Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Solving The Security Workforce Shortage
Threaded  |  Newest First  |  Oldest First
Guest
50%
50%
Guest,
User Rank: Apprentice
2/22/2014 | 12:08:37 AM
re: Solving The Security Workforce Shortage
I did not realize that detecting and battling the exertions of the most technically advanced criminal forces in the history of humankind, boils down to gender, sociability and emotional intelligence. Thank you for explaining the issue in logical, critically thought out terms.
jdeerman750
50%
50%
jdeerman750,
User Rank: Apprentice
2/24/2014 | 8:18:52 PM
re: Solving The Security Workforce Shortage
It's also interesting that the discussion is always about the need for new trained security professionals but I have yet to see a discussion about keeping the older security professionals in the workforce. I know first hand as a senior security professional (that's someone in their late 50's) with over 20 years of experience in the security field, that companies complain about shortages but will not even consider a senior professional. I hear a lot about shortages of security professional but the writers should add a caveat to these stories, "of workers under 50".
Old Bull
50%
50%
Old Bull,
User Rank: Apprentice
2/25/2014 | 7:32:51 PM
re: Solving The Security Workforce Shortage
The "ageism" in IT-related positions is legendary yet it seems to me that those seasoned peeps are the ones who should be the *most* sought after. The EEOC doesn't seem to have much interest in age discrimination cases.

So, I'm not the only one who questions this "need for cybersecurity experts" when there are so many willing and able. Something about it just doesn't add up.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
3/4/2014 | 9:02:24 PM
re: Solving The Security Workforce Shortage
@jdeerman750 Ageism is a very real problem in a lot of fields, of course, but why do you think it exists in security? (I agree that it does.) Companies seem to be willing to spend the money on security people, so they're not squeezing out the senior professionals based on salary. They seem to be having a hard time finding experienced people, so they're not passing on seasoned professionals based on the fact that there is such a huge number of job applicants. And the days of people staying with a company for 20 years and retiring at age 63 are gone -- people stay for 5 years, and retire when they're 70, if they're lucky. So the argument of "well we don't want to hire someone who's 50, because they'll be retiring soon" doesn't hold water either.

Is it simply that people perceive security as a young person's game?
Old Bull
50%
50%
Old Bull,
User Rank: Apprentice
2/25/2014 | 7:16:47 PM
re: Solving The Security Workforce Shortage
@ Sara, it was with great interest I read this article because I fit this description of the Gǣnon-techieGǥ security applicant. I have psychology and business degrees, and twenty-plus years of seasoned business experience. Last year, I completed an M.S. degree in cybersecurity (no certs yet) and since have applied to approximately 75 cybersecurity firms and businesses advertising for cybersecurity positions even though I may not have the exact qualifications they stipulate. (Does anyone?) I haven't had the first interview or the first query of interest, even after listing my information with all of the IT job boards.

The reason I went back to school for the graduate degree was so much talk of a shortage of people needed in cybersecurity, going back even for several years. However, the job ads I've seen put such qualifications on job candidates that they won't fill many (or most?) of these positions for a decade, until those they can groom early on from secondary schools are finished with school. Qualifications such as "must have an active security clearance in place", "minimum 5+ years experience" in this and that, "CISSP required", and so on. There is no interest in security newbies nor is there a desire to invest in developing anyone though the need for people is reportedly there.

So, coming from the trenches, I'm just not seeing this hunt for the non-techie security analyst. It just isn't happening. Please inform as to which companies are interested in us non-techies.

R.S.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
3/4/2014 | 8:56:11 PM
re: Solving The Security Workforce Shortage
@Old Bull Thanks so much for your comment, because you're confirming for me what I'm seeing too -- and not just in the security field. So many employers don't know what they should be looking for, first of all. And then even when they DO know what they're looking for... they still don't look for it. Their actions don't fit with their words. It boggles my mind. If there really is a shortage, then why haven't employers started opening up their minds a bit?

