Over the last year or so, I have heard from several sources that we have a "cybersecurity skills gap". That we have more IT security positions then we have skilled people to fill them.
Here is one example of such claims:
Now, as an experienced cybersecurity professional who has been on the job market for some time without too much success, I have a hard time accepting this. Why do I say this?
Well, if this is true, then we should be in a "seller's market" when it comes to IT Security skills. Think of it as having 10 open jobs for every available cybersecurity professional. In such a state, organizations would do all they can to fill those positions. This means they would pay more then the going rate for people. And those who are short on some skills, but who clearly show they have the ability to learn, will get hired very easily.
The opposite of this would be a "buyer's market", which would be where you might have 10 people competing for one job. Now organizations can pick and choose who they want, and get just the right person, and maybe even get away from paying less then the going rate because those people want a job. And if you are short on some skills, you'll be SOL. You won't even get an interview.
If, as some claim, we have a "skills gap", we should be in that seller's market for skilled cybersecurity professionals. Are we? Because I don't see it in my area. I see more of a buyers market. This *may* be true in some areas and some markets, but it may not be universal. Other areas may not have enough security positions for job seekers, which may force them to leave. And pumping in more professionals then the market can truly handle is not the answer.
And actually, related to this is another problem, which I don't think that the people pushing this "skills gap" are addressing. The points above about the threats are true. But I think the problem is too many organizations are NOT adding security staff. In my area, I've heard that a large majority of organizations don't have a CISO (or equivalent). How many of these recent breaches could have been prevented or limited had those organizations had the right staff? So before we start pumping in more professionals, let's also make sure there will be jobs for them to fill first. There may be a very legitimate need for more cybersecurity professionals, but the jobs are not there. Organizations are behind in staffing.
Also, the claim above is that since there are unfilled positions out there, there must be a skills gap, because the assumption is that those positions are unfilled because there aren't any qualified people to fill them. Is that correct? Or could there be other explanations? I will accept that some positions they may not be able to find qualified people. But for others, they may very well be turning away qualified people. Why do I say this? I've seen it in my area.
In my area there are several positions which have gone unfilled for some time, in a couple of cases over a year. Now, while some may say its because there are no qualified candidates, I believe its because the people in charge of finding candidates just don't know what they are doing. I know that for several of these positions that qualified candidates were submitted. But were turned down. Or worse, didn't even get a chance to interview. So to claim these positions are going unfilled due to "lack of qualified candidates" is erroneous. There are other factors going on.
This is what I and others have seen in our area:
* Job descriptions where they are looking for someone with the skills of an entire Information Security Department. Which is hard to find. Most of us specialize, doing work in some areas but not all. Hiring managers really need to be more realistic on the skills set they must have, not tossing in a wish list of things. Too often when such job descriptions are put out, people will apply if they have majority of the skills. But will be turned down by HR screeners because they don't have ALL the skills. Or they don't get past a phone screen because they find out that certain skills are a "must have" (not noted in the description), and sadly they don't have one or two of them.
* Job descriptions where they are looking for an entry level person with mid-level or senior-level knowledge. And want to pay at entry level. It seems that some companies don't understand what is the normal pay for entry level, mid-level and senior level InfoSec professionals. Further, they don't seem to understand what skills a mid-level or senior level person will have vs an entry level. Hence, we've seen job descriptions where they want someone with 2 years of experience and a CISSP. Or 2 years of experience and a skills background that can only be obtained from 4-5 years of experience.
* Job descriptions where it seems that someone doesn't understand what the main InfoSec certifications are really all about, especially what it takes to obtain them in terms of experience. For instance. A CISSP is a senior-level cert requiring 5 years of experience. It is not an entry level cert, nor is someone with 2 years of experience going to have it. So don't ask for it. Asking for a Security+ or maybe SSCP or CASP is more reasonable. CISA means they are an experienced systems auditor. CISM means they are an experienced security manager. Again, not entry level certs. And as they aren't entry level certs, don't offer entry level pay. The CISSP, CISA, and CISM certs (among others) average over $100,000. If you're not willing to pay these people at least $90K, don't ask for people with these certs. (and some of them won't accept below $100K, btw).
And if you are a recruiter who wants to recruit InfoSec positions, you better understand this and advise your client (the company wanting to hire InfoSec people) of what is and isn't reasonable in regards to pay. Don't accept what they give you, because you won't be successful recruiting good people. In fact, I get turned off by recruiters that bring me such positions, because it tells me they have no idea.
This is a topic I plan on revisiting in the future.