Thursday, June 23, 2016

The so-called InfoSec/Cybersecurity Skills Gap

Several groups are pushing the idea that there is an InfoSec/Cybersecurity "Skills Gap".  Basically the idea is that there are WAY more infosec positions than available people to fill them.

Sorry, but as an experienced infosec professional who has been looking, has seen the market out there, and knows of others who have had similar experiences, I'm not buying it.  MAYBE in some areas there are not enough people (DC area?).  MAYBE in certain skill areas (say pentesters or SOC folk) there are not enough people.  But I don't think that is a general issue across the board.

Sadly, these groups pushing this idea think that pumping out newbie infosec folks is the solution.  Really?  Companies are looking for EXPERIENCED people, not those with 'book learning'.

My own feeling is that a good deal of this is really caused by the companies themselves.  Anecdotal info I have is that too many companies want senior-level people to take on entry-level jobs at entry-level pay.  Or they want someone with the skills of 3 people to take on a job.  What recruiters call "looking for a purple squirrel".  Too many companies want people to come on board with all the skills and knowledge needed to do the job, and won't train to fill any gaps ("hit the job running" and all).  Hence perfectly qualified people are turned down if they are missing one or two things *they could easily pick up on the job*.

HERE we have a recent article on DarkReading on Cisco investing $10 Million in the skills gap.  Now, in the article they cite a study by ISACA that "84% of the security executives surveyed said only half of applicants for security jobs are qualified."  Oh, really?  And how did you determine they weren't qualified??  My experience is that too many companies put out unreasonable job descriptions and turn away good people.

How about trying this?  Have an independent group (like, say ISACA or ISSA) review those job descriptions to see if they are reasonable (also include the pay). AND a sample of the job applicants you rejected.  Does anyone want to bet that the job descriptions were unreasonable and that many of the applicants COULD have done the job??  (could be examples of what I mentioned above).

Further, these execs surveyed said "only 45% can determine the scope of an attack and remediate the damage."  Ok.  You DO understand that not all infosec people do that sort of work?  It sounds like you are only looking for certain kinds of infosec professionals.

An example of this kind of nonsense is a recent job posting that popped up in my area.  One of the local cities is looking for a security manager.  A recruiting company posted it, and they want to pay $80-100K for the position.  For a *security manager*.  Please note that 80K is entry-level pay in infosec.  A security manager is a position that STARTS at about $110-120K per year.  And this recruiting company had the gall to claim that this is competitive.  Sorry, it's not.  (It's also not helped by the fact that this particular city does NOT have a good reputation in the local IT community.)

Now, I don't know if they filled the position, but I am sorry for whoever does take it.

What are others' thoughts on this?  Am I off base?  Do you have similar examples/experiences you'd like to share?  Please comment on them.