It's the same in many places -- employers asking for the moon and stars from every applicant -- but in lots of fields that's because there are TOO MANY people looking for work. It's unfortunate, but understandable. In security, where there are apparently jobs remaining open for such a long time, this approach is not understandable at all.
Lutera77
50%
50%
Lutera77,
User Rank: Apprentice
3/19/2014 | 1:04:31 AM
re: Solving The Security Workforce Shortage
@ubm_techweb_disqus_sso_-ae164aab1ecb02b2dc74be3a06f28f7c:disqus - what I list in a job requirement is the ideal candidate. If you don't meet all of the requirements, you should craft your response in such a manner that it convinces the recruiter and me you can do the job. What is underlying your comment is that in many cases, recruiters are generally not adding the necessary value to the process. I agree that this is a problem for some organizations.

@ubm_techweb_disqus_sso_-0480d4a7522709036363932f5b73339c:disqus - I've been at cybersecurity in many different sectors for a long time (20+ yrs). In the recent past I used to see non-techies go into threat intelligence, policy, and strategy; the latter two _generally_ only if you have an advanced degree from a prestigious university. In the commercial sector, threat intel weenies produced interesting but generally not actionable reporting, so we started to use techies and trained them in intel so they can produce actionable threat reporting & indicators (it's hard to connect the dots if you don't understand the rules of the environment). Fwiw, neither my colleagues I speak with nor I have had generally positive experiences with candidates who have cybersecurity degrees, advanced or otherwise. Personally, I generally hire based on references. If I do take a chance, I generally look for at least a minor in EE/Computer Engineering/ComSci from a top 50 program and some experience (~2-3 yrs) as network/systems engineer or low-level software engineer. The best people I've taken a chance on have had a minor in one of those fields and a major in the arts/humanities. I admit, my criteria is generally narrow and I may miss qualified candidates. However, I can't spend the time required to find the diamond in the rough ... and neither can my recruiters.
byarbrough2008
50%
50%
byarbrough2008,
User Rank: Apprentice
3/4/2014 | 6:57:48 PM
re: Solving The Security Workforce Shortage
Sara - I, like many others read this article with much interest. While I dare say all related articles are off the mark in terms of reality, I will say that you are the closest to the mark so far.

From my perspective, managers are not hiring in security regardless of background unless you have demonstrated experience in the industry (beyond personal or educational experience) and hold 1-M certifications, chiefly, the CISSP.

It is not so much an age issue, gender issue, or even an degree concentration issue as much as it is an organizational/management issue. Until the gap between entry through experienced positions has been bridged, there will continue to be shortages. Until organizations and management embrace cross-functional skills and a willingness to work with experienced professionals whom may need a little coaching but could excel if given the chance, the shortage will only become worse.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
3/4/2014 | 9:08:35 PM
re: Solving The Security Workforce Shortage
@byarbrough I completely agree with you. The experts I spoke to see things one way, but they're not the people who are actually doing the hiring. I think that the people conducting the research can be quite insightful, but they can't make a difference on their own. They can ask a bunch of questions and get a good idea for what the hiring managers really need and want, and they can point to good candidates and say "that's what you need and want," but they can't MAKE the hiring managers change their ways. It's like really unsuccessful matchmaking -- a person thinks they know what they want in a mate, and they keep going out with the same kind of person over and over again, and don't understand why it never works out.
Lutera77
50%
50%
Lutera77,
User Rank: Apprentice
3/19/2014 | 12:36:39 AM
re: Solving The Security Workforce Shortage
Sara - I think you should evaluate underlying assumptions that you used in developing the title for your article. If you treat the labor market as an economics problem, there really is no such thing as a shortage of supply; only a shortage at the price-point that you're willing to pay. Given the level of effort required to become & remain highly skilled in this domain, it may cost more to entice the types of people who _can_ excel into investing the effort to acquire & maintain the necessary skills.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29071
PUBLISHED: 2020-11-25
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving se...
CVE-2020-29072
PUBLISHED: 2020-11-25
A Cross-Site Script Inclusion vulnerability was found on LiquidFiles before 3.3.19. This client-side attack requires user interaction (opening a link) and successful exploitation could lead to encrypted e-mail content leakage via messages/sent?format=js and popup?format=js.
CVE-2020-26241
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) co...
CVE-2020-26242
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18.
CVE-2020-26240
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on...