forces in the history of humankind, boils down to gender, sociability and emotional intelligence. Thank you for explaining the issue in logical, critically thought out terms.


NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Hunny, I looked every where for the dorritos. 
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...
CVE-2020-8569
PUBLISHED: 2021-01-21
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, ...
CVE-2020-8570
PUBLISHED: 2021-01-21
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executi...
CVE-2020-8554
PUBLISHED: 2021-01-21
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typicall...